╰─▶ curl 'https://test.sram.surf.nl/api/organisations/v1' -H 'Accept: application/json' -H 'Referer: https://test.sram.surf.nl/apidocs/' -H 'Authorization: Bearer A7t4-GKLjt9a4T_2tbWwD7bBOd5lZzBHzK6aDjte6wfg' -H 'Cookie: subscription_id=78f94f7f-91b5-4f80-9582-0486d37c4eed; session=.eJw9j91OwkAQhV-F7K3YClTBXlEkmkiixkoM3jSzu7Ow0N3W_am2hHd3EXGuJplzvjNnT-7y1_u3aoeapCQb5G2--ZxnL77MFryZQbt67vhWduvlu3vcXtrFw2T5VNKGrUifFDUaBRq1I6kzHvuEo3VSg5OVLrwpA3LjXG3TOHbhElkDKrLeiEiXMdQyVgLiBo0U7VBAUZvquy3Au00X6N6iIemeAFcyPCegtCEBFcgjl4K9CIJGMvwVTLsKHe4q_xVpdMG-9iHx3yY5SYdhRn2iQWEAzMD25tjLT4zsyOh9nBnBb5FVmhcCmKtMEXYhjUJ-buqPRHI15De3YsyAjwQTNElogmNI4BqpoIwO6GAyQpHwKTB2ao_cOwRlo8qs_0oW4Yi1Qx6q1yf-4fAD16-PGg.ZQ18Xw.3gnWnWMs7N50p_mCpsE9OVBkh-c'
{"error":true,"message":"Forbidden: https://test.sram.surf.nl/api/organisations/v1. IP: 145.90.230.173, 10.24.0.20. Not a valid external API call"}
if the session user doesn't have access to the Org
It seems that the API first checks the session instead of preferring the Bearer token.
While this might seem like a strange thing to do, this happens when using the SBS /apidocs "Try it out" functionality while already being logged into SBS. It seems the browser then automatically adds the session cookie.
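The precedence problem described above, as an added illustration that is not SBS code: a request that carries both a session cookie and an `Authorization: Bearer` header is resolved once session-first (the observed behaviour, where the logged-in user's organisation access decides the outcome) and once Bearer-first (the expected behaviour, where the explicitly presented API key and its organisation decide). All session ids, users, organisations and API keys below are constructed fixtures.

```python
"""Constructed illustration of session-vs-Bearer precedence (not SBS code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed fixtures, not real SBS data.
SESSIONS = {"sess-alice": "alice"}        # session cookie value -> user
USER_ORGS = {"alice": {"org-a"}}          # user -> organisations they may access
API_KEYS = {"key-for-org-b": "org-b"}     # bearer token -> organisation it is bound to


@dataclass
class Principal:
    kind: str           # "session" or "api_key"
    name: str           # user name (session) or organisation name (api_key)
    org: Optional[str]  # organisation the API key is bound to; None for sessions


def _session_principal(cookies):
    """Look up the session cookie; None if absent or unknown."""
    user = SESSIONS.get(cookies.get("session", ""))
    return Principal("session", user, None) if user else None


def _bearer_principal(headers):
    """Look up the Bearer token; None if absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    org = API_KEYS.get(auth[len("Bearer "):].strip())
    return Principal("api_key", org, org) if org else None


def resolve_session_first(headers, cookies):
    """Observed behaviour: a valid session cookie wins over the Bearer token."""
    return _session_principal(cookies) or _bearer_principal(headers)


def resolve_bearer_first(headers, cookies):
    """Expected behaviour: an explicitly presented Bearer token takes precedence."""
    return _bearer_principal(headers) or _session_principal(cookies)


def org_api_call(resolver, headers, cookies, org):
    """Simulate an organisation API call; returns (status, body)."""
    principal = resolver(headers, cookies)
    if principal is None:
        return 401, {"error": True, "message": "Unauthorized"}
    if principal.kind == "api_key":
        # An API key only ever grants access to the organisation it belongs to.
        allowed = principal.org == org
    else:
        # A session user is checked against the organisations they may access.
        allowed = org in USER_ORGS.get(principal.name, set())
    if not allowed:
        return 403, {"error": True, "message": f"Forbidden: no access to {org}"}
    return 200, {"organisation": org, "authenticated_via": principal.kind}


# Request as sent by "Try it out" while logged in: both credentials present.
HEADERS = {"Authorization": "Bearer key-for-org-b", "Accept": "application/json"}
COOKIES = {"session": "sess-alice"}

if __name__ == "__main__":
    # alice has no access to org-b, so session-first yields 403 despite the valid key
    print(org_api_call(resolve_session_first, HEADERS, COOKIES, "org-b"))
    # bearer-first uses the key bound to org-b and succeeds
    print(org_api_call(resolve_bearer_first, HEADERS, COOKIES, "org-b"))
```

With only the cookie or only the token present both resolvers behave the same; the difference shows up exactly in the mixed case the issue describes, where the session user lacks access to the organisation the API key is bound to.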
Moved to icebox because this only occurs in the specific circumstance that the person who is logged in to SBS and who is using /apidocs does not have access to the Org corresponding to the API key.