Closed mjy closed 5 years ago
@mjy it is for sure for user authentication and it is also documented. For project authentication apparently it is implemented as a "Project token" header, but I couldn't get it to work with curl and it is not documented either. However, given that https://sfg.taxonworks.org/api/v1/ exposes project tokens already, is the project token leakage of concern?
```
$ curl -v -H "Authorization: Project token c5lh0vgnBGTOQDOSfRYC8g" "https://sfg.taxonworks.org/api/v1/taxon_names"
*   Trying 128.174.81.101...
* Connected to sfg.taxonworks.org (128.174.81.101) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*   server certificate verification OK
*   server certificate status verification SKIPPED
*   common name: ssl.globalnames.org (matched)
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: CN=ssl.globalnames.org
*   start date: Tue, 21 May 2019 19:55:55 GMT
*   expire date: Mon, 19 Aug 2019 19:55:55 GMT
*   issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*   compression: NULL
* ALPN, server accepted to use http/1.1
> GET /api/v1/taxon_names HTTP/1.1
> Host: sfg.taxonworks.org
> User-Agent: curl/7.47.0
> Accept: */*
> Authorization: Project token c5lh0vgnBGTOQDOSfRYC8g
>
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.14.2
< Date: Fri, 19 Jul 2019 22:07:46 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 17
< Connection: keep-alive
< Status: 401 Unauthorized
< Cache-Control: no-cache
< Vary: Origin
< Referrer-Policy: strict-origin-when-cross-origin
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 1; mode=block
< X-Request-Id: e4ea8426-eaa6-4449-a314-c1e2d5c568d9
< X-Download-Options: noopen
< X-Runtime: 0.003217
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-Rack-CORS: miss; no-origin
< X-Powered-By: Phusion Passenger 5.3.4
< X-Varnish: 724211
< Age: 0
< Via: 1.1 varnish (Varnish/6.0)
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host sfg.taxonworks.org left intact
{"success":false}
```
Thanks. Project tokens are meant to be very public; they are never a concern.
On Fri, Jul 19, 2019 at 4:10 PM Hernán Lucas Pereira notifications@github.com wrote:
@LocoDelAssembly Maybe we have this already; I have to look again. If we have, it's just a matter of updating the doc.