Traewelling / traewelling

Free check-in service to log your public transit journeys
https://traewelling.de
GNU Affero General Public License v3.0

API: /trains/checkin does not report an error when using an unauthorized bearer token #128

Closed derf closed 3 years ago

derf commented 3 years ago

Describe the bug

When checking into a train via /trains/checkin using an unauthorized bearer token, the server does not return an error such as HTTP 401. Instead, it returns an HTTP 302 redirect to the HTML login page.

To Reproduce

Steps to reproduce the behavior:

  1. Obtain a token from the API, e.g. via curl or travelynx.de
  2. Revoke the token from the Träwelling settings page
  3. Use /trains/checkin to check into a train

Expected behavior

The server should return HTTP 401 and preferably a JSON document explaining the error instead of HTML.

Note that I did not test whether this also happens with entirely invalid bearer tokens.

Travelynx Log

-- Non-blocking request (https://traewelling.de/api/v0/trains/checkin)
-- Reusing connection e0813e072e572ed952a845dea5dd99ae (https://traewelling.de:443)
-- Client >>> Server (https://traewelling.de/api/v0/trains/checkin)
POST /api/v0/trains/checkin HTTP/1.1\x0d
Content-Length: 103\x0d
Accept-Encoding: gzip\x0d
Authorization: Bearer [redacted]\x0d
Content-Type: application/json\x0d
Host: traewelling.de\x0d
User-Agent: travelynx/1.17.5-11-g562dd7c-dirty on / +https://finalrewind.org/projects/travelynx\x0d
\x0d
{"destination":"8000142","start":"8000080","toot":false,"tripID":"1|221647|5|80|4102020","tweet":false}
-- Client >>> Server (https://traewelling.de/api/v0/trains/checkin)

-- Client <<< Server (https://traewelling.de/api/v0/trains/checkin)
HTTP/1.1 302 Found\x0d
Date: Sun, 04 Oct 2020 10:33:56 GMT\x0d
Content-Type: text/html; charset=UTF-8\x0d
Transfer-Encoding: chunked\x0d
Connection: keep-alive\x0d
Server: nginx\x0d
Cache-Control: no-cache, private\x0d
X-RateLimit-Limit: 60\x0d
X-RateLimit-Remaining: 56\x0d
Location: https://traewelling.de/login\x0d
X-Xss-Protection: 1; mode=block\x0d
X-Frame-Options: SAMEORIGIN\x0d
Strict-Transport-Security: max-age=31536000\x0d
X-Content-Type-Options: nosniff\x0d
Referrer-Policy: strict-origin-when-cross-origin\x0d
\x0d
166\x0d
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://traewelling.de/login'" />

        <title>Redirecting to https://traewelling.de/login</title>
    </head>
    <body>
        Redirecting to <a href="https://traewelling.de/login">https://traewelling.de/login</a>.
    </body>
</html>\x0d

-- Client <<< Server (https://traewelling.de/api/v0/trains/checkin)
0\x0d
\x0d
MrKrisKrisu commented 3 years ago

Please try sending the header "Accept: application/json" to the server. With this header it should work.

derf commented 3 years ago

Oops. Yup, that's it, my bad :)
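The exchange discussed in this thread, as an added example that is neither Träwelling's nor travelynx's code: a hypothetical mock of POST /api/v0/trains/checkin that behaves as the report describes (302 to the HTML login page for an unauthorized request without "Accept: application/json", 401 JSON with it), plus a client that sends the Accept header and refuses to treat a login redirect as success. The token, trip ID and login URL are constructed values; station IDs are taken from the logged request.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed token accepted by the mock; every other token counts as revoked or unknown.
VALID_TOKEN = "constructed-valid-token"


class MockCheckinHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for POST /api/v0/trains/checkin (not Träwelling's code).

    Reproduces the behaviour described in the issue: an unauthorized request that
    does not send 'Accept: application/json' is answered with a 302 to the HTML
    login page; the same request with that header gets a 401 JSON error.
    """

    def _reply(self, status, content_type, body, extra_headers=()):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Drain the body so the connection stays usable; it plays no role in the auth decision.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        token = self.headers.get("Authorization", "")
        wants_json = "application/json" in self.headers.get("Accept", "")
        if token == f"Bearer {VALID_TOKEN}":
            self._reply(200, "application/json", json.dumps({"status": "checked in"}).encode())
        elif wants_json:
            self._reply(401, "application/json", json.dumps({"message": "Unauthenticated."}).encode())
        else:
            html = b"<!DOCTYPE html><html><body>Redirecting to /login</body></html>"
            self._reply(302, "text/html; charset=UTF-8", html,
                        [("Location", "http://127.0.0.1/login")])  # constructed login URL

    def log_message(self, *args):
        pass  # keep the mock quiet


def start_mock_server():
    """Bind the mock to an ephemeral localhost port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), MockCheckinHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def classify(status, location):
    """Map a raw response to an outcome the client can act on.

    A redirect to the login page is an authentication failure in disguise, so it
    is reported as 'unauthorized' rather than silently followed as if it succeeded.
    """
    if status == 401:
        return "unauthorized"
    if status in (301, 302, 303, 307, 308) and \
            urlsplit(location or "").path.rstrip("/").endswith("/login"):
        return "unauthorized"
    if 200 <= status < 300:
        return "ok"
    return "error"


def checkin(base_url, token, accept_json=True):
    """POST a check-in and return the status, content type and classified outcome.

    http.client is used on purpose: unlike urllib's default opener it does not follow
    redirects, so the 302 is observed instead of being turned into a GET of the login page.
    """
    parts = urlsplit(base_url)
    payload = json.dumps({"start": "8000080", "destination": "8000142",
                          "tripID": "constructed-trip-id", "tweet": False, "toot": False}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if accept_json:
        headers["Accept"] = "application/json"  # the header the fix in the thread relies on
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    try:
        conn.request("POST", "/api/v0/trains/checkin", body=payload, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body
        return {"status": resp.status,
                "content_type": resp.getheader("Content-Type", ""),
                "outcome": classify(resp.status, resp.getheader("Location"))}
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_mock_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print("valid token:         ", checkin(base, VALID_TOKEN))
    print("revoked, no Accept:  ", checkin(base, "revoked-token", accept_json=False))
    print("revoked, Accept JSON:", checkin(base, "revoked-token"))
    srv.shutdown()
```

Two client-side habits follow from the thread: always send "Accept: application/json" to an API that content-negotiates its error pages, and never let an HTTP library follow a 302 on an authenticated POST without inspecting where it leads, since a login redirect means the token was rejected even though no 4xx status was ever seen.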