WhatsApp / WhatsApp-Business-API-Setup-Scripts

The scripts related to setting up WhatsApp business API
MIT License

Access Denied - User doesn't have permissions | When using WA_API_KEY #42

Closed laloyalo closed 3 years ago

laloyalo commented 3 years ago

Hello, WhatsApp team. I am trying to follow the instructions described in the Stats and Metrics documentation to enable API key access to the waweb. I am running in K8s and have configured the env variable as described in the instructions. When I attempt to send a request using the API and the headers:

Authorization: Apikey {{AdminAuthToken}}

where {{AdminAuthToken}} is a string of 50 randomly generated characters.

The following error is returned by the API.

{
    "meta": {
        "version": "v2.27.12",
        "api_status": "stable"
    },
    "errors": [
        {
            "code": 1005,
            "title": "Access denied",
            "details": "User doesn't have permission"
        }
    ]
}

And the following logs appear in the waweb container.

[2020-08-29 00:36:07.456919] app.INFO: [91395b070cc98617a96be6f01dfe6902] Matched route "{route}". {"route":"GET_metrics","route_parameters":{"_controller":"WhatsApp\\Controller\\MetricsController::getMetrics","_route":"GET_metrics"},"request_uri":"https://hidden.com/metrics","method":"GET"} []

[2020-08-29 00:36:07.457592] app.INFO: [91395b070cc98617a96be6f01dfe6902] Guard authentication successful! {"token":"[object] (Symfony\\Component\\Security\\Guard\\Token\\PostAuthenticationGuardToken: PostAuthenticationGuardToken(user=\"_apiuser\", authenticated=true, roles=\"ROLE_API\"))","authenticator":"WhatsApp\\Security\\ApiKeyAuthenticator"} []

[2020-08-29 00:36:07.457802] app.ERROR: [91395b070cc98617a96be6f01dfe6902] Invalid authentication token format [] []

[2020-08-29 00:36:07.458130] app.ERROR: [91395b070cc98617a96be6f01dfe6902] Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: Access Denied. (uncaught exception) at /var/www/html/vendor/symfony/security/Http/Firewall/ExceptionListener.php line 2 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Access Denied. at /var/www/html/vendor/symfony/security/Http/Firewall/ExceptionListener.php:2, Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /var/www/html/vendor/symfony/security/Http/Firewall/AccessListener.php:2)"} []

[2020-08-29 00:36:07.458358] app.INFO: [91395b070cc98617a96be6f01dfe6902] Response:  {"meta":{"version":"v2.27.12","api_status":"stable"},"errors":[{"code":1005,"title":"Access denied","details":"User doesn't have permission"}]} []

[2020-08-29 00:36:07.458674] app.INFO: [91395b070cc98617a96be6f01dfe6902] Request GET_/metrics returns 403 in 14.44 ms [] []

It looks like the role provided to the authenticated Apikey does not have the proper permissions to access the endpoints. Are there any missing steps to get this working?

Image and tag version: docker.whatsapp.biz/web:v2.27.12

Thank you!

origliante commented 3 years ago

@laloyalo Hi, did you manage to solve it?

laloyalo commented 3 years ago

Hello @origliante, I kinda solved it by implementing a service that authenticates against the WA API and stores the token in the file system, so that it can later be configured in Prometheus. There's a much simpler solution, and that is to migrate to v2.29.3 of the WA containers, as they mention on the changelog page that v2.29.1 added support for the API key, so you may just update to v2.29.3 (the recommended update) and get this new feature. This was probably a case of me reading the documentation for the latest version and not the version I was actually running 😅.

laloyalo commented 3 years ago

I will be closing this, as this is actually implemented in v2.29.3, not v2.27.12. Thanks!
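The resolution of this thread can be turned into a triage check. The following is an added example, not code from the issue or from the WhatsApp project: it tests whether a 1005 "Access denied" response comes from a build older than the one the thread says added API key support, and finds request ids in waweb logs where ApiKeyAuthenticator succeeded but the request still returned 403. The function names, the regex and the trimmed sample data are assumptions constructed from the text quoted above.

```python
import json
import re

# From the thread: the changelog is said to list v2.29.1 as adding API key support.
MIN_APIKEY_VERSION = (2, 29, 1)

# "[timestamp] app.LEVEL: [32-hex request id] message" as in the logs quoted above.
LOG_RE = re.compile(r"^\[[^\]]+\] app\.(\w+): \[([0-9a-f]{32})\] (.*)$")

def parse_version(text):
    """'v2.27.12' -> (2, 27, 12), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.lstrip("v").split("."))

def version_explains_denial(response_body):
    """True if the body is error 1005 from a build older than MIN_APIKEY_VERSION."""
    doc = json.loads(response_body)
    codes = {err.get("code") for err in doc.get("errors", [])}
    return 1005 in codes and parse_version(doc["meta"]["version"]) < MIN_APIKEY_VERSION

def apikey_accepted_then_denied(log_lines):
    """Request ids showing the thread's signature: key accepted, token rejected, 403."""
    seen = {}
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an application log line in the expected layout
        _level, request_id, message = match.groups()
        flags = seen.setdefault(request_id, set())
        if "Guard authentication successful" in message and "ApiKeyAuthenticator" in message:
            flags.add("auth_ok")
        if "Invalid authentication token format" in message:
            flags.add("bad_format")
        if re.search(r"returns 403\b", message):
            flags.add("403")
    wanted = {"auth_ok", "bad_format", "403"}
    return sorted(rid for rid, flags in seen.items() if wanted <= flags)

# Constructed samples, trimmed from the response and log lines quoted in the issue.
SAMPLE_RESPONSE = '{"meta":{"version":"v2.27.12"},"errors":[{"code":1005}]}'
RID = "91395b070cc98617a96be6f01dfe6902"
SAMPLE_LOG = [
    f'[2020-08-29 00:36:07.457592] app.INFO: [{RID}] Guard authentication successful! '
    '{"authenticator":"ApiKeyAuthenticator"} []',
    f"[2020-08-29 00:36:07.457802] app.ERROR: [{RID}] Invalid authentication token format [] []",
    f"[2020-08-29 00:36:07.458674] app.INFO: [{RID}] Request GET_/metrics returns 403 in 14.44 ms [] []",
]

if __name__ == "__main__":
    print("older than API key support:", version_explains_denial(SAMPLE_RESPONSE))
    print("affected request ids:", apikey_accepted_then_denied(SAMPLE_LOG))
```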