ZoneMinder / zoneminder

ZoneMinder is a free, open source Closed-circuit television software application developed for Linux which supports IP, USB and Analog cameras.
http://www.zoneminder.com/
GNU General Public License v2.0

Logging in via the API is non-functional #2625

Closed neillbell closed 5 years ago

neillbell commented 5 years ago

Describe Your Environment

Describe the bug

Logging in via the API is non-functional. Tools like zmNinja cannot access ZoneMinder. Turning off authentication via OPT_USE_AUTH restores access.

To Reproduce

Steps to reproduce the behavior:

  1. Start the ZoneMinder system.
  2. Start zmNinja

Expected behavior

zmNinja should start normally and be able to access the system. Instead zmNinja reports an "API Access Error".

Debug Logs

web_php.log cake_error.log

neillbell commented 5 years ago

Turning off ENABLE_CSRF_MAGIC appears to make this work for zmNinja although something odd seems to be happening in the logs.

web_php.log cake_error.log

My command line tool that uses the API still fails to log in:

web_php.log cake_error.log

neillbell commented 5 years ago

I tried the example using curl from the API docs. It didn't work either.

ransom (133) curl -XPOST -d "user=neill&pass=******" -c cookies.txt https://zm.example.org/zm/api/host/login.json
{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJab25lTWluZGVyIiwiaWF0IjoxNTU5MDg3Njc5LCJleHAiOjE1NTkwOTEyNzksInVzZXIiOiJuZWlsbCIsInR5cGUiOiJhY2Nlc3MifQ.Q2OWSC8nb6tCcNcIeoQ62kG1Ij0GoRA4nHcpPJAJA0U",
    "access_token_expires": 3600,
    "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJab25lTWluZGVyIiwiaWF0IjoxNTU5MDg3Njc5LCJleHAiOjE1NTkxNzQwNzksInVzZXIiOiJuZWlsbCIsInR5cGUiOiJyZWZyZXNoIn0.gnaAQPPnNn3V9rCVoo65qlnuX5T7__ku0wsJtPBYOn0",
    "refresh_token_expires": 86400,
    "credentials": "auth=c1c94785a0e6d7f37d10338ee038d563",
    "append_password": 0,
    "version": "1.33.9",
    "apiversion": "2.0"
}
ransom (134) curl -b cookies.txt https://zm.example.org/zm/api/monitors.json
{
    "success": false,
    "data": {
        "name": "Not Authenticated",
        "message": "Not Authenticated",
        "url": "\/zm\/api\/monitors.json",
        "exception": {
            "class": "UnauthorizedException",
            "code": 401,
            "message": "Not Authenticated",
            "trace": [
                "#0 \/usr\/share\/zoneminder\/www\/api\/app\/Controller\/MonitorsController.php(23): AppController->beforeFilter()",
                "#1 \/usr\/share\/zoneminder\/www\/api\/lib\/Cake\/Event\/CakeEventManager.php(243): MonitorsController->beforeFilter(Object(CakeEvent))",
                "#2 \/usr\/share\/zoneminder\/www\/api\/lib\/Cake\/Controller\/Controller.php(677): CakeEventManager->dispatch(Object(CakeEvent))",
                "#3 \/usr\/share\/zoneminder\/www\/api\/lib\/Cake\/Routing\/Dispatcher.php(189): Controller->startupProcess()",
                "#4 \/usr\/share\/zoneminder\/www\/api\/lib\/Cake\/Routing\/Dispatcher.php(167): Dispatcher->_invoke(Object(MonitorsController), Object(CakeRequest))",
                "#5 \/usr\/share\/zoneminder\/www\/api\/app\/webroot\/index.php(107): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))",
                "#6 {main}"
            ]
        },
        "queryLog": {
            "default": {
                "log": [],
                "count": 0,
                "time": null
            }
        }
    }
}
}
ransom (135) cat cookies.txt 
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_zm.example.org       FALSE   /       FALSE   1559091279      ZMSESSID        eanu4oopktsf7jfah36bmra0sp

neillbell commented 5 years ago

I didn't know about the new token system. Sorry about that.
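
The token system mentioned in the last comment can be seen in the login.json response quoted earlier. The following is an added example, not part of the original thread or the ZoneMinder code base: it decodes the two JWTs from that response (without verifying the signature, since the HS256 key is server-side) and checks which one is usable as an access token. The helper names are hypothetical, and passing the token as a `token` query parameter is an assumption taken from the ZoneMinder API documentation rather than from this thread.

```python
import base64
import json
from urllib.parse import urlencode

# Tokens copied verbatim from the login.json response in the thread (issued in 2019, long expired).
ACCESS_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJab25lTWluZGVyIiwiaWF0IjoxNTU5MDg3Njc5LCJleHAiOjE1NTkwOTEyNzksInVzZXIiOiJuZWlsbCIsInR5cGUiOiJhY2Nlc3MifQ.Q2OWSC8nb6tCcNcIeoQ62kG1Ij0GoRA4nHcpPJAJA0U"
REFRESH_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJab25lTWluZGVyIiwiaWF0IjoxNTU5MDg3Njc5LCJleHAiOjE1NTkxNzQwNzksInVzZXIiOiJuZWlsbCIsInR5cGUiOiJyZWZyZXNoIn0.gnaAQPPnNn3V9rCVoo65qlnuX5T7__ku0wsJtPBYOn0"


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding stripped) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwt_claims(token):
    """Return (header, payload) of a compact JWT WITHOUT verifying the signature.

    A client cannot verify HS256 tokens; this is for inspection only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


def usable_as_access_token(token, now):
    """True only for a token of type 'access' that is inside its validity window."""
    _, claims = jwt_claims(token)
    return claims.get("type") == "access" and claims["iat"] <= now < claims["exp"]


def authenticated_url(base, path, token):
    """Build an API URL with the token as a query parameter (assumed usage)."""
    query = urlencode({"token": token})
    return f"{base.rstrip('/')}/{path.lstrip('/')}?{query}"


if __name__ == "__main__":
    for name, tok in (("access", ACCESS_TOKEN), ("refresh", REFRESH_TOKEN)):
        header, claims = jwt_claims(tok)
        lifetime = claims["exp"] - claims["iat"]
        print(f"{name}: alg={header['alg']} type={claims['type']} "
              f"user={claims['user']} lifetime={lifetime}s")
```

A token carried in the query string is recorded in web server access logs, so those logs should be treated as sensitive for the token's lifetime.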