search

casdoor / casdoor-go-sdk

Go client SDK for Casdoor
https://github.com/casdoor/casdoor
Apache License 2.0
82 stars 65 forks source link

Bug in GetToken API #102

Closed maknahar closed 3 months ago

maknahar commented 4 months ago

Get token API of Casdoor accept id in the query parameter. ID is combination of owner and name of the token as documented here. https://door.casdoor.com/swagger/#/Token%20API/ApiController.GetToken

However in GetToken implementation of this SDK, it is assumed that Organization is the owner https://github.com/casdoor/casdoor-go-sdk/blob/master/casdoorsdk/token.go#L87

queryMap := map[string]string{ "id": fmt.Sprintf("%s/%s", c.OrganizationName, name), }

Looks like this is not the case all the time. In my case, I am observing that even though organization name is built-in, owner name of the token is admin.

As a result, GetToken is sending wrong id to Casdoor server.

Attaching a sample response of get-token API that explains that ower value can be different from organization name.

Screenshot 2024-03-07 at 01 44 49

Another weird thing I am observing in get-token API is that even if wrong ID is sent, no error is returned from API. Instead response code is 200 with following json payload:

{
    "status": "ok",
    "msg": "",
    "sub": "",
    "name": "",
    "data": null,
    "data2": null
}
casbin-bot commented 4 months ago

@tangyang9464 @JalinWang @imp2002

hsluoyz commented 3 months ago

@maknahar fixed by: https://github.com/casdoor/casdoor-go-sdk/commit/3aafd160ad213b9ecfb69c922c6611e733f5d00a

maknahar commented 3 months ago

Thanks @hsluoyz