Closed roksanaer closed 7 months ago
I have a feeling that for the UI user session we have another Devise authorization policy that is being used instead of the token verification (especially in Swagger).
I elaborated a little about the issue in the description: https://github.com/cyfronet-fid/marketplace/issues/1787#issue-799301669.
I'm not entirely sure whether we should treat this behaviour as a bug - for API exploration being able to use browser's session to authorize is a pretty handy behaviour. We should fix the bugs / errors issue though.
Original below.
This is what Bartek mentioned below: our API controllers accept both the token and the session authorization strategy, which leads to the erroneous and misleading behaviour.
The API paths should be excluded from the omniauth (?).
Another way this manifests is that when a request is sent to an API endpoint without authorization and no "Accept" header, then you are redirected to the AAI, which is an undesired behaviour.
If you specify the header, then the response is correct:
The description is valid for v3.17.0.
After revoking the API token, it can still be used in the API when opened in the same browser window.
Needs investigation
Raised during release 3.6.0 retro
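To illustrate the separation the comments above ask for (API paths never fall back to the browser session, an unauthenticated API call gets a 401 instead of a redirect to the AAI regardless of the Accept header, and a revoked token stops working immediately), here is an added example in plain Ruby over a Rack-style env hash. It is not the marketplace's own code; the token store, the `/api/` prefix and the login path are assumptions.

```ruby
require 'json'

# Constructed in-memory token store with revocation (assumption, not the project's model).
class TokenStore
  def initialize; @tokens = {}; end
  def issue(user, token); @tokens[token] = { user: user, revoked: false }; end
  def revoke(token); @tokens[token][:revoked] = true if @tokens.key?(token); end
  # Returns the owner only for a known, non-revoked token.
  def user_for(token)
    entry = @tokens[token]
    entry && !entry[:revoked] ? entry[:user] : nil
  end
end

# Picks the authorization strategy by path: under /api/ only a bearer token is
# consulted and failure is a JSON 401; elsewhere the session is used and failure
# redirects to the login endpoint. The Accept header plays no role in either branch.
class Authorizer
  AAI_LOGIN = '/users/auth/login' # placeholder login path (assumption)
  def initialize(store); @store = store; end

  def call(env)
    if env['PATH_INFO'].to_s.start_with?('/api/')
      token = env['HTTP_AUTHORIZATION'].to_s[/\ABearer (\S+)\z/, 1]
      user = token && @store.user_for(token)
      return [401, { 'Content-Type' => 'application/json' }, [{ error: 'unauthorized' }.to_json]] unless user
      [200, { 'Content-Type' => 'application/json' }, [{ user: user }.to_json]]
    else
      user = env['rack.session'] && env['rack.session']['user']
      return [302, { 'Location' => AAI_LOGIN }, []] unless user
      [200, { 'Content-Type' => 'text/html' }, ["hello #{user}"]]
    end
  end
end

# Walks through the reported scenario: session-only API call, token call, then the
# same token after revocation. Returns the status code observed in each case.
def demo
  store = TokenStore.new
  store.issue('alice', 'tok-123') # constructed sample token
  auth = Authorizer.new(store)
  session_only = { 'PATH_INFO' => '/api/v1/services', 'rack.session' => { 'user' => 'alice' } }
  with_token = session_only.merge('HTTP_AUTHORIZATION' => 'Bearer tok-123')
  result = { session_only: auth.call(session_only)[0], token: auth.call(with_token)[0] }
  store.revoke('tok-123')
  result.merge(revoked: auth.call(with_token)[0])
end
```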