dstndstn / astrometry.net

Astrometry.net -- automatic recognition of astronomical images
http://astrometry.net

API usage requires csrftoken from cookie, but returns error about bad/missing Referer header #233

Closed shekibobo closed 2 years ago

shekibobo commented 3 years ago

I'm attempting to write an Android app using the API. I'm using Retrofit 2 with OkHttp3. I've been trying to fetch https://nova.astrometry.net/api/myjobs. I've added a cookie manager to my client and have verified it is sending the correct Cookie header in the request I'm making, but instead of getting any kind of JSON response back, I'm getting an HTML response mentioning that I'm missing or have a malformed Referer header (depending on what I've tried). I can successfully fetch api/myjobs using Postman, and have replicated the same error if I delete the cookies for the site. In Postman, adding or removing a Referer header makes no difference. I have successfully logged in, and verified that the session id is being sent correctly. I'm not sure what the next step is, or how to figure out the CSRF requirements for this API that don't appear to be documented.

Thank you for the amazingly useful service, BTW.

dstndstn commented 3 years ago

Hi,

You should not have to send any cookies with your request. API requests must send a session key with the JSON request.

It sounds like you're working in Java, so this won't really help you, but here's the (edited) Python client's interaction with that api/myjobs call. Each call uses a new Request object; there is no client-side state (no cookies).

> python3 ~/astrometry/net/client/client.py --jobs --apikey $API_KEY_NOVA --server https://nova.astrometry.net/api/
Python: {'apikey': 'XXX'}
Sending json: {"apikey": "XXX"}
Sending to URL: https://nova.astrometry.net/api/login
Sending form data: {'request-json': '{"apikey": "XXX"}'}
Sending data: b'request-json=%7B%22apikey%22%3A+%22XXX%22%7D'
Got json: b'{"status": "success", "message": "authenticated user: dstndstn@gmail.com", "session": "SSS"}'
Got result: {'status': 'success', 'message': 'authenticated user: dstndstn@gmail.com', 'session': 'SSS'}
Got status: success
Got session: SSS
Python: {'session': 'SSS'}
Sending json: {"session": "SSS"}
Sending to URL: https://nova.astrometry.net/api/myjobs/
Sending form data: {'request-json': '{"session": "SSS"}'}
Sending data: b'request-json=%7B%22session%22%3A+%22SSS%22%7D'
Got json: b'{"jobs": [1486963, 4921559, 5049634], "status": "success"}'
Got result: {'jobs': [1486963, 4921559, 5049634], 'status': 'success'}
Got status: success
[1486963, 4921559, 5049634]

shekibobo commented 3 years ago

Wow, okay. So I tried some different things, and apparently the / after /api/myjobs/ is required in the API call. If I don't include the trailing / I get the error response about missing the Referer header and CSRF problems. Thanks for your help.

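The two points in this thread, the session key travelling in the JSON body rather than a cookie and the trailing slash on api/myjobs/, as an added Python example that is not the project's own client (the helper names encode_request, endpoint_url, call_api and list_jobs are assumptions; the encoding reproduces the request-json form field shown in the transcript above):

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

NOVA_API = "https://nova.astrometry.net/api/"


def encode_request(payload: dict) -> bytes:
    """Encode a payload the way the transcript above shows: the JSON text is
    placed in one form field named 'request-json' and form-urlencoded."""
    return urlencode({"request-json": json.dumps(payload)}).encode("ascii")


def endpoint_url(base: str, name: str) -> str:
    """Build the endpoint URL with a trailing slash. Without it the myjobs
    request fell through to the HTML CSRF/Referer error instead of JSON."""
    return base.rstrip("/") + "/" + name.strip("/") + "/"


def call_api(base: str, name: str, payload: dict) -> dict:
    """POST one request-json payload and decode the JSON reply (network call).
    No cookie jar is involved: each call is a fresh, stateless Request."""
    req = Request(endpoint_url(base, name), data=encode_request(payload))
    with urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_jobs(apikey: str, base: str = NOVA_API) -> list:
    """Log in with the API key, then send the returned session key in the
    body of the /api/myjobs/ request, exactly as the client transcript does."""
    login = call_api(base, "login", {"apikey": apikey})
    if login.get("status") != "success":
        raise RuntimeError("login failed: %s" % login.get("message"))
    jobs = call_api(base, "myjobs", {"session": login["session"]})
    if jobs.get("status") != "success":
        raise RuntimeError("myjobs failed: %s" % jobs)
    return jobs["jobs"]


if __name__ == "__main__":
    import os
    print(list_jobs(os.environ["API_KEY_NOVA"]))
```

The encoded bytes produced by encode_request match the "Sending data:" lines in the transcript, so a client in another language can be checked against them before touching the network.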
dstndstn commented 3 years ago

ooof, okay, that's unfortunate! I will try to fix that so the trailing slash isn't required! Thanks for the bug report, and good luck with your project!

dstndstn commented 3 years ago

Okay, this should be fixed https://github.com/dstndstn/astrometry.net/commit/af3e733b9b46582a2de3fb596cceef3315720a0a#diff-016dedd1ac2e6a176827889a433ad71446214c15691b56ed67de94cf0ad6250aR180 sorry for the trouble -- somehow api/myjobs was one of the very few API endpoints where the trailing slash was not optional!