go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

Vikunja API Token wasn't working for get tasks api/v1/projects/1/tasks #105

Closed ubeyou closed 5 months ago

ubeyou commented 6 months ago

Description

I have an API token with tasks read all enabled.


When I use the API token, api/v1/projects/1/tasks doesn't work. It shows { "message": "missing, malformed, expired or otherwise invalid token provided" }

The API token works for get projects.

If I log in and use the bearer token from inspect, api/v1/projects/1/tasks loads fine.

Discovered this when setting up n8n: https://github.com/go-vikunja/n8n-vikunja-nodes/issues/1

Vikunja Frontend Version

0.22.0

Vikunja API Version

0.22.0

Browser and version

Chrome

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

kolaente commented 6 months ago

Do the other endpoints work?

ubeyou commented 6 months ago

Tested endpoints such as get projects; it works. Just tasks by project ID is not working.

ubeyou commented 6 months ago

Based on my quick testing, endpoints starting with /projects, /routes, /teams all return invalid token.

/labels, /tasks, /info, /filters are working fine.

ubeyou commented 6 months ago

Here is the API token permission returned by api/v1/tokens when using login; I can't access this with the API token either.

[
  {
    "id": 4,
    "title": "test2",
    "permissions": {
      "filters": [
        "create",
        "read_one",
        "update",
        "delete"
      ],
      "labels": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "notifications": [
        "read_all",
        "update"
      ],
      "projects": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "projects_buckets": [
        "create",
        "read_all",
        "update",
        "delete"
      ],
      "tasks": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "tasks_assignees": [
        "create",
        "read_all",
        "delete"
      ],
      "tasks_attachments": [
        "read_all",
        "delete"
      ],
      "tasks_comments": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "tasks_labels": [
        "create",
        "read_all",
        "delete"
      ],
      "tasks_relations": [
        "create",
        "delete"
      ]
    },
    "expires_at": "2024-04-02T01:31:59Z",
    "created": "2024-01-03T01:31:59Z"
  }
]

kolaente commented 6 months ago

> Here is the API token permission returned by api/v1/tokens when using login; I can't access this with the API token either.

That endpoint only lists which permissions are available in general. It will not work with any api token, only user logins.

FuadAbdullah commented 6 months ago

Hi there, I would like to add to the discussion. I used Postman to see for myself the error message in case it provided further details as to what caused the 401 unauthorized error. Below are my findings:

URL and authorization header (URL and token obfuscated for security reasons): [image]

Response body: [image]

API token scope: [image]

n8n Vikunja Get Many Tasks node error stack:

NodeApiError: Request failed with status code 401
    at RoutingNode.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/RoutingNode.js:117:23)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Workflow.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/Workflow.js:733:23)
    at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/WorkflowExecute.js:656:53

Vikunja API server logs via Dozzle: [image]

I also deployed Vikunja frontend and API servers as docker containers (with VIKUNJA_LOG_LEVEL: DEBUG environment variable set) and faced this issue while trying to set up a workflow using n8n and Telegram bot. I hope this information helps!

kolaente commented 6 months ago

This looks a lot like a bug. I'll take a look.

kolaente commented 5 months ago

Fixed in 514ea71d930d5faf3a36a4387291291ecda0ab48 - please check with the next unstable build if your problem went away.

requ1Re commented 1 month ago

Hi, sorry for maybe reopening this issue - but is this really fixed? I also get a lot of "missing, malformed, expired or otherwise invalid token provided" errors while testing the API lately. For example, getting a project background (/api/v1/projects/{id}/background) always yields this error for me, even on the try.vikunja.io instance (API key with full permissions). Another route which does not work is /api/v1/routes, for example.

FuadAbdullah commented 1 month ago

Hey there, I can confirm those routes are not working after testing them myself. I tried /api/v1/projects/{id}/background with the DELETE method and that doesn't work, even with a full permission key. I think there are more code 401 routes that are in need of testing. The last bug fix did work though, so that is why I did not follow up after this case was closed. However, I am unsure if these bugs require a separate issue.


requ1Re commented 1 month ago

> Hey there, I can confirm those routes are not working after testing them myself. I tried /api/v1/projects/{id}/background with the DELETE method and that doesn't work, even with a full permission key. I think there are more code 401 routes that are in need of testing. The last bug fix did work though, so that is why I did not follow up after this case was closed. However, I am unsure if these bugs require a separate issue.

Thanks for confirming. I will create another issue.
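
The comparison the participants ran by hand (same route, once with the API token and once with the login bearer token) can be scripted as a regression check. This is an added example, not code from the thread or from the Vikunja project; the function names are hypothetical, it assumes both credentials are sent as `Authorization: Bearer ...`, and `session_only` lists routes that are login-only by design, as kolaente describes for api/v1/tokens.

```python
import json
import urllib.error
import urllib.request

# Error text quoted in the thread for rejected tokens.
INVALID_TOKEN_MSG = "missing, malformed, expired or otherwise invalid token provided"

def http_get(base_url, path, token):
    """GET base_url + path with a bearer token; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def classify(status, body):
    """Separate 'token not accepted at all' from other outcomes."""
    if status == 401:
        try:
            message = json.loads(body).get("message", "")
        except (ValueError, AttributeError):
            message = ""
        return "token_rejected" if message == INVALID_TOKEN_MSG else "unauthorized"
    if status == 403:
        return "forbidden"
    return "ok" if 200 <= status < 300 else f"http_{status}"

def compare_auth(base_url, paths, api_token, session_jwt,
                 session_only=(), fetch=http_get):
    """Flag routes the session JWT can use but the API token cannot."""
    report = {}
    for path in paths:
        tok = classify(*fetch(base_url, path, api_token))
        jwt = classify(*fetch(base_url, path, session_jwt))
        suspect = (jwt == "ok" and tok == "token_rejected"
                   and path not in session_only)
        report[path] = {"api_token": tok, "session": jwt, "suspect": suspect}
    return report
```

A route marked `suspect` accepts the session login but rejects a token outright, which is the symptom reported here; whether the token's scopes should cover that route still has to be checked against the permissions list.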