go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

Various API routes return 401 error with valid token #266

Closed requ1Re closed 1 month ago

requ1Re commented 1 month ago

Description

While testing the API, I found out that multiple routes return "missing, malformed, expired or otherwise invalid token provided" errors (status code 401) even if you use valid, full-permission API tokens. For example, getting a project background (using GET /api/v1/projects/{id}/background) always yields this error, even on the try.vikunja.io instance and even if the project has a user-uploaded background. Another route which does not work is /api/v1/routes, for example. I think there are even more than that.

There was a similar issue, but that has since been closed as completed: #105

Vikunja Version

v0.23.0

Browser and version

n/a

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

[screenshot]

kolaente commented 1 month ago

/routes is not supposed to work, as there is no permission for it. The route is only really used for the form in the frontend when creating a token.

Should the project background be a separate permission or an existing one like project read?

requ1Re commented 1 month ago

It should probably be part of the project read permission. I would've guessed API keys with "full permissions" (aka. all permission checkboxes checked) would have access to everything anyways.

I think there was another route (not /routes) which had the same error, though I am not sure which it was.

kolaente commented 1 month ago

Now fixed in https://github.com/go-vikunja/vikunja/commit/99a67e09b14f40ffddf7761da69275349a196541. There are now new permissions for all routes, except user settings. Please check with the next unstable build (should be ready for deployment in ~45min, also on try).
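The per-route permission model discussed in this thread, as an added Go example that is not Vikunja's code: a route has to be registered with a permission before an API token can use it, so an unregistered route such as the project background fails closed with 401 even for a token with every permission ticked, and the fix is to register it under an existing permission such as project read. The registry, the Token type and the 403 for a known route the token lacks permission for are assumptions of this example.

```go
package main

// Added example (not Vikunja's code): a minimal model of per-route API token
// permissions and why an unregistered route yields 401 for a full-permission token.
// routePerm is the permission group and name a route requires, e.g. projects/read_one.
type routePerm struct{ Group, Perm string }

// registry maps "METHOD pattern" to the permission it requires (constructed sample).
// "GET /projects/:id/background" is deliberately absent: that is the reported state.
var registry = map[string]routePerm{
	"GET /projects/:id": {"projects", "read_one"},
	"PUT /projects":     {"projects", "create"},
}

// Token carries the permissions chosen at creation time: group -> permission names.
type Token struct{ Perms map[string][]string }

// FullToken builds a token holding every permission the registry knows (constructed
// stand-in for "all permission checkboxes checked").
func FullToken() Token {
	t := Token{Perms: map[string][]string{}}
	for _, rp := range registry {
		t.Perms[rp.Group] = append(t.Perms[rp.Group], rp.Perm)
	}
	return t
}

// Authorize returns the HTTP status the token check yields for a route. Routes with no
// registered permission fail closed with 401 regardless of the token. Returning 403 for
// a known route the token lacks permission for is this example's choice (assumption).
func Authorize(tok Token, method, pattern string) int {
	rp, known := registry[method+" "+pattern]
	if !known {
		return 401
	}
	for _, p := range tok.Perms[rp.Group] {
		if p == rp.Perm {
			return 200
		}
	}
	return 403
}

// RegisterRoute is the shape of the fix: attach an existing permission to the route.
func RegisterRoute(method, pattern, group, perm string) {
	registry[method+" "+pattern] = routePerm{group, perm}
}
```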