inveniosoftware / invenio-rest

REST API support for Invenio.
https://invenio-rest.readthedocs.io
MIT License

deposit: cannot upload multiple files in one go #127

Closed lnielsen closed 2 years ago

lnielsen commented 2 years ago

Package version (if known):

Describe the bug

It's not possible to select and upload multiple files. Selecting and uploading one file at a time works.

Screenshots (if applicable)

https://user-images.githubusercontent.com/1698163/144724386-2de37df3-5992-465c-a217-f566110e9a03.mov

Additional context

Server log

127.0.0.1 - - [04/Dec/2021 21:59:54] "POST /api/records HTTP/1.1" 201 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "POST /api/records/eedh6-nmt78/draft/files HTTP/1.1" 201 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "POST /api/records/eedh6-nmt78/draft/files HTTP/1.1" 201 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "PUT /api/records/eedh6-nmt78/draft/files/IMG_6556.jpeg/content HTTP/1.1" 400 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "PUT /api/records/eedh6-nmt78/draft/files/IMG_6555.jpeg/content HTTP/1.1" 400 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "DELETE /api/records/eedh6-nmt78/draft/files/IMG_6556.jpeg HTTP/1.1" 400 -
127.0.0.1 - - [04/Dec/2021 21:59:54] "DELETE /api/records/eedh6-nmt78/draft/files/IMG_6555.jpeg HTTP/1.1" 400 -

HTTP Request for a good file upload:

PUT /api/records/eedh6-nmt78/draft/files/IMG_6555.jpeg/content HTTP/1.1
Content-Type: application/octet-stream
Accept: application/json, text/plain, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:5000
Origin: https://127.0.0.1:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
Connection: keep-alive
Referer: https://127.0.0.1:5000/uploads/eedh6-nmt78
Content-Length: 83833
Cookie: csrftoken=eyJhbGciOiJIUzUxMiIsImlhdCI6MTYzODY1MjIzNiwiZXhwIjoxNjM4NjU1ODM2fQ.IjJPd1loWlJpR2FmRXpQbllrYWNmQXM5TTdEcU95WTFDIg.rFlc7uLV-heuCJNmuwmb3nRahcggoFYnGFbwHrgVOSTp4lqVKhNYrDXPta9JnKpAttFlcArWUCoWraHqZkhO_w; session=6e5e80d4a27ecc64_61aba8a0.Yh-rwJHAzUZ0t8K8yUjPpZTWv9I
X-CSRFToken: eyJhbGciOiJIUzUxMiIsImlhdCI6MTYzODY1MjIzNiwiZXhwIjoxNjM4NjU1ODM2fQ.IjJPd1loWlJpR2FmRXpQbllrYWNmQXM5TTdEcU95WTFDIg.rFlc7uLV-heuCJNmuwmb3nRahcggoFYnGFbwHrgVOSTp4lqVKhNYrDXPta9JnKpAttFlcArWUCoWraHqZkhO_w

HTTP Request for a bad file upload:

PUT /api/records/eedh6-nmt78/draft/files/IMG_6555.jpeg/content HTTP/1.1
Content-Type: application/octet-stream
Accept: application/json, text/plain, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:5000
Origin: https://127.0.0.1:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
Connection: keep-alive
Referer: https://127.0.0.1:5000/uploads/eedh6-nmt78
Content-Length: 83833
Cookie: csrftoken=eyJhbGciOiJIUzUxMiIsImlhdCI6MTYzODY1MjE5MSwiZXhwIjoxNjM4NjU1NzkxfQ.IndBOWV2M3FrS2hCU0JUeHRYUndheWxEZ2oySE9PV1dKIg.OOJmzyCsLs49DNSU94pOR1Tu6HrMyHk2Ep05yKz3SZHC-gTSENoWcw5olUWj6UD7KdYPmrhfqlEBS8JNxAKp1Q; session=6e5e80d4a27ecc64_61aba8a0.Yh-rwJHAzUZ0t8K8yUjPpZTWv9I
X-CSRFToken: eyJhbGciOiJIUzUxMiIsImlhdCI6MTYzODY1MjE5MSwiZXhwIjoxNjM4NjU1NzkxfQ.InI4M0FuV3B6bUw1eThxcVFqMTQ4N3BqRzdIWHpzRnFiIg.6wwEFNiJ7npLUKoaGjIWuBvKD1Oq8vWb_LwvGiO-jzRJConxWb3N2491LeDQVh5XfPo2DwZYnV4Y-ZznNmA4TA

Response to bad request:

HTTP/1.1 400 BAD REQUEST
Content-Type: application/json
Content-Security-Policy: default-src 'self' data: 'unsafe-inline' blob: 'unsafe-inline'
Set-Cookie: csrftoken=eyJhbGciOiJIUzUxMiIsImlhdCI6MTYzODY1MTkyMiwiZXhwIjoxNjM4NjU1NTIyfQ.Ing4UnMwdVRzRFJHZTg3QTl5YktNMEVUUWZMMm94SmQ4Ig.IfvQjFj6tu8pQJjFych8Jfn3QxIjbhyq9xcdsOIXno85DVBeRb-vTxIYOXjiAR5He8cVCmQKf2y4FUoDtyQ9AQ; Expires=Sat, 03 Dec 2022 21:05:22 GMT; Max-Age=31449600; Secure; Path=/; SameSite=Lax
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Date: Sat, 04 Dec 2021 21:05:22 GMT
Content-Length: 70
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-User-ID: 2
X-Session-ID: 6e5e80d4a27ecc64_61aba8a0
Server: Werkzeug/2.0.2 Python/3.8.9
Permissions-Policy: interest-cohort=()
Strict-Transport-Security: max-age=31556926; includeSubDomains

{
  "message": "CSRF token missing or incorrect.", 
  "status": 400
}

lnielsen commented 2 years ago

Due to the CSRF token being regenerated on every request. Moving issue to Invenio-REST.
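The failure mode named in the last comment, as an added example that is not part of the original issue or of Invenio-REST's code: a simplified double-submit check in which the client copies the `csrftoken` cookie into `X-CSRFToken` when a request is prepared, while the cookie jar value is attached at send time. `Server`, `Browser` and `simulate` are hypothetical names, and the rotation policy is modelled only from the comment's description.

```python
import secrets


class Server:
    """Double-submit check: accept only if cookie token equals header token."""

    def __init__(self, rotate_every_response):
        self.rotate = rotate_every_response

    def handle(self, cookie, header):
        ok = bool(cookie) and secrets.compare_digest(cookie, header)
        # Under the rotating policy every response carries a fresh csrftoken.
        new_cookie = secrets.token_urlsafe(16) if self.rotate else None
        return (200 if ok else 400), new_cookie


class Browser:
    def __init__(self, token):
        self.cookie = token  # cookie jar entry for "csrftoken"

    def prepare(self):
        # Client script copies the current cookie into X-CSRFToken.
        return self.cookie

    def send(self, server, header):
        # The jar value at send time goes out as the Cookie header.
        status, new_cookie = server.handle(self.cookie, header)
        if new_cookie is not None:
            self.cookie = new_cookie  # Set-Cookie replaces the jar entry
        return status


def simulate(rotate, concurrent, uploads=2):
    """Return the status code of each upload (constructed scenario)."""
    server = Server(rotate)
    browser = Browser(secrets.token_urlsafe(16))
    if concurrent:
        # Multi-file selection: all requests prepared before any response.
        headers = [browser.prepare() for _ in range(uploads)]
        return [browser.send(server, h) for h in headers]
    # One file at a time: each request sees the latest cookie.
    return [browser.send(server, browser.prepare()) for _ in range(uploads)]


if __name__ == "__main__":
    print(simulate(rotate=True, concurrent=True))   # stale header after rotation
    print(simulate(rotate=True, concurrent=False))
    print(simulate(rotate=False, concurrent=True))
```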