Open 15characterlimi opened 4 months ago
Hi all. I'm encountering the same issue... @15characterlimi have you found any clue or workaround for this issue?
@akadaoui the solution I ended up taking isn't great, my personal workaround is that I fixed the bug in the xdrip source code where it doesn't correctly put the access token into a query parameter like in my example (a). I didn't contribute that fix back to xdrip because I've found the xdrip maintainers to be very unwelcoming towards fixes for even very obvious bugs in the past (the xdrip source is a huge bug fest, but that's a different matter).
Anyway, that's my personal workaround but it will only work for those who use xdrip and are comfortable editing and compiling the xdrip source code themselves.
Describe the bug
Authentication by specifying the access token in the Nightscout URL through HTTP authentication (putting it in front of the hostname separated by "@") no longer works.
To Reproduce
Steps to reproduce the behavior:
Below, replace ACCESS_TOKEN with an access token with role device-readwrite set up in Nightscout, and replace HOST with the hostname of a Nightscout instance (ends with ".code.run"). Then:
https://HOST/api/v1/entries.json?token=ACCESS_TOKEN
in a browser (i.e. via HTTP GET), it lists an array of my latest glucose values, in JSON format.
https://ACCESS_TOKEN@HOST/api/v1/entries.json
in a web browser then I get redirected to the same URL without ACCESS_TOKEN@, and with page body
{"status":401,"message":"Unauthorized","description":"Invalid/Missing"}
This broke after I synced my fork of https://github.com/nightscout/cgm-remote-monitor to the latest commit 21e0591d49235845acba58cf8b3cc7339921185b today.
Unfortunately the previous version that I know to have worked was from around May 20, 2021, so I don't know when in the last 33 months or so this broke.
Expected behavior
Both methods should produce a list of my latest glucose values, in JSON format.
Your setup information
Additional context
Note that the documentation at https://nightscout.github.io/uploader/setup/#xdrip documents the format that no longer works (that page is very old so it still refers to API_SECRET rather than ACCESS_TOKEN, but the gist is the same).
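The workaround described in the thread (moving the access token from in front of the hostname into the `token` query parameter), as an added example that is not part of the original posts and is not xDrip or Nightscout code. The host name and token values are constructed placeholders and the function names are hypothetical; because the token ends up in the URL either way, a second helper masks it before the URL is written to a log.

```javascript
// Added example: rewrite https://ACCESS_TOKEN@HOST/path into
// https://HOST/path?token=ACCESS_TOKEN, the form the report says still works.
// Uses only the WHATWG URL API built into Node.js and browsers.

function tokenToQueryParam(input) {
  const url = new URL(input);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  // No userinfo present: nothing to move.
  if (url.username === '' && url.password === '') {
    return url.href;
  }
  // "TOKEN@HOST" carries the token as the username,
  // "user:TOKEN@HOST" carries it as the password.
  const raw = url.password !== '' ? url.password : url.username;
  const token = decodeURIComponent(raw); // userinfo is percent-encoded
  url.username = '';
  url.password = '';
  // An explicit ?token= already in the URL wins over the userinfo value.
  if (!url.searchParams.has('token')) {
    url.searchParams.set('token', token);
  }
  return url.href;
}

// Mask the token in either position before a URL is logged.
function redactForLog(input) {
  const url = new URL(input);
  if (url.username !== '') url.username = 'REDACTED';
  if (url.password !== '') url.password = 'REDACTED';
  if (url.searchParams.has('token')) url.searchParams.set('token', 'REDACTED');
  return url.href;
}

// Constructed sample input (placeholder host and token).
const sample = 'https://mytoken-0123456789abcdef@nightscout.example/api/v1/entries.json?count=3';
console.log(redactForLog(sample));
console.log(redactForLog(tokenToQueryParam(sample)));
```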