odkr
commented
5 years ago Passing --request-header User-Agent:"Pandoc/2" to pandoc works around the problem (--request-header Zotero-Allowed-Request:X and --request-header X-Zotero-Connector-API-Version:0 don't, because the bug is caused by the missing User-Agent header. Passing --request-header User-Agent:"Mozilla/X" and --request-header Zotero-Allowed-Request:X works, too).
Zotero v5.0.71 introduces a security mechanim that aims to block 'browsers' from accessing its API. It appears to define 'browser' as any HTTP user agent that identifes as "Mozilla"; more precisely, the identification string of which starts with "Mozilla/" (lines 439–453 in
server_connector.js). So, HTTP requests to Zotero's API have to be made either via an HTTP user agent that doesn't identify as "Mozilla" or, alternatively, with the HTTP headerZotero-Allowed-Requestset. (judging fromserver_connector.js).By default, Pandoc doesn't set any request headers. Still, it appears Zotero treats it as 'browser'. This isn’t, however, because Pandoc identifies as Mozilla, but because Pandoc doesn't identify as any user agent. This triggers:
However,
pandoc-zotxt.luauses Pandoc'spandoc.mediabag.fetchfunction to retrieve data via HTTP (in MediaBag.hs, which ultimately callsopenURLin Class.hs). Andpandoc.mediabag.fetch(andopenURL), do not allow to set HTTP headers. Apparently, Pandoc sets headers for HTTP requests globally (seeCommonStateandstRequestHeadersin Class.hs).PANDOC_STATEis read-only. AndPANDOC_STATE.request_headers['Zotero-Allowed-Request'] = 1has no effect (PANDOC_STATE.request_headersis still empty afterwards).(And
pandoc.mediabag.fetchreturns ("", "") (i.e., the empty string two times), rather than either an error message from Zotero or (nil,nil), as the documentation would suggest. This makes debugging harder.)Lua is just a thin layer over ANSI C. There is no other library or function to connect to a socket.
This explains https://github.com/egh/zotxt/issues/11.
Fixing this will require a change in Zotero or Pandoc.