All API calls with auth="..." are broken

pi-hole / web

Pi-hole Dashboard for stats and more

https://pi-hole.net

Other

2.06k stars 563 forks source link

All API calls with auth="..." are broken #2326

Closed jojost1 closed 2 years ago

jojost1 commented 2 years ago

Versions

Pi-hole: 5.12
AdminLTE: 5.17
FTL: 5.14.1

It only started occurring after the updates from yesterday.

Platform

OS and version: Debian 10
Platform: Raspberry Pi

Expected behavior

When for example making the request http://192.168.1.68/admin/api.php?getForwardDestinations=""&auth="66f5f0cf90a042cd064aa3807ebb86e4191665801f0812013c110ac3cf4de344"

I would expect a response.

Actual behavior / bug

That request just returns an empty array []. If you make the request in a browser that's logged into the web interface, it does give a response. However you would expect it to work just with the auth="...".

Additional context

This breaks almost all calls of the API as used in my application Pi-hole Remote (iOS); except calls like summary(Raw) and overTimeData10mins as they do not require the auth.

PromoFaux commented 2 years ago

Confirmed, potentially down to changes here: https://github.com/pi-hole/AdminLTE/pull/2294

Will assign @rdwebdesign to take a look

jojost1 commented 2 years ago

@PromoFaux excellent, thanks a bunch for the quick reply, I appreciate it!

PromoFaux commented 2 years ago

Feel free to dig around in the code in case you see something before we do!

Might also be worth you running your Pi-hole on the dev branches (at least the web interface) so we can catch these things before we release!

Note to self: I wonder if we can set up some basic API tests on the CI using the docker image. One to investigate for future...!

jojost1 commented 2 years ago

I'll definitely start running my development Pi-hole on the dev branch so I can catch stuff like this yeah 😄 good suggestion.

Sadly I don't have time right now to go through the code 😞

gh0sti commented 2 years ago

@jojost1 does this happen right away in the pihole remote app? Just installed and connected to my hosted pihole and was able to connect just fine. Or am I not understanding the issue at hand.

jojost1 commented 2 years ago

@gh0sti the Home-tab mostly works fine, because that call (summaryRaw) doesn't require authentication with the API token. All other calls that do require authentication like the Statistics-tab, Query Log, Lists, etc, are broken. If you don't have a password set for your Pi-hole (not recommended) you will probably not experience any issues.

pralor-bot commented 2 years ago

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pihole-api-and-tasmota/57544/2

marcandrelevesque commented 1 year ago

You broke the API again with

Pi-hole v5.14.2 FTL v5.20 Web Interface v5.18

jfb-pihole commented 1 year ago

Please clarify how we "broke the API again."

We announced that we would make API changes:

https://pi-hole.net/blog/2022/11/17/upcoming-changes-authentication-for-more-api-endpoints-required/#page-content

Then, we made the changes and included the change in our release notes:

https://pi-hole.net/blog/2022/12/21/pi-hole-ftl-v5-20-and-web-v5-18-released/#page-content

marcandrelevesque commented 1 year ago

Stream Deck plugin calls to pihole do not register ... now I guess I know why. It seems like John Holbrook needs to update the plugin then.