sdiaz / FOSRestBundleByExample

FOSRestBundle example project with Symfony 2.6 standard distribution
MIT License

403 forbidden on Api Doc #22

Open bambamboole opened 9 years ago

bambamboole commented 9 years ago

Hi,

I only get 403 forbidden with the sandbox requests.

Same error also with the POST /api/v1/users.{_format} for creating a new user.

I only cloned the repo, did composer install and travis.sh.

And another question,

From where do I get the salt for the POST /api/v1/tokens.{_format} ?

sdiaz commented 9 years ago

Try now

bambamboole commented 9 years ago

Same issue on GET /api/v1/users.json with removed @Secure(roles="ROLE_API") in UserRestController.

response header:

403 Forbidden

Date: Sat, 13 Jun 2015 14:04:03 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/237598
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 237598

My development environment is a Vagrant/Homestead VM.

bambamboole commented 9 years ago

Update:

Now I tried random salt and the POST /api/v1/tokens.{_format} works.

But when I add a header to another request with key `X-WSSE` and value `UsernameToken Username="admin", PasswordDigest="NdACxnR5GYgNMKyfyz3csELriwA=", Nonce="ZGY5ZDEyZTI5YjUyZmM4Mg==", Created="2015-06-13T21:25:25Z"`

I only get back:

401 WSSE authentication failed.

Date: Sat, 13 Jun 2015 21:25:57 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/95e38b
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 95e38b

I don't know what my error is...

kahllac commented 9 years ago

How do you get the UsernameToken?

kahllac commented 9 years ago

Can you post your security.yml?

bambamboole commented 9 years ago

security.yml:

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_API, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        # profiler, toolbar and static assets are not secured
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # everything under /api/v1/ except the tokens route requires a WSSE header
        wsse_secured:
            pattern:      ^/api/v1/((?!tokens))
            context:      user
            stateless:    true
            wsse:
                nonce_dir: null
                provider: fos_userbundle
                lifetime: 600
            anonymous:    false

    access_control:
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
```

I got the token with the POST /api/v1/tokens.{_format} route and username: admin, password: password, salt: a random string of 22 characters.

kahllac commented 9 years ago

Generate your token on the client side. Use this: http://www.teria.com/~koseki/tools/wssegen/ for testing.

sdiaz commented 9 years ago

The pattern applied is an example; you could, for example, replace it with `wsse_secured: pattern: ^/api/v1/(?!tokens|salt)([a-z0-9]+)$`

And then the SALT resource and TOKENS will be available without authentication. The thing is that POST USER is not under this pattern, so you could not access it due to HTTP/1.1 401 WSSE authentication failed.

You can play with this, or we may expose SALT, TOKENS and POST USER in a "public" URL so it can be accessible outside the firewall.

bambamboole commented 9 years ago

Yeah, now I can get the salt.

But getting the list of all users still doesn't work with the X-WSSE request header.

And how can I make POST User (register new user) accessible outside the firewall? In my opinion it doesn't make sense to put the register new user service behind a firewall, so that only registered users can access it, or?

Generated X-WSSE header (http://www.teria.com/~koseki/tools/wssegen/):

X-WSSE: UsernameToken Username="admin", PasswordDigest="U0pduqVyf51X2upww1sZf/qDH6s=", Nonce="MmQ2NzU1MDVjNmNiYjNmNw==", Created="2015-06-14T16:30:53Z"

apidoc response:

```
Request URL GET /api/v1/users.json

Response Headers 401 Unauthorized

Date: Sun, 14 Jun 2015 16:44:56 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/356d9f
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 356d9f

Response Body { "code": 401, "message": "You are not authenticated" }
```

bambamboole commented 9 years ago

Sorry, but I have to ask again:

I tried almost everything to solve this problem...

  1. I get the salt with the username (admin) at the salt route.
  2. I get the token via the get token route and the parameters username (admin), password (password) and salt (from point 1), and I get the token.
  3. Now I want to get the whole user from the get users route and set the header: X-WSSE: UsernameToken Username="admin", PasswordDigest="HaWV3r1eBiP6LMGuFQGQ11gHQI4=", Nonce="ZjAyNTA0NDI0MmUxZTllYw==", Created="2015-06-25T15:09:19+02:00"

That doesn't work...

Every time I get a 401.

Please help me :-(

kahllac commented 9 years ago

You use nelmio for your test?

bambamboole commented 9 years ago

Yes!

kahllac commented 9 years ago

I had the same problem. It works if you resend the POST with the good WSSE header via Firebug or a Chrome REST plugin.
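Kahllac's advice to build the WSSE header on the client and the repeated 401 in this thread can both be reproduced offline. The block below is an added example, not code from this repository or from the wssegen page: it assumes the digest rule of the Symfony WSSE cookbook (PasswordDigest = Base64(SHA1(raw nonce + Created + secret)), header Nonce = Base64(raw nonce)), treats the secret as an input because the thread does not say what the tokens route returns, and on the checking side applies the same lifetime (600 s) and nonce-reuse rules a wsse firewall enforces, so a 401 can be narrowed to a bad digest, a stale Created or a reused nonce.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Header grammar of the Symfony WSSE cookbook listener (assumed to match the project's).
WSSE_RE = re.compile(
    r'UsernameToken Username="(?P<username>[^"]+)", '
    r'PasswordDigest="(?P<digest>[^"]+)", '
    r'Nonce="(?P<nonce>[a-zA-Z0-9+/]+={0,2})", '
    r'Created="(?P<created>[^"]+)"')

def password_digest(nonce_raw: bytes, created: str, secret: str) -> str:
    """PasswordDigest = Base64(SHA1(raw nonce + Created + secret))."""
    return base64.b64encode(hashlib.sha1(nonce_raw + created.encode() + secret.encode()).digest()).decode()

def parse_created(created: str) -> datetime:
    """Accepts both the "...Z" form and offsets such as +02:00 seen in the thread."""
    return datetime.fromisoformat(created.replace("Z", "+00:00"))

def build_wsse_header(username, secret, created=None, nonce_raw=None):
    """Client side: the value to send as X-WSSE, with a fresh random nonce by default."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce_raw = nonce_raw or os.urandom(16)
    return (f'UsernameToken Username="{username}", '
            f'PasswordDigest="{password_digest(nonce_raw, created, secret)}", '
            f'Nonce="{base64.b64encode(nonce_raw).decode()}", Created="{created}"')

def verify_wsse_header(header, secret_for, seen_nonces, now=None, lifetime=600):
    """Server side: "ok", or the reason a wsse firewall would answer 401."""
    m = WSSE_RE.search(header)
    if not m:
        return "malformed"
    now = now or datetime.now(timezone.utc)
    age = now - parse_created(m["created"])
    if age < timedelta(seconds=-5) or age > timedelta(seconds=lifetime):
        return "expired"          # Created in the future or older than lifetime
    if m["nonce"] in seen_nonces:
        return "nonce replayed"   # what the nonce_dir store in the firewall config is for
    secret = secret_for(m["username"])
    if secret is None:
        return "unknown user"
    expected = password_digest(base64.b64decode(m["nonce"]), m["created"], secret)
    if not hmac.compare_digest(expected, m["digest"]):
        return "bad digest"       # wrong secret, or digest built with a different rule
    seen_nonces.add(m["nonce"])
    return "ok"
```

The secret passed to `secret_for` must be whatever the server hashes into the digest for that user; if the server uses the stored (bcrypt) password hash rather than the plain password, a header built from "password" yields "bad digest" exactly as in the thread.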