Defect #32315

Impossible to validate API key without modifying anything

Added by Nathan Cutler about 1 year ago. Updated about 1 month ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution: Fixed
Affected version:

Description

AFAICT the Redmine API has no way of validating whether a given API key is valid, short of actually attempting a write operation (POST, PUT, DELETE).

With the GitHub API, you can do:

curl --silent 'https://api.github.com/repos/myuser/myrepo/pulls/19999?access_token=invalid'
{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3" 
}

Would be great to have something like this in the Redmine API as well! Thanks for the cool software.


Related issues

Related to Redmine - Feature #30086: Use HTTP status code 403 instead of 401 when REST API is ... Closed

History

#1 Updated by Nathan Cutler about 1 year ago

Try, for example:

$ curl --silent 'https://www.redmine.org/issues/32315.json?key=invalid'

#2 Updated by Go MAEDA about 1 year ago

  • Category set to REST API

#3 Updated by Go MAEDA about 1 year ago

In the upcoming Redmine 4.1.0, you can determine if an API key is valid by checking the HTTP status code of a GET request.

Redmine 4.1.0 returns "401 Unauthorized" only when the given credential is incorrect. However, in prior versions, 401 is returned even when the REST API is disabled. The behavior change was made by #30086.

$ curl --dump-header /dev/stdout 'http://redmine-trunk.test/issues.xml?key=randompassword'
HTTP/1.1 401 Unauthorized
.
.
.

#4 Updated by Go MAEDA about 1 month ago

  • Related to Feature #30086: Use HTTP status code 403 instead of 401 when REST API is disabled added

#5 Updated by Go MAEDA about 1 month ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in Redmine 4.1.0 (#30086).

You can check if an API is correct or incorrect by sending a GET request. The API key is incorrect if the HTTP status code is 401.
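
The read-only check described in comments #3 and #5, as an added example that is not part of the original thread or Redmine's own code. It assumes Redmine 4.1.0 or later, the `/users/current.json` endpoint as the probe, and the `X-Redmine-API-Key` request header; the function names and the `REDMINE_API_KEY` variable are hypothetical.

```shell
#!/bin/sh
# Added example: validate a Redmine API key with a GET request only.
# Assumes Redmine >= 4.1.0, where 401 means a bad credential and 403 is
# used when the REST API is disabled (#30086). On older versions 401 is
# ambiguous, so "invalid" cannot be trusted there.

# Map an HTTP status code to a verdict.
classify_status() {
    case "$1" in
        200) echo valid ;;
        401) echo invalid ;;
        403) echo api-disabled ;;   # per #30086
        000) echo unreachable ;;    # curl could not get a response
        *)   echo "unexpected-$1" ;;
    esac
}

# check_redmine_key BASE_URL
# Reads the key from $REDMINE_API_KEY, prints a verdict, and returns 0
# only when the key is valid.
check_redmine_key() {
    base=${1%/}
    # Refuse empty keys and anything that would need quoting in the
    # curl config line below.
    case "${REDMINE_API_KEY:-}" in
        ''|*[!0-9A-Za-z]*) echo bad-key-format; return 2 ;;
    esac
    # The key travels in a header passed on stdin (--config -), so it
    # appears neither in the URL (server and proxy logs) nor in the
    # process list, unlike ?key=... on the command line.
    code=$(printf 'header = "X-Redmine-API-Key: %s"\n' "$REDMINE_API_KEY" |
        curl --silent --output /dev/null --max-time 10 \
             --write-out '%{http_code}' --config - \
             "${base}/users/current.json") || code=000
    verdict=$(classify_status "$code")
    echo "$verdict"
    [ "$verdict" = valid ]
}

# Usage (constructed host name):
#   REDMINE_API_KEY=... check_redmine_key https://redmine.example
```
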
