Defect #32315

closed

Impossible to validate API key without modifying anything

Added by Nathan Cutler almost 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:
Description

AFAICT the Redmine API has no way of validating whether a given API key is valid, short of actually attempting a write operation (POST, PUT, DELETE).

With the GitHub API, you can do:

curl --silent 'https://api.github.com/repos/myuser/myrepo/pulls/19999?access_token=invalid'
{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3" 
}

Would be great to have something like this in the Redmine API as well! Thanks for the cool software.


Related issues

Related to Redmine - Feature #30086: Use HTTP status code 403 instead of 401 when REST API is disabled (Closed, Go MAEDA)

Actions #1

Updated by Nathan Cutler almost 5 years ago

Try, for example:

$ curl --silent 'https://www.redmine.org/issues/32315.json?key=invalid'
Actions #2

Updated by Go MAEDA almost 5 years ago

  • Category set to REST API
Actions #3

Updated by Go MAEDA almost 5 years ago

In the upcoming Redmine 4.1.0, you can determine if an API key is valid by checking the HTTP status code of a GET request.

Redmine 4.1.0 returns "401 Unauthorized" only when the given credential is incorrect. However, in prior versions, 401 is returned even when the REST API is disabled. The behavior change was made by #30086.

$ curl --dump-header /dev/stdout 'http://redmine-trunk.test/issues.xml?key=randompassword'
HTTP/1.1 401 Unauthorized
.
.
.
Actions #4

Updated by Go MAEDA almost 4 years ago

  • Related to Feature #30086: Use HTTP status code 403 instead of 401 when REST API is disabled added
Actions #5

Updated by Go MAEDA almost 4 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in Redmine 4.1.0 (#30086).

You can check if an API is correct or incorrect by sending a GET request. The API key is incorrect if the HTTP status code is 401.
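
The check described in this thread as a script, added here as an example (not code from the thread or from Redmine itself): it sends one read-only GET and maps the status code to a verdict. The `/users/current.json` endpoint, the `X-Redmine-API-Key` header (used so the key stays out of URLs and access logs) and the `REDMINE_URL` / `REDMINE_API_KEY` variable names are choices made for this example; the 401 reading holds only for Redmine 4.1.0 and later.

```shell
#!/bin/sh
# Added example: validate a Redmine API key without modifying anything.
# Assumes Redmine >= 4.1.0, where 401 means "incorrect credential" and a
# disabled REST API answers 403 instead (#30086). On older versions a 401
# is ambiguous, because it is also returned when the REST API is disabled.

# Map an HTTP status code to a verdict.
classify_status() {
  case "$1" in
    200) echo "valid" ;;
    401) echo "invalid-key" ;;
    403) echo "api-disabled" ;;
    000) echo "no-response" ;;     # curl could not reach the server
    *)   echo "indeterminate" ;;   # redirect, proxy error, 5xx, ...
  esac
}

# check_redmine_key BASE_URL KEY
# Sends a single GET for the current user and prints the verdict.
# The key is fed to curl as a header on stdin (--header @-, curl >= 7.55.0),
# so it appears neither in the URL nor in the curl process arguments.
check_redmine_key() {
  _base="${1%/}"   # drop a trailing slash, if any
  _key="$2"
  _code=$(printf 'X-Redmine-API-Key: %s\n' "$_key" |
    curl --silent --output /dev/null --max-time 10 \
         --header @- --write-out '%{http_code}' \
         "$_base/users/current.json") || _code="000"
  classify_status "$_code"
}

# Runs only when both variables are set, e.g.
#   REDMINE_URL=https://redmine.example.org REDMINE_API_KEY=... sh check_key.sh
if [ -n "${REDMINE_URL:-}" ] && [ -n "${REDMINE_API_KEY:-}" ]; then
  check_redmine_key "$REDMINE_URL" "$REDMINE_API_KEY"
fi
```
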
