
Comments (8)

mooror avatar mooror commented on July 30, 2024

UPDATE 1: So I did some more research and found that I had misread some of the docs. I had not realized that this snippet:

RESTfulAPI_TokenAuthenticator:
    tokenOwnerClass: 'Member'

needed to be indented under the RESTfulAPI settings. Once I realized this I corrected my code (naturally) in the config.yml and rebuilt/flushed my install. After I did this I once again tried accessing the api/auth/login?email=*my-email*&pwd=*my-pass* url. This time I did not receive the empty json object but instead something like this:

{"result":true,"message":"Logged in.","code":0,"token":"5f7f32cc1d8b89c3efed2e3fohqWf5B0aGBPEUw59m5N9O7cjgcCC","expire":1456395040,"userID":1}

Of course, if this was not a localhost environment I would never post my tokens anywhere online, but in this case I am indeed on a localhost :D. Anyway, this I thought would be the end of my problems, as I thought I could use this new token in the url with ?X-Silverstripe-Apitoken=XX like you suggested in this post #28. However, even when adding my newly generated token I still got the error:

{"message":"Token invalid.","code":2}

So I'll keep working on solving this, but any help you can provide will be wonderful.

Thanks again,
Mooror

from silverstripe-restfulapi.

colymba avatar colymba commented on July 30, 2024

@mooror just some quick questions. Do you have a class ApiUser? This was in the doc as an example name if the authenticator was used with something else than a Member class.

Then, the token itself is usually passed in a request header named X-Silverstripe-Apitoken, but if you cannot modify the headers sent to the server, you can pass it as a query var, which seems to be your case; in that case, your query URL would look like api/Object?token=XXXXXXXX.

Those default X-Silverstripe-Apitoken and ?token are in the doc here https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/TokenAuthenticator.md and can be changed via config if needed.

Let me know how it goes.


mooror avatar mooror commented on July 30, 2024

Thank you colymba for your reply.
After adding the

extensions:
    - RESTfulAPI_TokenAuthExtension

code to the Member model instead of the ApiUser model and changing the tokenOwnerClass to Member (which I believe is the default) I was successfully able to retrieve a single record from my Package model with this url: localhost/silver/silver/api/package/5?token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC.

However, when trying to retrieve multiple records (with http://localhost/silver/silver/api/package?name=test&token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC) I get this error:

[User Error] Uncaught SS_DatabaseException: Couldn't run query: SELECT DISTINCT "Package"."ClassName", "Package"."LastEdited", "Package"."Created", "Package"."Name", "Package"."Description", "Package"."Price", "Package"."Maintainers", "Package"."PublishDate", "Package"."RepositoryLink", "Package"."Version", "Package"."Default", "Package"."ModeID", "Package"."TypeID", "Package"."CategoryID", "Package"."ThumbnailID", "Package"."ID", CASE WHEN "Package"."ClassName" IS NOT NULL THEN "Package"."ClassName" ELSE 'Package' END AS "RecordClassName" FROM "Package" WHERE ("name" = ?) AND ("token" = ?) LIMIT 100 Unknown column 'token' in 'where clause'

I double checked the database to confirm that I have a Package record with the name of test and found that I indeed did. So I tried disabling the authentication_policy and returning to the above url minus the token and it worked just fine. I even tried http://localhost/silver/silver/api/package?name=test?token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC
(which has a ? before the token instead of &) but this returned:

{"message":"Token invalid.","code":2}

Reversing the order of the token and name parameters also makes no difference. I'm not sure if this is a bug with passing tokens in through the url rather than the header, or if I am just being a noob and passing it in wrong.

Thanks in advance,
Mooror
P.S. I realize that the api engine/script is using the token parameter in the database query.


mooror avatar mooror commented on July 30, 2024

Also, how simple would it be to create a field in the CMS user profile page which would allow users to create an api token (and view their current one if they have already created one)?

Thanks in advance,
Mooror


mooror avatar mooror commented on July 30, 2024

Thinking on it more, I thought that most likely, if this was an issue with just passing the token in with the search parameters in the url, then passing the token in the (X-Silverstripe-Apitoken) header instead should work just fine. Sure enough, when I used Chrome's Postman and sent a GET request to http://localhost/silver/silver/api/package?name=test (with my api in the header) it worked just fine. In my case I have the ability to add my API token to the header in my server side 'app', however I am not sure if everyone else does. So this still might be a bug that needs fixing.

Thanks in advance,
Mooror


colymba avatar colymba commented on July 30, 2024

@mooror like you found, your error is due to the token query parameter.

And it is somewhat of a bug, more like something that should be in the default config...

Basically the QueryHandler parses the query parameters as column filters, and so thinks token is one of those.

This can easily be avoided by adding token to the skipedQueryParameters config of the RESTfulAPI_DefaultQueryHandler, see here: https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/DefaultQueryHandler.md

So for now, if you are still using the token query parameters, you could add this to your yaml config:

RESTfulAPI_DefaultQueryHandler:
  skipedQueryParameters:
    - 'TOKEN'

Sorry I forgot about this earlier, and yes this should be added to the default config.

To get the API token to show up in the CMS you could just create a new DataExtension and add it to your Member. There in the updateCMSFields you should be able to add again the token and life fields. These fields are removed by default by the RESTfulAPI_TokenAuthExtension, see here https://github.com/colymba/silverstripe-restfulapi/blob/master/code/authenticator/RESTfulAPI_TokenAuthExtension.php#L24

Hope this helps

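The query-parameter handling colymba describes, modelled in a stand-alone Python example (added here; it is not the module's own code): parameters become column filters unless they are in a skip list, which is why ?token=... ended up in the WHERE clause, and why the mistyped ?name=test?token=... never yielded a token at all. The Package table, its columns and the case-insensitive skip comparison are assumptions of this model.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the page's Package table (a subset of its columns).
PACKAGE_COLUMNS = ("ID", "Name", "Description", "Price")


def build_filters(query_string, skipped_params=()):
    """Map ?a=b&c=d onto [(param, value), ...], dropping any parameter listed
    in skipped_params. The case-insensitive comparison is an assumption of
    this model; the page only shows the config value written as 'TOKEN'."""
    skip = {p.lower() for p in skipped_params}
    return [(k, v[0]) for k, v in parse_qs(query_string).items()
            if k.lower() not in skip]


def build_query(table, filters, columns, limit=100):
    """Build a parameterised SELECT. Values travel as placeholders; filter
    names are resolved against an allowlist of real columns, so a stray
    parameter such as token is rejected here instead of reaching the
    database as an unknown identifier (the failure the page's error shows)."""
    canonical = {c.lower(): c for c in columns}
    where, params = [], []
    for name, value in filters:
        column = canonical.get(name.lower())
        if column is None:
            raise ValueError(f"unknown filter column: {name}")
        where.append(f'("{column}" = ?)')
        params.append(value)
    sql = f'SELECT "ID", "Name" FROM "{table}"'
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + f" LIMIT {limit}", params


def fetch_packages(query_string, skipped_params=()):
    """Run one request against an in-memory table with a single constructed
    row (ID 5, Name 'test'). Returns the matching names, or the rejection
    message when a parameter could not be mapped to a column."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Package" (ID INTEGER, Name TEXT, '
                 'Description TEXT, Price REAL)')
    conn.execute('INSERT INTO "Package" VALUES (5, ?, ?, 1.0)',
                 ("test", "constructed row"))
    try:
        filters = build_filters(query_string, skipped_params)
        sql, params = build_query("Package", filters, PACKAGE_COLUMNS)
    except ValueError as exc:
        return str(exc)
    return [row[1] for row in conn.execute(sql, params)]
```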

nimeso avatar nimeso commented on July 30, 2024

@colymba I'm having similar issues. Any help would be great :)

I have:

MyMember:
has_many: MyObject

MyObject
has_one: MyMember

coolness!...

I've got it so mysite/api/MyObject/123?token=123 and mysite/api/MyObject?token=123 work but I only want the member to be able to access/view/edit MyObjects they own and not other MyMembers.

Maybe you can point me in the right direction?

Cheers heaps


colymba avatar colymba commented on July 30, 2024

@nimeso this isn't really related to token authentication. You need to look into api_access_control, see https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/RESTfulAPI.md

This thread is about what you are trying to achieve: #49

