Comments (8)
UPDATE 1: So I did some more research and found that I had miss-read some of the docs. I had not realized that this snippet:
RESTfulAPI_TokenAuthenticator:
tokenOwnerClass: 'Member'
needed to be indented under the RESTfulAPI
settings. Once I realized this I corrected my code (naturally) in the config.yml and rebuilt/flushed my install. After I did this I once again tried accessing the api/auth/login?email=*my-email*&pwd=*my-pass*
url. This time I did not receive the empty json object but instead something like this:
{"result":true,"message":"Logged in.","code":0,"token":"5f7f32cc1d8b89c3efed2e3fohqWf5B0aGBPEUw59m5N9O7cjgcCC","expire":1456395040,"userID":1}
Of course, if this was not a localhost environment I would never post my tokens anywhere online, but in this case I am indeed on a localhost :D. Any way, This I though would be the end to my problems as I thought I could use this new token in the url with ?X-Silverstripe-Apitoken=XX
like you suggested in this post #28. However even when adding my newly generated token I still got the error:
{"message":"Token invalid.","code":2}
So Ill keep working on solving this, but any help you can provide will be wonderful.
Thanks again,
Mooror
from silverstripe-restfulapi.
@mooror just some quick questions. Do you have a class ApiUser
? This was in the doc as an example name if the authenticator was used with something else that a Member
class.
Then, the token itself, is usually passed in a request header named X-Silverstripe-Apitoken
, but if you cannot modify the headers send to the server, you can pass it as a query var, which seem to be your case, in that case, your query URL would look like api/Object?token=XXXXXXXX
.
Thos default X-Silverstripe-Apitoken
and ?token
are in the doc here https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/TokenAuthenticator.md and can be changed via config if needed.
let me know how it goes
from silverstripe-restfulapi.
Thank you colymba for your reply.
After adding the
extensions:
- RESTfulAPI_TokenAuthExtension
code to the Member
model instead of the ApiUser
model and changing the tokenOwnerClass
to Member
(which I believe is the default) I was successfully able to retrieve a single record from my Package
model with this url: localhost/silver/silver/api/package/5?token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC
.
However when trying to retrieve multiple records (with http://localhost/silver/silver/api/package?name=test&token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC
I get this error:
[User Error] Uncaught SS_DatabaseException: Couldn't run query: SELECT DISTINCT "Package"."ClassName", "Package"."LastEdited", "Package"."Created", "Package"."Name", "Package"."Description", "Package"."Price", "Package"."Maintainers", "Package"."PublishDate", "Package"."RepositoryLink", "Package"."Version", "Package"."Default", "Package"."ModeID", "Package"."TypeID", "Package"."CategoryID", "Package"."ThumbnailID", "Package"."ID", CASE WHEN "Package"."ClassName" IS NOT NULL THEN "Package"."ClassName" ELSE 'Package' END AS "RecordClassName" FROM "Package" WHERE ("name" = ?) AND ("token" = ?) LIMIT 100 Unknown column 'token' in 'where clause'
I double checked the database to confirm that I have a Package record with the name of test
and found that I indeed did. So I tried disabling the authentication_policy
and returning to the above url minus the token and it worked just fine. I even tried http://localhost/silver/silver/api/package?name=test?token=df7ea9f738ee6902b745duQtPvSv6mGl9caWiaFQMf6cgHCkbzIsC
(which has a ? before the token instead of &) but this returned:
{"message":"Token invalid.","code":2}
Reversing the order of the token and name perimeters also make no difference. I'm not sure if this is a bug with passing tokens in through the url rather then the header.Or if I am just being a noob and passing it in wrong.
Thanks in advance,
Mooror
P.S. I realize that the api engine/script is using the token perimeter in the database query.
from silverstripe-restfulapi.
Also, how simple would it be to create a field in the CMS user profile page which would allow users to create an api token (and view there current one if they have already created one)
Thanks in advance,
Mooror
from silverstripe-restfulapi.
Thinking on it more, I thought that it was most likely if this was an issue with just the passing the token in with search parameters in url, then passing the token in the (X-Silverstripe-Apitoken) header instead should work just fine. Sure enough when I used Chrome's Postman and sent a Get request to `http://localhost/silver/silver/api/package?name=test (with my api in the header) it worked just fine.In my case I have the ability to add my API token to the header in my Server side 'app', however I am not sure if everyone else does. So this still might be a bug that needs fixing.
Thanks in advance,
Mooror
from silverstripe-restfulapi.
@mooror like you found, your error is due to the token
query parameter.
And it is somewhat of a bug, more like something that should be in the default config...
Basically the QueryHandler parses the query parameters as column filter, and so thinks token
is one of those.
This can easily be avoided by adding token
to the skipedQueryParameters
config of the RESTfulAPI_DefaultQueryHandler
, see here: https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/DefaultQueryHandler.md
So for now, if you are still using the token
query parameters, you could add this to your yaml config:
RESTfulAPI_DefaultQueryHandler:
skipedQueryParameters:
- 'TOKEN'
Sorry I forgot about this earlier, and yes this should be added to the default config.
To get the API token to show up in the CMS you could just create a new DataExtension
and add it to your Member. There in the updateCMSFields
you should be able to add again the token and life fields. These fields are removed by default by the RESTfulAPI_TokenAuthExtension
, see here https://github.com/colymba/silverstripe-restfulapi/blob/master/code/authenticator/RESTfulAPI_TokenAuthExtension.php#L24
Hope this helps
from silverstripe-restfulapi.
@colymba I'm having similar issues. Any help would be great :)
I have:
MyMember:
has_many: MyObject
MyObject
has_one: MyMember
coolness!...
I've got it so mysite/api/MyObject/123?token=123 and mysite/api/MyObject?token=123 work but I only want the member to be able to access/view/edit MyObjects they own and not other MyMembers.
Maybe you can point me it the right direction?
Cheers heaps
from silverstripe-restfulapi.
@nimeso this isn't really related to token authentication. You need to look into api_access_control
, see https://github.com/colymba/silverstripe-restfulapi/blob/master/doc/RESTfulAPI.md
This thread is about what you are trying to achieve: #49
from silverstripe-restfulapi.
Related Issues (20)
- Embedded Records not working as expected, or at all HOT 2
- Pagination for the Json
- The full configuration for BlogCategories & FeaturedImage
- Setting tokenOwnerClass HOT 2
- password with special characters HOT 1
- Response code 100 when post object has more than 3 relations
- CORS not working - Question really HOT 1
- api/auth/lostPassword -> BadMethodCallException
- New release? HOT 1
- Created, LastEdited never seem to be returned HOT 3
- Specify fields to be returned HOT 2
- default limit? HOT 1
- Access to token on dataobjects HOT 2
- Why convert properties and model names by "lcfirst"? HOT 1
- Lost password existing account disclosure HOT 4
- Can I call multiple dataobject in one api request and response in one json object?
- How to prevent POST requests specifying ID HOT 1
- SilverStripe 4 Support HOT 1
- model_permission_check instanceof Member not namespaced HOT 1
- Getting error: Call to undefined method SilverStripe\Config\Collections\CachedConfigCollection::set()
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from silverstripe-restfulapi.