List students doesn't work with Basic Auth #179

Closed
GeekJosh opened this issue Jul 2, 2020 · 9 comments
Labels
Status: Can't Recreate Unable to recreate using the provided information or recreation steps Status: Need Information More information is required to proceed

Comments

@GeekJosh

GeekJosh commented Jul 2, 2020

Reproduction Steps

Perform a GET request on the /students endpoint using basic authentication

Expected Behavior

A collection of students is returned

Actual Behavior

A 401 unauthorized response is received

Error Messages / Logs

{
    "code": "llms_rest_unauthorized_request",
    "message": "You are not allowed to list students.",
    "data": {
        "status": "401"
    }
}

System Information

System Report
LifterLMS Rest API 1.0.0-beta.12

@GeekJosh
Author

GeekJosh commented Jul 2, 2020

If you use the X-LLMS-CONSUMER-KEY and X-LLMS-CONSUMER-SECRET headers for authentication, then this endpoint returns a collection of students as expected

@thomasplevy
Contributor

Welcome to LifterLMS @GeekJosh!

I've reviewed this and using a clean local machine I am able to make requests to GET /students using basic auth without issue (also, I've reviewed your other issue, #178, and found the same result -- that it works as expected with basic auth).

Since you have two reports of issues where the requests work with header authorization but not basic authorization my assumption here is that your server is suffering from an issue that occurs on some servers where basic authentication is not available to PHP. This can be due to webserver or php configurations and this is the reason why we have header authentication available -- as an alternative when basic authentication isn't working.

Furthermore, based on how our authentication methods work, it's not possible (or at least very nearly impossible) for an endpoint to only work with header authentication or basic authentication.

There's no logic built into the controllers themselves to look for keys, that all happens during authentication (before the controller is invoked). By this I mean that the controllers don't check for your keys, the rest api initialization does (when WP itself runs hooks to determine if there's an authenticated user).

My guess is that any request you're making is not going to work with Basic Auth and that only header authentication is going to work for you. Can you let me know if I'm wrong about this and that you are able to make some requests with basic auth (but others with only header auth)?

It's also possible that you've passed the credentials incorrectly in your requests.

Depending on the language you're using, you'll need to build your credential string differently; here's a good example if you're using WordPress (and PHP): https://johnblackbourn.com/wordpress-http-api-basicauth/

In node the easiest way would be to use Node's URL object, our node api wrapper has a simple example: https://github.com/gocodebox/llms-api-node/blob/d0131f2b6902fd0af292937cadfb8f5b10b8b092/lib/Request.js#L50-L53

There's a native curl example in our API docs: https://developer.lifterlms.com/rest-api/#section/Authentication/Basic-Authentication

If you're not sure you've done it right, post up an example (redacting real keys, of course) and I'll have a closer look and let you know if I can spot an issue.
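As an added illustration of the "basic authentication is not available to PHP" explanation above (example code, not part of the LifterLMS REST API plugin), a small PHP check that shows whether the Basic Authorization header actually reaches PHP; the function name and the `$server` argument are assumptions.

```php
<?php
// Added example, not LifterLMS code: recover HTTP Basic Auth credentials from
// the server variables PHP may expose, so a 401 can be told apart from a
// header that never reached PHP. $server is assumed to be $_SERVER.
function example_basic_auth_credentials(array $server): ?array {
    // Apache with mod_php populates these directly from the Authorization header.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // CGI/FastCGI setups: the raw header arrives here, if it arrives at all.
    // REDIRECT_HTTP_AUTHORIZATION is what the .htaccess rule below produces.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        if (!preg_match('/^Basic\s+(\S+)$/i', $server[$key], $m)) {
            return null; // some other scheme (e.g. Bearer), not Basic
        }
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null; // malformed credential string
        }
        // Split on the first colon only: the secret may itself contain colons.
        return explode(':', $decoded, 2);
    }
    return null; // header never reached PHP: a webserver/PHP config problem
}

// Common Apache CGI/FastCGI fix, placed in .htaccess, which re-exposes the
// stripped header as REDIRECT_HTTP_AUTHORIZATION / HTTP_AUTHORIZATION:
//   RewriteEngine On
//   RewriteCond %{HTTP:Authorization} .
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

// Diagnostic use: a 401 together with null here means the credentials were
// stripped before PHP saw them, not that the consumer key/secret are wrong.
$creds = example_basic_auth_credentials($_SERVER);
if ($creds === null) {
    error_log('Basic Auth credentials not visible to PHP; check webserver/PHP config.');
} else {
    // Log only presence, never the key or secret themselves.
    error_log('Basic Auth credentials visible to PHP (key length ' . strlen($creds[0]) . ').');
}
```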

@thomasplevy thomasplevy added Status: Can't Recreate Unable to recreate using the provided information or recreation steps Status: Need Information More information is required to proceed labels Jul 2, 2020
@GeekJosh
Author

GeekJosh commented Jul 2, 2020 via email

@thomasplevy
Contributor

@GeekJosh could you export your Postman request (redact the keys) and post that so I can import and see what you're doing please?

@thomasplevy
Contributor

@GeekJosh could you check in with me on this one please?

@GeekJosh
Author

GeekJosh commented Jul 9, 2020

Sorry for the delay, Postman export:

{
	"info": {
		"_postman_id": "a9189efd-0cd8-4ccf-9736-d9826619e97d",
		"name": "LifterLMS",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
	},
	"item": [
		{
			"name": "Student List - Basic Auth",
			"request": {
				"auth": {
					"type": "basic",
					"basic": [
						{
							"key": "username",
							"value": "ck_5f1196--REDACTED--",
							"type": "string"
						},
						{
							"key": "password",
							"value": "cs_4b733b--REDACTED--",
							"type": "string"
						}
					]
				},
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://--REDACTED--/wp-json/llms/v1/students",
					"protocol": "https",
					"host": [
						--REDACTED--
					],
					"path": [
						"wp-json",
						"llms",
						"v1",
						"students"
					]
				},
				"description": "Returns 401"
			},
			"response": []
		},
		{
			"name": "Student List - Header Auth",
			"request": {
				"auth": {
					"type": "noauth"
				},
				"method": "GET",
				"header": [
					{
						"key": "X-LLMS-CONSUMER-KEY",
						"value": "ck_5f1196--REDACTED--",
						"type": "text"
					},
					{
						"key": "X-LLMS-CONSUMER-SECRET",
						"value": "cs_4b733b--REDACTED--",
						"type": "text"
					}
				],
				"url": {
					"raw": "https://--REDACTED--/wp-json/llms/v1/students",
					"protocol": "https",
					"host": [
						--REDACTED--
					],
					"path": [
						"wp-json",
						"llms",
						"v1",
						"students"
					]
				},
				"description": "Returns list as expected"
			},
			"response": []
		}
	],
	"protocolProfileBehavior": {}
}

@thomasplevy
Contributor

@GeekJosh thanks and no worries on the delay!

I've replaced the redacted urls with my local test site and the redacted keys with working read/write keys owned by an admin WP user and I'm seeing the same result (200 response) with both header and basic auth.

This seems to really indicate an issue with your server more than anything else. Are you absolutely certain that other endpoints are working with basic auth? Try the GET /api-keys or GET /courses with basic auth and let me know if you have the same experience -- if this is a basic auth issue -- which is how I'm leaning -- you'll see a 401 for these requests as well and a 200 for the requests when using header authentication.

If you're still seeing issues here (that basic auth does work on these requests but it doesn't on GET /students), we're in for some real strangeness, and I'd love it if you could provide me with a full list of your server specifications, plugins, etc... (basically everything we ask for in the issue template) so we can try to work through what's going on in your server / environment that's causing this bug.

Thanks,

@thomasplevy
Contributor

@GeekJosh bumping for requested information!

@thomasplevy
Contributor

Closing due to inactivity
