Hello, I am trying to use the API endpoints but I have a problem. I succeed in getting a JWT token with /api/v1/security/login
and I use it with other API endpoints such as:
- /api/v1/me/
- /api/v1/me/roles/
These endpoints seem very simple to use (no parameters to define) but I always get the response: { "message": "Not authorized" }
I don't see why it fails. Thanks for your help.
Comment From: sebastianliebscher
Hi @xavier-GitHub76, what version are you running? I can replicate this issue on the latest master branch.
Steps to reproduce:
- check out master
- hit the endpoint
curl --request GET \
--url http://localhost:8088/api/v1/me/roles \
--header 'Authorization: Bearer token' \
--header 'X-CSRFToken: token'
- get 401 Unauthorized
Comment From: xavier-GitHub76
Thanks for your test. I use version 3.0.
Comment From: siddhartha8916
Make a request to http://localhost:8000/login with form data containing csrfToken, username and password. This will set a session in the browser, which will then be used to call the /me API. The CSRF token can be obtained from the login form.
Comment From: xavier-GitHub76
Hi, thanks a lot for your reply. I don't understand why we must use http://localhost:8000/login when the API endpoint 'login' exists. I can't find documentation about using the Superset API (just the Swagger, which does not specify the logical order of the endpoints).
I tried your example with Postman but I don't get the same result.
- {{url}}/api/v1/security/login --> OK, I get an access_token (which I store in a variable)
- {{url}}/api/v1/security/csrf_token/ --> OK, I get a csrf token (which I store in a variable)
- {{url}}/login
but I get this result:
On your screenshot you have 10 header parameters, I have just 9. Could you show me the details of your headers and the result of your execution?
- {{url}}/api/v1/me/ with access_token and csrf token
The result is always "Not authorized" 😞
Comment From: siddhartha8916
Send a GET request to the /login endpoint. There you'll get the HTML document containing csrf_token as a hidden input field. Extract the csrf_token and save it in a variable.
Then make a POST request to the /login endpoint with the body as FormData containing the csrf_token, username, and password. Then make a third request to the /me route. (You need not pass any extra Bearer token or header.)
Hope this works...
Comment From: xavier-GitHub76
Hello, first of all, thank you very much for your help. It is very pleasant. 👍 Unfortunately I fail. I don't understand the systematic use of the {{url}}/login web page although API endpoints exist: {{url}}/api/v1/security/login and {{url}}/api/v1/security/csrf_token/
I nevertheless tried your scenario.
I made the GET request on {{url}}/login and successfully retrieved the value of the hidden csrf_token variable.
I made the POST request on {{url}}/login with the body as FormData containing the csrf_token, username, and password:
I made the request on {{url}}/api/v1/me/ (with no Auth) but I got "message": "Not authorized"
Best regards
Comment From: xavier-GitHub76
Ideally I was thinking of using 100% API endpoints:
- {{url}}/api/v1/security/login
- {{url}}/api/v1/security/csrf_token/
- {{url}}/api/v1/me/
which would allow me to rely solely on the APIs (/api/v1) and manipulate JSON results. Thanks for your help.
Comment From: peanut00
Hello xavier-GitHub76,
Could you please advise on the interface you are using for API tests?
Thanks,
Comment From: xavier-GitHub76
Hello @peanut00 I use Postman.
Comment From: peanut00
Many Thanks for your help
Comment From: bryanjknight
Adding some logging within superset/views/users/api.py seems to show that the global user is not getting set when the request comes in to CurrentUserRestApi. Interestingly, it seems the current user API is the only one that uses g.user, based on a quick search.
Comment From: rusackas
@dosu-bot
Comment From: rusackas
Are people still having issues here? It's not clear to me if this is still a bug, or if there's just general confusion about API use.
Comment From: xavier-GitHub76
Hello @rusackas, I can't find precise documentation on the API.
I have done a lot of research (Google, GitHub, Slack) on the subject but cannot easily use the API. In particular, I read the following page: https://superset.apache.org/docs/api/ The available functions are well listed but the use of the JWT is not detailed. We know how to retrieve the value of the JWT token but, for example, it is not indicated that it must be passed in addition to the parameters specific to a function. This explanation can be found on sites such as Stack Overflow.
Unfortunately, sometimes providing a JWT token and a CSRF token is sufficient but this is not always the case (like this issue).
Providing a session cookie helps get around the problem but I don't understand why it is necessary when the technical identification elements are already provided.
By searching in /api/v1/_openapi we can see the functions requiring the JWT token: "security": [ { "jwt":[] } ],
Thanks for your help
Comment From: Vinayselukar21
@xavier-GitHub76
Were you able to fetch current user info from "/api/v1/me"?
Comment From: xavier-GitHub76
@Vinayselukar21
I succeeded in seeing a result, but by a means that does not seem correct to me.
The use of API functions should be based on the provision of a JWT token and a CSRF token; however, if I execute /api/v1/me/ with these tokens, I systematically get the return: { "message": "Not authorized" }
I manage to identify the user only by providing a cookie (retrieved after using the login page). This is not normal to me because the function returns a result without a JWT token.
Comment From: xavier-GitHub76
Result: Not authorized with JWT and CSRF
Result: OK with just a cookie:
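As an added example that is not part of this thread and not Superset's own code, the Python script below runs both paths discussed above, the 100% /api/v1 sequence (security/login, security/csrf_token/, me/) and the /login form plus session cookie sequence suggested by siddhartha8916, and returns the status and body that /api/v1/me/ answers with. It runs offline against FakeSuperset, a constructed stand-in that models only the behaviour the reporter observed on 3.0 (the JWT is accepted by /api/v1/security/csrf_token/ but /api/v1/me/ only honours the login session cookie); the login route /login/, the credentials admin/admin and the token values are assumptions of the example. Pass a requests.Session() instead of FakeSuperset() to run the same two functions against a real instance.

```python
"""Added example (not from the issue thread or the Superset project): runs the two
authentication paths discussed above against /api/v1/me/.
  1. pure API: POST /api/v1/security/login -> GET /api/v1/security/csrf_token/ -> GET /api/v1/me/
  2. browser-style: GET /login/ (hidden csrf_token) -> POST /login/ form -> GET /api/v1/me/ with cookie
FakeSuperset is a constructed offline stand-in reproducing only what the thread reports for 3.0
(path 1 answers 401 "Not authorized", path 2 answers 200); pass requests.Session() for a real server.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HiddenInputs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}  # name -> value of every <input type="hidden">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_csrf_token(login_html):
    """Return the csrf_token hidden field of the /login form (Flask-WTF's field name)."""
    parser = _HiddenInputs()
    parser.feed(login_html)
    if "csrf_token" not in parser.fields:
        raise ValueError("login page has no csrf_token hidden field")
    return parser.fields["csrf_token"]


def jwt_headers(access_token, csrf_token=None):
    """Headers for a JWT-authenticated API call; X-CSRFToken only once a token has been fetched."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if csrf_token:
        headers["X-CSRFToken"] = csrf_token
    return headers


def me_via_jwt(session, base_url, username, password):
    """Path 1, the 100% /api/v1 sequence. Returns (status, body) of /api/v1/me/."""
    r = session.post(f"{base_url}/api/v1/security/login",
                     json={"username": username, "password": password, "provider": "db", "refresh": True})
    r.raise_for_status()
    access = r.json()["access_token"]
    r = session.get(f"{base_url}/api/v1/security/csrf_token/", headers=jwt_headers(access))
    r.raise_for_status()
    r = session.get(f"{base_url}/api/v1/me/", headers=jwt_headers(access, r.json()["result"]))
    return r.status_code, r.json()


def me_via_session(session, base_url, username, password):
    """Path 2: log in through the HTML form so the session cookie is set, then call /api/v1/me/ bare."""
    r = session.get(f"{base_url}/login/")  # Flask-AppBuilder's login view (assumed); the thread writes /login
    r.raise_for_status()
    form = {"csrf_token": extract_csrf_token(r.text), "username": username, "password": password}
    session.post(f"{base_url}/login/", data=form).raise_for_status()  # cookie jar keeps the session cookie
    r = session.get(f"{base_url}/api/v1/me/")  # no Bearer, no X-CSRFToken
    return r.status_code, r.json()


class _Resp:
    """Just enough of requests.Response for the functions above."""
    def __init__(self, status, body):
        self.status_code, self._body = status, body
        self.text = body if isinstance(body, str) else ""
    def json(self):
        return self._body
    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}: {self._body}")


class FakeSuperset:
    """Constructed stand-in for a Superset 3.0 server; models only the behaviour the thread reports."""
    LOGIN_HTML = '<form method="post"><input type="hidden" name="csrf_token" value="form-csrf-123"></form>'
    USER, PASSWORD, JWT = "admin", "admin", "jwt-abc"  # assumed credentials and token values

    def __init__(self):
        self.has_session_cookie = False

    def get(self, url, headers=None):
        path, h = urlsplit(url).path, headers or {}
        if path == "/login/":
            return _Resp(200, self.LOGIN_HTML)
        if path == "/api/v1/security/csrf_token/" and h.get("Authorization") == f"Bearer {self.JWT}":
            return _Resp(200, {"result": "api-csrf-456"})  # the JWT is accepted here, as the reporter saw
        if path == "/api/v1/me/" and self.has_session_cookie:
            return _Resp(200, {"result": {"username": self.USER}})
        return _Resp(401, {"message": "Not authorized"})  # /api/v1/me/ ignores the Bearer header in 3.0

    def post(self, url, json=None, data=None, headers=None):
        path, creds = urlsplit(url).path, json or data or {}
        ok = creds.get("username") == self.USER and creds.get("password") == self.PASSWORD
        if path == "/api/v1/security/login" and ok:
            return _Resp(200, {"access_token": self.JWT, "refresh_token": "jwt-ref"})
        if path == "/login/" and ok and creds.get("csrf_token") == "form-csrf-123":
            self.has_session_cookie = True  # a real server would answer with Set-Cookie: session=...
            return _Resp(302, "")
        return _Resp(401, {"message": "Not authorized"})
```

With a real requests.Session() the cookie jar stores the session cookie from the POST to /login/ and the redirect is followed, so me_via_session ends at /api/v1/me/ with only that cookie, which is exactly the request the reporter found to work. The stand-in deliberately ignores the Authorization header on /api/v1/me/ to mirror bryanjknight's observation that g.user is not set for CurrentUserRestApi; on a build where that is fixed, me_via_jwt against the real server would return 200 as well.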
Comment From: Vinayselukar21
@xavier-GitHub76 Thanks for the help.
Comment From: rusackas
Sounds like this is largely resolved as far as any bug goes. I'll close it, but holler if it needs to be reopened and moved to a discussion.
Comment From: DarksChoise
@xavier-GitHub76 I have not been able to access this endpoint yet. Can you explain to me how? Can I do it using these 3 endpoints? {{url}}/api/v1/security/login {{url}}/api/v1/security/csrf_token/ {{url}}/api/v1/me/