Return a 401 error when auth info is not provided in endpoint requiring default auth #91
Comments
|
Thanks for providing a test repo! That's always greatly appreciated. You need to login and then pass a user ID and auth token to any authenticated routes (unless you provide custom auth). The repro steps you provided in your test repo cause an expected error (although I admit there's room for some much clearer error handling there). You are declaring the route as requiring authentication, but are not providing the user ID and auth token in the headers. This is the intended behavior. Please read more on authentication in Restivus. I'm going to close this issue, but if for some reason I've misunderstood you and you still feel this is unresolved, please feel free to reopen it and continue the discussion. Thanks! |
|
Actually, I'm going to reopen this until I return a |
kahmali
changed the title
|
Thanks for the quickness of your response to this issue. The problem may be a little deeper, or is perhaps a documentation issue. I seem unable to generate a userID and auth token (which I did attempt before I opened this issue). According to the docs, I make a request to the login endpoint like so: but I receive the following response:
I also get the response above if I use a REST client or query params. My understanding from the instructions ("The response will look like this, which you must save (for subsequent authenticated requests):") is that I should be able to make this request by submitting new credentials, and then get the generated authToken and userId, which I subsequently pass in the header to authenticate my requests. However, I receive the above error instead. So I am either not following the instructions correctly, or there is another issue. By the way, I appreciate the work you've been doing on this meteor package. Other than the above issue, I have found the API to be very clean and easy to use. |
|
Ah, I think I see the issue. I will certainly review the authentication section of the docs and try to provide some more details there and make things clearer. The docs are assuming that you have already created that user. You can do that by just adding a POST collection endpoint for your |
|
Ah, yes, that makes sense now that you point that out. I apologize for my confusion, but I agree it's an opportunity to make the docs more idiot-proof. Thank you. |
|
No problem! I agree. I'll definitely update that section of the docs. Thanks for reporting the issue! |
- Remove dependency on `useAuth` API config option for endpoint authentication (#49) - Rename API config option `useAuth` to `useDefaultAuth` to better reflect it's purpose, which is to generate the default auth endpoints - `useAuth` will still work, for backwards-compatibility - Return a 401 error when auth info is not provided in endpoint requiring default auth (#91)
- Remove dependency on `useAuth` API config option for endpoint authentication (#49) - Rename API config option `useAuth` to `useDefaultAuth` to better reflect it's purpose, which is to generate the default auth endpoints - `useAuth` will still work, for backwards-compatibility - Return a 401 error when auth info is not provided in endpoint requiring default auth (#91)
|
Resolved in 5bf092b |
- Remove dependency on `useAuth` API config option for endpoint authentication (#49) - Rename API config option `useAuth` to `useDefaultAuth` to better reflect it's purpose, which is to generate the default auth endpoints - `useAuth` will still work, for backwards-compatibility - Return a 401 error when auth info is not provided in endpoint requiring default auth (#91)
|
Thanks for the good work, however i have the same issue as gabrielliwerant reported
Thanks |
|
Hi @thierrysikora. To answer your questions:
|
|
Hello! It's not worth re-opening this issue for this, but I am just commenting to say that I had a similar problem as above, but what I was doing wrong was using the user ID rather than the email address of the user I had created. It was not obvious from the docs that it would guess from the email which user I intended, rather than using the ID of the user object. I am new to Meteor though, so perhaps this is obvious to people usually. Otherwise, perhaps a recommendation for future docs updates would be that the "user" request parameter can be the email address. Thanks for the great repo by the way! |
|
@markmacgillivray I completely agree. This ambiguous field name was a carry-over from the original RestStop2 API that Restivus was inspired by. I just opened #121 to resolve this. Thanks for reporting this, and an even bigger thanks for the compliment! |
I created a fresh repo here that enables demonstration of the issue: https://github.com/gabrielliwerant/meteor-restivus-bug.
When attempting to use authentication with a GET route, we are presented with the following stack trace:
TypeError: Not a string or buffer at Hash.update (crypto.js:240:17) at Object.Accounts._hashLoginToken (packages/accounts-base/accounts_server.js:577:1) at [object Object].Restivus.config.auth.user (packages/nimble:restivus/lib/restivus.coffee:15:27) at Route.Route._authenticate (packages/nimble:restivus/lib/route.coffee:159:34) at Route.Route._authAccepted (packages/nimble:restivus/lib/route.coffee:146:8) at Route.Route._callEndpoint (packages/nimble:restivus/lib/route.coffee:124:9) at [object Object].Router.route.action (packages/nimble:restivus/lib/route.coffee:46:31) at boundNext (packages/iron:middleware-stack/lib/middleware_stack.js:251:1) at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108:1) at packages/meteor/dynamics_nodejs.js:121:1
The text was updated successfully, but these errors were encountered: