Fix Swagger and API auth #18008
Fix Swagger and API auth #18008
Conversation
|
The new API should also allow sessions from cookies. Several routes use the CookieAuthMiddleware to allow this. |
Pierstoval
force-pushed
the
18005-fix-api
branch
from
fcef2d8
to
009caf0
Compare
|
Fix scope handling for authorization grant: diff --git a/src/Glpi/Api/HL/Controller/CoreController.php b/src/Glpi/Api/HL/Controller/CoreController.php
index c431416b7a..582d52cbe4 100644
--- a/src/Glpi/Api/HL/Controller/CoreController.php
+++ b/src/Glpi/Api/HL/Controller/CoreController.php
@@ -426,9 +426,9 @@ HTML;
$user_id = Session::getLoginUserID();
if ($user_id === false) {
// Redirect to login page
- $scope = implode(',', $auth_request->getScopes());
+ $scope = implode(',', array_map(static fn ($s) => $s->getIdentifier(),$auth_request->getScopes()));
$client_id = $auth_request->getClient()->getIdentifier();
- $redirect_uri = $this->getAPIPathForRouteFunction(self::class, 'authorize');
+ $redirect_uri = self::getAPIPathForRouteFunction(self::class, 'authorize');
$redirect_uri .= '?scope=' . $scope . '&client_id=' . $client_id . '&response_type=code&redirect_uri=' . urlencode($auth_request->getRedirectUri());
$redirect_uri = $CFG_GLPI['url_base'] . '/api.php/v2' . $redirect_uri;
return new Response(302, ['Location' => $CFG_GLPI['url_base'] . '/?redirect=' . rawurlencode($redirect_uri)]);
@@ -455,7 +455,7 @@ HTML;
return $response;
} catch (OAuthServerException $exception) {
return $exception->generateHttpResponse(new Response());
- } catch (\Throwable) {
+ } catch (\Throwable $exception) {
return new JSONResponse(null, 500);
}
}Fix IP restriction middleware when using a cookie session/non-OAuth client: diff --git a/src/Glpi/Api/HL/Middleware/IPRestrictionRequestMiddleware.php b/src/Glpi/Api/HL/Middleware/IPRestrictionRequestMiddleware.php
index f7ce761214..5b165a6c51 100644
--- a/src/Glpi/Api/HL/Middleware/IPRestrictionRequestMiddleware.php
+++ b/src/Glpi/Api/HL/Middleware/IPRestrictionRequestMiddleware.php
@@ -53,13 +53,17 @@ class IPRestrictionRequestMiddleware extends AbstractMiddleware implements Reque
$request_ip = $_SERVER['REMOTE_ADDR'];
- $allowed_ips = $DB->request([
+ $it = $DB->request([
'SELECT' => ['allowed_ips'],
'FROM' => 'glpi_oauthclients',
'WHERE' => [
'identifier' => $client['client_id']
]
- ])->current()['allowed_ips'];
+ ]);
+ $allowed_ips = [];
+ if (count($it)) {
+ $allowed_ips = $it->current()['allowed_ips'];
+ }
if (empty($allowed_ips)) {
// No IP restriction |
Pierstoval
force-pushed
the
18005-fix-api
branch
from
0f8f9da
to
798d81d
Compare
|
@cconard96 This fixes a few things, however the infinite loop issue remains.
|
It it supposed to redirect to the login page (index) if not authenticated with the the |
Pierstoval
force-pushed
the
18005-fix-api
branch
from
798d81d
to
a4ba651
Compare
|
@cconard96 I saw that in the Do you think you could checkout this PR locally and try to reproduce it? Because to me, even with a fresh setup, this creates the reported infinite redirection |
Makes sense. Like I said, it is like it isn't using cookies/sessions for this part anymore. Maybe because the new API URLs match both the NO_COOKIE_PATHS and NO_SESSION_PATHS patterns in SessionStart,php? Just changing these patterns didn't resolve the issue for me so there is probably more wrong here. Also, not sure even the legacy API should block sessions (if that is indeed what that property means) since that API doesn't function session-less. |
Pierstoval
force-pushed
the
18005-fix-api
branch
2 times, most recently
from
7a53119
to
38d2679
Compare
|
@Pierstoval Could you try to rebase on the current state of the main branch and see if the infinite loop issue persists ? |
Pierstoval
force-pushed
the
18005-fix-api
branch
from
38d2679
to
8966aa8
Compare
|
|
On my ungoogled chromium I have no redirection, but I still have the infinite loop on Firefox due to no cookie stored. The strangest part is that on other applications also using |
Fixes #18005
(this is still a WIP) for now