Authentication via https://ACCESS_TOKEN@HOST/api/v1/entries.json seems to no longer work #8228

Open
15characterlimi opened this issue Feb 19, 2024 · 0 comments

15characterlimi commented Feb 19, 2024

Describe the bug

Authentication by specifying the access token in the Nightscout URL through HTTP authentication (putting it in front of the hostname separated by "@") no longer works.

To Reproduce
Steps to reproduce the behavior:

Below, replace ACCESS_TOKEN with an access token with role device-readwrite set up in Nightscout, and replace HOST with the hostname of a Nightscout instance (ends with ".code.run"). Then:

  • (a) If I open the URL https://HOST/api/v1/entries.json?token=ACCESS_TOKEN in a browser (i.e. via HTTP GET), it lists an array of my latest glucose values, in JSON format.
  • (b) If I instead open the URL https://ACCESS_TOKEN@HOST/api/v1/entries.json in a web browser then I get redirected to the same URL without ACCESS_TOKEN@, and with page body {"status":401,"message":"Unauthorized","description":"Invalid/Missing"}.

This broke after I synced my fork of https://github.com/nightscout/cgm-remote-monitor to the latest commit 21e0591 today.

Unfortunately the previous version that I know to have worked was from around May 20, 2021, so I don't know when in the last 33 months or so this broke.

Expected behavior

Both methods should produce a list of my latest glucose values, in JSON format.

Your setup information

  • Nightscout built today from the latest commit 21e0591
  • Trying to upload via Xdrip. Due to bugs in Xdrip, the access token needs to either be specified in the manner I noted above, when one can't reuse the Xdrip webserver's API secret. Concretely, the code in Xdrip incorrectly treats the uploader base URL as a String and appends stuff to it, instead of parsing it as a Uri and then mutating just the path component; this breaks when the URL has query parameters.
  • See "Nightscout URL should support tokens", NightscoutFoundation/xDrip#1035 (comment), for an old comment of mine elaborating how the authentication used to be able to get to work in combination with Xdrip.

Additional context

Note that the documentation at https://nightscout.github.io/uploader/setup/#xdrip documents the format that no longer works (that page is very old so it still refers to API_SECRET rather than ACCESS_TOKEN, but the gist is the same).
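
Added example, not part of the original issue and not xDrip or Nightscout code: it contrasts the string-append handling of the uploader base URL described above with parsing the URL and changing only its path, and shows a client moving a token from the `ACCESS_TOKEN@HOST` position into the `?token=` form that the issue reports as working. The host, the token value and the function names are constructed for illustration.

```javascript
// Constructed sample base URLs (host and token are placeholders, not real values).
const QUERY_BASE = "https://ns.example.test/api/v1?token=example-token-abc123";
const USERINFO_BASE = "https://example-token-abc123@ns.example.test/api/v1";

// String-style join: the suffix is glued onto the end of the whole URL,
// so with a query string present it becomes part of the token value.
function naiveJoin(base, suffix) {
  return base.replace(/\/+$/, "") + "/" + suffix;
}

// Parse first, then change only the path component.
// Query parameters and userinfo are left untouched.
function joinPath(base, suffix) {
  const url = new URL(base);
  const basePath = url.pathname.replace(/\/+$/, "");
  url.pathname = basePath + "/" + suffix.replace(/^\/+/, "");
  return url;
}

// Accept the token from either position in the base URL, strip the userinfo,
// and emit the token as an explicit query parameter.
function normalizeToken(base, suffix) {
  const url = joinPath(base, suffix);
  const fromUserinfo = decodeURIComponent(url.username);
  const token = url.searchParams.get("token") || fromUserinfo || null;
  url.username = "";
  url.password = "";
  if (token) url.searchParams.set("token", token);
  return { href: url.href, token };
}

// What the server would see as the token after a string-style join.
function tokenSeenAfterNaiveJoin(base, suffix) {
  return new URL(naiveJoin(base, suffix)).searchParams.get("token");
}

console.log(naiveJoin(QUERY_BASE, "entries.json"));
console.log(joinPath(QUERY_BASE, "entries.json").href);
console.log(normalizeToken(USERINFO_BASE, "entries.json").href);
```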
