Unable to authenticate to API "Please provide token"

[sidhoah8]

Describe the bug
This follows on from https://github.com/codeaffen/phpipam-ansible-modules/discussions/52

Running the phpypam module on phpIPAM version 1.4.0 results in an unhandled error. Further debugging shows a HTTP 403 forbidden error with "Please provide token" from phpIPAM.

To Reproduce
Example code:

import phpypam

pi = phpypam.api(
  url='https://phpipam.server/',
  app_id='myappid',
  username='myusername',
  password='mypassword',
  ssl_verify=False
)
print(pi.get_entity(controller='sections'))

Version 1.40 of phpIPAM used

Expected behavior
With the above code, I expect an output of the configured sections in phpIPAM

Versions:

• phpIPAM 1.4.0
• phpypam 1.0.1

Additional context
Amending api.py in the core package as follows fixes the problem:

72c72
<     def _query(self, path='user/', headers=None, method=GET, data=None, params=None, auth=None, token=None):
---
>     def _query(self, path='user', headers=None, method=GET, data=None, params=None, auth=None, token=None):

It appears that from phpIPAM 1.4.1 and above, the trailing "/" is no longer needed. I tested there and it works fine without the trailing "/"

I'm not sure if the above "fix" is the best way to fix the problem. If it is, let me know and I will try creating a pull request for that together with a feature enhancement for undefined errors (display the HTTP error and message).

[cmeissner]

It appears that from phpIPAM 1.4.1 and above, the trailing "/" is no longer needed. I tested there and it works fine without the trailing "/"

I tested to login to a 1.4.0 with and without trailing slash it it works both. So this seems not to be the root cause. As I'm not able to reproduce the issue locally it is difficult to found the root cause.

And if I go to api.py#L72 I can't see a slash there, so I wonder why there is a slash in your module code. I also check the code in the module itselves which comes from pypi.org and there is also no slash in the default value of path.

[sidhoah8]

Urgh.. ok. I thought that was it. Here's what I see using python requests:

New venv with following packages:

$ pip3 freeze
certifi==2020.12.5
chardet==4.0.0
idna==2.10
requests==2.25.1
urllib3==1.26.3

Start of Python and requests import

$ python
Python 3.6.8 (default, Aug 24 2020, 17:57:11)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests

## Working setup
Fresh install using Docker image from https://hub.docker.com/r/phpipam/phpipam-www

• phpIPAM 1.4.2
• PHP/7.3.25
• nginx/1.19.3

Request without trailing "/" - successful:

>>> r = requests.post('https://phpipam.local.test/api/ansible/user', auth=('admin', 'adminadmin'), verify=False)
>>> r.json()
{'code': 200, 'success': True, 'data': {'token': 'x44BZ9a33q-nyXfubntsJi7E', 'expires': '2021-02-28 18:24:43'}, 'time': 0.008}

Request with trailing "/" - successful:

>>> r = requests.post('https://phpipam.local.test/api/ansible/user/', auth=('admin', 'adminadmin'), verify=False)
>>> r.json()
{'code': 200, 'success': True, 'data': {'token': 'x44BZ9a33q-nyXfubntsJi7E', 'expires': '2021-02-28 18:24:53'}, 'time': 0.007}

Headers

>>> r.headers
{'Server': 'nginx/1.19.3', 'Date': 'Sun, 28 Feb 2021 12:38:12 GMT', 'Content-Type': 'application/json; charset=utf-8', 'Content-Length': '116', 'Connection': 'keep-alive', 'X-Powered-By': 'PHP/7.3.25', 'Set-Cookie': 'phpipam=qqaeqtscqb0ba3c1s01fti9i0o; expires=Mon, 01 Mar 2021 12:38:12 +0000; Max-Age=86400; path=/; SameSite=Lax; HttpOnly;', 'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Strict-Transport-Security': 'max-age=31536000'}

## Non working setup
Production environment that I cannot change or debug (easily at least)

• phpIPAM 1.4.0
• PHP/5.4.16'
• Apache/2.4.6

Request without trailing "/" - UNsuccessful:

>>> r = requests.post('https://XXXXXX/api/ansible/user', auth=('XXXXXX', 'XXXXXX'), verify=False)
>>> r.json()
{'code': 403, 'success': False, 'message': 'Please provide token', 'time': 0.001}

Request with trailing "/" - successful:

>>> r = requests.post('https://XXXXXX/api/ansible/user/', auth=('XXXXXX', 'XXXXXX'), verify=False)
>>> r.json()
{'code': 200, 'success': True, 'data': {'token': 'XXXXXX', 'expires': '2021-02-28 19:35:55'}, 'time': 0.014}

Headers

>>> r.headers
{'Date': 'Sun, 28 Feb 2021 12:35:55 GMT', 'Server': 'Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16', 'X-Powered-By': 'PHP/5.4.16', 'Set-Cookie': 'phpipam=9ltgmulmhq84a3fvvkqo6nee01; expires=Mon, 01-Mar-2021 12:35:55 GMT; path=/; HttpOnly', 'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Length': '116', 'Keep-Alive': 'timeout=5, max=100', 'Connection': 'Keep-Alive', 'Content-Type': 'application/json; charset=utf-8'}

Looking at it now. I guess the problem likely lies with Apache/Nginx and/or PHP version differences as opposed to phpIPAM. What versions of PHP, server software are you testing with?

[cmeissner]

I test your request cases also against 1.4.0 and 1.4.2 and all cases works against my test environment.

• phpipam 1.4.0/1.4.2
• php-7.2.24
• httpd-2.4.37

All components running on:

CentOS 8.3.2011

[sidhoah8]

Ok, then I think we can rule out:

• phpipam as you've tried 1.4.0
• httpd/Apache as it's pretty much the same version as in the non-working environment
• OS as you're also on CentOS

So I guess it's PHP version 5.6 as version 7.x works for me and you... but 5 doesn't work without the trailing slash.

I don't have any easy way to test version 5 in a separate environment at the mo but as it's end of support anyway, I suspect the correct answer really then is to simply upgrade to version 7.

For now I can work around the problem by manually adjusting api.py to add the trailing slash and in the meantime, I'll push for an upgrade in our production environment.

Thanks again for your efforts and support and I look forward to using the Ansible modules now I know where the problem is in my environment :-)

[cmeissner]

So I'll close the issue for now. Feel free to reopen it if any new facts raise up.