Unable to create a new project via Money Buster - "The server could not verify that you are authorized to access the URL requested".

[almet]

Here is a copy of what I see when trying to create a new project using Money Buster.

This is when using the last release. I deactivated the CAPTCHA. It's what's currently deployed on ihatemoney.org.

[almet]

No issues when using the REST API with this, for instance:

curl -X POST https://ihatemoney.org/api/projects -d 'name=yaya&id=yayaaaa&password=yaya&contact_email=yay@notmyidea.org'

[almet]

Server logs:

ihatemoney.org — - - [14/Nov/2021:22:19:00 +0100] "POST /api/projects HTTP/1.1" 201 10 "-" "MoneyBuster/0.1.11"
ihatemoney.org — - - [14/Nov/2021:22:19:00 +0100] "GET /api/projects/Yayaaaa/members HTTP/1.1" 401 236 "-" "MoneyBuster/0.1.11"

So, the project is created, but not available via Money Buster?

[almet]

So, the project is created, but not available via Money Buster?

Yes, it's the case. I don't understand why moneybuster cannot access the newly created project (it can access other projects created a long time ago)

[almet]

Discovered that the error message was the default message for a HTTP 401 in Werkzeug. The question is now why are we returning a 401 here.

[almet]

curl --basic -u yayaaaa:yaya https://ihatemoney.org/api/projects/yayaaaa
{"message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."}

[almet]

Setting SESSION_COOKIE_SECURE = False doesn't solve the issue.

[almet]

Using latest master doesn't solve the issue, and I cannot reproduce locally. I think something is odd with the deploy. I'm out of luck for tonight. I will check later if I can find some time. Don't hesitate to take over if you feel like it :-)

[zorun]

Possibly a lowercase/uppercase issue? Did you have an uppercase letter in your project ID when creating it? In this case the API apparently converts it to lowercase when returning the ID, so there may be some confusion somewhere.

[zorun]

Just tested this on my instance:

$ curl -X POST https://$SERVER/api/projects -d 'name=myproject&id=ABC&password=Sa2tiegi&contact_email=test@example.com'
"abc"

$ curl --basic -u "ABC:Sa2tiegi" https://$SERVER/api/projects/ABC
{"message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."}

$ curl --basic -u "abc:Sa2tiegi" https://$SERVER/api/projects/ABC
{"message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."}

$ curl --basic -u "ABC:Sa2tiegi" https://$SERVER/api/projects/abc
{"message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."}

$ curl --basic -u "abc:Sa2tiegi" https://$SERVER/api/projects/abc
{"id": "abc", "name": "myproject", "contact_email": "test@example.com", "logging_preference": 1, "members": [], "default_currency": "XXX"}

-> both username (for auth) and project name need to be lower case, even though I asked for a project ID equal to "ABC" when creating the project.

Clearly it's not intuitive, we might want to improve that, maybe refuse creation in this case... Or if we want to keep this behaviour, it needs to be well documented, and check MoneyBuster to see if it handles this case.

[almet]

Thanks @zorun , it seems related to this, yes. What about lower() the identifiers before checking on the database?