
API: /trains/checkin does not report an error when using an unauthorized bearer token #128

Closed
derf opened this issue Oct 4, 2020 · 2 comments
Labels
bug Something isn't working

Comments


derf commented Oct 4, 2020

Describe the bug
When checking into a train via /trains/checkin using an unauthorized bearer token, the server does not return an error such as HTTP 401. Instead, it returns an HTTP 302 redirect to the HTML login page.

To Reproduce
Steps to reproduce the behavior:

  1. Obtain a token from the API, e.g. via curl or travelynx.de
  2. Revoke the token from the Träwelling settings page
  3. Use /trains/checkin to check into a train

Expected behavior
The server should return HTTP 401 and preferably a JSON document explaining the error instead of HTML.

Note that I did not test whether this also happens with entirely invalid bearer tokens.

Travelynx Log

-- Non-blocking request (https://traewelling.de/api/v0/trains/checkin)
-- Reusing connection e0813e072e572ed952a845dea5dd99ae (https://traewelling.de:443)
-- Client >>> Server (https://traewelling.de/api/v0/trains/checkin)
POST /api/v0/trains/checkin HTTP/1.1\x0d
Content-Length: 103\x0d
Accept-Encoding: gzip\x0d
Authorization: Bearer [redacted]\x0d
Content-Type: application/json\x0d
Host: traewelling.de\x0d
User-Agent: travelynx/1.17.5-11-g562dd7c-dirty on / +https://finalrewind.org/projects/travelynx\x0d
\x0d
{"destination":"8000142","start":"8000080","toot":false,"tripID":"1|221647|5|80|4102020","tweet":false}
-- Client >>> Server (https://traewelling.de/api/v0/trains/checkin)

-- Client <<< Server (https://traewelling.de/api/v0/trains/checkin)
HTTP/1.1 302 Found\x0d
Date: Sun, 04 Oct 2020 10:33:56 GMT\x0d
Content-Type: text/html; charset=UTF-8\x0d
Transfer-Encoding: chunked\x0d
Connection: keep-alive\x0d
Server: nginx\x0d
Cache-Control: no-cache, private\x0d
X-RateLimit-Limit: 60\x0d
X-RateLimit-Remaining: 56\x0d
Location: https://traewelling.de/login\x0d
X-Xss-Protection: 1; mode=block\x0d
X-Frame-Options: SAMEORIGIN\x0d
Strict-Transport-Security: max-age=31536000\x0d
X-Content-Type-Options: nosniff\x0d
Referrer-Policy: strict-origin-when-cross-origin\x0d
\x0d
166\x0d
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://traewelling.de/login'" />

        <title>Redirecting to https://traewelling.de/login</title>
    </head>
    <body>
        Redirecting to <a href="https://traewelling.de/login">https://traewelling.de/login</a>.
    </body>
</html>\x0d

-- Client <<< Server (https://traewelling.de/api/v0/trains/checkin)
0\x0d
\x0d
@derf derf added To Do bug Something isn't working labels Oct 4, 2020
MrKrisKrisu (Member)

MrKrisKrisu commented Oct 4, 2020

Please try sending the header "Accept: application/json" to the server. With this header it should work.

derf (Author)

derf commented Oct 4, 2020

Oops. Yup, that's it, my bad :)

@derf derf closed this as completed Oct 4, 2020
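The thread above has a security-relevant lesson beyond the missing header: a client that follows the 302 and then checks only for a 2xx status would land on the HTML login page (which itself returns 200) and report a revoked token as a successful check-in. The following is an added example, not code from travelynx or Träwelling. It builds the request the way the maintainer suggests (with `Accept: application/json` next to `Content-Type`), refuses to follow redirects, and classifies the raw response so that both a JSON 401 and a 302 to `/login` are treated as an authentication failure. The function names, the `NoRedirect` handler, the outcome strings and the sample responses are assumptions made for this example; the 302 sample is reconstructed from the log posted in the issue.

```python
"""Client-side handling of Träwelling-style auth failures (added example)."""
import json
import urllib.request
from urllib.error import HTTPError

API_BASE = "https://traewelling.de/api/v0"  # endpoint path from the issue's log


def build_checkin_request(token: str, payload: dict) -> urllib.request.Request:
    """Build POST /trains/checkin with both Content-Type and Accept set to JSON.

    The Accept header is what the maintainer asked for: without it the server
    answers a revoked or expired token with a 302 to the HTML login page
    instead of a JSON 401.
    """
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        f"{API_BASE}/trains/checkin",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: an API client must never silently land on a
    login page. urllib then raises HTTPError with the 3xx code instead."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status: int, headers: dict, body: bytes) -> str:
    """Map a raw response to one of: 'ok', 'unauthorized', 'error'.

    A 302 whose Location ends in /login is treated exactly like a 401; this is
    the symptom from the issue and must not be mistaken for success.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    content_type = lower.get("content-type", "")
    location = lower.get("location", "").rstrip("/")
    if status in (401, 403):
        return "unauthorized"
    if 300 <= status < 400 and location.endswith("/login"):
        return "unauthorized"
    if 200 <= status < 300 and "application/json" in content_type:
        return "ok"
    # Anything else (HTML where JSON was expected, 5xx, unknown redirect)
    return "error"


def check_in(token: str, payload: dict) -> tuple:
    """Perform the real request (network call; not exercised offline).

    Returns (outcome, status). HTTPError is raised by urllib for every
    non-2xx response once redirects are disabled, so both branches classify.
    """
    opener = urllib.request.build_opener(NoRedirect())
    req = build_checkin_request(token, payload)
    try:
        with opener.open(req, timeout=30) as resp:
            return classify_response(resp.status, dict(resp.headers), resp.read()), resp.status
    except HTTPError as e:
        return classify_response(e.code, dict(e.headers), e.read()), e.code


# Constructed sample responses for offline use. The first mirrors the 302 in
# the issue's log; the second is what a JSON-aware 401 would look like.
SAMPLE_302 = (
    302,
    {"Content-Type": "text/html; charset=UTF-8", "Location": "https://traewelling.de/login"},
    b"<!DOCTYPE html><html><body>Redirecting to https://traewelling.de/login</body></html>",
)
SAMPLE_401 = (401, {"Content-Type": "application/json"}, b'{"message":"Unauthenticated."}')

if __name__ == "__main__":
    for sample in (SAMPLE_302, SAMPLE_401):
        print(sample[0], "->", classify_response(*sample))
```

The redirect-to-login behaviour for a request lacking `Accept: application/json` is what Laravel's default authentication middleware does when it decides the request does not expect JSON, so sending the header fixes the server side of the problem; disabling redirects and classifying `302 -> /login` as `unauthorized` is the client-side belt-and-braces check that keeps a silently revoked token from looking like a successful check-in.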