Cannot create an OAuth token when using HTTP-basic #2278

Closed
@pmartin

Description

@pmartin

Hi,

Issue details

I am trying to create an oauth token for the API. It doesn't seem possible when my wallabag instance is protected by HTTP-basic.

It works if I disable HTTP-basic, or if I unset the corresponding variables in app.php.

Environment

  • wallabag version that exhibits the issue → 2.0.8
  • How did you install wallabag? → git
  • Last wallabag version that did not exhibit the issue (if applicable) → I discovered the issue with 2.0.6 but didn't try with previous versions
  • php version → PHP 7.0.9-1~dotdeb+8.1 (nginx + php-fpm, http/2)
  • OS → Linux debian 8.5
  • type of hosting → dedicated
  • which storage system you choose at install → MySQL

Steps to reproduce/test case

I'm trying to create an oauth token via the API, testing with curl in CLI (but I also had the problem with libcurl used from a C++ program).

The URL and the HTTP login/password and client_id/client_secret/username/password are all OK -- I just removed them to post this issue.

curl --user 'HTTP_USER:HTTP_PASSWORD' --data 'grant_type=password&client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&username=MY_USERNAME&password=MY_PASSWORD' https://MY_WALLABAG_URL/oauth/v2/token

I get the following response:

{"error":"invalid_client","error_description":"The client credentials are invalid"}

If I add the following line of code at the very top of web/app.php :

unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);

=> The exact same curl command works and I get the oauth token:

{"access_token":"A VALID OAUTH TOKEN","expires_in":3600,"token_type":"bearer","scope":null,"refresh_token":"A VALID REFRESH TOKEN"}

It also works fine if I temporarily disable HTTP-basic on the server-side and do not send it in the request. But if I send the HTTP-basic identification info in the request, even if it's disabled on the server-side, the application seems to use it and fails to create the token.

I'm guessing there might be some mixup somewhere between the HTTP-basic info and the login/password passed as a GET parameter?
(sorry, I don't know symfony's security component to really help finding the culprit)

I also reproduced this behavior on the demo instance. Without specifying an HTTP-basic login/password, I can create an oauth token:

$ curl --data 'grant_type=password&client_id=1_1bh4app65mv40csw4wg84og4wckkgwkogwkc0koocs4scgko48&client_secret=3pwsnib1kbmsoo8kkgosw8g088wscgwg0s8k0kg4gcwkck0wk8&username=wallabag&password=wallabag' http://v2.wallabag.org/oauth/v2/token

{"access_token":"YWFjZDQxMzE2YTU2ZDVlZjI3NzU2OWFlZTI0MzU4ZmRkZTI4NmNkMzNiOTlmYTkxZDk0NjRkYzU1ZjI2NTQ1Mg","expires_in":3600,"token_type":"bearer","scope":null,"refresh_token":"OWFhYjhlNjIzNmM0NjM4MDRhMzA5MzBlZDI2NmVlNjM1NzljMmU1ZjcyYmUxODNiNDZkNmU3NDU0OGIxOWFjNA"}

But if I add --user 'plop:glop' I get an error:

$ curl --user 'plop:glop' --data 'grant_type=password&client_id=1_1bh4app65mv40csw4wg84og4wckkgwkogwkc0koocs4scgko48&client_secret=3pwsnib1kbmsoo8kkgosw8g088wscgwg0s8k0kg4gcwkck0wk8&username=wallabag&password=wallabag' http://v2.wallabag.org/oauth/v2/token

{"error":"invalid_client","error_description":"The client credentials are invalid"}

I hope this helps :-)
Feel free to ping me if you need more information, of course!

Thanks!
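The following is an added example, not code from wallabag or from the reporter, that models the collision the report describes. It assumes, consistently with the observed behaviour but without having been verified against wallabag's code, that the token endpoint takes client credentials from an HTTP Basic Authorization header whenever one is present and only falls back to client_id/client_secret in the POST body otherwise, which is how php-fpm's PHP_AUTH_USER/PHP_AUTH_PW would reach the OAuth layer. The client table, the proxy user table, the token body and the helper names (token_endpoint, reverse_proxy, basic_header) are all constructed for the example. It shows three things: the request succeeding without proxy credentials, the same request failing with invalid_client once the proxy's Basic credentials are forwarded, and two ways out of it, the proxy stripping the Authorization header after checking it, or the endpoint rejecting requests that carry client credentials in both places (something RFC 6749 section 2.3 forbids the client from sending) so the caller sees a meaningful error instead of a misleading invalid_client.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed data: a stand-in OAuth client table and a stand-in htpasswd for the
# HTTP Basic protection in front of the application. None of these values are
# wallabag's; they exist only so the example runs offline.
OAUTH_CLIENTS = {"1_demo_client_id": "demo_client_secret"}
PROXY_USERS = {"HTTP_USER": "HTTP_PASSWORD"}

# Constructed form body, shaped like the one posted with curl --data.
TOKEN_BODY = ("grant_type=password&client_id=1_demo_client_id"
              "&client_secret=demo_client_secret&username=alice&password=s3cret")


def basic_header(user, password):
    """Build the Authorization value that curl --user sends."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(headers):
    """Return (user, password) from a Basic Authorization header, else None.
    This is the step php-fpm performs when it fills PHP_AUTH_USER/PHP_AUTH_PW."""
    value = headers.get("Authorization", "")
    if not value.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def body_client_credentials(body):
    """client_id/client_secret from the form-encoded POST body, else None."""
    form = parse_qs(body, keep_blank_values=True)
    client_id = form.get("client_id", [None])[0]
    client_secret = form.get("client_secret", [None])[0]
    if client_id is None or client_secret is None:
        return None
    return client_id, client_secret


def token_endpoint(headers, body, reject_mixed=False):
    """Model of the /oauth/v2/token client check (assumption, not wallabag's code).

    Default behaviour: a Basic header, when present, is taken as the client
    credentials and the body's client_id/client_secret are ignored.
    With reject_mixed=True the endpoint refuses requests that carry both, which
    RFC 6749 section 2.3 forbids the client from sending, so the caller sees
    the real problem rather than a misleading invalid_client."""
    from_header = parse_basic_auth(headers)
    from_body = body_client_credentials(body)
    if reject_mixed and from_header and from_body:
        return {"error": "invalid_request",
                "error_description": "Client credentials sent both in the "
                                     "Authorization header and in the body"}
    creds = from_header or from_body
    if creds is None:
        return {"error": "invalid_client",
                "error_description": "The client credentials are invalid"}
    client_id, client_secret = creds
    expected = OAUTH_CLIENTS.get(client_id)
    # Constant-time comparison so secret checks do not leak via timing.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return {"error": "invalid_client",
                "error_description": "The client credentials are invalid"}
    return {"access_token": "constructed-token", "expires_in": 3600,
            "token_type": "bearer"}


def reverse_proxy(headers, body, strip_authorization):
    """Basic-auth front door in front of the application.

    strip_authorization=False forwards the header untouched, as in the report;
    strip_authorization=True consumes it after checking, which is what a proxy
    in front of an OAuth token endpoint has to do (the directive that achieves
    this depends on the web server and is not shown here)."""
    user_pw = parse_basic_auth(headers)
    expected = PROXY_USERS.get(user_pw[0]) if user_pw else None
    if expected is None or not hmac.compare_digest(expected.encode(), user_pw[1].encode()):
        return {"status": 401}
    forwarded = dict(headers)
    if strip_authorization:
        forwarded.pop("Authorization", None)
    return {"status": 200, "body": token_endpoint(forwarded, body)}
```

Run with no Authorization header, token_endpoint returns a token; with the proxy's credentials forwarded it returns invalid_client even though the body credentials are correct, because the header shadows them; with reject_mixed=True the same request gets invalid_request, and with the proxy stripping the header the token is issued again.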
