GET /user does not return the current user when using an api token #2644

Closed
opened 2024-08-24 15:29:44 +00:00 by ce72 · 3 comments
Contributor

Description

  1. Create an API token with all permissions on try.vikunja.io
  2. `curl -X GET -H "Authorization: Bearer tk_1183642d1f350dc258c601f253aba243f20670bb" "https://try.vikunja.io/api/v1/user"`
    Expected result: User details and settings for the owner of the token
    Actual result: HTTP Status 401 `{"message":"missing, malformed, expired or otherwise invalid token provided"}`

The request is okay, as can be seen with `curl -X GET -H "Authorization: Bearer tk_1183642d1f350dc258c601f253aba243f20670bb" "https://try.vikunja.io/api/v1/tasks/all"`.
Also, the endpoint is correct, as can be seen if you paste the token from your browser's local storage into the first statement.

Additionally: The swagger documentation of the GET user endpoint https://try.vikunja.io/api/v1/docs#tag/user might be outdated. The return type seems to be UserWithSettings.

Vikunja Version

v0.24.1-47-9ed33f5c08

Browser and version

chrome, curl

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

No response

ce72 added the
kind/bug
label 2024-08-24 15:29:44 +00:00
Author
Contributor
Blocks https://gitlab.com/ce72/vja/-/issues/7
Owner

I've changed the api docs in 2dd21d96547d8c9b2386000766ab3697866e86a7.

I'm unsure about giving every token access to /user, but I can see the point. Maybe as a middle ground, we could add a permission to the endpoint? That would make that endpoint available for selection, when creating a token.

Owner

Added in 3e9c41cfc6. You can now add the user scope to an api token. Tokens with that scope can then access the /user endpoint and retrieve the user who created the token.

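The behaviour discussed in this thread, as an added Go example that is not Vikunja's own code: a deny-by-default check in which a route is reachable by an API token only if it is registered as a selectable scope and the token carries that scope. The type names, the registry layout and the permission strings (`read_all`, `read`) are assumptions made for illustration; only the `/user` and `/tasks/all` paths and the `user` scope name come from the issue.

```go
package main

import (
	"fmt"
	"net/http"
)

// Scope is one selectable permission: a route group plus an action.
type Scope struct{ Group, Perm string }

// Registry maps "METHOD path" to the scope needed; unlisted routes are not selectable. (Hypothetical.)
type Registry map[string]Scope

// APIToken holds the scopes chosen at creation time (hypothetical shape).
type APIToken struct {
	OwnerID     int64
	Permissions map[string][]string
}

// AllScopes builds an "all permissions" token: every scope the registry offers.
func AllScopes(r Registry, owner int64) APIToken {
	t := APIToken{OwnerID: owner, Permissions: map[string][]string{}}
	for _, s := range r {
		t.Permissions[s.Group] = append(t.Permissions[s.Group], s.Perm)
	}
	return t
}

// Authorize denies unless the route is registered and the token carries its scope.
func Authorize(r Registry, t APIToken, method, path string) int {
	need, ok := r[method+" "+path]
	if !ok {
		return http.StatusUnauthorized
	}
	for _, p := range t.Permissions[need.Group] {
		if p == need.Perm {
			return http.StatusOK
		}
	}
	return http.StatusUnauthorized
}

func main() {
	// Constructed registries: before and after /user became a selectable scope.
	before := Registry{"GET /api/v1/tasks/all": {"tasks", "read_all"}}
	after := Registry{"GET /api/v1/tasks/all": {"tasks", "read_all"}, "GET /api/v1/user": {"user", "read"}}
	fmt.Println(Authorize(before, AllScopes(before, 1), "GET", "/api/v1/user")) // route not selectable
	fmt.Println(Authorize(after, AllScopes(after, 1), "GET", "/api/v1/user"))   // token has user scope
	fmt.Println(Authorize(after, AllScopes(before, 1), "GET", "/api/v1/user"))  // older token, no user scope
}
```

In this model a token created before the scope existed stays denied on `/user` until a new token is issued with the `user` scope selected, which keeps the grant explicit rather than widening existing tokens.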
Reference: vikunja/vikunja#2644