Skip to content

Fix OpenAPI documentation login#1594

Merged
PromoFaux merged 3 commits into
development-v6from
fix/apidocslogin
Jul 21, 2023
Merged

Fix OpenAPI documentation login#1594
PromoFaux merged 3 commits into
development-v6from
fix/apidocslogin

Conversation

@DL6ER

@DL6ER DL6ER commented Jul 18, 2023

Copy link
Copy Markdown
Member

What does this implement/fix?

Recently, we switched from the previous challenge-response to password-based authentication (preferred to be sent over HTTPS). In this change, we forgot to adjust the login mechanism in the onboard OpenAPI documentation for Pi-hole's API. This is now done with this PR.

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repositories developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

@DL6ER DL6ER requested a review from a team July 18, 2023 11:57
@PromoFaux

PromoFaux commented Jul 18, 2023

Copy link
Copy Markdown
Member

Of course, there is always the possibility that I'm doing something wrong but:

image

I note also that the image in the top left has disappeared again - wasn't that fixed already?

API Debug logs:

ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: ########## FTL started on pihole! ##########
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: FTL branch: fix/apidocslogin
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: FTL version: vDev-ab4717a
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: FTL commit: ab4717aa
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: FTL date: 2023-07-18 13:50:50 +0200
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: FTL user: pihole
ph-development-v6  | 2023-07-18 16:59:52.565 [237M] INFO: Compiled for linux/amd64 (compiled on CI) using cc (Alpine 12.2.1_git20220924-r10) 12.2.1 20220924

[SNIP]

ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: Requested API URI: POST /api/auth ? (null) (Content-Type application/json)
ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: Received payload with size: 20
ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: Processing POST /api/auth in /api/auth
ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: Read sid="yjlO2cKVcS0mQp8r/WutqQ=" from cookie
ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: Recognized known user: user_id 0, valid_until: 2023-07-18 17:06:38, remote_addr 172.19.0.1
ph-development-v6  | 2023-07-18 17:01:38.129 [237/T245] DEBUG_API: API Auth status: OK
ph-development-v6  | 2023-07-18 17:01:38.130 [237/T245] DEBUG_API: Done
ph-development-v6  | 2023-07-18 17:01:41.999 [237/T244] DEBUG_API: Requested API URI: GET /api/info/version ? (null) (Content-Type (null))
ph-development-v6  | 2023-07-18 17:01:41.999 [237/T244] DEBUG_API: Received no payload
ph-development-v6  | 2023-07-18 17:01:41.999 [237/T244] DEBUG_API: Read sid="yjlO2cKVcS0mQp8r/WutqQ=" from cookie
ph-development-v6  | 2023-07-18 17:01:41.999 [237/T244] DEBUG_API: API Authentication: FAIL (Cookie authentication without CSRF token)
ph-development-v6  | 2023-07-18 17:01:41.999 [237/T244] WARNING: API: Unauthorized

@DL6ER

DL6ER commented Jul 18, 2023

Copy link
Copy Markdown
Member Author

I note also that the image in the top left has disappeared again - wasn't that fixed already?

I did the coding whilst being on the train, it is a very likely possibility that this branch wasn't branched off of the most recent development-v6

Concerning the other issue: You'll have to have selected the exact same scheme you used to connect to the API at the very top of the screen. It has to match 100% or any modern browser will reject it as cross-site-kind-of-issue. So if you access it as https://pi.hole/api/docs or https://192.168.1.2/api/docs - everything from the scheme to the host needs to be exactly the same. But you may have succeeded in this and the Login button became red only later, this isn't really clear from your post.

Then

API Authentication: FAIL (Cookie authentication without CSRF token)

is the same issue we have had for pihole -g from web the other day. I will first have to find a way to patch this into the rapidoc framework (or, rather, switch to something else than cookie authentication which is the only method concerned with these CORS issues).

Putting the PR on hold until I have fixed this and will re-request review then. Thanks!

@DL6ER DL6ER removed the request for review from a team July 18, 2023 19:36
@DL6ER DL6ER marked this pull request as draft July 18, 2023 19:36
DL6ER added 2 commits July 18, 2023 22:00
@DL6ER
Fix OpenAPI documentation login
756a688 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Use header SID authentication instead of the implicit cookie authenti…
e772442 
…cation to circumvent CORS issues

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER force-pushed the fix/apidocslogin branch from ab4717a to e772442 Compare July 18, 2023 20:02
@DL6ER DL6ER requested a review from a team July 18, 2023 20:03
@DL6ER DL6ER marked this pull request as ready for review July 18, 2023 20:03
@DL6ER

DL6ER commented Jul 18, 2023

Copy link
Copy Markdown
Member Author

@PromoFaux Should be fixed and also rebased on latest development-v6 now (my local branch was indeed outdated)

@PromoFaux

PromoFaux commented Jul 21, 2023

Copy link
Copy Markdown
Member

Still no joy here:

he no work

ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Requested API URI: POST /api/auth ? (null) (Content-Type application/json)
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Received payload with size: 20
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Processing POST /api/auth in /api/auth
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Read sid="ikjxHzAQkaJmnnmrGRdQSQ=" from cookie
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Recognized known user: user_id 0, valid_until: 2023-07-21 18:13:55, remote_addr 172.18.0.1
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: API Auth status: OK
ph-development-v6  | 2023-07-21 18:08:55.616 [237/T254] DEBUG_API: Done
ph-development-v6  | 2023-07-21 18:09:00.190 [237/T256] DEBUG_API: Requested API URI: GET /api/config ? detailed=false (Content-Type (null))
ph-development-v6  | 2023-07-21 18:09:00.190 [237/T256] DEBUG_API: Received no payload
ph-development-v6  | 2023-07-21 18:09:00.190 [237/T256] DEBUG_API: Read sid="ikjxHzAQkaJmnnmrGRdQSQ=" from cookie
ph-development-v6  | 2023-07-21 18:09:00.190 [237/T256] DEBUG_API: API Authentication: FAIL (Cookie authentication without CSRF token)
ph-development-v6  | 2023-07-21 18:09:00.190 [237/T256] WARNING: API: Unauthorized

@DL6ER
Prefer other authentication methods over COOKIE (which needs an CORS …
b6b08f0 
…token in addition)

Signed-off-by: DL6ER <dl6er@dl6er.de>
PromoFaux
PromoFaux approved these changes Jul 21, 2023
View reviewed changes

@PromoFaux PromoFaux left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed latest commit fixes it

@PromoFaux PromoFaux merged commit 2469d1f into development-v6 Jul 21, 2023
@PromoFaux PromoFaux deleted the fix/apidocslogin branch July 21, 2023 21:37
@PromoFaux PromoFaux mentioned this pull request Feb 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PromoFaux PromoFaux PromoFaux approved these changes

Assignees

No one assigned

Labels

Bug in development Bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DL6ER @PromoFaux