API calls returning 401 Unauthorized #6279

Closed
opened 2025-11-02 06:50:47 -06:00 by GiteaMirror · 31 comments
Owner

Originally created by @AllTaken on GitHub (Nov 9, 2020).

  • Gitea version (or commit ref): 1.12.5 built with GNU Make 4.1, go1.14.9 : bindata, sqlite, sqlite_unlock_notify
  • Git version: 2.25.1
  • Operating system: Ubuntu 20.04.1 LTS

Gitea is as downloaded from the Releases page.

Description

Many different API calls result in 401 unauthorized, for no reason I can discern.
Setting up a blank repo in try.gitea.io with a single commit and trying to POST the following results in 401 unauthorized:

curl -X POST "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" -H "accept: application/json" -H "Authorization: ba0969a9d789630ffa5321164315a27954221832" -H "Content-Type: application/json" -d "{ \"context\": \"Build\", \"description\": \"asdasdad\", \"state\": \"success\", \"target_url\": \"\"}"

Note that this happens when trying to use basic auth as well.

This used to work, probably as recently as 1.11.6

Originally created by @AllTaken on GitHub (Nov 9, 2020). - Gitea version (or commit ref): 1.12.5 built with GNU Make 4.1, go1.14.9 : bindata, sqlite, sqlite_unlock_notify - Git version: 2.25.1 - Operating system: Ubuntu 20.04.1 LTS Gitea is as downloaded from the Releases page. - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [X] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [X] Yes (provide example URL) - [ ] No - Log gist: https://gist.github.com/AllTaken/e15cf3c7333d011340dfbc81e18b10c4 ## Description Many different API calls result in 401 unauthorized, for no reason I can discern. Setting up a blank repo in try.gitea.io with a single commit and trying to POST the following results in 401 unauthorized: `curl -X POST "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" -H "accept: application/json" -H "Authorization: ba0969a9d789630ffa5321164315a27954221832" -H "Content-Type: application/json" -d "{ \"context\": \"Build\", \"description\": \"asdasdad\", \"state\": \"success\", \"target_url\": \"\"}"` Note that this happens when trying to use basic auth as well. This used to work, probably as recently as 1.11.6
GiteaMirror added the type/bugmodifies/api labels 2025-11-02 06:50:47 -06:00
Author
Owner

@dubiouscript commented on GitHub (Nov 11, 2020):

afaik now

-H "Authorization: token ba0969a9d789630ffa5321164315a27954221832"

should work !

@dubiouscript commented on GitHub (Nov 11, 2020): afaik `now` -H "Authorization: token ba0969a9d789630ffa5321164315a27954221832" should work !
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

Yes, it really should, but it just returns 401:

image

@AllTaken commented on GitHub (Nov 11, 2020): Yes, it really should, but it just returns 401: ![image](https://user-images.githubusercontent.com/6959993/98809665-33b43900-241e-11eb-8c78-2080d36faa94.png)
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

Same thing happens with various API calls, here is another:
image

@AllTaken commented on GitHub (Nov 11, 2020): Same thing happens with various API calls, here is another: ![image](https://user-images.githubusercontent.com/6959993/98809835-8261d300-241e-11eb-816c-21954b6c2a39.png)
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

Other API calls do work like /repos/search f.ex.

@AllTaken commented on GitHub (Nov 11, 2020): Other API calls do work like `/repos/search` f.ex.
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

this should not be the case ...

@6543 commented on GitHub (Nov 11, 2020): this should not be the case ...
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

this works just fine:

curl -X GET "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" -H "accept: application/json" -H "Authorization: token ba0969a9d789630ffa5321164315a27954221832"
or
curl -X GET "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9?token=ba0969a9d789630ffa5321164315a27954221832" -H "accept: application/json"

@6543 commented on GitHub (Nov 11, 2020): this works just fine: `curl -X GET "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" -H "accept: application/json" -H "Authorization: token ba0969a9d789630ffa5321164315a27954221832"` or `curl -X GET "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9?token=ba0969a9d789630ffa5321164315a27954221832" -H "accept: application/json"`
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

I'm fairly convinced this is a bug...

@AllTaken commented on GitHub (Nov 11, 2020): I'm fairly convinced this is a bug...
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

@AllTaken I would label it as souch as soon as I can reproduce it ... my problem is, I cant :/

@6543 commented on GitHub (Nov 11, 2020): @AllTaken I would label it as souch as soon as I can reproduce it ... my problem is, I cant :/
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

can you execute the curl statement on a bash shell?

it should return []

@6543 commented on GitHub (Nov 11, 2020): can you execute the curl statement on a bash shell? it should return `[]`
Author
Owner

@zeripath commented on GitHub (Nov 11, 2020):

@AllTaken your authorization header is missing the "token "

98809835-8261d300-241e-11eb-816c-21954b6c2a39-highlighted

@zeripath commented on GitHub (Nov 11, 2020): @AllTaken your authorization header is missing the "token " ![98809835-8261d300-241e-11eb-816c-21954b6c2a39-highlighted](https://user-images.githubusercontent.com/1824502/98813520-3150df80-241c-11eb-9086-a1d106771966.png)
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

I see, maybe the issue is only with basic authentication then.

@AllTaken commented on GitHub (Nov 11, 2020): I see, maybe the issue is only with basic authentication then.
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

Let me se ...

@6543 commented on GitHub (Nov 11, 2020): Let me se ...
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

image

@AllTaken commented on GitHub (Nov 11, 2020): ![image](https://user-images.githubusercontent.com/6959993/98815424-64e53700-2427-11eb-8436-5341f23b151e.png)
Author
Owner

@6543 commented on GitHub (Nov 11, 2020):

basic auth do not work on some endpoints !!!

@6543 commented on GitHub (Nov 11, 2020): basic auth do not work on some endpoints !!!
Author
Owner

@zeripath commented on GitHub (Nov 11, 2020):

I think the authorization header has to be Authorization: basic

curl -vvv -X POST "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" \
  -H "Accept: application/json" -H "Authorization: basic dGVzdDY2NjE6eUAx0XdqBXd6dGthb15E" \
  -H "Content-Type: application/json" \
  -d '{"context":"string","description":"string","state":"success","target_url":"string"}'

works for me.


no looking again I get the 401 still! sorry.

@zeripath commented on GitHub (Nov 11, 2020): ~~I think the authorization header has to be `Authorization: basic`~~ ```bash curl -vvv -X POST "https://try.gitea.io/api/v1/repos/test6661/Test/statuses/0b97b9b4de6c75125f635ee1f045f148ebd9b7b9" \ -H "Accept: application/json" -H "Authorization: basic dGVzdDY2NjE6eUAx0XdqBXd6dGthb15E" \ -H "Content-Type: application/json" \ -d '{"context":"string","description":"string","state":"success","target_url":"string"}' ``` ~~works for me.~~ --- no looking again I get the 401 still! sorry.
Author
Owner

@zeripath commented on GitHub (Nov 11, 2020):

Ok so looking at api.go, this endpoint is controlled by:

3fd060eb37/routers/api/v1/api.go (L837-L840)

with reqToken() defined by:

3fd060eb37/routers/api/v1/api.go (L180-L196)

So let's assume that IsBasicAuth is being set correctly... Does this account have 2FA set?

@zeripath commented on GitHub (Nov 11, 2020): Ok so looking at api.go, this endpoint is controlled by: https://github.com/go-gitea/gitea/blob/3fd060eb37085df9b075baf23f3c315b92c1073e/routers/api/v1/api.go#L837-L840 with reqToken() defined by: https://github.com/go-gitea/gitea/blob/3fd060eb37085df9b075baf23f3c315b92c1073e/routers/api/v1/api.go#L180-L196 So let's assume that IsBasicAuth is being set correctly... Does this account have 2FA set?
Author
Owner

@AllTaken commented on GitHub (Nov 11, 2020):

No.

image

@AllTaken commented on GitHub (Nov 11, 2020): No. ![image](https://user-images.githubusercontent.com/6959993/98855810-eb683b80-245c-11eb-835a-bd9c925c99f6.png)
Author
Owner

@kevinzg commented on GitHub (Nov 23, 2020):

If you are trying to use the API logged in from the browser you need to send the CSRF token as a header.
The header name is X-Csrf-Token and the value should be in a meta tag in the HTML and in the cookies, default name is _csrf.

@kevinzg commented on GitHub (Nov 23, 2020): If you are trying to use the API logged in from the browser you need to send the CSRF token as a header. The header name is `X-Csrf-Token` and the value should be in a meta tag in the HTML and in the cookies, default name is `_csrf`.
Author
Owner

@AllTaken commented on GitHub (Nov 23, 2020):

@kevinzg I'm not sure I understand?
I'm trying to call the REST API using basic auth, there is no HTML and no browser?

@AllTaken commented on GitHub (Nov 23, 2020): @kevinzg I'm not sure I understand? I'm trying to call the REST API using basic auth, there is no HTML and no browser?
Author
Owner

@kevinzg commented on GitHub (Nov 23, 2020):

@AllTaken What I meant was that when you login and visit yourgitea.com/api/swagger and try to use execute the requests some of them will give you a 401 because they need the CSRF token.

From the code, it looks like basic auth still needs a CSRF token (if you don't have the OTP thingy). No, it doesn't.

Since you are not using the browser, you can just add any token in your request, for example in curl add this -H 'Cookie: _csrf=whatever' -H 'X-Csrf-Token: whatever', that should let you pass the validation. No need.

@kevinzg commented on GitHub (Nov 23, 2020): @AllTaken What I meant was that when you login and visit `yourgitea.com/api/swagger` and try to use execute the requests some of them will give you a 401 because they need the CSRF token. ~~From the code, it looks like basic auth still needs a CSRF token (if you don't have the OTP thingy).~~ No, it doesn't. ~~Since you are not using the browser, you can just add any token in your request, for example in curl add this `-H 'Cookie: _csrf=whatever' -H 'X-Csrf-Token: whatever'`, that should let you pass the validation.~~ No need.
Author
Owner

@zeripath commented on GitHub (Nov 27, 2020):

OK I just tried:

curl -vvv -X POST "https://try.gitea.io/api/v1/repos/arandomer/Adebar/statuses/c6175db588e3de7f51579c3e942dbf841083c169" --basic -H "Accept: application/json" -u 'arandomer:arandomer@mailinator.com' -H "Content-Type: application/json" -d '{"context":"string","description":"string","state":"success","target_url":"string"}'

and this worked.

Also:

curl -vvv -X POST "https://try.gitea.io/api/v1/repos/arandomer/Adebar/statuses/c6175db588e3de7f51579c3e942dbf841083c169" -H "Accept: application/json" -H "Authorization: Basic YXJhbmRvbWVyOmFyYW5kb21lckBtYWlsaW5hdG9yLmNvbQ==" -H "Content-Type: application/json" -d '{"context":"string","description":"string","state":"success","target_url":"string"}'

this works.

I think the suggested header is incorrect.

@zeripath commented on GitHub (Nov 27, 2020): OK I just tried: ``` curl -vvv -X POST "https://try.gitea.io/api/v1/repos/arandomer/Adebar/statuses/c6175db588e3de7f51579c3e942dbf841083c169" --basic -H "Accept: application/json" -u 'arandomer:arandomer@mailinator.com' -H "Content-Type: application/json" -d '{"context":"string","description":"string","state":"success","target_url":"string"}' ``` and this worked. Also: ``` curl -vvv -X POST "https://try.gitea.io/api/v1/repos/arandomer/Adebar/statuses/c6175db588e3de7f51579c3e942dbf841083c169" -H "Accept: application/json" -H "Authorization: Basic YXJhbmRvbWVyOmFyYW5kb21lckBtYWlsaW5hdG9yLmNvbQ==" -H "Content-Type: application/json" -d '{"context":"string","description":"string","state":"success","target_url":"string"}' ``` this works. I think the suggested header is incorrect.
Author
Owner

@kevinzg commented on GitHub (Nov 27, 2020):

@zeripath Yes, you are right, the CSRF token is not needed for basic auth, my bad.

I think the problem is that if you are logged-in (in the browser), Gitea authenticates the user with the session cookie and ignores the basic auth header, so ctx.Context.IsBasicAuth is false and the code goes by the ctx.RequireCSRF() path.
That's why the Swagger interface gets a 401, but the curl command works fine.

@kevinzg commented on GitHub (Nov 27, 2020): @zeripath Yes, you are right, the CSRF token is not needed for basic auth, my bad. I think the problem is that if you are logged-in (in the browser), Gitea authenticates the user with the session cookie and ignores the basic auth header, so `ctx.Context.IsBasicAuth` is false and the code goes by the `ctx.RequireCSRF()` path. That's why the Swagger interface gets a 401, but the curl command works fine.
Author
Owner

@zeripath commented on GitHub (Nov 27, 2020):

ah so if went to the swagger page directly using a private tab without logging I guess it would then work

@zeripath commented on GitHub (Nov 27, 2020): ah so if went to the swagger page directly using a private tab without logging I guess it would then work
Author
Owner

@zeripath commented on GitHub (Nov 27, 2020):

But interestingly the curl command in https://github.com/go-gitea/gitea/issues/13484#issuecomment-725448274 doesn't work - presumably because the basic authentication header here is incorrect - (I'll admit I haven't tried / bothered to decode it to check so it's potentially invalid)

@zeripath commented on GitHub (Nov 27, 2020): But interestingly the curl command in https://github.com/go-gitea/gitea/issues/13484#issuecomment-725448274 doesn't work - presumably because the basic authentication header here is incorrect - (I'll admit I haven't tried / bothered to decode it to check so it's potentially invalid)
Author
Owner

@AllTaken commented on GitHub (Nov 28, 2020):

Yeah there is a transcription error in #13484 (comment).
The auth value should be: Basic dGVzdDY2NjE6eUAxOXdqVXd6dGthb15E instead of basic dGVzdDY2NjE6eUAx0XdqBXd6dGthb15E

Using these values it works now.

I'm not sure if you're saying that it is "by design" that 401 is returned, even though the client is presenting valid credentials, merely because a CSRF cookie is present? I can't really see any chance of CSRF being an issue when valid credentials are present? And why only for basic credentials?

In addition this sort of renders the auto generated swagger page useless for trying/testing the API with basic credentials. This should at least be documented in the interface, if it is by design.

@AllTaken commented on GitHub (Nov 28, 2020): Yeah there is a transcription error in [#13484 (comment)](https://github.com/go-gitea/gitea/issues/13484#issuecomment-725448274). The auth value should be: `Basic dGVzdDY2NjE6eUAxOXdqVXd6dGthb15E` instead of `basic dGVzdDY2NjE6eUAx0XdqBXd6dGthb15E` Using these values it works now. I'm not sure if you're saying that it is "by design" that 401 is returned, even though the client is presenting valid credentials, merely because a CSRF cookie is present? I can't really see any chance of CSRF being an issue when valid credentials are present? And why only for basic credentials? In addition this sort of renders the auto generated swagger page useless for trying/testing the API with basic credentials. This should at least be documented in the interface, if it is by design.
Author
Owner

@zeripath commented on GitHub (Nov 30, 2020):

CSRF is only needed for POST with cookie session. Basic authentication without a cookie, or token authentication don't require CSRF.

@zeripath commented on GitHub (Nov 30, 2020): CSRF is only needed for POST with cookie session. Basic authentication without a cookie, or token authentication don't require CSRF.
Author
Owner

@kevinzg commented on GitHub (Dec 1, 2020):

A get to https://try.gitea.io/api/v1/user asks for the token.

@kevinzg commented on GitHub (Dec 1, 2020): A get to `https://try.gitea.io/api/v1/user` asks for the token.
Author
Owner

@lunny commented on GitHub (Jan 27, 2021):

OK. So Authorization: Basic work but Authorization: basic not. Is this still considered as a bug?

@lunny commented on GitHub (Jan 27, 2021): OK. So `Authorization: Basic` work but `Authorization: basic` not. Is this still considered as a bug?
Author
Owner

@6543 commented on GitHub (Jan 27, 2021):

OK. So Authorization: Basic work but Authorization: basic not. Is this still considered as a bug?

Fixed in master

@6543 commented on GitHub (Jan 27, 2021): > OK. So `Authorization: Basic` work but `Authorization: basic` not. Is this still considered as a bug? Fixed in master
Author
Owner

@AllTaken commented on GitHub (Jan 27, 2021):

Well.. you get 401 if you have a CSRF cookie and use Basic auth but not if you use other auth options...
Is this not considered a bug?

@AllTaken commented on GitHub (Jan 27, 2021): Well.. you get 401 if you have a CSRF cookie and use Basic auth but not if you use other auth options... Is this not considered a bug?
Author
Owner

@6543 commented on GitHub (Jan 27, 2021):

inconsistency ... @AllTaken I open a new issue since this here now described different issues (solved) etc ...

@6543 commented on GitHub (Jan 27, 2021): inconsistency ... @AllTaken I open a new issue since this here now described different issues (solved) etc ...
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#6279