API tokens requests returns 401 Unauthorized for user operations /api/v1/user/... #348

Closed
opened 2025-11-01 20:54:40 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @alvarolm on GitHub (Jan 31, 2025).

Description

There is no issue with the JWT token generated on authentication, but using an API token with all the permissions granted results in 401 responses no matter what for requests to the endpoint /api/v1/user/...

I have tried with the same token for https://try.vikunja.io/api/v1/docs#tag/labels/paths/~1labels/get and it works as expected.


token permissions granted:

filters: create, delete, read one, update
labels: create, delete, read all, read one, update
migration: ticktick migrate, ticktick status, vikunja-file migrate, vikunja-file status
notifications: read all, update
other: notifications, routes, users
projects: background, background delete, backgrounds upload, create, delete, projectusers, read all, read one, update
projectsDuplicate: create
projectsShares: create, delete, read all, read one
projectsTeams: create, delete, read all, update
projectsUsers: create, delete, read all, update
projectsViews: create, delete, read all, read one, update
projectsViewsBuckets: create, delete, read all, update
projectsViewsBucketsTasks: update
projectsViewsTasks: read all
projectsWebhooks: create, delete, read all, update
reactions: create, read all
reactionsDelete: delete
tasks: create, delete, read all, read one, update, update bulk
tasksAssignees: create, create bulk, delete, read all
tasksAttachments: create, delete, read all, read one
tasksComments: create, delete, read all, read one, update
tasksLabels: create, create bulk, delete, read all
tasksPosition: update
tasksRelations: create, delete
teams: create, delete, read all, read one, update
teamsMembers: create, delete
teamsMembersAdmin: update
webhooks: events

Currently using:
v0.24.6

Vikunja Version

v0.24.6

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

No response


@alvarolm commented on GitHub (Jan 31, 2025):

it seems there is no implementation for handling these routes:

```
CanDoAPIRoute path /api/v1/user/export/request
CanDoAPIRoute routeGroupName-before user_export_request
CanDoAPIRoute routeGroupName user_export_request
CanDoAPIRoute routeParts [user export request]
CanDoAPIRoute token.Permissions:
{
  "other": ["notifications", "routes", "users"],
  "projects_shares": ["create", "delete", "read_all", "read_one"],
  "projects_webhooks": ["create", "delete", "read_all", "update"],
  "tasks_attachments": ["create", "delete", "read_all", "read_one"],
  "tasks": ["create", "delete", "read_all", "read_one", "update", "update_bulk"],
  "teams_members_admin": ["update"],
  "reactions_delete": ["delete"],
  "projects_duplicate": ["create"],
  "projects_views_buckets": ["create", "delete", "read_all", "update"],
  "tasks_assignees": ["create", "create_bulk", "delete", "read_all"],
  "tasks_comments": ["create", "delete", "read_all", "read_one", "update"],
  "webhooks": ["events"],
  "filters": ["create", "delete", "read_one", "update"],
  "migration": ["ticktick_migrate", "ticktick_status", "vikunja-file_migrate", "vikunja-file_status"],
  "projects": ["background", "background_delete", "backgrounds_upload", "create", "delete", "projectusers", "read_all", "read_one", "update"],
  "projects_teams": ["create", "delete", "read_all", "update"],
  "projects_views_tasks": ["read_all"],
  "tasks_labels": ["create", "create_bulk", "delete", "read_all"],
  "tasks_relations": ["create", "delete"],
  "teams_members": ["create", "delete"],
  "reactions": ["create", "read_all"],
  "notifications": ["read_all", "update"],
  "projects_users": ["create", "delete", "read_all", "update"],
  "tasks_position": ["update"],
  "teams": ["create", "delete", "read_all", "read_one", "update"],
  "labels": ["create", "delete", "read_all", "read_one", "update"],
  "projects_views": ["create", "delete", "read_all", "read_one", "update"],
  "projects_views_buckets_tasks": ["update"]
}
missing group for token.Permissions
missing group (routeParts[0]) for token.Permissions
```

logs.txt
api_routes.go.diff.txt


@kolaente commented on GitHub (Feb 3, 2025):

> it seems there is no implementation for handling these routes

That's correct and by design. User routes have to use a user login token and won't work with an API token.
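
A simplified model of the lookup traced in the debug output above, as an added example that is not part of the thread and not Vikunja's own code: the path is reduced to a route group, the group is looked up in the token's permission map, and an unknown group is denied. The function names, the explicit action argument and the trimmed permission map are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Permissions maps a route group to granted actions, like token.Permissions in the log.
type Permissions map[string][]string

// samplePermissions is a constructed subset of the map dumped above; no "user" group exists.
func samplePermissions() Permissions {
	return Permissions{
		"other":  {"notifications", "routes", "users"},
		"labels": {"create", "delete", "read_all", "read_one", "update"},
	}
}

// canDoAPIRoute models the two lookups visible in the log (assumed logic):
// first the full group name, then routeParts[0]. An unknown group is denied.
func canDoAPIRoute(p Permissions, path, action string) (bool, string) {
	parts := strings.Split(strings.Trim(strings.TrimPrefix(path, "/api/v1/"), "/"), "/")
	group := strings.Join(parts, "_") // e.g. user_export_request
	actions, ok := p[group]
	if !ok {
		if actions, ok = p[parts[0]]; !ok {
			return false, "missing group " + parts[0]
		}
	}
	for _, a := range actions {
		if a == action {
			return true, ""
		}
	}
	return false, "action not granted"
}

func main() {
	p := samplePermissions()
	// The action names passed here are assumptions for the illustration.
	for _, r := range [][2]string{
		{"/api/v1/labels", "read_all"},
		{"/api/v1/user/export/request", "create"},
	} {
		ok, why := canDoAPIRoute(p, r[0], r[1])
		fmt.Printf("%-30s %-9s allowed=%v %s\n", r[0], r[1], ok, why)
	}
}
```

The `users` entry under `other` does not help here: the lookup keys on the route group, and no `user` group is present in the token's map.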


Reference: github-starred/vikunja#348