github-starred/vikunja
2
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-05-05 19:18:16 -05:00
Code Issues 690 Packages Projects Releases 11 Wiki Activity

[GH-ISSUE #266] Various API routes return 401 error with valid token #6025

New Issue
Closed
opened 2026-04-20 16:33:17 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-04-20 16:33:17 -05:00
Owner
Copy Link

Originally created by @requ1Re on GitHub (May 18, 2024).
Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/266

Description

While testing the API, I found out that multiple routes return missing, malformed, expired or otherwise invalid token provided errors (status code 401) even if you use valid, full-permission API tokens. For example, getting a project background (using GET /api/v1/projects/{id}/background) does always yield me this error, even on the try.vikunja.io-instance and if the project has an user-uploaded background. Another route which does not work is /api/v1/routes, for example. I think there are even more than that.

There was a similar issue, but that has since been closed as completed: #105

Vikunja Version

v0.23.0

Browser and version

n/a

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

image
Originally created by @requ1Re on GitHub (May 18, 2024). Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/266 ### Description While testing the API, I found out that multiple routes return `missing, malformed, expired or otherwise invalid token provided` errors (status code 401) even if you use valid, full-permission API tokens. For example, getting a project background (using `GET /api/v1/projects/{id}/background`) does always yield me this error, even on the `try.vikunja.io`-instance and if the project has an user-uploaded background. Another route which does not work is `/api/v1/routes`, for example. I think there are even more than that. There was a similar issue, but that has since been closed as completed: #105 ### Vikunja Version v0.23.0 ### Browser and version n/a ### Can you reproduce the bug on the Vikunja demo site? Yes ### Screenshots <img width="1248" alt="image" src="https://github.com/go-vikunja/vikunja/assets/22103563/d12042a1-c0f2-4d73-9965-6167b8b0cdfc">
GiteaMirror commented 2026-04-20 16:33:19 -05:00
Author
Owner
Copy Link

@kolaente commented on GitHub (May 22, 2024):

/routes is not supposed to work, as there is no permission for it. The route is only really used for the form in the frontend when creating a token.

Should the project background be a separate permission or an existing one like project read?

<!-- gh-comment-id:2125667226 --> @kolaente commented on GitHub (May 22, 2024): `/routes` is not supposed to work, as there is no permission for it. The route is only really used for the form in the frontend when creating a token. Should the project background be a separate permission or an existing one like project read?
GiteaMirror commented 2026-04-20 16:33:20 -05:00
Author
Owner
Copy Link

@requ1Re commented on GitHub (May 23, 2024):

It should probably be part of the project read permission. I would've guessed API keys with "full permissions" (aka. all permission checkboxes checked) would have access to everything anyways.

I think there was another route (not /routes) which had the same error, I am not sure which it was though.

<!-- gh-comment-id:2127688778 --> @requ1Re commented on GitHub (May 23, 2024): It should probably be part of the project read permission. I would've guessed API keys with "full permissions" (aka. all permission checkboxes checked) would have access to everything anyways. I think there was another route (not `/routes`) which had the same error, I am not sure which it was though.
GiteaMirror commented 2026-04-20 16:33:21 -05:00
Author
Owner
Copy Link

@kolaente commented on GitHub (Jun 3, 2024):

Now fixed in 99a67e09b1. There are now new permissions for all routes, except user settings. Please check with the next unstable build (should be ready for deployment in ~45min, also on try).

<!-- gh-comment-id:2145975859 --> @kolaente commented on GitHub (Jun 3, 2024): Now fixed in https://github.com/go-vikunja/vikunja/commit/99a67e09b14f40ffddf7761da69275349a196541. There are now new permissions for all routes, except user settings. Please check with the next unstable build (should be ready for deployment in ~45min, also on [try](https://try.vikunja.io)).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
area/api
area/attachments
area/auth
area/avatars
area/backup-restore
area/caldav
area/calendar-view
area/comments
area/config
area/database
area/desktop
area/docker
area/email
area/favorites
area/filters
area/frontend
area/gantt
area/i18n
area/import-export
area/internal-code
area/kanban
area/labels
area/list-view
area/mobile
area/notifications
area/permissions
area/projects
area/pwa
area/recurring-tasks
area/reminders
area/search
area/shortcuts
area/subtasks
area/sync
area/table-view
area/task-editor
area/task-metadata
area/task-relations
area/teams
area/theming
area/time-tracking
area/typesense
area/views
area/webhooks
bug
changes requested
concern/accessibility
concern/performance
concern/regression
concern/ux
confirmed
db/mysql
dependencies
enhancement
good first issue
help wanted
integration/inbound
integration/outbound
kind/bug
kind/feature
needs reproduction
pull-request
Mirrored from GitHub Pull Request
 question
security
support
upstream issue
waiting for reply
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vikunja#6025
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?