API "/api/v1/me/" with JWT token but always reponse "message": "Not authorized"

[xavier-GitHub76]

Hello,
I try to use api endpoints but I have problem.
I succed to get JWT token with /api/v1/security/login

and I use it with another api endpoint like :

• /api/v1/me/
• /api/v1/me/roles/

These endpoints seem very simple to use (no parameters to define) but I have always the response :
{
"message": "Not authorized"
}

I don't see why it fails
Thanks for your help

[sebastianliebscher]

Hi @xavier-GitHub76, what version are you running? I can replicate this issue on latest master branch.

Steps to reproduce:

• checkout master
• hit the endpoint

curl --request GET \
  --url http://localhost:8088/api/v1/me/roles \
  --header 'Authorization: Bearer token' \
  --header 'X-CSRFToken: token'

• get 401 Unauthorized

[xavier-GitHub76]

Thanks for your test.
I use 3.0 version.

[siddhartha8916]

Make a request to http://localhost:8000/login with formdata as csrfToken and username and password. This will set a session in the browser which will then be used to call the /me api
The csrf token can be obtained from the login form

[xavier-GitHub76]

Hi, thanks a lot for your reply.
I don't understand why we must use http://localhost:8000/login whereas the endpoint api 'login' exists. I don't find documentation about using api superset (just the swagger which does not specify the logical order of the endpoints)

I try your example with postman but I have not the same result.

1. {{url}}/api/v1/security/login --> OK, I have an access_token (that I store in a variable)
2. {{url}}/api/v1/security/csrf_token/ --> OK, I have an csrf (that I store in a variable)
3. {{url}}/login

but I have the result :

On your screenshot, you have 10 parameters for the header, I have just 9.
Could you show me the detail of your header and the result of your execution ?

4. {{url}}/api/v1/me/ with access_token and csrf token
   

The result is always "Not authorized" 😞

[siddhartha8916]

Hit a GET request to /login endpoint. There you'll get the html document containing csrf_token as a hidden input field.
extract the csrf_token and save it in a variable.

Then make a POST request to /login endpoint with body as FormData containing the csrf_token, username, and password.
Then make a third request to /me route. (You need not to pass any extra Bearer Token or Header)

Hope this works...

[xavier-GitHub76]

hello,
first of all, thank you very much for your help. It is very pleasant. 👍
Unfortunately I fail. I don't understand the systematic use of the {{url}}/'login' web page although API endpoints exist:
{{url}}/api/v1/security/login
{{url}}/api/v1/security/csrf_token/

I nevertheless tried your scenario.

I made the GET request on {{url}}/'login' and I successfully retrieved the value of the hidden variable crsf_token.

I made the POST request on {{url}}/'login' with body as FormData containing the csrf_token, username, and password :

I make the request on {{url}}/api/v1/me/ (with no Auth) but I had "message": "Not authorized"

Best regards

[xavier-GitHub76]

ideally I was thinking of using 100% api endpoint

• {{url}}/api/v1/security/login
• {{url}}/api/v1/security/csrf_token/
• {{url}}/api/v1/me/

which would allow me to rely solely on APIs (/api/v1) and manipulate JSON results
Thanks for your help.

[peanut00]

Hello xavier-GitHub76,

Could you please advise on the interface you are using for API tests?

Thanks,

[xavier-GitHub76]

Hello @peanut00
I use Postman.

[peanut00]

Hello @peanut00 I use Postman.

Many Thanks for your help

[bryanjknight]

Adding some logging within superset/views/users/api.py seems to show that the global user is not getting set when the request comes in to CurrentUserRestApi. Interestingly, it seems the current user API is the only one that uses g.user based on a quick search

[rusackas]

@dosu-bot

[rusackas]

Are people still having issues here? It's not clear to me if this is still a bug, or if there's just general confusion about API use.

[xavier-GitHub76]

Hello @rusackas,
I can't find precise documentation on the API.

I have done a lot of research (Google, Github, Slack) on the subject but cannot easily use the API.
In particular, I read the following page:
https://superset.apache.org/docs/api/
The available functions are well listed but the use of the JWT is not detailed.
We know how to retrieve the value of the JWT token but for example it is not indicated that it must be passed in addition to the parameters specific to a function.
This explanation can be found on sites such as stackoverflow.

Unfortunately, sometimes providing a JWT token and a CSRF token is sufficient but this is not always the case (like this issue).

Providing a session cookie helps get around the problem but I don't understand why it is necessary when the technical identification elements are already provided.

By searching in /api/v1/_openapi
we can see the functions requiring the JWT token:
"security": [
{
"jwt":[]
}
],

Thanks for your help

[Vinayselukar21]

@xavier-GitHub76

Were you able to fetch current user info from "/api/v1/me" ??

[xavier-GitHub76]

@Vinayselukar21

I succed to see a result but by a means that does not seem correct to me.

The use of API functions should be based on the provision of a JWT token and a CSRF token, however if I execute /api/v1/me/ with these tokens, I systematically get the return:
{
"message": "Not authorized"
}

I manage to identify the user only by providing a cookie (retrieved after using the login page). This is not normal for me because the function returns a result without a JWT token

[xavier-GitHub76]

Result Not authorized with
JWT

and
CSRF

Result OK with just a cookie :

[Vinayselukar21]

@xavier-GitHub76 Thanks for the help.