
REST-API Calls always returning 302 redirect to login page #1169

Closed
Viras- opened this issue Oct 15, 2019 · 10 comments · Fixed by #1181
@Viras-

Viras- commented Oct 15, 2019

Describe the bug
All calls to the REST-API return a 302 status code with a redirect to the login page.

To Reproduce
Steps to reproduce the behavior:

  1. Fresh install of latest kimai
  2. Use the api.html demo to call the endpoint (e.g. /public/api/ping)
  3. See error

Logfile

General:
Request URL: https://XXXXXX/kimai2/public/api/ping
Request Method: GET
Status Code: 302 Found
Referrer Policy: no-referrer-when-downgrade

Response:
Cache-Control: max-age=0, must-revalidate, private
Connection: Keep-Alive
Content-Length: 460
Content-Type: application/json
Date: Tue, 15 Oct 2019 17:42:37 GMT
Keep-Alive: timeout=15, max=98
Location: https://XXXXXXX/kimai2/public/en/login
Server: Apache
X-Powered-By: PHP/7.3.9

Request:
Accept: */*
Sec-Fetch-Mode: cors
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1
X-AUTH-TOKEN: asdf1234
X-AUTH-USER: admin

I removed the URL information by intention. Log files are all empty and show no error.

@kevinpapst
Member

try using the official demo with susan_super / api_kitten

@Viras-
Author

Viras- commented Oct 15, 2019

The official demo works. So I guess it must be something with apache / htaccess setup (although I use the default ones without modification).

Anything I can check on my end? Maybe the issue is the "public" folder in my URL?

@kevinpapst
Member

I don't think it's the public folder (even though this is a bad idea, I hope you don't run it like that in production).
Are you sure it's the correct API password? The login will only be shown if the user cannot be authenticated.

@Viras-
Author

Viras- commented Oct 17, 2019

No, of course it is just a dev setup for me - I want to update my app to support Kimai2 as well.

I tried it with your online version and I get a 402 error if the password is wrong; in my case I receive the 302 redirect error.

Any way I can turn on route debugging or something like that so I can see which route matches my request?

@kevinpapst
Member

Is there nothing in your var/log/dev.log?
If you run in dev mode, you can try to run the app via bin/console server:run, which will skip the public/ directory.

@pkaltenboeck
Contributor

pkaltenboeck commented Oct 22, 2019

I have exactly the same problem. All requests to the api using the header are redirected to the login page.

The headers and password are correct. The demo works with the same request configuration.

[2019-10-23 00:08:08] request.INFO: Matched route "ping". {"route":"ping","route_parameters":{"_route":"ping","_controller":"App\\API\\StatusController::pingAction","_format":"json"},"request_uri":"https://domain.tl/kimai/api/ping","method":"GET"} []
[2019-10-23 00:08:08] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2019-10-23 00:08:08] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-10-23 00:08:08] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-10-23 00:08:08] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-10-23 00:08:08] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /srv/www/web322/htdocs/kimai2/vendor/symfony/security-http/Firewall/AccessListener.php:72)"} []
[2019-10-23 00:08:08] security.DEBUG: Calling Authentication entry point. [] []
[2019-10-23 00:08:08] request.INFO: Matched route "fos_user_security_login". {"route":"fos_user_security_login","route_parameters":{"_route":"fos_user_security_login","_controller":"fos_user.security.controller:loginAction","_locale":"en"},"request_uri":"https://domain.tl/kimai/en/login","method":"GET"} []
[2019-10-23 00:08:08] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2019-10-23 00:08:08] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-10-23 00:08:08] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-10-23 00:08:08] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-10-23 00:08:08] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.name AS name_1, k0_.value AS value_2 FROM kimai2_configuration k0_ WHERE k0_.name LIKE ? ["theme.%"] []

Apache is configured with an alias /kimai/ pointing to the public directory; AllowOverride All is enabled.

@kevinpapst
Member

Thanks @pkaltenboeck the log was very helpful!
Can you please try to replace the following piece of code (the complete method) in the file src/Security/TokenAuthenticator.php:

with this:

    public function supports(Request $request)
    {
        // the API documentation pages are never handled by the token authenticator
        if (strpos($request->getRequestUri(), '/api/doc') !== false) {
            return false;
        }

        // match /api/ anywhere in the URI, so sub-path installs such as /kimai/api/ping are covered too
        if (strpos($request->getRequestUri(), '/api/') !== false) {
            // javascript requests can set a header to disable this authenticator and use the existing session
            return !$request->headers->has(self::HEADER_JAVASCRIPT);
        }

        return false;
    }

Background: the token authenticator only started working when the URI started with /api/.
Please let me know if that fixes your problem.

@kevinpapst kevinpapst added this to the 1.5 milestone Oct 23, 2019
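To make the fix above concrete, here is an added example that is not Kimai's own code: a Python port of the `supports()` decision, run over the sub-path URIs reported in this issue, together with a small scanner for the Symfony security log lines pkaltenboeck posted. Two things are assumptions: the pre-fix check is reconstructed as a plain prefix test from the maintainer's description ("started working when the URI started with /api/"), and `HEADER_JAVASCRIPT` is a placeholder because the real header name behind `TokenAuthenticator::HEADER_JAVASCRIPT` is not shown in the thread.

```python
"""Added example (not Kimai's code): port of TokenAuthenticator::supports() before and
after the fix, plus a scan of Symfony security log lines for API requests that the
guard authenticator declined (the symptom reported in this issue)."""
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def supports_prefix(request_uri: str) -> bool:
    """Assumed pre-fix behaviour: only URIs that *start* with /api/ are handled,
    so an install under /kimai/ never reaches the token authenticator."""
    return request_uri.startswith("/api/")


# Placeholder for the real TokenAuthenticator::HEADER_JAVASCRIPT constant (not in the thread).
HEADER_JAVASCRIPT = "X-Placeholder-Javascript"


def supports_substring(request_uri: str, headers: Dict[str, str]) -> bool:
    """Port of the patched supports(): /api/doc is never handled, any other URI that
    contains /api/ is handled unless the javascript header opts into session auth."""
    if "/api/doc" in request_uri:
        return False
    if "/api/" in request_uri:
        return HEADER_JAVASCRIPT not in headers
    return False


# Monolog line layout used by Symfony: "[timestamp] channel.LEVEL: message {context} [extra]"
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<channel>\w+)\.(?P<level>\w+): "
    r"(?P<message>.*?) (?P<context>\{.*\}|\[.*?\]) (?P<extra>\[.*\])$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; the JSON context is decoded when present."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw = m.group("context")
    context = json.loads(raw) if raw.startswith("{") else {}
    return {"ts": m.group("ts"), "channel": m.group("channel"),
            "level": m.group("level"), "message": m.group("message"),
            "context": context}


def declined_api_requests(lines: List[str]) -> List[str]:
    """Return request URIs where an /api/ route was matched but the guard
    authenticator then reported that it does not support the request."""
    current_uri = None
    hits: List[str] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["channel"] == "request" and rec["message"].startswith("Matched route"):
            current_uri = rec["context"].get("request_uri")
        elif rec["message"].startswith("Guard authenticator does not support"):
            if current_uri and "/api/" in urlsplit(current_uri).path:
                hits.append(current_uri)
            current_uri = None
    return hits


# Log lines copied from pkaltenboeck's comment above (a subset, unchanged).
SAMPLE_LOG = [
    r'[2019-10-23 00:08:08] request.INFO: Matched route "ping". {"route":"ping","route_parameters":{"_route":"ping","_controller":"App\\API\\StatusController::pingAction","_format":"json"},"request_uri":"https://domain.tl/kimai/api/ping","method":"GET"} []',
    r'[2019-10-23 00:08:08] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []',
    r'[2019-10-23 00:08:08] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []',
    r'[2019-10-23 00:08:08] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /srv/www/web322/htdocs/kimai2/vendor/symfony/security-http/Firewall/AccessListener.php:72)"} []',
    r'[2019-10-23 00:08:08] request.INFO: Matched route "fos_user_security_login". {"route":"fos_user_security_login","route_parameters":{"_route":"fos_user_security_login","_controller":"fos_user.security.controller:loginAction","_locale":"en"},"request_uri":"https://domain.tl/kimai/en/login","method":"GET"} []',
    r'[2019-10-23 00:08:08] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []',
]


if __name__ == "__main__":
    for uri in ("/api/ping", "/kimai/api/ping", "/kimai/api/doc"):
        print(f"{uri:18} prefix={supports_prefix(uri)!s:5} substring={supports_substring(uri, {})}")
    print("declined API requests:", declined_api_requests(SAMPLE_LOG))
```

The scanner keys on the same two messages visible in the posted log (`Matched route` followed by `Guard authenticator does not support the request`), so running it over `var/log/dev.log` of a sub-path install is a quick way to confirm whether the token authenticator is being skipped for API routes before touching any code.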
@pkaltenboeck
Contributor

No problem, with the proposed changes it works fine.
Thank you!

If only I had not been so lazy about creating my own (sub-)domain 😅.

@kevinpapst
Member

Merged to master, will be shipped with 1.5.

@lock

lock bot commented Dec 23, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. If you use Kimai on a daily basis, please consider donating to support further development of Kimai.

@lock lock bot locked and limited conversation to collaborators Dec 23, 2019