Open-AudIT
https://www.open-audit.org/phpBB3/

[help] API authentication {"valid": false, "admin": false}
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6566
Page 1 of 1

Author:  steven.cherry [ Thu Nov 24, 2016 2:42 am ]
Post subject:  [help] API authentication {"valid": false, "admin": false}

Hi All, when attempting to retrieve a valid auth token, regardless of the credentials I always get {"valid": false, "admin": false} as a response. See the detailed commands below.

curl -L -v -u open-audit_enterprise -H "Content-Type: applicatil+json" -c ./cookiefile -XGET "http://localhost/open-audit/index.php/login/login_auth"
Enter host password for user 'open-audit_enterprise':
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'open-audit_enterprise'
> GET /open-audit/index.php/login/login_auth HTTP/1.1
> Authorization: Basic b3Blbi1hdWRpdF9lbnRlcnByaXNlOnMwMHBBS2lYOg==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
> Content-Type: applicatil+json
>
< HTTP/1.1 200 OK
< Date: Wed, 23 Nov 2016 16:32:38 GMT
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.3.3
* Added cookie PHPSESSID="carogn77idh05pv2n705odnmb1" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=carogn77idh05pv2n705odnmb1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Content-Length: 32
< Connection: close
< Content-Type: application/json
<
* Closing connection #0
{"valid": false, "admin": false}

Despite being issued a cookie, when I try to use it, it rejects any API query I may choose to issue.

Open Audit version 1.12.8.1

Author:  jpa [ Thu Nov 24, 2016 8:14 am ]
Post subject:  Re: [help] API authentication {"valid": false, "admin": false}

Login code in controllers\login.php looks to URI segments 3 and 4 for username and password, or to POST variables username and password. So try "http://localhost/open-audit/index.php/login/login_auth/specify_username/specify_password"

It does look like the response is not correct for a properly authenticated LDAP login for a non-admin user. Seems like line 386

echo '{"valid": false, "admin": false}';

should be

echo '{"valid": true, "admin": false}';

And the response header should be 200, not 403.
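As an added illustration (not code from this thread or from Open-AudIT itself) of logging in the way jpa describes, sending the credentials as POST fields rather than URI segments so the password stays out of web-server and proxy access logs, and of judging the result by the JSON "valid" flag rather than the HTTP status, since the thread shows 200 + valid:false for a rejected login and 403 + valid:false for the buggy non-admin LDAP case. The base URL and credentials are constructed placeholders; the login path is the one from the thread.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Login endpoint path as used in the thread (the host is a placeholder).
LOGIN_PATH = "/open-audit/index.php/login/login_auth"


def build_login_request(base_url, username, password):
    """Build the login request with username/password as POST form fields.

    login.php also accepts /login_auth/<user>/<password> URI segments, but that
    form writes the password into access logs, so the POST form is preferred.
    """
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def interpret_login(status, body):
    """Return (outcome, is_admin, status_consistent) for a login_auth reply.

    outcome is keyed on the JSON 'valid' flag; status_consistent records whether
    the HTTP status agrees with it (200 for valid, 401/403 for rejected), which
    is useful when diagnosing servers that mix the two as in this thread.
    """
    try:
        flags = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return ("malformed", False, False)
    valid = bool(flags.get("valid", False))
    admin = bool(flags.get("admin", False))
    consistent = (valid and status == 200) or (not valid and status in (401, 403))
    return ("ok" if valid else "rejected", admin, consistent)


def login(base_url, username, password):
    """Perform the login; the returned CookieJar carries PHPSESSID for later API calls."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(build_login_request(base_url, username, password)) as resp:
        outcome, admin, consistent = interpret_login(resp.status, resp.read().decode())
    return outcome, admin, consistent, jar
```

Reuse the same opener (and thus the jar) for the follow-up API queries; a fresh urllib call without the jar would drop the PHPSESSID cookie and be rejected.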

All times are UTC + 10 hours