Authentication error

Hi all!

I’m trying to create a resource via API and I’m having a problem with the authentication for the POST operation.

I’m using the 3.8.1-1-ce version of Passbolt and the http client I’m currently using is curl.

Following the instructions at Passbolt Help | Authentication in passbolt, I successfully execute the login (getting a 200 response with the header X-GPGAuth-Authenticated = true and a perefct body response)

Then, I perform a call to “/users/me.json” (a call to “/” results the same) in order to retrieve de csrfToken. So far so good.

Then, I try a POST call to “/resources.json” in order to create a new resource, including the csrfToken both in the header and as a cookie, as well as the passbolt_session as another cookie. With this operation, I’m getting a 401 error “Authentication is required to continue”.

I’ve created a new resource for the same user using the web portal and it works ok.

Any GET operation I’ve tried with the API executes successfully. I can retrieve the user profile (GET /users/me.json), the resources associated to the user (GET /resources.json) and also the groups realated to the user (GET /groups.json). But I can´t perform any other operation, for example, I couldn’t delete (DELETE /resources/{resourceId}.json) the resource that I created via web portal. I’m always getting a 401 error.

An example of the latter call:

+ curl -L -s -X DELETE 'https://myserver/resources/3e2d6c4a-678e-402f-8726-e46be844d7f5.json' -b 'passbolt_session=leftrr1d82igo8v108qushuse6' -b 'csrfToken=5f56f5ffc26dfb73ec5f70ebf6f4d30bb5a3503556a9c3c0b421461cc542ea47dd3560c2323138c63e7bac264ba56db6308079fafdea77cbc9d8b468ba5ab387' -H 'X-CSRF-Token: 5f56f5ffc26dfb73ec5f70ebf6f4d30bb5a3503556a9c3c0b421461cc542ea47dd3560c2323138c63e7bac264ba56db6308079fafdea77cbc9d8b468ba5ab387'

HTTP/1.1 401 Unauthorized

Server: nginx

Date: Thu, 13 Jul 2023 08:26:49 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=5

Set-Cookie: passbolt_session=hgiioju8to9gket4jbh8d84138; path=/; secure; HttpOnly; SameSite=Lax

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

strict-transport-security: max-age=31536000; includeSubDomains

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';frame-src 'self';

{"header":{"id":"190bd2ad-0fcd-43f3-8da7-6224710685a8","status":"error","servertime":1689236809,"action":"bf1a9a51-eb99-51b3-b15a-fe21a235585c","message":"Authentication is required to continue","url":"\/resources\/3e2d6c4a-678e-402f-8726-e46be844d7f5.json","code":401},"body":""}

Any help will be appreciated.


The API authentication can be a bit tricky to get down. Glad you are using curl though since that is usually what I use here as well. Here is a create example that works for me:

curl -X 'POST' \
  'https://www.passbolt.local/resources.json?api-version=v2' \
  -H 'X-CSRF-Token: bf5b110e92d1b24a5e8806ca86c062aca24bb47eac1d5a3893cec3386335812651dd7a73829377b72087769f3e71a9f75b6bd9ec7c2b62693af68b6e82f41147' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --cookie "csrfToken=bf5b110e92d1b24a5e8806ca86c062aca24bb47eac1d5a3893cec3386335812651dd7a73829377b72087769f3e71a9f75b6bd9ec7c2b62693af68b6e82f41147; passbolt_session=1e4k5bq2onqqp717e36aiu8na3" \
  -k \
  -v \
  -d '{"name": "api_test","secrets": [{"data": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5+mCcukxkRWAQwAken5K6h4VC7cXfq0MNZ2vp0m4k8+Hl8ztIpcaAFd6Um/\nfOWCjy0EW6qRMuz+USRDmwfFsTk7pxCkQFMbqAt1Y895BxM2uMYmoBdCHYClvK2/\nzN1nmqoPYlMnGpbX6kZTH0Tq0fsY26ovUFxBaaz/DgKdqp2X4DCKTAonwL8/HDIv\nHRXPlYxevUzqHFF6e8g5gcBpocrrpBTWKmIPIpqrH46AoDEP3uB+BeDHAKynz1lo\nA1TafiLk9B2g+IX15wJH0SE0/TKsmaCO2bl0emT4jdfPg26TzKFcKoVuSBFNuUeF\ngeLMwc+63q8GkECZ7+J/wTzgPzvT/9z0hDJ8kOB8GarctOijZ5JUSmrNUtIoxP7X\nKMWSScMVGdcFxVnJHMkko9L0gaYbW0jYa1guWm6oMLJ6+8X4DabLsCx2c4jhrfKZ\nuKOnMA/g0+r0yJLu2g46y0Pd2Ty0cu6rZUU0a8F7dk/PIwixo/JLrDBsHryKM0Eu\nYx73XTO28+QCAN8oC3kM0kEB3LoQyax1vp17O8Mt+mJAHW8ZBCJkNLkPSNqOC7+x\nig0dSXag8QQBSGf2as9s9T48Q1OXczRCAXYvlH5esRtwUA==\n=Q9hb\n-----END PGP MESSAGE-----\n"}]}'

Could you try with that format and see if it works for you?

The other place that can trip people up is the passbolt_session vs PHPSESSID but I am guessing you have that correct since you got the csrf token already

1 Like

Thanks a lot @clayton!

I was setting the cookies twice, that was my problem.