Hello, we are inquiring because there was a problem using API on Passbolt.
We confirmed that the site access and function are performed normally after installing passbolt in the self-hosting method.
We want to create users through the API.
Thus, we succeeded in logging in through JavaScript (passbolt-cli) as described in the API documentation, but there was no command to create users in passbolt-cli. The following is the result of executing “passbolt users” (1 user).
FIRST-NAME: *****
LAST-NAME: *****
USERNAME: *******@*****.com
FINGERPRINT: 9754B5F3D3804D131F0D97B154FE4C5B1F0F6778
UUID: cdb63628-b9b6-4344-bb59-29b19da83f3b
We looked at the Users-Create tab of the documentation and executed a POST with the new user information, but an error message such as “Missing or incorrect CSRF cookie type” was printed.
curl -d '{ "username": "**********", "profile": { "first_name": "**********", "last_name": "**********" } }' -H "Content-Type: application/json" -X POST -k "https://our-passbolt-dns/users.json"
{"header": ..., "message":"Missing or incorrect CSRF cookie type", ...}
So we executed a GET request to /users/me.json to get the CSRF token cookie, as shown in the documentation, but the error message “Authentication is required to continue” was printed.
curl -X GET -k "https://our-passbolt-dns/users.json"
{"header": ..., "message":"Authentication is required to continue", ...}
We thought that login was necessary in a different way (not with passbolt-cli) to create users through the API.
In the documentation, the verify step was optional, so we performed the login step, and an error message showing that authentication failed was printed. The POST command we executed through curl is as follows.
curl -d "'data' => ['gpg_auth' => ['keyid' => '9754B5F3D3804D131F0D97B154FE4C5B1F0F6778']]" -H 'Content-Type: text/html' -X POST -k "https://our-passbolt-dns/auth/login.json"
{"header": ..., "message":"There is no user associated with this key. No key id set.", ...}
It seemed that the verify step was necessary, but it was difficult to understand the method of creating a token in step 1 of the verify step.
When the gpg --fingerprint command is executed, both the public fingerprint and the admin user's fingerprint are printed. When gpg --version is run, it appears as follows.
gpg --fingerprint
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2022-07-19 [SC]
5F4E 4011 608B CA84 F2B5 390D 0FBD C89D 5DC2 9C36
uid [ultimate] ********** <*****@*****.com>
sub rsa2048 2022-07-19 [E]
pub rsa3072 2022-07-19 [SC]
9754 B5F3 D380 4D13 1F0D 97B1 54FE 4C5B 1F0F 6778
uid [ultimate] ********** <*****@*****.com>
sub rsa3072 2022-07-19 [E]
gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
In this case, which version should be included in the token, 2.2.19 or 1.3.0 in the documentation?
Also, the UUID of the admin user is “cdb63628-b9b6-4344-bb59-29b19da83f3b” as mentioned above.
Therefore, we generated the token with the UUID and included it in the POST command as follows, but it did not work normally.
curl -d "'data' => [ 'gpg_auth' => [ 'keyid' => '9754B5F3D3804D131F0D97B154FE4C5B1F0F6778', 'server_verify_token' => 'gpgauthv1.3.0|36|cdb63628-b9b6-4344-bb59-29b19da83f3b|gpgauthv1.3.0'] ]" -H "Content-Type: text/html" -X POST -k "https://our-passbolt-dns/auth/verify.json"
{"header": ..., "message":"There is no user associated with this key. No key id set.", ...}
We are inquiring because we think we have misunderstood something.
Additionally, if we want to use the User Create API, is it correct to perform both verify and login steps?
If we need to perform the verify step, please explain it in detail.
For example, we would like to ask how to create the token (whether it is created as a single file), whether there are additional files to be created, whether it is right to execute the curl command as above, etc.
Thank you for reading the long question.
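The post above walks through the verify, login and CSRF steps one curl command at a time. The example below is an added, self-contained walk-through of the whole GPGAuth v1.3.0 sequence in Python; it is not Passbolt's or passbolt-cli's code. It takes the token format ("gpgauthv1.3.0|36|<uuid>|gpgauthv1.3.0"), the fingerprint, the admin UUID and the error strings from the post itself, and treats the "1.3.0" in that format as the GPGAuth protocol version rather than the GnuPG version. The form-field names (data[gpg_auth][keyid], data[gpg_auth][server_verify_token], data[gpg_auth][user_token_result]), the response headers (X-GPGAuth-Verify-Response, X-GPGAuth-User-Auth-Token, X-GPGAuth-Authenticated), the cookie names and the X-CSRF-Token request header are assumptions taken from the Passbolt API documentation as the author of this example understands it and should be checked against the documentation for the deployed server version. OpenPGP encryption is replaced by a reversible "ENC:" stand-in and the server by an in-memory fake (both constructed for the demo), so the exchange runs offline and shows why a request that skips a step is rejected with the CSRF or authentication error quoted in the post.

```python
# Added example (not Passbolt's code): GPGAuth v1.3.0 verify -> login (2 stages) -> CSRF -> POST /users.json,
# run offline against an in-memory fake server. Field/header names are assumptions (see lead-in).
import json
import re
import uuid
from urllib.parse import parse_qs, quote, unquote, urlencode

VERSION = "gpgauthv1.3.0"  # protocol version carried in the token, not the gpg binary version
TOKEN_RE = re.compile(r"^gpgauthv1\.3\.0\|36\|([0-9a-f-]{36})\|gpgauthv1\.3\.0$")


def make_token(user_uuid: str) -> str:
    """Token/nonce in the format quoted in the post; '36' is the length of the UUID that follows."""
    uuid.UUID(user_uuid)  # raises ValueError if the string is not a UUID
    return f"{VERSION}|36|{user_uuid}|{VERSION}"


def parse_token(token: str) -> str:
    """Validate a token received from the server and return the UUID inside it."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError(f"malformed gpgauth token: {token!r}")
    return m.group(1)


def gpg_auth_body(fingerprint: str, **fields: str) -> str:
    """x-www-form-urlencoded body with CakePHP bracket names (data[gpg_auth][keyid]=...);
    a PHP array literal sent as the body is just an opaque string to the server."""
    params = {"data[gpg_auth][keyid]": fingerprint}
    params.update({f"data[gpg_auth][{k}]": v for k, v in fields.items()})
    return urlencode(params)


def fake_encrypt(plaintext: str) -> str:  # constructed stand-in for gpg --encrypt
    return "ENC:" + plaintext


def fake_decrypt(blob: str) -> str:  # constructed stand-in for gpg --decrypt
    if not blob.startswith("ENC:"):
        raise ValueError("blob was not encrypted for this key")
    return blob[4:]


class FakeServer:
    """Constructed server side of the exchange; the error strings are the ones quoted in the post."""

    def __init__(self, fingerprint: str, user_uuid: str):
        self.fp, self.uid, self.nonce, self.session, self.csrf, self.users = fingerprint, user_uuid, None, None, None, []

    def request(self, method, path, headers, body=""):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if c)
        if path in ("/auth/verify.json", "/auth/login.json"):
            if form.get("data[gpg_auth][keyid]") != self.fp:  # body not parsable as a form => no keyid
                return 401, {}, "There is no user associated with this key. No key id set."
            if path == "/auth/verify.json":  # prove the server holds its private key
                return 200, {"X-GPGAuth-Verify-Response": fake_decrypt(form["data[gpg_auth][server_verify_token]"])}, ""
            if "data[gpg_auth][user_token_result]" not in form:  # stage 1: issue an encrypted challenge
                self.nonce = make_token(str(uuid.uuid4()))
                return 200, {"X-GPGAuth-Authenticated": "false",
                             "X-GPGAuth-User-Auth-Token": quote(fake_encrypt(self.nonce), safe="")}, ""
            if form["data[gpg_auth][user_token_result]"] != self.nonce:  # stage 2: check the decrypted nonce
                return 401, {"X-GPGAuth-Authenticated": "false"}, "authentication failed"
            self.session, self.nonce = str(uuid.uuid4()), None
            return 200, {"X-GPGAuth-Authenticated": "true", "Set-Cookie": [f"passbolt_session={self.session}"]}, ""
        if method == "POST" and (self.csrf is None or headers.get("X-CSRF-Token") != self.csrf):
            return 403, {}, "Missing or incorrect CSRF cookie type"  # CSRF check runs before the auth check
        if self.session is None or cookies.get("passbolt_session") != self.session:
            return 403, {}, "Authentication is required to continue"
        if path == "/users/me.json":
            self.csrf = str(uuid.uuid4())
            return 200, {"Set-Cookie": [f"csrfToken={self.csrf}"]}, json.dumps({"id": self.uid})
        if path == "/users.json" and method == "POST":
            self.users.append(json.loads(body))
            return 200, {}, json.dumps({"id": str(uuid.uuid4())})
        return 404, {}, "not found"


class GpgAuthClient:
    def __init__(self, transport, fingerprint, encrypt_for_server=fake_encrypt, decrypt_with_user_key=fake_decrypt):
        self.transport, self.fp, self.enc, self.dec, self.cookies = transport, fingerprint, encrypt_for_server, decrypt_with_user_key, {}

    def _req(self, method, path, body=None, extra=None):
        headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        if body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers.update(extra or {})
        status, rh, rbody = self.transport(method, path, headers, body or "")
        for sc in rh.get("Set-Cookie", []):  # keep passbolt_session / csrfToken like a browser would
            k, v = sc.split("=", 1)
            self.cookies[k] = v
        return status, rh, rbody

    def verify(self, user_uuid: str) -> bool:
        """Optional step: the server must hand our token back decrypted, proving it holds the server key."""
        token = make_token(user_uuid)
        status, rh, _ = self._req("POST", "/auth/verify.json", gpg_auth_body(self.fp, server_verify_token=self.enc(token)))
        return status == 200 and rh.get("X-GPGAuth-Verify-Response") == token

    def login(self) -> str:
        """Stage 1 fetches the encrypted nonce, stage 2 returns it decrypted; then fetch the CSRF cookie."""
        _, rh, _ = self._req("POST", "/auth/login.json", gpg_auth_body(self.fp))
        nonce = self.dec(unquote(rh["X-GPGAuth-User-Auth-Token"]))  # only the user's private key can read this
        parse_token(nonce)  # never echo back anything that is not a well-formed gpgauth token
        _, rh, body = self._req("POST", "/auth/login.json", gpg_auth_body(self.fp, user_token_result=nonce))
        if rh.get("X-GPGAuth-Authenticated") != "true":
            raise RuntimeError(f"login failed: {body}")
        self._req("GET", "/users/me.json")  # authenticated now; this response sets the csrfToken cookie
        return self.cookies["csrfToken"]

    def create_user(self, username: str, first_name: str, last_name: str) -> int:
        payload = json.dumps({"username": username, "profile": {"first_name": first_name, "last_name": last_name}})
        status, _, _ = self._req("POST", "/users.json", payload,
                                 {"Content-Type": "application/json", "X-CSRF-Token": self.cookies.get("csrfToken", "")})
        return status


def demo() -> int:
    """Full sequence with the fingerprint and UUID from the post; returns the status of POST /users.json."""
    fp, admin_uuid = "9754B5F3D3804D131F0D97B154FE4C5B1F0F6778", "cdb63628-b9b6-4344-bb59-29b19da83f3b"
    client = GpgAuthClient(FakeServer(fp, admin_uuid).request, fp)
    if not client.verify(admin_uuid):
        raise RuntimeError("server verification failed")
    client.login()
    return client.create_user("new.user@example.com", "New", "User")  # constructed sample user
```

Against a real server the `transport` argument would be a thin wrapper around an HTTP client and the two crypto callables would call gpg with the server's public key and the user's private key; the client logic itself does not change. The fake server deliberately reproduces the ordering seen in the post: a POST without a matching X-CSRF-Token is rejected with the CSRF message before authentication is even considered, and a request without the session cookie gets "Authentication is required to continue".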