How to create users using the API

Hello, we are inquiring because we ran into a problem using the API on Passbolt.

We confirmed that site access and the functions work normally after installing Passbolt using the self-hosting method.
We want to create users through the API.
We succeeded in logging in through the JavaScript CLI (passbolt-cli) referenced in the API documentation, but there was no command to create users in passbolt-cli. The following is the result of executing "passbolt users" (1 user).

FIRST-NAME: *****
LAST-NAME: *****
USERNAME: *******@*****.com
FINGERPRINT: 9754B5F3D3804D131F0D97B154FE4C5B1F0F6778
UUID: cdb63628-b9b6-4344-bb59-29b19da83f3b

We looked at the Users - Create tab of the documentation and executed a POST with the new user information, but an error message, "Missing or incorrect CSRF cookie type", was printed.

curl -d '{ "username": "**********", "profile": { "first_name": "**********", "last_name": "**********" } }' -H "Content-Type: application/json" -X POST -k "https://our-passbolt-dns/users.json"
{"header": ..., "message":"Missing or incorrect CSRF cookie type", ...}

So we executed a GET to /users/me.json to obtain the CSRF token cookie, as shown in the documentation, but the error message "Authentication is required to continue" was printed.

curl -X GET -k "https://our-passbolt-dns/users.json"
{"header": ..., "message":"Authentication is required to continue", ...}

We thought that logging in a different way (not with passbolt-cli) was necessary to create users through the API.
In the documentation the verify step is optional, so we performed the login step, and an error message saying that authentication failed was printed. The POST command we executed through curl is as follows.

curl -d "'data' => ['gpg_auth' => ['keyid' => '9754B5F3D3804D131F0D97B154FE4C5B1F0F6778']]" -H 'Content-Type: text/html' -X POST -k "https://our-passbolt-dns/auth/login.json"
{"header": ..., "message":"There is no user associated with this key. No key id set.", ...}

It seemed that the verify step was necessary, but it was difficult to understand how to create the token described in point 1 of the verify step.
When the gpg --fingerprint command is executed, both the public fingerprint and the admin user's fingerprint are printed. When gpg --version is executed, it appears as follows.

gpg --fingerprint
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2022-07-19 [SC]
      5F4E 4011 608B CA84 F2B5  390D 0FBD C89D 5DC2 9C36
uid           [ultimate] ********** <*****@*****.com>
sub   rsa2048 2022-07-19 [E]

pub   rsa3072 2022-07-19 [SC]
      9754 B5F3 D380 4D13 1F0D  97B1 54FE 4C5B 1F0F 6778
uid           [ultimate] ********** <*****@*****.com>
sub   rsa3072 2022-07-19 [E]
gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

In this case, which version should be included in the token: 2.2.19, or 1.3.0 as in the documentation?

Also, the UUID of the admin user is "cdb63628-b9b6-4344-bb59-29b19da83f3b", as mentioned above.
Therefore, we generated the token with that UUID and included it in the POST command as follows, but it did not work.

curl -d "'data' => [ 'gpg_auth' => [ 'keyid' => '9754B5F3D3804D131F0D97B154FE4C5B1F0F6778', 'server_verify_token' => 'gpgauthv1.3.0|36|cdb63628-b9b6-4344-bb59-29b19da83f3b|gpgauthv1.3.0'] ]" -H "Content-Type: text/html" -X POST -k "https://our-passbolt-dns/auth/verify.json"
{"header": ..., "message":"There is no user associated with this key. No key id set.", ...}

We are inquiring because we think we have misunderstood something.

Additionally, if we want to use the User Create API, is it correct to perform both the verify and login steps?
If we need to perform the verify step, please explain it in detail.
For example, we would like to know how to create the token (whether it is created as a single file), whether there are additional files to be created, whether it is right to execute the curl command as above, etc.

Thank you for reading the long question.

Hi @Juyeon, the server_verify_token must be encrypted with the server's public key before being returned.

Thank you for your reply.

I also read item 1 of the Verify Step in the Authentication section of the API Documentation. If the token I mentioned in the question (gpgauthv1.3.0|36|cdb63628-b9b6-4344-bb59-29b19da83f3b|gpgauthv1.3.0) was created correctly, including the version, I would like to ask how to encrypt this token with the broadcast public key. For example, which commands to execute, or other methods.
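Added example for the follow-up question above (editor's code, not Passbolt's and not the poster's): a Python 3 script, standard library plus the gpg 2.x binary via subprocess, that builds the verify token, encrypts it to the server's public key, and walks the GPGAuth verify and login stages through to the csrfToken cookie needed for POST /users.json. The version string inside the token is the GPGAuth protocol version (1.3.0), not the GnuPG version, and the "36" is the length of the UUID that follows. The form field names data[gpg_auth][...], the X-GPGAuth-* response headers, and the GET /auth/verify.json key endpoint are taken from Passbolt's GPGAuth protocol description and are assumptions as far as this thread is concerned; the base URL and fingerprints are placeholders to fill in.

```python
"""GPGAuth verify + login against a Passbolt server, with GnuPG via subprocess.

Assumptions (from the GPGAuth protocol description, not confirmed by this thread):
  - fields are form-encoded as data[gpg_auth][keyid],
    data[gpg_auth][server_verify_token], data[gpg_auth][user_token_result]
  - the server answers in headers X-GPGAuth-Verify-Response / X-GPGAuth-User-Auth-Token
  - GET /auth/verify.json publishes the server key as body.fingerprint / body.keydata
"""
import http.cookiejar
import json
import re
import subprocess
import urllib.parse
import urllib.request
import uuid

GPGAUTH_VERSION = "gpgauthv1.3.0"  # protocol version, NOT the gpg binary version (2.2.19)
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_verify_token(token_uuid=None):
    """gpgauthv1.3.0|36|<uuid>|gpgauthv1.3.0 ; the 36 is len(uuid), not a constant."""
    token_uuid = token_uuid or str(uuid.uuid4())
    return f"{GPGAUTH_VERSION}|{len(token_uuid)}|{token_uuid}|{GPGAUTH_VERSION}"


def parse_verify_token(token):
    """Return the embedded uuid of a well-formed token, else raise ValueError."""
    parts = token.split("|")
    if len(parts) != 4 or parts[0] != GPGAUTH_VERSION or parts[3] != GPGAUTH_VERSION:
        raise ValueError("bad GPGAuth version markers")
    if not parts[1].isdigit() or int(parts[1]) != len(parts[2]) or not UUID_RE.match(parts[2]):
        raise ValueError("length field or uuid malformed")
    return parts[2]


def gpgauth_form(**fields):
    """Form-encode fields as data[gpg_auth][<name>]=<value> (PHP-style array keys)."""
    return urllib.parse.urlencode({f"data[gpg_auth][{k}]": v for k, v in fields.items()}).encode()


def decode_auth_header(value):
    """Assumed header escaping: '\\+' stands for a space, the rest is URL-encoded."""
    return urllib.parse.unquote(value.replace("\\+", " "))


def gpg(args, stdin):
    """Run the gpg binary non-interactively and return stdout (raises on failure)."""
    return subprocess.run(["gpg", "--batch", "--yes", *args], input=stdin,
                          capture_output=True, text=True, check=True).stdout


def encrypt_for_server(token, server_fpr):
    # shell equivalent: printf '%s' "$TOKEN" | gpg --encrypt --armor --trust-model always -r "$SERVER_FPR"
    return gpg(["--encrypt", "--armor", "--trust-model", "always", "-r", server_fpr], token)


def decrypt_with_user_key(armored):
    # the user's private key must be in the keyring; passphrase comes via gpg-agent/pinentry
    return gpg(["--decrypt"], armored)


def gpgauth_login(base, user_fpr, server_fpr=None):
    """Verify the server, log in, fetch the CSRF cookie. Returns (opener, csrf_token)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def post(path, body):  # data= makes urllib send POST with x-www-form-urlencoded
        return opener.open(urllib.request.Request(base + path, data=body))

    if server_fpr is None:  # fetch and import the server's public key
        info = json.load(opener.open(base + "/auth/verify.json"))
        server_fpr = info["body"]["fingerprint"]
        gpg(["--import"], info["body"]["keydata"])
    # Stage 0 (verify): only the holder of the server's private key can echo our token.
    token = build_verify_token()
    resp = post("/auth/verify.json",
                gpgauth_form(keyid=user_fpr, server_verify_token=encrypt_for_server(token, server_fpr)))
    if resp.headers.get("X-GPGAuth-Verify-Response") != token:
        raise RuntimeError("server could not decrypt our token: wrong key or impostor")
    # Stage 1: the server returns a nonce encrypted to our public key.
    resp = post("/auth/login.json", gpgauth_form(keyid=user_fpr))
    nonce = decrypt_with_user_key(decode_auth_header(resp.headers["X-GPGAuth-User-Auth-Token"]))
    parse_verify_token(nonce)  # refuse malformed nonces before signing anything back
    # Stage 2: send the decrypted nonce back; the session cookie is set on success.
    post("/auth/login.json", gpgauth_form(keyid=user_fpr, user_token_result=nonce))
    # GET /users/me.json now succeeds and sets the csrfToken cookie for later POSTs.
    opener.open(base + "/users/me.json")
    csrf = next((c.value for c in jar if c.name == "csrfToken"), None)
    return opener, csrf


if __name__ == "__main__":
    opener, csrf = gpgauth_login("https://our-passbolt-dns", "9754B5F3D3804D131F0D97B154FE4C5B1F0F6778")
    print("csrfToken:", csrf)  # send it back as the X-CSRF-Token header on POST /users.json
```

Two points worth keeping in mind: the verify stage is what protects you against a man-in-the-middle presenting a different key (hence the `-k` in the thread's curl commands should go once the TLS certificate is fixed), and the server's nonce must be decrypted with the user's private key, so the client needs that key in its keyring, not just the admin's public fingerprint.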

Hi @Juyeon,

The CLI you tried is the one written in nodejs, and some features such as creating a user are not implemented yet :confused:

You should try this other CLI written in golang: GitHub - passbolt/go-passbolt-cli: A CLI tool to interact with Passbolt, an open source Password Manager for Teams

Once configured, it is straightforward to create a user (documentation link):

passbolt create user -f firstname -l lastname -u user@domain.tld
UserID: e7fb118f-e1a5-4c89-bfca-424852d53cfc

From my knowledge, it is not possible to get the registration token from the API, so you will have to fetch the user's email to get the full registration link.

If you are interested, I provided a bash script in this blog post about how to create a user, generate their GPG keys and enable them in passbolt.

Don’t hesitate if you have further questions.

Best,
