Questions about login process using API

When I POST auth/login with the correct user name and password it returns HTTP status 200 with the header ‘Set-Cookie: CAKEPHP=ephvljg3afl4bju5d6n7m59fpj; path=/; HttpOnly’ and not the expected csrfToken. To get the csrfToken I should call auth/checkSession, and this is not documented in the https://help.passbolt.com/tech/auth schema description.

I think that this is a bug and the Login POST should return CAKEPHP and csrfToken as a result.

Also it is not clear what to do when the token is near its expiration. What should the token renewal procedure be?


If I use the csrfToken from /auth/checkSession.json for further POST/PUT requests I get an error.
I combine the CSRF and CAKEPHP into one and put it inside CURLOPT_COOKIE (cURL).

CSRF token mismatch.

Any ideas why?

Hello @cola,

Did you see the “Working with CSRF token” section of the Passbolt API documentation?

To pass the CSRF token along with a PUT/POST/DELETE operation you can add it to your request header X-CSRF-Token.

@cedric thank you, yes I read the whole documentation. But it doesn't work. The token I get back from “/resources.json” (in the Set-Cookie header) is something like this:
csrfToken=11169680a72bfe1b24e99b886cf59650b60318f6110fee5424c75bd7c307b5530dd598f644fd66c369d11419aea95971edc9299e3f4f9ca6fd7db11ad26116b1; path=/
Now I try to do a PUT on a resource and send the extracted token in the X-CSRF-Token header and also the CAKEPHP cookie, but it always returns a mismatch.

Just to be sure, can you confirm the value you put in the X-CSRF-Token header?

@cedric
The value I put inside X-CSRF-Token header is
11169680a72bfe1b24e99b886cf59650b60318f6110fee5424c75bd7c307b5530dd598f644fd66c369d11419aea95971edc9299e3f4f9ca6fd7db11ad26116b1

@cedric we use the passbolt library https://github.com/passbolt/passbolt_api_php_example

Hello @cola,

I just added an example of create resource using the API.
Take a look at create_resource.php and the way it retrieves the cookie to associate with your curl request.

Hope it will help,
Best regards,
Cédric

@cedric nice, thank you for your help!

Two last questions:

  • If I update a secret I need to add all user IDs that have access to it (described here https://help.passbolt.com/api/resources/update). How does this work with the new folder feature? How can I know which users have access to the folders etc.?
  • From time to time I don’t have any access over PHP to gpg. If this is the case (no access means a problem decrypting!) I need to execute e.g. this: “gpg -u 25XXXX2F21796C4E175057FA84D995EA991XXXXX --pinentry-mode loopback --output test.sig --detach-sig test.file” on my terminal; it prompts me for the passphrase and after entering it PHP works fine. How can I do this permanently?

For the first question about the update of a resource’s secrets: folders don’t change the way the secrets of a resource are updated. When a resource is moved into a folder, the parent folder’s permissions are applied directly to the resource.

@cedric thank you for your help.
If I put a resource in a folder I get, on reading (permissions/resource/XYZ.json), all that have access to it. In my case also a group_id. If I update it, I must put all that have access to this secret, that means an array with all IDs and the signed secret. The question is now, how can I sign it for the group? Because the group doesn’t have a public key for signing? https://help.passbolt.com/api/secrets

It is described very unclearly if a resource has a user and a group (that have access). So we try first to read out the group (which users are in this group) and add all these users to the secret. But that also doesn’t work. It always returns: The secrets of all the users having access to the resource are required.

The question is now, how can I sign it for the group? Because the group doesn’t have a public key for signing?

The group has no key. So you need to encrypt with the public keys of all the users in the group (and sign with your private key).

The secrets of all the users having access to the resource are required.

The update resource endpoint works such that you need to send all the secrets for all users that have access to it. It is therefore possible you are sending not enough / too much data for this to work.

In practice you can get the list of people who have access to a resource using:

GET /users.json?api-version=2&filter[has-access]=<RESOURCE_UUID>

For example, for a resource shared with a group containing five users and having a direct permission for another user, you would see six users:

{
    "header": {
        "id": "dccbcaa5-ebb0-41e8-bcac-aef3191f738e",
        "status": "success",
        "servertime": 1592218148,
        "title": "app_users_index_success",
        "action": "d7bc9044-a64e-5421-a4d7-7a94eaa39d37",
        "message": "The operation was successful.",
        "url": "\/users.json?api-version=2\u0026filter%5Bhas-access%5D=06b9d1d2-cbc7-48eb-8011-8ccccb0a4b8c",
        "code": 200
    },
    "body": [
        {
            "id": "32d29702-85e2-539d-98ac-6abfa7aadf01",
            // etc.
        },
        {
            "id": "e7fa0375-61df-5dbc-9e42-e0d363bd0ecf",
            // etc.
        },
        {
            "id": "1e73e104-d53e-579d-a0c4-e9aeaca76c56",
            // etc.
        },
        {
            "id": "d57c10f5-639d-5160-9c81-8a0c6c4ec856",
            // etc.
        },
        {
            "id": "e1ebc592-b90d-5e22-9f40-50e52911673b",
            // etc.
        },
        {
            "id": "0da907bd-5c57-5acc-ba39-c6ebe091f613",
            // etc.
        }
    ]
}

Then send the data:

PUT /resources/06b9d1d2-cbc7-48eb-8011-8ccccb0a4b8c.json?api-version=2
{
  "id": "06b9d1d2-cbc7-48eb-8011-8ccccb0a4b8c",
  "name": "test",
  "username": "",
  "uri": "",
  "description": "",
  "secrets": [
    {
      "user_id": "32d29702-85e2-539d-98ac-6abfa7aadf01",
      "data": "-----BEGIN PGP MESSAGE-----"
    },
    {
      "user_id": "e7fa0375-61df-5dbc-9e42-e0d363bd0ecf",
      "data": "-----BEGIN PGP MESSAGE-----"
    },
    {
      "user_id": "1e73e104-d53e-579d-a0c4-e9aeaca76c56",
      "data": "-----BEGIN PGP MESSAGE-----"
    },
    {
      "user_id": "d57c10f5-639d-5160-9c81-8a0c6c4ec856",
      "data": "-----BEGIN PGP MESSAGE-----"
    },
    {
      "user_id": "e1ebc592-b90d-5e22-9f40-50e52911673b",
      "data": "-----BEGIN PGP MESSAGE-----"
    },
    {
      "user_id": "0da907bd-5c57-5acc-ba39-c6ebe091f613",
      "data": "-----BEGIN PGP MESSAGE-----"
    }
  ]
}

Also, @cola please create separate issues instead of putting multiple API questions into one, that way it’s easier to search / other people can see the solution.
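A worked version of the two steps described above (list who has access, then send exactly one secret per user), together with the X-CSRF-Token header from the earlier reply. This is example code added here, not part of the thread or of passbolt_api_php_example; the response body, the Set-Cookie values and the per-user PGP messages are constructed placeholders, and encrypting each secret to a user's public key happens outside this snippet.

```python
import json
import re
from typing import Dict, List

# Constructed sample of GET /users.json?api-version=2&filter[has-access]=<RESOURCE_UUID>,
# trimmed to three of the user ids shown in the thread.
HAS_ACCESS_RESPONSE = json.dumps({
    "header": {"status": "success", "code": 200},
    "body": [
        {"id": "32d29702-85e2-539d-98ac-6abfa7aadf01"},
        {"id": "e7fa0375-61df-5dbc-9e42-e0d363bd0ecf"},
        {"id": "1e73e104-d53e-579d-a0c4-e9aeaca76c56"},
    ],
})

# Constructed Set-Cookie headers from the login/session calls; values are placeholders.
SET_COOKIE_HEADERS = [
    "passbolt_session=SESSIONVALUE; path=/; HttpOnly",
    "csrfToken=CSRFVALUE; path=/",
]

def users_with_access(response_json: str) -> List[str]:
    """Return every user id the has-access filter reports for the resource."""
    payload = json.loads(response_json)
    if payload["header"]["status"] != "success":
        raise RuntimeError(payload["header"].get("message", "request failed"))
    return [user["id"] for user in payload["body"]]

def csrf_headers(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Build the Cookie and X-CSRF-Token headers needed for PUT/POST/DELETE."""
    cookies = dict(re.match(r"([^=]+)=([^;]*)", h).groups() for h in set_cookie_headers)
    return {
        "Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
        "X-CSRF-Token": cookies["csrfToken"],  # cookie value, sent back as a header
    }

def build_update_body(resource_id: str, name: str, encrypted: Dict[str, str],
                      access_ids: List[str]) -> dict:
    """Assemble the PUT body: one secret per user with access, no more, no less.
    `encrypted` maps user_id -> PGP message encrypted to that user's public key
    (and signed with the caller's private key); producing it is outside this snippet."""
    missing = set(access_ids) - set(encrypted)
    extra = set(encrypted) - set(access_ids)
    if missing or extra:
        raise ValueError(f"secrets missing for {sorted(missing)}, unexpected for {sorted(extra)}")
    return {
        "id": resource_id, "name": name, "username": "", "uri": "", "description": "",
        "secrets": [{"user_id": uid, "data": encrypted[uid]} for uid in access_ids],
    }
```

The ValueError is the client-side equivalent of the server's "The secrets of all the users having access to the resource are required" message, raised before the request is sent.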

@remy thank you! Now it is working… I think it would be good if you added this as an example to your PHP examples.

@remy with the latest version of passbolt, we get no cookie back. Can you check if it works on your environment?

@cola sorry I’m not understanding your issue, can you explain with some more details?

@cola in more recent versions of Passbolt the cookie is now called passbolt_session and not CAKEPHP, make sure you’re looking for the correct cookie.