
Access Token being checked even on endpoints not calling access_token_required!

Open jalexbrun opened this issue 8 years ago • 9 comments

I call access_token_required! in several of my api endpoints, but not in the UserLogin endpoints.

if I do the following


   mount Api::UserLogin
   mount Api::SomeOtherEndpoint

I get a 401 error when attempting to log in, even though access_token_required! is not being used in that file.

If I do the following instead


   include Grape::OAuth2.api

   mount Api::SomeOtherEndpoint

Then the user login controller is called without checking for an access token.

jalexbrun, Dec 07 '17 14:12

Same here. Authentication is processed regardless of whether access_token_required! is given or not.

Update: This is probably caused by the middleware that injects itself and calls the Bearer "authorization" method automatically. When that happens, Grape thinks you want authentication.

For the time being, the only workaround is using include in only specific endpoints. I hope we can get @nbulaj's attention here.

gencer, Dec 07 '17 19:12

@johnbrun09 @gencer thanks for reporting, I will check it ASAP.

nbulaj, Dec 11 '17 08:12

@johnbrun09 can you please provide the full code listing for the module where you are injecting include Grape::OAuth2.api? I can't guess whether you get a 401 error without the gem injection or with it.

nbulaj, Dec 18 '17 20:12

Since no reply was made, let me give you mine:

  require 'grape'
  require 'grape_oauth2'

  module V2
    class Base < Grape::API
      version 'v2', using: :path, vendor: 'test'
      format :json
      # prefix :api

      include Grape::OAuth2.api
      mount V2::Query
      # ... other mounts

    end
  end

  module V2
    class Query < Grape::API
      # all actions in this class require authentication, no matter whether you call access_token_required! or not.
    end
  end

gencer, Dec 19 '17 13:12

@gencer @johnbrun09 what am I doing wrong?

https://gist.github.com/nbulaj/ff3716d1043143c01b2237c4fa34517a

I've added two endpoints to a simple Grape API, one public and one protected (after injecting Grape::OAuth2), and tested it with rackup and curl.

nbulaj, Dec 22 '17 08:12

The gist you prepared is the same scheme I used. The only difference (not a wrong one) is how we used it.

For me, I use it with Rails 5. Maybe Rails has something to do with this, or some gem interferes?

Because I am positively sure that mounting API endpoints after oauth.api makes all mounts require authentication, but mounting them before it leaves them public.

Should I prepare a skeleton/sample project for you maybe?

gencer, Dec 22 '17 09:12
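Added illustration (not code from grape_oauth2 or from anyone in this thread): a stdlib-only, Rack-style model of the two behaviours this issue contrasts. `EnforcingAuth` rejects every request behind it without a valid token, which is what gencer reports for everything mounted after the include; `LazyAuth` only parses the header and leaves the decision to an endpoint-level `access_token_required!` call, which is what the reporters expected. The token store, the `/v2/login` and `/v2/query` paths and the helper bodies are constructed for the example; the helper name deliberately mirrors the gem's, but its body is not the gem's. Running the script prints the status each middleware produces for each request type.

```ruby
require 'json'

# Constructed token store standing in for the OAuth2 access-token table.
VALID_TOKENS = { 'good-token' => { user_id: 42, scopes: %w[read] } }.freeze

# Extract a bearer token from the Authorization header (RFC 6750 b64token
# syntax). Returns nil for an absent, non-Bearer or malformed header; never raises.
def bearer_token(env)
  header = env['HTTP_AUTHORIZATION'].to_s
  m = %r{\A\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*\z}.match(header)
  m && m[1]
end

def lookup_token(tok)
  tok && VALID_TOKENS[tok]
end

JSON_HEADERS = { 'content-type' => 'application/json' }.freeze

# Behaviour 1 (what the reporters observed): the middleware enforces the token
# on every request it sits in front of, so anything mounted behind it needs a
# token whether or not the endpoint asked for one. Public routes become 401s.
class EnforcingAuth
  def initialize(app)
    @app = app
  end

  def call(env)
    token = lookup_token(bearer_token(env))
    return [401, JSON_HEADERS, [{ error: 'invalid_token' }.to_json]] unless token

    env['oauth2.token'] = token
    @app.call(env)
  end
end

# Behaviour 2 (what the endpoints expect): the middleware only parses the header
# and stores the result; nothing is rejected until an endpoint opts in.
class LazyAuth
  def initialize(app)
    @app = app
  end

  def call(env)
    env['oauth2.token'] = lookup_token(bearer_token(env)) # nil when absent/invalid
    @app.call(env)
  end
end

class Unauthorized < StandardError; end

# Endpoint-level opt-in, modelled on the gem's helper name (body is ours).
def access_token_required!(env)
  raise Unauthorized unless env['oauth2.token']

  env['oauth2.token']
end

# Tiny app: one public endpoint (login) and one that calls the helper.
def app_call(env)
  case env['PATH_INFO']
  when '/v2/login'
    [200, JSON_HEADERS, [{ status: 'login form' }.to_json]]
  when '/v2/query'
    tok = access_token_required!(env)
    [200, JSON_HEADERS, [{ user_id: tok[:user_id] }.to_json]]
  else
    [404, JSON_HEADERS, ['{}']]
  end
rescue Unauthorized
  [401, JSON_HEADERS, [{ error: 'access token required' }.to_json]]
end

# Build a minimal Rack-like env (constructed, no rack gem) and return the status.
def request(stack, path, token: nil)
  env = { 'PATH_INFO' => path, 'REQUEST_METHOD' => 'GET' }
  env['HTTP_AUTHORIZATION'] = "Bearer #{token}" if token
  stack.call(env).first
end

# Status for each request kind under the given middleware class.
def status_matrix(middleware)
  stack = middleware.new(method(:app_call))
  {
    login_no_token: request(stack, '/v2/login'),
    query_no_token: request(stack, '/v2/query'),
    query_good: request(stack, '/v2/query', token: 'good-token'),
    query_bad: request(stack, '/v2/query', token: 'bad-token')
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "enforcing: #{status_matrix(EnforcingAuth)}"
  puts "lazy:      #{status_matrix(LazyAuth)}"
end
```

The useful property to keep from the thread is that the observed failure is fail-closed: with `EnforcingAuth` the login route is unreachable, but nothing protected is exposed. The reverse mistake, forgetting the include so that `access_token_required!` is never wired up, would be fail-open, which is why a status matrix like the one above belongs in the test suite of any API that mixes public and token-protected mounts.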

@gencer that would be great, because it's hard for me to find the concrete problem without knowing the whole environment.

nbulaj, Dec 22 '17 13:12

Hi @gencer . Any update here?

nbulaj, Jul 12 '18 19:07

@nbulaj, I completely forgot about this. I had switched to Doorkeeper at that time.

However, I just put together a sample on my end and it seems to pass my test. I can't remember exactly what my previous environment was like, the one that failed as this issue states 🤕.

gencer, Jul 13 '18 13:07