
API text on README doesn't explain authentication is needed

Open tejohnso opened this issue 2 years ago • 7 comments

Versions

  • Pi-hole: 5.15.3
  • AdminLTE: 5.18.3
  • FTL: 5.20.1

Platform

  • OS and version: Raspbian 10 buster
  • Platform: Raspberry Pi

Expected behavior

The API should work as documented in README.

With either no parameters or /admin/api.php?summary it returns the following JSON ...

Actual behavior / bug

Calling /admin/api.php as indicated in the readme page returns []

Steps to reproduce

Steps to reproduce the behavior:

curl http://localhost/admin/api.php

Additional context

I noticed there's an additional post about upcoming changes with additional authorization requirements, but there is no indication from the response that authorization is required. And when I include authorization (?summary&auth=[token]) I get the same [] result.

Also the additional info link from the readme leads to a page that reiterates no authorization is necessary for "summary (default if no parameters are given)".

The following api call works:

curl "http://localhost/admin/api.php?type&version"
{"type":"FTL","version":3}

tejohnso avatar Feb 05 '23 14:02 tejohnso

You need to add &token=<your_pihole_api_token> to every URL.

This behavior was changed last year.

It was announced in November (as you already noticed) and December Release Notes (under "Pi-hole Web changes").

rdwebdesign avatar Feb 05 '23 17:02 rdwebdesign

Just to make it clear: This is a documentation error.

The behavior you saw is the correct one. The issue is in the README text, not in the code.

rdwebdesign avatar Feb 05 '23 17:02 rdwebdesign

Agree there's a documentation problem.

But I think there's a code error as well. If auth is required, the response shouldn't be 200 OK with an empty json array in the body. That's misleading.

Also, from the announcement, the parameter to include is auth not token as you indicated. But regardless of which of those I use, I still get the empty json array as a response.

tejohnso avatar Feb 05 '23 18:02 tejohnso

Yeah... sorry. auth is the correct parameter.

But regardless of which of those I use, I still get the empty json array as a response.

Which URL are you using exactly?

rdwebdesign avatar Feb 05 '23 18:02 rdwebdesign

Sorry, I had a problem on my end with cURL. I'm able to get it working now.

So I'd say the only issue now is the documentation and the false 200 response.

tejohnso avatar Feb 05 '23 18:02 tejohnso

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.

github-actions[bot] avatar Mar 08 '23 08:03 github-actions[bot]

I second the request for a better error code than 200 when authentication is required but no token supplied. It wasn't apparent why I was getting an empty response with a 200 code. Receiving 401 (or 403 if the token was wrong) would have made it clear what was wrong.

domdfcoding avatar Aug 21 '23 21:08 domdfcoding
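
The status-code point raised in this thread, as an added example that is not part of the issue or of Pi-hole's code: a Python model of an endpoint that answers authentication failures with 200 and `[]`, next to one that answers 401/403, and what a client can conclude from each response. The token, summary payload, error bodies and function names are constructed for illustration.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed values for this example; not real Pi-hole data.
API_TOKEN = "example-token-0000"
SUMMARY = {"status": "enabled"}
PUBLIC_KEYS = {"type", "version"}  # the thread shows ?type&version answering without auth


def _check(query):
    """Return (params, 'ok' | 'missing' | 'wrong') for a raw query string."""
    params = parse_qs(query, keep_blank_values=True)
    supplied = params.get("auth", [""])[0]
    if not supplied:
        return params, "missing"
    # Constant-time comparison so the check does not leak token prefixes.
    ok = hmac.compare_digest(supplied.encode(), API_TOKEN.encode())
    return params, "ok" if ok else "wrong"


def respond(query, explicit_errors):
    """Model endpoint: explicit_errors=False mimics the reported 200 + '[]'."""
    params, state = _check(query)
    if params and set(params) <= PUBLIC_KEYS:
        return 200, json.dumps({"type": "FTL", "version": 3})
    if state == "ok":
        return 200, json.dumps(SUMMARY)
    if not explicit_errors:
        return 200, "[]"  # behaviour described in the issue
    if state == "missing":
        return 401, json.dumps({"error": "authentication required"})
    return 403, json.dumps({"error": "invalid token"})


def client_diagnosis(status, body):
    """What a caller can conclude from the response alone."""
    if status in (401, 403):
        return "auth-failure"
    if status == 200 and json.loads(body) == []:
        return "ambiguous"  # empty data or rejected token: cannot tell which
    return "ok"
```
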