Subscription API Routes Broken #28756

Closed
kdumontnu opened this issue Jan 11, 2024 · 9 comments · Fixed by #28765
Comments

@kdumontnu (Contributor)

Description

We're trying to write a script to unsubscribe (unwatch) users from all repos, but running into some issues. It looks like these API routes are broken in a couple of ways.

  • First, I created a token with read + write access to all repos (non-admin user)

Then, using that token on a repo I own:

curl -X 'GET' \
  'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: ---'

returns a 500 error

Next, when I try "PUT" or "DELETE", I get a 401 error. "token is required". I should have access to this repo and I've provided all of the token routes.

Gitea Version

1.22-dev

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

try.gitea.io

Database

None

@jackHay22 (Contributor) commented Jan 11, 2024

It looks like the GET endpoint doesn't currently require a token. I don't think that explains the 500 but I'll look into it. @kdumontnu For the PUT and DELETE endpoints the issue may be the formatting of your API token. The token value must be prefixed with `token` in the header:

curl -X 'GET' \
  'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token ---'

Edit: requiring a token for the GET endpoint fixes the issue (by populating ctx.Doer).

@kdumontnu (Contributor, Author)

> It looks like the GET endpoint doesn't currently require a token. I don't think that explains the 500 but I'll look into it. @kdumontnu For the PUT and DELETE endpoints the issue may be the formatting of your API token. The token value must be prefixed with `token` in the header:
>
> curl -X 'GET' \
>   'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
>   -H 'accept: application/json' \
>   -H 'Authorization: token ---'
>
> Edit: requiring a token for the GET endpoint fixes the issue (by populating ctx.Doer).

I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.

@jackHay22 (Contributor)

> I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.

Unfortunately, it's a manual step in Swagger:

[Screenshot: Swagger UI, 2024-01-11 2:34:40 PM]

@kdumontnu (Contributor, Author)

> > I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.
>
> Unfortunately, it's a manual step in Swagger:
>
> [Screenshot: Swagger UI, 2024-01-11 2:34:40 PM]

Gross - good catch.

@kdumontnu (Contributor, Author)

So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that I have access to, but I don't own, I get a 404.

The problem, as I see it, is that this route is a repo route when it should be a user route.

  • For instance, can a repo owner "unwatch" people from their repos?

lafriks pushed a commit that referenced this issue Jan 12, 2024

Fixes #28756

## Changes
- Require and check API token for `GET /repos/{owner}/{repo}/subscription` in order to populate `ctx.Doer`.
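The shape of that fix, as an added Go example written for this page rather than Gitea's own code: a request for which no doer can be resolved is rejected with 401 before the handler touches any doer-dependent state, instead of running with an unpopulated doer (the path that showed up here as a 500). `resolveDoer`, `subscriptionHandler`, `GetSubscription` and the `tokens`/`watchers` maps are constructed stand-ins for `ctx.Doer`, Gitea's token middleware and its watch table; the only real behaviour reproduced is the `Authorization: token <value>` header form discussed in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-ins for Gitea's token and watch tables; not Gitea code.
var tokens = map[string]string{"tok-alice": "alice"}
var watchers = map[string]bool{"alice": true}
// resolveDoer plays the role of populating ctx.Doer: it accepts only the
// "Authorization: token <value>" form and returns "" when unauthenticated.
func resolveDoer(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "token ") {
		return ""
	}
	return tokens[strings.TrimPrefix(h, "token ")]
}

// subscriptionHandler follows the shape of the fix: reject a doer-less request
// with 401 up front instead of reaching code that assumes a doer exists.
func subscriptionHandler(w http.ResponseWriter, r *http.Request) {
	doer := resolveDoer(r)
	if doer == "" {
		http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
		return
	}
	json.NewEncoder(w).Encode(map[string]bool{"subscribed": watchers[doer]})
}

// GetSubscription drives the handler in-process; returns status and "subscribed".
func GetSubscription(authHeader string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/repos/o/r/subscription", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	subscriptionHandler(rec, req)
	var body struct{ Subscribed bool }
	json.NewDecoder(rec.Body).Decode(&body)
	return rec.Code, body.Subscribed
}

func main() {
	fmt.Println(GetSubscription("token tok-alice")) // 200 true
}
```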
@lunny lunny added this to the 1.21.4 milestone Jan 12, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Jan 12, 2024

Fixes go-gitea#28756

## Changes
- Require and check API token for `GET /repos/{owner}/{repo}/subscription` in order to populate `ctx.Doer`.
lunny pushed a commit that referenced this issue Jan 12, 2024

Backport #28765 by @jackHay22

Fixes #28756

## Changes
- Require and check API token for `GET /repos/{owner}/{repo}/subscription` in order to populate `ctx.Doer`.

Co-authored-by: Jack Hay <jack@allspice.io>
@jackHay22 (Contributor)

> So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that I have access to, but I don't own, I get a 404.

@kdumontnu I haven't been able to recreate this 404 with a public or private repo; watch/unwatch works for a user other than the owner (the user that the token belongs to).

> The problem, as I see it, is that this route is a repo route when it should be a user route.

Is the idea to create a route by which a user other than ctx.Doer (the token owner) can be watched/unwatched? (i.e. the repo owner could unwatch a different user)

@kdumontnu (Contributor, Author)

> > So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that I have access to, but I don't own, I get a 404.
>
> @kdumontnu I haven't been able to recreate this 404 with a public or private repo; watch/unwatch works for a user other than the owner (the user that the token belongs to).
>
> > The problem, as I see it, is that this route is a repo route when it should be a user route.
>
> Is the idea to create a route by which a user other than ctx.Doer (the token owner) can be watched/unwatched? (i.e. the repo owner could unwatch a different user)

You're able to subscribe + unsubscribe from public repos?

If I run

curl -X 'PUT' \
  'https://try.gitea.io/api/v1/repos/sdweiyu/%20test/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token <full read/write token>'

I get a 404 response (this is just a random public repository I found). That implied to me that the API isn't using the right permissions.

@jackHay22 (Contributor)

@kdumontnu Perhaps the space (encoded as %20) is causing the 404. I was able to successfully watch (and unwatch) the repo:

Request:

curl -X 'PUT' \
  'https://try.gitea.io/api/v1/repos/sdweiyu/test/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token <token>'

Response (200):

{
  "subscribed": true,
  "ignored": false,
  "reason": null,
  "created_at": "2022-01-20T07:30:35Z",
  "url": "https://try.gitea.io/api/v1/repos/sdweiyu/test/subscription",
  "repository_url": "https://try.gitea.io/api/v1/repos/sdweiyu/test"
}

fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024

Fixes go-gitea#28756

## Changes
- Require and check API token for `GET /repos/{owner}/{repo}/subscription` in order to populate `ctx.Doer`.
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024

Fixes go-gitea#28756

## Changes
- Require and check API token for `GET /repos/{owner}/{repo}/subscription` in order to populate `ctx.Doer`.

github-actions bot commented Mar 1, 2024

Automatically locked because of our CONTRIBUTING guidelines

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024