REST API - "Get Project" only works on public projects

[Christopher-Hayes]

Description

I noticed a quirk with the newly documented /api/projects/:id (Projects - Get project) REST API endpoint.

1. It returns a 401 if you use any kind of authentication, even on public projects.
2. It works on public projects if you omit the Authorization header.

Which means—you can never use this endpoint on private projects since it 401s if you try to use authentication.

The 401 response when you include authentication is: { "error": "Token does not have required scope" }. That response shows regardless of whether you have access to the private project or not.

[willeastcott]

Do you know the story here, @isumygin-sc?

[Christopher-Hayes]

Upon further investigation, playcanvas/vscode-extension despite referencing the endpoint in its codebase, it never actually runs the code.

Updating the server code may not be required if you never use it, the docs could be updated to mention this is a public project-only endpoint.

Edit 1: I checked the editor and the examples listing page, neither use this endpoint.
Edit 2: Actually the project overview page uses this endpoint, and it works on private projects. So, must use some other type of cookie authentication.

[Christopher-Hayes]

Looks like PlayCanvas makes its own Bearer token for the user, and that token is used when you access the Project Overview page. In Postman, I tried swapping the Bearer token I made, with the one being used in the browser, and the endpoint starts working again.

I can also confirm it correctly gives you access to your private projects while blocking access to projects you're not a part of.