Can't register the application on a pod. HTTP 400

uzver · January 25, 2023, 8:30am

Hi.

I’m trying to register the app on a pod (0.7.18.1), but it won’t register, and instead of the authorization confirmation page it gives me empty page and http error 400.
I’m stuck at the receiving the authenticity_token

Tried it on another pod (0.7.15.0), and app registration okay there.

Details:

Let’s say I register an application:

client_name="myapp_uzver@diasp.online"

I’m successfully getting:

client_id="..."
client_secret="..."

via request:

curl -ksS https://diasp.online/api/openid_connect/clients \
  -d "redirect_uris[]=https://diasp.online/" \
  -d "client_name=${client_name}"

And I’m successfully getting:

x-csrf-token="..."

via request:

curl -ksS -L https://diasp.online/api/openid_connect/authorizations/new \
    -d "client_id=${client_id}" \
    -d "redirect_uri=https://diasp.online/" \
    -d "response_type=code" \
    -d "scope=openid%20read%20write" \
    -d "nonce=hi" \
    -d "state=hi" \
    --cookie-jar /tmp/cookie

But when I try to get an authenticity_token
(by sending login information to the login page)
via request:

curl -ksS -L https://diasp.online/users/sign_in \
    -H "X-CSRF-TOKEN: ${x-csrf-token}" \
    -d "user[username]=${username}" \
    -d "user[password]=${password}" \
    -d "user[remember_me]=1" \
    --cookie-jar /tmp/cookie --cookie /tmp/cookie

The login failed, and
I get a empty response with http error 400 (like a bad request):

HTTP/2 400 
server: nginx/1.18.0 (Ubuntu)
date: Wed, 25 Jan 2023 07:26:07 GMT
content-type: text/html; charset=UTF-8
content-length: 0
strict-transport-security: max-age=31536000
x-request-id: 42bcaffe-9f66-42a6-90ea-9065ddcd3979
x-runtime: 0.003256
x-frame-options: sameorigin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none

Whereas the login should have been successful and the application authorization confirmation page should have been loaded.

And after confirmation, the remaining tokens would be available and the registration of the app would be complete. But something goes wrong.

I have a bash script that i can give for testing. With it you can test app registration via curl.

denschub · January 26, 2023, 2:32am

You are not meant to authenticate an user with username and password. The login form is not designed to be interacted with by a script. The authenticity_token is a hidden parameter added to user-facing fonts as a basis protection against CSRF, but it’s not relevant for the API whatsoever.

To authenticate an user, you have to use one of two possible OAuth flows, Authentication - diaspora* API has details. None of that flow ever involve the application ever getting access to a user’s password, nor does an API-based app ever need a user’s password. Instead, the app requests an app-specific authentication token.

Note that the API is not officially supported on any 0.7.x pod, and is only truly available in recent develop sources.