Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.

API V2: tokens POST request requires transientKey

Hi!
When I try to use VanillaForum API v2 POST request 'tokens' (https://docs.vanillaforums.com/help/apiv2/swagger/#/Tokens/post_tokens) I unexpectedly get the error 400 "transientKey is required":

{
    "message": "transientKey is required.",
    "status": 400,
    "errors": [
        {
            "field": "transientKey",
            "code": "missingField",
            "message": "transientKey is required."
        }
    ]
}

The same problem appears when I send a test request (via "Try it out" button) from API v2 documentation on VanillaForum Settings Page. I change nothing in this test request:

curl -X POST "http://t103.lan/api/v2/tokens" -H  "accept: application/json" -H  "Content-Type: application/json" -H  "x-transient-key: EGWKXeQXNqHkjJog" -d "{  \"accessTokenID\": 0,  \"name\": \"Unknown Type: string,null\",  \"accessToken\": \"string\",  \"dateInserted\": \"2018-09-04T09:41:26.098Z\"}"


Error: Bad Request
Response body

{
  "message": "transientKey is required.",
  "status": 400,
  "errors": [
    {
      "field": "transientKey",
      "code": "missingField",
      "message": "transientKey is required."
    }
  ]
}

The problem doesn't appear for a couple of other POST requests I tried. I definitely don't pass the undocumented transientKey.

  1. Is this a bug?
  2. Is there a workaround or quick patch for v2.6.1?
  3. Could you please show me an example request (and information on how to determine the transientKey) if I am doing something wrong and transientKey is really needed?

Thanks a lot,
Anvar

Comments

  • I think the idea is you don't want the public generating tokens, otherwise it is a back door.

    grep is your friend.

  • Having said that, Garden.Tokens.Add should cover that issue.

    grep is your friend.

  • x00x00 MVP
    edited September 2018

    If you're doing a POST without a session, then you would need to give that permission to guests, but I don't think a token can be held by guests, and it wouldn't be good security.

    grep is your friend.
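The thread boils down to three server-side checks on POST /tokens: the caller must have a real (non-guest) session, must hold the Garden.Tokens.Add permission, and must present the session's transient key. The transient key is Vanilla's per-session anti-CSRF secret: a cross-site page can make a logged-in browser send the session cookie, but it cannot read that key, so requiring it stops a third party from minting an access token on the victim's behalf. The following is an added example, not Vanilla's own code; the Session class, the authorize_token_create function, the 401/403 responses and the choice to accept the key either as a transientKey body field or as an x-transient-key header are all assumptions made for illustration. Only the 400 "missingField" envelope is copied from the error shown in the question.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical session model (not Vanilla's own class).
@dataclass
class Session:
    user_id: int                        # 0 models a guest / anonymous visitor
    transient_key: str                  # per-session anti-CSRF secret
    permissions: set = field(default_factory=set)

    @property
    def is_guest(self) -> bool:
        return self.user_id == 0


def new_transient_key() -> str:
    """Mint a fresh per-session transient key from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def missing_field_error(name: str) -> dict:
    """Build the 400 envelope in the shape shown in the question."""
    msg = f"{name} is required."
    return {
        "message": msg,
        "status": 400,
        "errors": [{"field": name, "code": "missingField", "message": msg}],
    }


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def authorize_token_create(session: Optional[Session], headers: dict, body: dict) -> dict:
    """Gatekeeper for POST /tokens. Returns {"status": 200, ...} on success,
    otherwise an error envelope with the HTTP status to send."""
    # 1. Guests cannot hold tokens, so there is no session to bind one to.
    if session is None or session.is_guest:
        return {"message": "A signed-in session is required.", "status": 401}

    # 2. Issuing tokens is a separate privilege (Garden.Tokens.Add in the thread).
    if "Garden.Tokens.Add" not in session.permissions:
        return {"message": "Permission Garden.Tokens.Add is required.", "status": 403}

    # 3. The anti-CSRF key must be present; a cookie alone is not enough.
    #    Assumption: accepted from the body or the x-transient-key header.
    supplied = body.get("transientKey") or _header(headers, "x-transient-key")
    if not supplied:
        return missing_field_error("transientKey")

    # 4. Compare in constant time so a wrong key leaks nothing via timing.
    if not hmac.compare_digest(supplied.encode(), session.transient_key.encode()):
        return {"message": "Invalid transientKey.", "status": 403}

    # 5. All checks passed: caller may create a token (creation itself omitted).
    return {"status": 200, "name": body.get("name", "")}


if __name__ == "__main__":
    # Constructed sample session and requests.
    sess = Session(user_id=7, transient_key=new_transient_key(),
                   permissions={"Garden.Tokens.Add"})
    print(authorize_token_create(sess, {"Content-Type": "application/json"}, {"name": "ci"}))
    print(authorize_token_create(sess, {"X-Transient-Key": sess.transient_key}, {"name": "ci"}))
```

The first call in the demo reproduces the 400 from the question (cookie session, permission present, no key); the second succeeds because the key sent matches the session's own. A forged cross-site request can only ever reach step 3.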
