API V2: tokens POST request requires transientKey
Hi!
When I try to use the VanillaForum API v2 POST request 'tokens' (https://docs.vanillaforums.com/help/apiv2/swagger/#/Tokens/post_tokens), I unexpectedly get the error 400 "transientKey is required":
{ "message": "transientKey is required.", "status": 400, "errors": [ { "field": "transientKey", "code": "missingField", "message": "transientKey is required." } ] }
The same problem appears when I send a test request (via the "Try it out" button) from the API v2 documentation on the VanillaForum Settings Page. I change nothing in this test request:
curl -X POST "http://t103.lan/api/v2/tokens" -H "accept: application/json" -H "Content-Type: application/json" -H "x-transient-key: EGWKXeQXNqHkjJog" -d "{ \"accessTokenID\": 0, \"name\": \"Unknown Type: string,null\", \"accessToken\": \"string\", \"dateInserted\": \"2018-09-04T09:41:26.098Z\"}"
Error: Bad Request
Response body
{ "message": "transientKey is required.", "status": 400, "errors": [ { "field": "transientKey", "code": "missingField", "message": "transientKey is required." } ] }
The problem doesn't appear for a couple of other POST requests I tried. Definitely, I don't pass the non-documented transientKey.
- Is this a bug?
- Is there a workaround or quick patch for v2.6.1?
- Could you please show me an example of a request (and information on how to determine transientKey) if I am doing something wrong and transientKey is really needed?
Thanks a lot,
Anvar
Comments
I think the idea is you don't want the public generating tokens, otherwise it is a back door.
grep is your friend.
Having said that, the Garden.Tokens.Add should cover that issue.
grep is your friend.
Doing a post without a session, you would need to give that permission to guests, but I don't think a token can be held by guests, and it wouldn't be good security.
grep is your friend.