Basic Authentication in 1.9 - still requires session_id?


#1

Hi,

I’ve upgraded to 1.9. I was hoping to allow users to authenticate without recreating a session_id.
However, when I try to send a request to the API with basic authentication, it only works with a session_id added to the header; otherwise I get a “There is no valid session for the current request.” error. Am I doing something wrong?


#2

I have tested using basic HTTP auth to make a simple API call. Here is my request:

GET https://dsp.domain.com/rest/db/Table

Headers:

Authorization: Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk
X-DreamFactory-Application-Name: mysql

Response:

{"record":[{"id":1,"Column":"column zero"},{"id":2,"Column":"column one"}]}

Proof that this user/browser did not have a valid session at the time:

GET https://dsp.domain.com/rest/user/session

Headers:

Authorization: Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk
X-DreamFactory-Application-Name: mysql

Response:

{"error":[{"context":null,"message":"There is no valid session for the current request.","code":401}]}

Using my successful call as a model, see if you can work it out. If not, please post your full request and response (obfuscate or remove your hashed credentials).


#3

I’m attaching the request info:

http://c**********f5.cloudapp.net:80/rest/C********d/Order_Decisions_p?filter=ID%3D50001&SHOP_ID%3D1028

HEADERS:

Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic aWthQHBh*********************MjM0
User-Agent: runscope/0.1
X-Dreamfactory-Application-Name: c
d

RESPONSE:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: application/json; charset=utf-8
Date: Tue, 10 Feb 2015 10:17:39 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=1c69l1j2159v434p5fiibr1lj2; path=/
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.4.36
BODY

{
  "error": [
    {
      "context": null,
      "message": "There is no valid session for the current request.",
      "code": 401
    }
  ]
}

This request works as soon as I add the session id for the user in the header.
I’ve coded and decoded the authorization string to double check it is correct for the username / password.


#4

I’ve still been unable to get basic authorization to work too…


#5

You cannot drop into HTTP Basic auth if you already have an established session_id. Try using basic auth with a user that’s not also a user with a currently active session. DSP prioritizes the checking of credentials/sessions in this order, and will not drop to a lower tier if a higher tier is active:

  1. DSP-native auth via passing credentials in JSON or passing an existing session_id
  2. HTTP Basic auth
  3. Guest access
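
An added example, not part of the thread and not DreamFactory's own code: a client-side check that decodes a Basic `Authorization` header and reports which tier from the list in post #5 an outgoing request would be evaluated at, flagging a session identifier that travels alongside Basic credentials. The carrier names (`X-DreamFactory-Session-Token` header, `PHPSESSID` cookie) and the choice to treat any such carrier as tier 1 are assumptions, and the stale cookie value is constructed.

```python
import base64
import binascii

# Assumed carriers of a DSP session; the thread only says "session_id added to
# the header". Adjust to whatever your client actually sends.
SESSION_HEADERS = {"x-dreamfactory-session-token"}
SESSION_COOKIES = {"PHPSESSID"}


def decode_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # RFC 7617: split on first colon
    return (user, password) if sep and user else None


def auth_tier(headers):
    """Classify a request by the tier order given in post #5 (a model only)."""
    h = {k.lower(): v for k, v in headers.items()}
    cookies = {c.split("=", 1)[0].strip() for c in h.get("cookie", "").split(";")}
    carriers = sorted(SESSION_HEADERS.intersection(h) | SESSION_COOKIES.intersection(cookies))
    creds = decode_basic(h.get("authorization", ""))
    if carriers:
        # Tier 1 wins; Basic credentials on the same request are never consulted.
        return {"tier": "session", "carriers": carriers, "basic_ignored": creds is not None}
    if creds:
        return {"tier": "basic", "user": creds[0], "basic_ignored": False}
    return {"tier": "guest", "basic_ignored": False}


# Constructed requests: the header from post #2, alone and beside a stale cookie.
BASIC = "Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk"
clean = {"Authorization": BASIC, "X-DreamFactory-Application-Name": "mysql"}
stale = dict(clean, Cookie="PHPSESSID=constructed-stale-id; theme=dark")

if __name__ == "__main__":
    print(auth_tier(clean))
    print(auth_tier(stale))
```

The decode step also shows why post #2 asks for credentials to be obfuscated before posting: a Basic header is only base64, so anyone who sees it can read the username and password.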