Web API: authenticated, but POST requests get 401 (Unauthorized)

I'm using the SonarQube Docker image (sonarqube) and the .NET WebClient.

There I can log in via the API api/authentication/login with a form request (POST via UploadString) and the values login=admin&password=admin. I get an empty string as the response and the response code is 200.

After this I pick the cookies XSRF-TOKEN and JWT-SESSION from the response headers and put them into the Cookie header of the next request.

The next request to api/webservices/list (GET via DownloadString) works fine; I get a JSON response with the whole list.

When I try the API request api/users/change_password with a form request (POST via UploadString) and the values login=admin&password=adminNew&previousPassword=admin, I receive an HTTP exception with status 401 (Unauthorized).

The same happens when I try api/projects/create (POST via UploadString) with the values project=TEST&name=Test.

When I create a project manually in the Web UI, I can access api/project_branches/list with the query string value project=TEST and get a JSON response as well.

Why can't I use the POST API endpoints, while the GET ones work?

Code sample

using System;
using System.Linq;
using System.Net;

const String API_URL = "http://localhost:9000/api";
WebClient webClient = new WebClient();
String response;
String cookies;

// Login is a form-encoded POST
webClient.Headers
         .Set(HttpRequestHeader.ContentType,
              "application/x-www-form-urlencoded");

// SonarQube answers 200 with an empty body and sets JWT-SESSION and XSRF-TOKEN
response = webClient.UploadString($"{API_URL}/authentication/login",
                                  "login=admin&password=admin");

Console.WriteLine($"Login response := \"{response}\"");
Console.WriteLine();

// Take over (session) cookies: keep only "name=value" of each Set-Cookie entry.
// Note: splitting the Set-Cookie header on ',' is fragile if a cookie carries an
// Expires attribute (its date contains a comma); it works for the cookies SonarQube sets here.
cookies = String.Join("; ",
                      webClient.ResponseHeaders[HttpResponseHeader.SetCookie]
                               .Split(',')
                               .Select(cookie => cookie.Split(';')[0]));

webClient.Headers
         .Set(HttpRequestHeader.Cookie,
              cookies);

// This works well, when authenticated
response = webClient.DownloadString($"{API_URL}/webservices/list");

Console.WriteLine($"WebServices response := \"{response}\"");
Console.WriteLine();

// Headers are re-set before every request, since WebClient may drop them after a call
webClient.Headers
         .Set(HttpRequestHeader.Cookie,
              cookies);

// This also
response = webClient.DownloadString($"{API_URL}/user_tokens/search");

Console.WriteLine($"User tokens response := \"{response}\"");
Console.WriteLine();

webClient.Headers
         .Set(HttpRequestHeader.Cookie,
              cookies);

webClient.Headers
         .Set(HttpRequestHeader.ContentType,
              "application/x-www-form-urlencoded");

// This fails (HTTP 401), although the session is authenticated
response = webClient.UploadString($"{API_URL}/users/change_password",
                                  "login=admin&password=adminNew&previousPassword=admin");

Console.WriteLine($"Change password response := \"{response}\"");

BTW: when inheriting from WebClient it's possible to attach a CookieContainer as well, and then the manual handling of the Cookie request header is not required.
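An added example, not code from the original post, for readers who want to keep the session-cookie approach: SonarQube's CSRF protection (JwtCsrfVerifier) requires that cookie-authenticated POST/PUT/DELETE requests under /api/ echo the value of the XSRF-TOKEN cookie in an X-XSRF-TOKEN request header, and answers 401 when the header is missing, which is the GET-works-but-POST-fails pattern described above. The code below does the same login, lets a CookieContainer carry JWT-SESSION and XSRF-TOKEN, and adds the header before the POST. The base URL, the admin:admin credentials and the TEST project key are assumptions taken over from the post.

```csharp
// Added example (not from the original post): cookie-session login to SonarQube with
// HttpClient + CookieContainer, then a POST that echoes XSRF-TOKEN in X-XSRF-TOKEN.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

class SonarSessionDemo
{
    const string BaseUrl = "http://localhost:9000";   // assumption: local Docker image

    static async Task Main()
    {
        var jar = new CookieContainer();
        using var handler = new HttpClientHandler { CookieContainer = jar, UseCookies = true };
        using var http = new HttpClient(handler) { BaseAddress = new Uri(BaseUrl) };

        // 1. Log in: 200 with an empty body; JWT-SESSION and XSRF-TOKEN land in the jar.
        var login = await http.PostAsync("/api/authentication/login",
            new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["login"] = "admin", ["password"] = "admin"     // assumption: initial credentials
            }));
        login.EnsureSuccessStatusCode();

        // 2. Read the CSRF token back out of the cookie jar.
        var xsrf = jar.GetCookies(new Uri(BaseUrl))["XSRF-TOKEN"]
                   ?? throw new InvalidOperationException("no XSRF-TOKEN cookie; did login fail?");

        // 3. GET endpoints are satisfied by the cookies alone.
        var list = await http.GetStringAsync("/api/webservices/list");
        Console.WriteLine($"webservices/list -> {list.Length} bytes of JSON");

        // 4. State-changing endpoints additionally need the token in the header;
        //    without the next line this request is rejected with 401.
        using var req = new HttpRequestMessage(HttpMethod.Post, "/api/projects/create")
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["project"] = "TEST", ["name"] = "Test"          // assumption: demo project key
            })
        };
        req.Headers.Add("X-XSRF-TOKEN", xsrf.Value);
        var create = await http.SendAsync(req);
        Console.WriteLine($"projects/create -> {(int)create.StatusCode} " +
                          await create.Content.ReadAsStringAsync());
    }
}
```

The header is a per-request setting, so it must be added to every non-GET request of the session; the cookies themselves are re-sent automatically by the CookieContainer. Replace the cleartext http:// base URL with https:// anywhere the instance is not on the loopback interface, since both the password and the session cookie travel in the clear otherwise.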

Hey there.

This seems like a pretty hacky way to authenticate with SonarQube. Sorry for my ignorance, but why not use a token?

Wild guess: this user is obligated to change their default credentials after first login. That could cause some issues. You might want to try with a different user.

Yes, it looks hacky. I want to use a kind of out-of-the-box SonarQube Docker image (Community). That's why I log in that way and want to carry the session-related cookies forward to the next request.

And yes, it seems the user is blocked while a password change is required.

I tried a similar scenario with DependencyTrack and the same happens there. For DependencyTrack I could solve it by running the Docker image in a container, changing that initial password and then taking a container snapshot as a new image. With this image I'm now able to log in. But this authentication scheme returns a token after login, which I can then use to access the Web API there. You can find that image here: https://hub.docker.com/repository/docker/spheresoftnet/dependencytrack-bundled-api-ready .

I tried a similar way with SonarQube as well: change the login, then create a token, then take an image snapshot. Here I have the problem that the image snapshot does not work. The problem relates to the Elasticsearch in the snapshot image. That fails, SonarQube shuts down and the container exits.

I don't want to install or run a regular SonarQube instance somewhere. So I'm now looking for a solution to the Elasticsearch problem in the direction of an image snapshot.

Found a solution. I hadn't had in mind that normal Basic Authorization would work. Out of the box and from scratch I was able to create a project and other things with the initial credentials of the admin account.
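The resolution above (HTTP Basic authentication, no login call and no cookies) and the token suggestion from the earlier reply, as an added example that is not code from the original thread. SonarQube accepts the user password or a user token in the Authorization: Basic header; a token is sent as the user name with an empty password. The client below creates the project with admin:admin, generates a token through the API and switches over to it for the remaining calls. The base URL, credentials, project key and token name are assumptions; the instance is assumed to be the fresh Community Docker image from the thread.

```csharp
// Added example (not from the original thread): SonarQube Web API calls authenticated
// with HTTP Basic (password first, then a generated user token). No session cookies,
// so no XSRF-TOKEN handling is involved.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

class SonarBasicAuthDemo
{
    const string BaseUrl = "http://localhost:9000";   // assumption: local Docker image

    // Authorization: Basic base64(user:password). For a token, pass it as `user`
    // and an empty password, which is the form SonarQube expects.
    static AuthenticationHeaderValue Basic(string user, string password) =>
        new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes($"{user}:{password}")));

    static Task<HttpResponseMessage> PostForm(HttpClient http, string path,
                                              Dictionary<string, string> form) =>
        http.PostAsync(path, new FormUrlEncodedContent(form));

    static async Task Main()
    {
        using var http = new HttpClient { BaseAddress = new Uri(BaseUrl) };
        http.DefaultRequestHeaders.Authorization = Basic("admin", "admin");   // assumption

        // 1. The POST that returned 401 with cookies succeeds with Basic auth.
        var create = await PostForm(http, "/api/projects/create",
            new Dictionary<string, string> { ["project"] = "TEST", ["name"] = "Test" });
        Console.WriteLine($"projects/create -> {(int)create.StatusCode}");

        // 2. Generate a user token so the admin password is not sent on every call
        //    (tokens can be revoked individually via api/user_tokens/revoke).
        var gen = await PostForm(http, "/api/user_tokens/generate",
            new Dictionary<string, string> { ["name"] = "api-demo" });   // assumption: token name
        gen.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await gen.Content.ReadAsStringAsync());
        var token = doc.RootElement.GetProperty("token").GetString()
                    ?? throw new InvalidOperationException("response carried no token");

        // 3. Continue with the token; the password leaves the client's memory here.
        http.DefaultRequestHeaders.Authorization = Basic(token, "");
        var branches = await http.GetStringAsync("/api/project_branches/list?project=TEST");
        Console.WriteLine($"project_branches/list -> {branches}");
    }
}
```

The token value is only returned once by api/user_tokens/generate, so store it (for example in a secret store, not in the image) when you need it beyond the process lifetime. As with any Basic-authenticated call, use https:// for anything that leaves the host; the credential is base64-encoded, not encrypted.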
