From: John P. R. <ro...@cs...> - 2023-10-19 14:35:53
Hi Norbert:

In message <DU2PR01MB8557460D914280A05A9284D7E8D4A@DU2PR01MB8557.eurprd01.prod.exchangelabs.com>,
SCHLEMMER Norbert writes:
>The Roundup REST API seems to be changed compared to v2.1.0
>
>Code running well with 2.1.0 leads in 2.3.0 to this error during the "create issue" endpoint
>
>'http://tvmtmcsdebiansrv.myDomain.com:8917/issues/rest/data/issue/@poe'
>
>Header:
>    'X-requested-with:' put: 'rest';
>    'Referer' put: 'http://tvmtmcsdebiansrv. myDomain.com:8917/issues/rest';
>
>Error:
>153, { "error": { "status": 400, "msg": "Required Header Missing" } }
>
>Which header is now needed for 2.3.0 ?

Try adding the Origin header. It may be a side effect of:

  changeset:   7150:72a54826ff4f
  user:        John Rouillard <ro...@ie...>
  date:        Tue Feb 21 16:42:20 2023 -0500
  files:       roundup/cgi/client.py test/test_liveserver.py
  description:
  better rest Origin check; refactor CORS preflight code.

  A previous version allowed requests without an origin that should
  require it (e.g. an OPTIONS or PATCH request). Moved the origin
  checking logic into the main flow.

  It looks like this was limited to OPTIONS/PATCH requests as
  handle_csrf() (called later in the main flow) handles POST, PUT,
  DELETE verbs.

  Refactored CORS preflight request code into functions and call them
  from main flow. Also return immediately. Prior code processed the
  options request a second time due to falling through.

  Modified is_origin_header_ok to return True if origin was missing and
  it was a get request.

  Fixed tests that make OPTIONS requests to supply origin.

The Origin should always have been required for POST etc. From your
report plus one other I got off list, it appears that POST command
origin checking wasn't correct in earlier versions either.

I'll toss up an errata about it at:

  https://wiki.roundup-tracker.org/ReleaseErrata

Also the Referer header looks broken, does your domain name have a
space in it?

Have a great day.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
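The header set discussed in this message, as an added example that is not part of the original e-mail or of Roundup's own code: a Python helper that builds (without sending) a REST POST carrying Origin, Referer and X-Requested-With, and refuses a tracker URL containing whitespace. The helper name build_rest_post, the host tracker.example.com and the payload are constructed for illustration; the JSON body and Content-Type are assumptions about the client, since the original client code is not shown.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request


def build_rest_post(tracker_url, path, payload):
    """Build, but do not send, a POST to a tracker's REST interface.

    tracker_url is the tracker's web root, e.g. http://host:8917/issues/
    (hypothetical helper; names are not from Roundup).
    """
    # A stray space in the URL ends up in Referer and Origin, where it can
    # no longer match the tracker's configured URL. Fail early instead.
    if any(ch.isspace() for ch in tracker_url):
        raise ValueError("whitespace in tracker URL: %r" % tracker_url)

    parts = urlsplit(tracker_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("tracker URL must be an absolute http(s) URL")

    base = tracker_url.rstrip("/") + "/"
    # Origin is scheme://host[:port] only, with no path and no trailing slash.
    origin = "%s://%s" % (parts.scheme, parts.netloc)

    body = json.dumps(payload).encode("utf-8")
    req = Request(base + path.lstrip("/"), data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Requested-With", "rest")
    req.add_header("Referer", base + "rest")
    req.add_header("Origin", origin)   # the header missing in the report
    return req


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    demo = build_rest_post("http://tracker.example.com:8917/issues/",
                           "rest/data/issue/@poe", {"title": "sample"})
    print(demo.get_method(), demo.full_url)
    for name, value in demo.header_items():
        print("%s: %s" % (name, value))
```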