401 Unauthorized when using Rest API

Open chillbrodev opened this issue 1 year ago • 2 comments

Hello, giving this a try via the REST API and I am immediately getting a 401 Unauthorized. I omitted the client secret for security reasons. Here is the log from Postman for the request that I copied from the docs.

--Postman Log--

```
POST /event HTTP/1.1
content-type: application/json
openpanel-client-id: f5ddae6d-caf5-492c-bb41-43e0fc25d3e2
openpanel-client-secret: <SECRET_OMIT>
User-Agent: PostmanRuntime/7.37.3
Accept: */*
Cache-Control: no-cache
Postman-Token: a3298bb7-aa18-46ac-9ee5-8a8210cfe27e
Host: api.openpanel.dev
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 85

{"name":"my_event","properties":{"foo":"bar"},"timestamp":"2024-05-22T08:42:54.319Z"}

HTTP/1.1 401 Unauthorized
Date: Thu, 23 May 2024 15:54:06 GMT
Content-Length: 0
Connection: keep-alive
access-control-allow-origin: *
access-control-allow-credentials: true
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=4CyDfFF5fmGh4gjkklDeW5UgpML0HSRO4l5MrMZaMY5dV8O50DAHXILvRVByQyvwn8kpWR96%2Bc%2Bn1M%2FtqdVMuQLnHSdsWjWjQZWCnkWiTrIoDboTtEpJlE0lPfNCPLoq0A%2B9ZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 888638fd4afe5ec6-PDX
alt-svc: h3=":443"; ma=86400
```

chillbrodev avatar May 23 '24 15:05 chillbrodev

Looks like your client secret is wrong. Might be a bug on my side if you copied the client secret from the onboarding. You probably have got the hashed secret and not the plain text secret.

Could you try creating a new client? Settings -> Projects and then under your project you can create a new client.

lindesvard avatar May 24 '24 07:05 lindesvard
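
Why the hashed value is rejected, as an added example that is not part of the original thread and not OpenPanel's code: assuming the server stores only a salted hash of the client secret (salted scrypt, the function names and the sample values are assumptions), it re-hashes whatever arrives in `openpanel-client-secret`, so presenting the stored hash itself never matches.

```javascript
// Added example, not OpenPanel's implementation. The hash scheme (salted scrypt)
// and all function names here are assumptions made for illustration.
const { randomBytes, randomUUID, scryptSync, timingSafeEqual } = require('node:crypto');

// What the server persists when a client is created: "salt:hash", never the plain secret.
function hashSecret(plain, salt = randomBytes(16).toString('hex')) {
  return `${salt}:${scryptSync(plain, salt, 32).toString('hex')}`;
}

// Re-hash the presented value with the stored salt and compare in constant time.
function verifySecret(presented, stored) {
  const [salt, expectedHex] = stored.split(':');
  if (!salt || !expectedHex) return false;
  const expected = Buffer.from(expectedHex, 'hex');
  if (expected.length !== 32) return false; // malformed record: fail closed
  return timingSafeEqual(scryptSync(presented, salt, 32), expected);
}

// Hypothetical stand-in for the POST /event auth check; returns the HTTP status.
function authStatus(headers, clients) {
  const stored = clients.get(headers['openpanel-client-id']);
  const presented = headers['openpanel-client-secret'];
  if (!stored || typeof presented !== 'string') return 401;
  return verifySecret(presented, stored) ? 202 : 401;
}

// Constructed sample data: one client whose record holds only the hash.
const clientId = randomUUID();
const plainSecret = 'sec_' + randomBytes(16).toString('hex');
const clients = new Map([[clientId, hashSecret(plainSecret)]]);

function demo() {
  const send = (secret) => authStatus(
    { 'openpanel-client-id': clientId, 'openpanel-client-secret': secret },
    clients
  );
  return {
    plain: send(plainSecret),            // secret shown once at creation
    hashed: send(clients.get(clientId)), // hashed value copied from a UI by mistake
    missing: send(undefined),            // header absent
  };
}

console.log(demo());
```
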

> Looks like your client secret is wrong. Might be a bug on my side if you copied the client secret from the onboarding. You probably have got the hashed secret and not the plain text secret.
>
> Could you try creating a new client? Settings -> Projects and then under your project you can create a new client.

Okay sounds good, I'll give it a try with a new client. I copied this curl from the onboarding UI.

I also noticed that once a client is created, the secret is never viewable again. While this makes sense, it's kinda tricky to do onboarding. Say a Product person or non-tech person creates the project but doesn't copy down the secret. Project is basically bricked.

I accidentally deleted the project, it took me to a Not Found page that I was unable to get back unless I edited the page URL.

So when I created a New Project and New App, I was taken to this page and indeed the secret looks hashed.

Then I created a new client and was able to see the correct secret. It would be good to note on this dialog that the Secret is no longer viewable after closing the dialog.

Then I tried the REST API and was able to send an event in, got back status 202 with "ok" text. I would recommend sending back JSON instead.

Anyway, thanks for the quick support and an interesting project. Looking forward to following all things OpenPanel.

chillbrodev avatar May 24 '24 16:05 chillbrodev

Great! Glad you solved it and thanks for the detailed report! I assume the cookie does not get set.

I store the secret in a cookie (1 hour)

Will investigate and improve this flow more 👌

lindesvard avatar May 25 '24 17:05 lindesvard

Thanks for reporting this @chillbrodev

It was indeed an issue with the cookie. I have moved away from the cookie now and am using sessionStorage instead.

lindesvard avatar May 28 '24 17:05 lindesvard