etherpad-lite icon indicating copy to clipboard operation
etherpad-lite copied to clipboard
verified publisher icon ether

2.0.2 lost --apikey configuration and the abbility to specify an APIKEY via a file

Open Loki-Afro opened this issue 1 year ago • 5 comments

Describe the bug 2.0.2 lost --apikey configuration and the ability to specify an APIKEY via a file

some code references https://github.com/ether/etherpad-lite/commit/fb56809e5565aca22e279e4413652d2ecfd0acaf#diff-56c1caaf7d4537bb927753753c7af805d5076ebf007dc4355eb47f570ea9fbe6L48 https://github.com/ether/etherpad-lite/commit/fb56809e5565aca22e279e4413652d2ecfd0acaf#diff-44bdd670b7e9c3a0511454a28c560903253342a74370d0a0d8556564ecc2c555L37 https://github.com/ether/etherpad-lite/commit/fb56809e5565aca22e279e4413652d2ecfd0acaf#diff-44bdd670b7e9c3a0511454a28c560903253342a74370d0a0d8556564ecc2c555L198

that is more than a breaking change while only changing the patch version! based on the changelog it does introduce ADDITIONAL behavior rather then removing existing https://github.com/ether/etherpad-lite/blob/develop/CHANGELOG.md#202

on top of that there are still references to the APIKEY file in code, mostly in utility scripts found in bin

making me think that the removal of the apikey logic was not done on purpose

if oauth is the only way forward, is there a migration strategy?

Loki-Afro avatar May 10 '24 11:05 Loki-Afro

Thanks for the issue and sorry for my absense. As the APIKey option was not that difficult to add I'll readd support for that so you can choose between OAuth or API key. OAuth should be more secure as the key has a lifetime and you don't share the key with other people.

SamTV12345 avatar May 12 '24 19:05 SamTV12345

Hello,

Is there a chance this might be incomplete?. When trying to perform a pad deletion through the API I get a no or wrong API Key (currently at commit 08ab3c07e69d44e9761e016f5cc6b70c5feb52d5, development branch).

It seems it fails to pass this condition src/node/handler/APIHandler.ts

disturbio avatar May 16 '24 16:05 disturbio

@SamTV12345 I'm also at last commit and not able to use the API anymore, though I have set "authenticationMethod": "${AUTHENTICATION_METHOD:apikey}",

It seems from the log it's being loaded properly. [2024-05-22T04:06:22.562] [INFO] APIHandler - Api key file read from: "#####/APIKEY.txt"

But all API calls give

no or wrong API Key

dcht00 avatar May 22 '24 02:05 dcht00

I fixed authorization with authorization header. I guess you were only trying through that. The query parameter worked.

SamTV12345 avatar May 22 '24 19:05 SamTV12345

I think this still doesn't work: curl "https://#####/api/1.2.13/deletePad?apikey=#####&padID=test2"

dcht00 avatar May 22 '24 23:05 dcht00

Now it's finally fixed. Found the missing piece why it still didn't work via URL

SamTV12345 avatar May 24 '24 19:05 SamTV12345