
'Incomplete credentials' error returned, though credentials are provided

Open samtuke opened this issue 8 years ago • 13 comments

Short problem description

The following JSON request is sent but 'incomplete credentials' are reported:

{
    "loginName": "admin",
    "password": "password"
}

Using a local PHP development server (http://127.0.0.1:8000/api/v2/sessions), with .htaccess in root dir removed (to avoid permission issues).

Steps to reproduce

  1. Send a login request with the above JSON using the Postman Chrome app
  2. Observe reported error

Expected behaviour

Session is created, success status returned

Actual behaviour

Error reported

System configuration

Package version

Installed base-distribution via composer

PHP and Composer version

PHP 7.1.11 Composer version 1.5.2 2017-09-11 16:59:25

samtuke avatar Nov 28 '17 20:11 samtuke

I'll test this and find out what is missing in the integration tests.

oliverklee avatar Nov 29 '17 10:11 oliverklee

Using the development server for the rest-api package (bin/console server:run -d web/), I get a '401 not authorized' response (which is correct). These are the parameters I've used in Postman:

POST http://127.0.0.1:8000/api/v2/sessions
Header: Content-Type application/json
Body:

{
    "code": 401,
    "message": "Not authorized"
}

Does the problem also occur when you're using the development server?

(I'll also retest using the PhpStorm REST tools and the base-distribution package in a minute.)

oliverklee avatar Nov 29 '17 15:11 oliverklee

I get the same results with the base-distribution package.

oliverklee avatar Nov 29 '17 15:11 oliverklee

The same with the REST client in PhpStorm.

oliverklee avatar Nov 29 '17 17:11 oliverklee

@samtuke Are you using PHP's built-in web server (in development context) or Apache (in production context)? And if you're using Apache, does the problem also occur if you're using the built-in web server instead?

oliverklee avatar Nov 30 '17 11:11 oliverklee

I believe I tried it with both and experienced the same outcome.

samtuke avatar Nov 30 '17 11:11 samtuke

Could you please re-try? Maybe there was an error in the JSON request data? I currently cannot reproduce the problem.

oliverklee avatar Nov 30 '17 11:11 oliverklee

Following a composer update and copy & paste of login credentials from the docs, I get the same error when running a local development server:

{
    "loginName": "admin",
    "password": "eetIc/Gropvoc1"
}

[Screenshot: postman_340]

samtuke avatar Dec 03 '17 17:12 samtuke

I've used the standalone version of Postman for this (as the Chrome app has been discontinued). Could you please retest with the stand-alone Postman or the PhpStorm REST tools to exclude any problems with the Chrome app?

oliverklee avatar Dec 03 '17 19:12 oliverklee

Oh, and in your screenshot, the content type (the drop-down right next to the type radio buttons (raw, binary etc.)) is not set to "JSON (application/JSON)" (as it is in my Postman). Could you please set that as well?

oliverklee avatar Dec 03 '17 19:12 oliverklee

@oliverklee Changing the content type fixed it -- well spotted! It seems that if a request is provided, but not with JSON headers, then it returns an 'Incomplete credentials' error, as opposed to 'empty JSON data', which is returned if either empty JSON or text is submitted. Two potential improvements would be:

  • If an empty request is submitted with text (not JSON) headers, then respond with error 'JSON missing' or similar
  • If non-JSON is submitted, respond with 'Invalid request' or similar, instead of 'Incomplete credentials', as this implies that the request was JSON but the data incomplete.

samtuke avatar Dec 04 '17 14:12 samtuke

Yes, we should definitely return an "invalid request" status with a helpful error message in that case. What exact Content-type header did you use?

oliverklee avatar Dec 04 '17 14:12 oliverklee

@oliverklee it looks like no content-type was set at all:

POST /api/v2/sessions HTTP/1.1
Host: 127.0.0.1:8000
Cache-Control: no-cache
Postman-Token: 83ca8f5e-6771-c158-0f6a-9fae28441756

{
    "loginName": "admin",
    "password": "phplist"
}

samtuke avatar Dec 04 '17 14:12 samtuke
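
The validation order proposed in this thread, as an added example that is not part of the original issue or the phpList code: reject a missing or non-JSON Content-Type first, then an empty body, then unparseable JSON, and report 'Incomplete credentials' only when valid JSON lacks a field. The function name, the status codes, the message wording and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Classify a login request before any credentials are checked.
 * Hypothetical helper: name, status codes and messages are assumptions.
 *
 * @param array<string,string> $headers request headers
 * @return array{0:int,1:string} HTTP status and message (200 = go on to the password check)
 */
function classifyLoginRequest(array $headers, string $rawBody): array
{
    // Header names are case-insensitive; parameters such as "; charset=utf-8" are ignored.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $mediaType = strtolower(trim(explode(';', $headers['content-type'] ?? '')[0]));

    if ($mediaType !== 'application/json') {
        return [415, 'Invalid request: Content-Type must be application/json'];
    }
    if (trim($rawBody) === '') {
        return [400, 'Empty JSON data'];
    }
    $data = json_decode($rawBody, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return [400, 'Invalid request: body must be a JSON object'];
    }
    foreach (['loginName', 'password'] as $field) {
        if (!isset($data[$field]) || !is_string($data[$field]) || $data[$field] === '') {
            return [422, 'Incomplete credentials'];
        }
    }
    return [200, 'OK'];
}

// Constructed sample requests; the first mirrors the raw request in this thread (no Content-Type).
$body = '{"loginName": "admin", "password": "example-password"}';
$samples = [
    'no content type' => [['Host' => '127.0.0.1:8000'], $body],
    'text/plain'      => [['Content-Type' => 'text/plain'], $body],
    'json + charset'  => [['content-type' => 'application/json; charset=utf-8'], $body],
    'empty body'      => [['Content-Type' => 'application/json'], ''],
    'missing field'   => [['Content-Type' => 'application/json'], '{"loginName": "admin"}'],
];
foreach ($samples as $label => [$headers, $rawBody]) {
    [$status, $message] = classifyLoginRequest($headers, $rawBody);
    printf("%-16s %d %s\n", $label, $status, $message);
}
```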