Confluence Data Center: CONFSERVER-98199

Using an invalid or wrong personal access token with REST API is incorrectly handled as anonymous user instead of as an unauthorized request

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 7.9.0, 9.0.0
    • Component/s: Personal Access Tokens
    • Labels: None

      Issue Summary

      When a REST API request is authenticated with wrong credentials through basic authentication, Confluence correctly responds with a 401 HTTP status.

      The same behavior would be expected for personal access tokens.
      If a wrong or nonexistent token is used, Confluence does not respond with a 401 HTTP status but processes the request as an anonymous user (if anonymous access is enabled).

      Note that regular product permissions are still enforced: the results only contain data that an anonymous user would be allowed to see. The problem is that the caller gets a 200 response and cannot tell from the status code alone that the token was never accepted.

      Steps to Reproduce

      1. Create a vanilla instance of Confluence Data Center.
        • This was validated on Confluence version 9.0.
      2. Enable anonymous access.
      3. Create a sample Space with a couple of pages.
      4. Create a regular user with access to the sample space.
      5. Try accessing the following REST API using the correct credentials for the sample user.
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
        CONFLUENCE_USR_NAME=user001
        CONFLUENCE_USR_PWD=user001
        
        curl -v -o /dev/null \
          -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
          ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
        
      6. Try accessing the same REST API using the wrong credentials as below.
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
        CONFLUENCE_USR_NAME=user001
        CONFLUENCE_USR_PWD=not_my_password
        
        curl -v -o /dev/null \
          -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
          ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
        
      7. Create a personal access token (PAT) for the sample user.
      8. Try accessing the same REST API using the correct PAT.
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
        
        curl -v -o /dev/null \
          -H 'Authorization: Bearer MDM4MTUwMzY5OTUwOsozS9OggiMR2teDPOUWhnZTODOf' \
          ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
        
      9. Try accessing the same REST API using a nonexistent PAT as below.
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
        
        curl -v -o /dev/null \
          -H 'Authorization: Bearer not_my_token' \
          ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
        

      Expected Results

      The request is not authorized because it uses a nonexistent token, and Confluence responds to the request with a 401 HTTP status, as it does for wrong basic-authentication credentials.

      Actual Results

      The request is fulfilled with a 200 HTTP response status.
      Since the supplied PAT does not exist, the request is processed as an anonymous user instead of being rejected.

      Workaround

      When using a PAT, do not rely on the HTTP status code alone. Check the X-AUSERNAME response header and compare it with the user the token belongs to; if it does not match the expected username, treat the request as unauthenticated even though the status is 200.
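The following script is an added example and is not part of the issue or of Confluence's own code. It ties together the reproduction steps above and the X-AUSERNAME workaround: a request authenticated with a PAT is only accepted when the response is 200 AND X-AUSERNAME names the expected user, so the silent fallback to anonymous is caught on the client side. The base URL, username and endpoint are taken from the reproduction steps; the sample header texts are constructed, and the `anonymous` value shown for the fallback case is an assumption (the check only relies on it differing from the expected username). CONFLUENCE_PAT is a hypothetical environment variable for the live mode.

```shell
#!/usr/bin/env bash
# Added example, not from CONFSERVER-98199 or from Confluence itself.
# An unknown PAT is not rejected with 401 but downgraded to anonymous, so a
# plain "status == 200" check is not enough: the request only counts as
# authenticated when X-AUSERNAME names the user the token belongs to.

# pat_auth_ok HEADERS EXPECTED_USER
# HEADERS is raw response-header text (what `curl -D -` prints).
# Succeeds only when the final status line is 200 AND X-AUSERNAME == EXPECTED_USER.
pat_auth_ok() {
  local headers="$1" expected="$2"
  local status username
  # Last status line wins, so 1xx interim responses and redirect hops are skipped.
  status=$(printf '%s\n' "$headers" | tr -d '\r' |
    awk '$1 ~ /^HTTP\// { code = $2 } END { print code }')
  # Header names are case-insensitive; keep the last occurrence.
  username=$(printf '%s\n' "$headers" | tr -d '\r' |
    awk -F': *' 'tolower($1) == "x-ausername" { u = $2 } END { print u }')
  if [ "$status" = "200" ] && [ "$username" = "$expected" ]; then
    return 0
  fi
  return 1
}

# confluence_get PATH TOKEN EXPECTED_USER
# Performs the request from the reproduction steps and prints the body only if
# pat_auth_ok accepts the response. Defaults to the issue's base URL.
confluence_get() {
  local path="$1" token="$2" expected="$3"
  local hdr body
  hdr=$(mktemp) && body=$(mktemp) || return 1
  curl -sS -D "$hdr" -o "$body" \
    -H "Authorization: Bearer ${token}" \
    "${CONFLUENCE_BASE_URL:-http://127.0.0.1:8090}${path}"
  if pat_auth_ok "$(cat "$hdr")" "$expected"; then
    cat "$body"
    rm -f "$hdr" "$body"
    return 0
  fi
  echo "PAT for '${expected}' was not accepted; Confluence answered as '$(
    tr -d '\r' < "$hdr" | awk -F': *' 'tolower($1) == "x-ausername" { print $2 }')'" >&2
  rm -f "$hdr" "$body"
  return 1
}

# Constructed sample responses (not captured from a real instance), shaped like
# the header output of steps 8 and 9. The "anonymous" value is an assumption.
GOOD_HEADERS='HTTP/1.1 200 OK
X-AUSERNAME: user001
Content-Type: application/json'

ANON_HEADERS='HTTP/1.1 200 OK
X-AUSERNAME: anonymous
Content-Type: application/json'

# Offline demo of both cases; pass --live to run a real request instead
# (CONFLUENCE_PAT is a hypothetical variable holding the token from step 7).
if [ "${1:-}" = "--live" ]; then
  confluence_get '/rest/api/latest/content?limit=1' \
    "${CONFLUENCE_PAT:?set CONFLUENCE_PAT}" "${CONFLUENCE_USR_NAME:-user001}"
else
  if pat_auth_ok "$GOOD_HEADERS" user001; then
    echo "sample 1: authenticated as user001"
  fi
  if ! pat_auth_ok "$ANON_HEADERS" user001; then
    echo "sample 2: token not accepted, request ran as anonymous"
  fi
fi
```

Run it without arguments to see the two constructed cases evaluated offline, or with `--live` (and CONFLUENCE_PAT set) to repeat steps 8 and 9 against a local instance; in the nonexistent-token case the function exits non-zero even though Confluence returns 200.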



      Assignee: Unassigned
      Reporter: Thiago Masutti (tmasutti)