Skip to content

Authentication with Cookie Token is badly documented, and implemented poorly. #34

Description

@A-c0rN

I have been at this for hours, and finally figured it out.

For obvious reasons, I would like to avoid logging in every time I start my app, and using Cookie Tokens when possible. The problem rises when attempting to do so via the configuration:

The documentation in the Config says to do the following:

    :Example:

    API Key Authentication Example.
    Given the following security scheme in the OpenAPI specification:
      components:
        securitySchemes:
          cookieAuth:         # name for the security scheme
            type: apiKey
            in: cookie
            name: JSESSIONID  # cookie name

    You can programmatically set the cookie:

conf = vrchatapi.Configuration(
    api_key={'cookieAuth': 'abc123'}
    api_key_prefix={'cookieAuth': 'JSESSIONID'}
)

    The following cookie will be added to the HTTP request:
       Cookie: JSESSIONID abc123

However, if we scroll down to the auth_settings function, we find that the key configuration documentation is incorrect, as it reads:

def auth_settings(self):
        """Gets Auth Settings dict for api client.

        :return: The Auth Settings information dict.
        """
        auth = {}
        if 'authCookie' in self.api_key:
            auth['authCookie'] = {
                'type': 'api_key',
                'in': 'cookie',
                'key': 'auth',
                'value': self.get_api_key_with_prefix(
                    'authCookie',
                ),
            }
        if self.username is not None and self.password is not None:
            auth['authHeader'] = {
                'type': 'basic',
                'in': 'header',
                'key': 'Authorization',
                'value': self.get_basic_auth_token()
            }
        if 'twoFactorAuthCookie' in self.api_key:
            auth['twoFactorAuthCookie'] = {
                'type': 'api_key',
                'in': 'cookie',
                'key': 'twoFactorAuth',
                'value': self.get_api_key_with_prefix(
                    'twoFactorAuthCookie',
                ),
            }
        return auth

It implements Cookies incorrectly, as if you use the documentation with the correct authCookie key, it will put the pair into the cookies, but with one flaw:
Cookies are specified as key=value and the function writes key value, and therefore never actually validates. If you try this with a valid cookie, you will get a HTTP/1.1 401 Unauthorized with response {"error":{"message":"\\"Missing Credentials\\"","status_code":401}}.
To actually authenticate, you need to set api_key_prefix to {"authCookie": ""} and api_key to {"authCookie": "auth=authcookie_<CODE_HERE>"}

I am not actually sure, as I don't have a way to test, but I believe that the twoFactorAuthCookie key/value pair will also have this bug.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions