API authentication no longer possible

  • klaus_schneider

    293 messages

    Germany

    Hello, the login has stopped working since last night. Were any changes made? Were any API keys invalidated? Regards
  • klaus_schneider

    293 messages

    Germany

    Update: Since about 11 a.m. this morning, the authentication process is no longer returning a token, but instead the error message "The API key is required!". Regards
  • @fred
    Administrator

    167 messages

    Belgium

    Hi klaus_schneider,

    The API used to be very lax with the data passed in a request. When a piece of data was needed in an API call, the system retrieved the parameter by checking, in order, the GET parameters and then the POST parameters.
    It was considered a bad practice and it could potentially lead to security issues.

    Since this morning, we have reinforced the way request data is read on our side to be consistent with the API method. If the call is a POST, the data has to be passed in the POST data, and not in the URL.

    For example, in your case, calling this URL won't work anymore:
    POST /seller?apikey=xxx

    The correct way to authenticate can be found in the GitHub documentation: Vinculo (https)

    Another example with curl:
    curl --location ' Vinculo (https) ' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'apikey=xxxx'

    Fred
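
The lookup change described in the post above, as an added sketch that is not Delcampe's code: the old reader takes a parameter from the URL first and the form body second, the new one binds the source to the HTTP method. All function names and the sample requests are hypothetical and constructed for illustration; `needs_migration` is an added client-side check for calls that still put the key in the URL.

```python
from urllib.parse import parse_qs, urlsplit

ERROR = "The API key is required!"  # error text quoted in the thread


def _first(params, name):
    values = params.get(name)
    return values[0] if values else None


def read_param_lax(method, url, body, name):
    """Old lookup: query string first, then form body, whatever the method."""
    from_url = _first(parse_qs(urlsplit(url).query), name)
    return from_url if from_url is not None else _first(parse_qs(body), name)


def read_param_strict(method, url, body, name):
    """New lookup: a POST reads only its form body, anything else only the URL."""
    if method.upper() == "POST":
        return _first(parse_qs(body), name)
    return _first(parse_qs(urlsplit(url).query), name)


def authenticate(reader, method, url, body=""):
    """Hypothetical stand-in for the token endpoint; returns a status string."""
    return "token issued" if reader(method, url, body, "apikey") else ERROR


def needs_migration(method, url, name="apikey"):
    """Client-side audit: does a POST still carry the credential in its URL?"""
    return method.upper() == "POST" and name in parse_qs(urlsplit(url).query)


# Constructed sample requests: (method, url, form body)
SAMPLES = [
    ("POST", "/seller?apikey=xxx", ""),                       # old client call
    ("POST", "/seller", "apikey=xxx"),                        # documented call
    ("POST", "/seller?apikey=from-url", "apikey=from-body"),  # ambiguous
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(url, "| lax:", read_param_lax(method, url, body, "apikey"),
              "| strict:", read_param_strict(method, url, body, "apikey"),
              "| migrate:", needs_migration(method, url))
```

The third sample shows the ambiguity of the old lookup: when the URL and the body disagree, the lax reader silently uses the URL value, while the strict reader uses the body of the POST.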
  • Servitel

    472 messages

    Switzerland

    A good idea is to ADVISE in advance of modifications. We have spent the afternoon changing all calls :angryfire:
  • my_postales

    53 messages

    Germany

    Dear Delcampe API team,

    You changed the API-AUTH-METHOD without informing the respective users in advance?
    Why are you doing this? It's clearly maximum inappropriate!

    Overthink your action/communication method pls!
  • uniquehorn

    38 messages

    Sweden

    The correct word in English is "reconsider" - Delcampe should reconsider their methods.

    "Overthink" is something quite different.
  • my_postales

    53 messages

    Germany

    @uniquehorn

    You are completely right! thnx
  • @fred
    Administrator

    167 messages

    Belgium

    Hi everyone,

    We're sorry about this update; we didn't think it would have this much impact on your codebase. This was a necessary change for security reasons, but we could have handled it better.

    In the future we will be more careful when making this kind of change in the API and we will try to inform you in advance to prevent this situation.

    Fred
  • klaus_schneider

    293 messages

    Germany

    Hello,
    thank you for this admission, especially since it's not the first time something like this has occurred. We were able to quickly fix the problem on our end because it only required adjusting a central function, but it seems to have been more complex for others.

    I'd also like to take this opportunity to remind you about the open issue with the API between Delcampe and PayPal; see the post from a week ago. This problem is causing dead payments. This cannot continue...
    Best regards
  • ansichtskartenpool

    42 messages

    Germany

    Did you change something again by "accident"? Since yesterday I've been getting the message "undefined method `authority' for #". Therefore, no token- nothing at all.
  • @fred
    Administrator

    167 messages

    Belgium

    Hi ansichtskartenpool,

    This message is weird and doesn't correspond to anything in our system. When did you get the error? When trying to get a token with the "POST /seller" endpoint?

    Fred
  • ansichtskartenpool

    42 messages

    Germany

    yes
  • ansichtskartenpool

    42 messages

    Germany

    But I just noticed that the message is coming from the REST client I'm using, which means it probably has nothing to do with you. I'll investigate further. It's just strange since there haven't been any changes.
  • fnwbr

    40 messages

    Germany

    Any chance that this change did not make it to the `/item/bulk` POST endpoint?

    We're seeing "401 Unauthorized" when trying to POST to `/item/bulk` and sending the token as part of the POST data, and not in the URL.
  • fnwbr

    40 messages

    Germany

    Can confirm, that after sending the token as part of the URL it's working again.

    This works:
    POST /item/bulk/?token=xxx

    Sending the token as part of the POST data does **not** work for this endpoint `/item/bulk` in particular.

    Honestly, I can only repeat what other people have said on this thread already: it's disappointing and saddening to see, with how little care and attention to detail these changes are being deployed to your production systems.
  • ansichtskartenpool

    42 messages

    Germany

    That should be the explanation then for Vinculo (https)
  • @fred
    Administrator

    167 messages

    Belgium

    Hi fnwbr,

    The token has to be in the URL, as stated in the documentation: Vinculo (https)

    I will change the code to allow it to be either in the URL or in the POST data, to be consistent with the HTTP method used.

    Fred