Vikunja API Token wasn't working for get tasks api/v1/projects/1/tasks
ubeyou opened this issue · 14 comments
Description
I have an API token with tasks read all enabled.
When I use the API token, api/v1/projects/1/tasks doesn't work. It shows
{
  "message": "missing, malformed, expired or otherwise invalid token provided"
}
The API token works for get projects.
If I log in and use the bearer token from inspect, api/v1/projects/1/tasks loads fine.
Discovered this when setting up n8n. #go-vikunja/n8n-vikunja-nodes#1
Vikunja Frontend Version
0.22.0
Vikunja API Version
0.22.0
Browser and version
Chrome
Can you reproduce the bug on the Vikunja demo site?
No
Screenshots
No response
Do the other endpoints work?
Tested endpoints such as get projects, and it works. Just tasks by project ID is not working.
Based on my quick testing, endpoints starting with /projects, /routes, /teams will all return invalid token.
/labels, /tasks, /info, /filters are working fine.
Here is the API token permission returned by api/v1/tokens when using login; I can't access this with the API token either.
[
  {
    "id": 4,
    "title": "test2",
    "permissions": {
      "filters": [
        "create",
        "read_one",
        "update",
        "delete"
      ],
      "labels": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "notifications": [
        "read_all",
        "update"
      ],
      "projects": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "projects_buckets": [
        "create",
        "read_all",
        "update",
        "delete"
      ],
      "tasks": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "tasks_assignees": [
        "create",
        "read_all",
        "delete"
      ],
      "tasks_attachments": [
        "read_all",
        "delete"
      ],
      "tasks_comments": [
        "create",
        "read_one",
        "read_all",
        "update",
        "delete"
      ],
      "tasks_labels": [
        "create",
        "read_all",
        "delete"
      ],
      "tasks_relations": [
        "create",
        "delete"
      ]
    },
    "expires_at": "2024-04-02T01:31:59Z",
    "created": "2024-01-03T01:31:59Z"
  }
]
> here is the api token permission returned by the api/v1/tokens when using login, can't access this with api token too
That endpoint only lists which permissions are available in general. It will not work with any api token, only user logins.
Hi there, I would like to add to the discussion. I used Postman to see for myself the error message in case it provided further details as to what caused the 401 unauthorized error. Below are my findings:
URL and authorization header (URL and token obfuscated for security reasons)
n8n Vikunja Get Many Tasks node error stack:
NodeApiError: Request failed with status code 401
at RoutingNode.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/RoutingNode.js:117:23)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
at Workflow.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/Workflow.js:733:23)
at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/WorkflowExecute.js:656:53
Vikunja API server logs via Dozzle
I also deployed Vikunja frontend and API servers as docker containers (with VIKUNJA_LOG_LEVEL: DEBUG environment variable set) and faced this issue while trying to set up a workflow using n8n and Telegram bot. I hope this information helps!
This looks a lot like a bug. I'll take a look.
Fixed in 514ea71 - please check with the next unstable build if your problem went away.
Hi, sorry for maybe reopening this issue - but is this really fixed? I also get a lot of "missing, malformed, expired or otherwise invalid token provided" errors while testing the API lately. For example, getting a project background (/api/v1/projects/{id}/background) does always yield me this error, even on the try.vikunja.io instance. (API Key with full permissions). Another route which does not work is /api/v1/routes, for example.
Hey there, I can confirm those routes are not working after testing them myself. I tried /api/v1/projects/{id}/background with the DELETE method and that doesn't work, even with a full permission key too. I think there are more code 401 routes that are in need of testing. The last bug fix did work though, so that is why I did not follow up after this case was closed. However, I am unsure if these bugs require a separate issue.
> Hey there, I can confirm those routes are not working after testing them myself. I tried /api/v1/projects/{id}/background with the DELETE method and that doesn't work, even with a full permission key too. I think there are more code 401 routes that are in need of testing. The last bug fix did work though, so that is why I did not follow up after this case was closed. However, I am unsure if these bugs require a separate issue.
Thanks for confirming. I will create another issue.