Bearer auth no longer available? [resolved]

timabell · August 20, 2023, 1:51pm

Hi,

For me the X-API-Key works but bearer auth does not.

I’m following the instructions for querying the REST API here: REST API — Syncthing documentation

It says:

To use an API key, set the request header X-API-Key to the API key value, or set it as a Bearer token in the Authorization header.

Are the docs wrong / out of date? Am I doing something wrong? I’m happy to create a PR and remove the bearer auth from the docs if they are just wrong.

Here’s what I get:

403 for Bearer auth:

$ token=<redacted>
$ curl -v -H "Authorization: Bearer $token" http://localhost:8080/rest/system/version
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /rest/system/version HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: Bearer <redacted>
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Syncthing-Id: ZFTGXBV-4244BM2-7NR2SAG-I4IXX2N-TLOP4R4-ZTH5Q77-GUU5O35-H32VVAC
< X-Syncthing-Version: v1.18.2
< X-Xss-Protection: 1; mode=block
< Date: Sun, 20 Aug 2023 13:41:35 GMT
< Content-Length: 11
< 
CSRF Error
* Connection #0 to host localhost left intact

200 OK for X-API-KEY

$ curl -v -H "X-API-KEY: $token" http://localhost:8080/rest/system/version           
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /rest/system/version HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> X-API-KEY: <redacted>
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Cache-Control: max-age=0, no-cache, no-store
< Content-Type: application/json; charset=utf-8
< Expires: Sun, 20 Aug 2023 13:41:39 GMT
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Syncthing-Id: ZFTGXBV-4244BM2-7NR2SAG-I4IXX2N-TLOP4R4-ZTH5Q77-GUU5O35-H32VVAC
< X-Syncthing-Version: v1.18.2
< X-Xss-Protection: 1; mode=block
< Date: Sun, 20 Aug 2023 13:41:39 GMT
< Content-Length: 421
< 
{
  "arch": "amd64",
  "codename": "Fermium Flea",
  "date": "2021-08-22T19:04:47+01:00",
  "isBeta": false,
  "isCandidate": false,
  "isRelease": true,
  "longVersion": "syncthing v1.18.2 \"Fermium Flea\" (go1.17 linux-amd64) teamcity@build.syncthing.net 2021-08-22 18:04:47 UTC [stnoupgrade]",
  "os": "linux",
  "stamp": "1629655487",
  "tags": [
    "stnoupgrade"
  ],
  "user": "teamcity",
  "version": "v1.18.2"
}
* Connection #0 to host localhost left intact

(I’m troubleshooting stuck files)

imsodin · August 20, 2023, 2:45pm

Support for Authorization header (besides x-api-key) has just been added - you probably aren’t on v1.23.7 yet.

timabell · August 20, 2023, 2:57pm

Ah, added rather than removed, yes, I’m still on v1.18.2. Thanks!

Nummer378 · August 20, 2023, 2:57pm

The docs that best fit your (outdated) version are here: REST API — Syncthing v1 documentation

system · September 19, 2023, 2:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.