Mattermost, Inc.

Clarification on ApiUserRequired in platform's api.go

I am working off the native Android app in your GitHub to connect to the Mattermost API here, specifically this one

BaseRoutes.Teams.Handle("/all_team_listings",ApiUserRequired(GetAllTeamListings)).Methods("GET")

and I am confused at where it says ApiUserRequired. Since it is a GET request, it cannot have a body so I am assuming that I have to put a User into the header? The line I am using in android is

@GET("/api/v3/teams/all_team_listings") Promise<Object> getAllTeamListings(@Header("user") User user);

getAllTeamListings creates a user with email, password, etc and passes it in.

As a side note, I am able to use /api/v3/teams/all without a problem. I think it has to do with ApiUserRequired as that seems to be the only difference in between them. I have tried not having a header and having it return Promise<User> but they don’t work.

The problem is that it returns a 401 error with a message that says "Invalid or expired session, please login again." and the detailed error report just lists the token id. When messing around with params and stuff, I also occasionally get "Appears to be a CSRF attempt". If anyone has any explanation for that, that would be nice.

Basically, I am asking, what is the difference between ApiAppHandler and ApiUserRequired? Or where can I find information on them?

Hi @Julia

First of all, let me clarify ApiUserRequired: it actually means that the API route requires a valid user session, meaning that the user is actually logged in. That’s all it does.

Now regarding the other issues:

  1. Log in by using the route /api/v3/users/login as a POST, and in the body supply a JSON object like this:
{
    "login_id": "account@email.com",
    "password": "the account password"
}

If all goes well, you’ll get a response where in the header you’ll find Token. Use its value in subsequent API calls by adding a header Authorization: Bearer thetokenfromtheresponse or Authorization: token thetokenfromtheresponse. It doesn’t matter if it’s a GET or a POST request.

With this both of your problems should be resolved.

Let me know if it works for you.
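
The flow from the answer above, as an added Go example that is not part of the thread and is not Mattermost's code. It runs entirely in memory against a constructed stand-in API; `userRequired`, `newStubAPI`, `call`, `loginThenList` and the token value are hypothetical names and sample data. It shows that a `user` header is rejected with 401, while the token from the login response is accepted under either Authorization scheme.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const demoToken = "constructed-session-token" // constructed sample value

// userRequired is a stand-in for a session-required wrapper (not Mattermost's code).
func userRequired(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		scheme, tok, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if s := strings.ToLower(scheme); (s != "bearer" && s != "token") || tok != demoToken {
			http.Error(w, "Invalid or expired session, please login again.", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// newStubAPI serves only the two routes from the thread; any login succeeds.
func newStubAPI() http.Handler {
	mux := http.NewServeMux()
	login := func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Token", demoToken) }
	mux.HandleFunc("/api/v3/users/login", login) // token is returned in a response header
	teams := func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "[]") }
	mux.HandleFunc("/api/v3/teams/all_team_listings", userRequired(teams))
	return mux
}

// call sends one in-memory request carrying a single header and returns the response.
func call(api http.Handler, method, path, body, hdrName, hdrValue string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set(hdrName, hdrValue)
	rec := httptest.NewRecorder()
	api.ServeHTTP(rec, req)
	return rec
}

// loginThenList logs in, then calls the protected route using the given scheme.
func loginThenList(api http.Handler, scheme string) int {
	creds := `{"login_id":"account@email.com","password":"the account password"}`
	tok := call(api, "POST", "/api/v3/users/login", creds, "Content-Type", "application/json").Header().Get("Token")
	return call(api, "GET", "/api/v3/teams/all_team_listings", "", "Authorization", scheme+" "+tok).Code
}

func main() { fmt.Println(loginThenList(newStubAPI(), "Bearer")) }
```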