Mattermost, Inc.

[SOLVED] Authorization token usage clarification

I am working on native android using your github version as a base.
I am trying to access a team’s channels but I am getting authorization errors. Token is obtained from the cookie I get from /login. I am temporarily just using teemb as my team, I will make it dynamic later after this works for sure, I have tried:


Attempt 1

@GET("/api/v3/teams/teemb/channels/") Promise<User> getChannels(@Header("Authorization: Bearer TOKEN") String token);

with error:

{"status_code":401, "message":"Invalid or expired session, please login again.", "id":"api.context.session_expired.app_error", "is_oauth":false, "detailed_error":"token=TOKEN: xw1hjgourbn3d8mromd75i5qbe", "request_id":"kdgqmtp4itrsjdje13pr8jwiqr"}


Attempt 2
@GET("/api/v3/teams/teemb/channels/") Promise<User> getChannels(@Header("Authorization: Bearer") String token);

with error:

{"status_code":401, "message":"Invalid or expired session, please login again.", "id":"api.context.session_expired.app_error", "is_oauth":false, "detailed_error":"token= uhb5a8tt33rejp6qtrwtdhf8hy", "request_id":"5eerg4nttigybcmirx6u3q756o"}


Attempt 3
@GET("/api/v3/teams/teemb/channels/") Promise<User> getChannels(@Header("Authorization Bearer Token") String token);

with error:

{"status_code":500, "message":"Invalid or expired session, please login again.", "id":"api.context.session_expired.app_error", "is_oauth":false, "detailed_error":"token=xe8oza8z57gsxeh4b9rw3qhdoo Appears to bea CSRF attempt", "request_id":"pry8whe13py8zbhcgs6nr88qph"}


Attempt 4
@GET("/api/v3/users/me") Promise<User> getMe();

with error:

{"status_code":500, "message":"Invalid or expired session, please login again.", "id":"api.context.session_expired.app_error", "is_oauth":false, "detailed_error":"token=51nf7r71rfrxzfeog8go5jj16h Appears to bea CSRF attempt", "request_id":"heos31w83pn5mpxqrhna6qawbo"}

Other notes
Getting the user works and returns the user I logged in as.
@GET("/api/v3/users/me") Promise<User> getMe();

How exactly am I supposed to do this?

Hi @Julia,

The routes under /teams require the team’s ID, not its name. We’ve had a few people make the same mistake already, so I’ll make a note to make that more clear when we redo our API docs.

I tried them with the IDs instead, still same errors, were any of my attempts correct for authorization?

Have you tried to use the Token that is returned in the Header of the login response?

That comes back as a cookie right? If so, then yes.

So you’re setting the Authorization Header of the request like

Authorization: Bearer <the-token-value-from-the-cookie> or Authorization: Token <the-token-value-from-the-cookie>

that should work.

I am trying that but I am getting error:
token=<the-token-value-from-the-cookie> Appears to bea CSRF attempt

Hmm ok that means that you have to include another Header in the request which is 'X-Requested-With': 'XMLHttpRequest'.

that should solve your problem

I am doing it like this but still getting the same error.

@Headers("X-Requested-With: XMLHttpRequest")
@GET("/api/v3/teams/{teamID}/channels/")
Promise<User> getChannels(
        @Header("Authorization: Bearer ") String token,
        @Path("teamID") String tid);

I figured it out, it should be
@Header("Authorization") String token, where token = "Bearer " + numericalToken
instead of
@Header("Authorization: Bearer ") String token,
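The working shape described above (header name in the annotation, "Bearer " + token as the value, plus the X-Requested-With header that clears the CSRF check), as an added Retrofit 2 example that is not code from the thread or from Mattermost. It assumes Retrofit 2 with the Gson converter and OkHttp, a placeholder server URL, and that the few Channel fields named here exist in the response.

```java
import java.util.List;

import okhttp3.OkHttpClient;
import retrofit2.Call;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.GET;
import retrofit2.http.Header;
import retrofit2.http.Headers;
import retrofit2.http.Path;

public class MattermostAuthExample {

    // Minimal model with assumed field names; only what this example reads.
    public static class Channel {
        public String id;
        public String name;
        public String display_name;
    }

    public interface MattermostApi {
        // Static header: tells the server this is a non-browser client, so the
        // session token in Authorization is accepted instead of being treated as CSRF.
        @Headers("X-Requested-With: XMLHttpRequest")
        // Team routes take the team ID, not the team name.
        @GET("api/v3/teams/{teamId}/channels/")
        Call<List<Channel>> getChannels(
                // Only the header NAME goes in the annotation; the value is passed in.
                @Header("Authorization") String authorization,
                @Path("teamId") String teamId);
    }

    // Single place that builds the header value, so no call site forgets the scheme.
    public static String bearer(String sessionToken) {
        return "Bearer " + sessionToken;
    }

    public static MattermostApi buildApi(String baseUrl) {
        OkHttpClient client = new OkHttpClient.Builder().build();
        return new Retrofit.Builder()
                .baseUrl(baseUrl)                      // e.g. "https://mattermost.example.com/" (placeholder)
                .client(client)
                .addConverterFactory(GsonConverterFactory.create())
                .build()
                .create(MattermostApi.class);
    }

    public static Call<List<Channel>> channelsFor(MattermostApi api, String sessionToken, String teamId) {
        // Pass the token obtained from the login response; never hard-code it.
        return api.getChannels(bearer(sessionToken), teamId);
    }
}
```

Calling `channelsFor(buildApi(url), token, teamId).execute()` sends `Authorization: Bearer <token>` and `X-Requested-With: XMLHttpRequest` on the request; a 401 at this point means the token itself is invalid or expired rather than a header-format problem.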

Hello everyone,

I am facing a similar issue. Can someone help?

Request:

```http
POST /api/v4/posts HTTP/1.1
Host: 192.168.1.6:8065
Content-Type: application/json
Authorization: Bearer mchfahrf438ruqz81bq8ntuofy
cache-control: no-cache
Postman-Token: 48505faf-8ebe-4fba-bdc7-50927f7944cb

{
  "channel_id": "n717dzbmm789f8r5xmrjqikx3y",
  "message": "Hello there…",
  "props": {
    "attachments": [
      {
        "pretext": "Wassup?",
        "text": "sup"
      }
    ]
  }
}
```

Response:
{"id":"api.context.session_expired.app_error","message":"Invalid or expired session, please login again.","detailed_error":"","request_id":"btojsoi3oj83fg1a5qgopcfpta","status_code":401}