
ejabberd rest API without authentication, 403 Forbidden (error code 32)


I'm trying to access the ejabberd REST API without authentication but always get a 403 Forbidden response with this body:

{
    "status": "error",
    "code": 32,
    "message": "AccessRules: Account does not have the right to perform the operation."
}

I cannot get an OK response on the /api/status endpoint, which is a command that all users from 127.0.0.1 should be able to use (see the "public commands" section under api_permissions in ejabberd.yml).

Here's the request details (via Insomnia REST client):

> POST /api/status HTTP/1.1
> User-Agent: insomnia/5.1.0
> Host: localhost:5280
> Accept: */*
> Accept-Encoding: deflate, gzip
> Content-Type: application/json
> Content-Length: 2
| {}

Ejabberd version is 17.04, installed from a downloaded deb package and running on Debian 8.8 (jessie) x86_64 as ejabberd user. Post install, I simply added the host "localhost", registered a new user "admin" for localhost and added it to the ACLs.

The only changes I made to ejabberd.yml:

hosts:
  - "localhost"
acl:
  admin:
    user:
      - "admin": "localhost"

Otherwise, I can access the webadmin interface, which works fine...
What can I do in order to get a 200 OK response?


Solution

  • OK, I found the solution. Like the message said, it was a permission issue.
    Here's the default configuration:

    api_permissions:
    ## ...
      "public commands":
        who:
          - ip: "127.0.0.1/8"
        what:
          - "status"
          - "connected_users_number"

    This does not allow access to the status or connected_users_number commands, with or without authentication (I triple-checked).

    For use without authentication, use - all:

      "public commands":
        who:
          ## This allows using both commands without having to authenticate
          - all
        what:
          - "status"
          - "connected_users_number"


    If you want to require a valid user (with basic authentication), replace - all with - access: local.

      "public commands":
        who:
          ## This allows using both commands with basic authentication for local users
          - access: local
        what:
          - "status"
          - "connected_users_number"
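An added check, not part of the question or the answer above, for auditing which commands an api_permissions section leaves reachable with no credentials at all once you start using - all. It works on the section already parsed into a dict (the dict below mirrors the accepted fix plus a constructed admin group in the style of ejabberd's default config) and assumes ejabberd's documented semantics: entries in who are OR'd, all and a bare ip rule match without credentials, and in what "*" means every command while "!cmd" excludes one.

```python
from typing import Any, Dict, List

# Constructed sample: the page's "public commands" group after the fix (`- all`)
# plus an admin group using "*" with an exclusion. Command names are a sample.
API_PERMISSIONS: Dict[str, Dict[str, List[Any]]] = {
    "public commands": {
        "who": ["all"],
        "what": ["status", "connected_users_number"],
    },
    "admin access": {
        "who": [{"access": "admin"}],
        "what": ["*", "!stop"],
    },
}
KNOWN_COMMANDS = ["status", "connected_users_number", "stop", "restart",
                  "registered_users"]


def rule_needs_credentials(rule: Any) -> bool:
    """ejabberd ORs the entries of `who`: `all` and a bare `ip:` rule match
    without any credentials; `access:`, `user:` and `oauth:` rules do not."""
    if rule == "all":
        return False
    if isinstance(rule, dict) and set(rule) == {"ip"}:
        return False
    return True


def expand_what(what: List[str], known: List[str]) -> List[str]:
    """Expand a `what` list: "*" means every known command, "!cmd" removes cmd."""
    allowed: set = set()
    for pattern in what:
        if pattern == "*":
            allowed.update(known)
        elif pattern.startswith("!"):
            allowed.discard(pattern[1:])
        else:
            allowed.add(pattern)
    return sorted(allowed)


def unauthenticated_commands(perms: Dict[str, Dict[str, List[Any]]],
                             known: List[str]) -> Dict[str, List[str]]:
    """Map each command reachable with no credentials to the groups exposing it."""
    exposed: Dict[str, List[str]] = {}
    for group, spec in perms.items():
        if any(not rule_needs_credentials(r) for r in spec.get("who", [])):
            for cmd in expand_what(spec.get("what", []), known):
                exposed.setdefault(cmd, []).append(group)
    return exposed


if __name__ == "__main__":
    for cmd, groups in sorted(unauthenticated_commands(API_PERMISSIONS, KNOWN_COMMANDS).items()):
        print(f"{cmd}: callable by anyone via {', '.join(groups)}")
```

Run it against your own parsed config (for example via PyYAML) before exposing port 5280 beyond localhost; anything the admin group opens through "*" should never show up in the output.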