I'm using CURL with the intention of making this example as simple as possible. I am not implementing the final version in CURL, but I am able to transform the curl sample in to the final form.
I'm using the jsonrpc version of the api. actual credentials and URL replaced with fake info
I can log in like this:
curl 'http://kiwi.example.com/json-rpc/' \
-H 'Content-Type: application/json' \
--data-binary '{"jsonrpc":"2.0","method":"Auth.login", "params":{"username":"me@example.com", "password" : "PASSWORD"}, "id":"jsonrpc"}';
This returns a session id, which, for these purposes is assumed to be "123456789abcdefghijklmnopqrstyvw" which is used below
I can then use that session id to do something like: (just an arbitrary API call)
curl 'http://kiwi.example.com/json-rpc/' \
-H 'Content-Type: application/json' \
-H 'Cookie: sessionid=123456789abcdefghijklmnopqrstyvw' \
--data-binary '{"jsonrpc":"2.0","method":"TestPlan.filter", "params":[{"is_active":true}],"id":"jsonrpc"}';
So why doesn't this work? Or, if you prefer, what should I do differently to log out?
curl 'http://kiwi.example.com/json-rpc/' \
-H 'Content-Type: application/json' \
-H 'Cookie: sessionid=123456789abcdefghijklmnopqrstyvw' \
--data-binary '{"jsonrpc":"2.0","method":"Auth.logout", "id":"jsonrpc"}';
I expect that after I log out, the session id wouldn't work anymore, but I can still use it to access the data in Kiwi-tcms
Auth.logout() calls django.contrib.auth.logout(request) which in turn calls request.session.flush()
I expect that after I log out, the session id wouldn't work anymore, but I can still use it to access the data in Kiwi-tcms
And indeed this is what happens for me:
$ curl 'http://127.0.0.1:8000/json-rpc/' \
-H 'Content-Type: application/json' \
-H 'Cookie: sessionid=xyz' \
--data-binary '{"jsonrpc":"2.0","method":"TestPlan.filter", "params":[{"is_active":true}],"id":"jsonrpc"}';
{"id": "jsonrpc", "jsonrpc": "2.0", "error": {"code": -32603, "message": "Internal error: Authentication failed when calling \"TestPlan.filter\""}}
You are probably using an older version of Kiwi TCMS which doesn't check API credentials properly: https://kiwitcms.readthedocs.io/en/latest/changelog.html#kiwi-tcms-8-6-23-aug-2020 <-- this is also a security vulnerability so upgrade immediately.