
How to log out using KIWI-tcms api


I'm using CURL with the intention of making this example as simple as possible. I am not implementing the final version in CURL, but I am able to transform the curl sample into the final form.

I'm using the JSON-RPC version of the API. Actual credentials and URL are replaced with fake info.

I can log in like this:

curl 'http://kiwi.example.com/json-rpc/' \
  -H 'Content-Type: application/json' \
  --data-binary '{"jsonrpc":"2.0","method":"Auth.login", "params":{"username":"[email protected]", "password" : "PASSWORD"}, "id":"jsonrpc"}';

This returns a session id, which, for these purposes, is assumed to be "123456789abcdefghijklmnopqrstyvw" and is used below.

I can then use that session id to do something like this (just an arbitrary API call):

curl 'http://kiwi.example.com/json-rpc/' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: sessionid=123456789abcdefghijklmnopqrstyvw' \
  --data-binary '{"jsonrpc":"2.0","method":"TestPlan.filter", "params":[{"is_active":true}],"id":"jsonrpc"}';

So why doesn't this work? Or, if you prefer, what should I do differently to log out?

curl 'http://kiwi.example.com/json-rpc/' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: sessionid=123456789abcdefghijklmnopqrstyvw' \
  --data-binary '{"jsonrpc":"2.0","method":"Auth.logout", "id":"jsonrpc"}';

I expect that after I log out, the session id wouldn't work anymore, but I can still use it to access the data in Kiwi-tcms.


Solution

  • Auth.logout() calls django.contrib.auth.logout(request), which in turn calls request.session.flush().

    I expect that after I log out, the session id wouldn't work anymore, but I can still use it to access the data in Kiwi-tcms

    And indeed this is what happens for me:

    $ curl 'http://127.0.0.1:8000/json-rpc/' \
         -H 'Content-Type: application/json' \
         -H 'Cookie: sessionid=xyz' \
         --data-binary '{"jsonrpc":"2.0","method":"TestPlan.filter", "params":[{"is_active":true}],"id":"jsonrpc"}';
    
    {"id": "jsonrpc", "jsonrpc": "2.0", "error": {"code": -32603, "message": "Internal error: Authentication failed when calling \"TestPlan.filter\""}}
    

    You are probably using an older version of Kiwi TCMS which doesn't check API credentials properly: https://kiwitcms.readthedocs.io/en/latest/changelog.html#kiwi-tcms-8-6-23-aug-2020 <-- this is also a security vulnerability, so upgrade immediately.
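The answer's manual check (call the API with the old sessionid after Auth.logout and expect error -32603) can be turned into a repeatable post-logout session test. The code below is an added example, not from the original post or the Kiwi TCMS project; it assumes the placeholder endpoint URL from the question, that Auth.login returns the session id in `result` (as the question describes), and a hypothetical injectable `transport` so the same check runs against a live server over urllib or, offline, against a constructed in-memory fake that models both the fixed and the pre-8.6 behaviour.

```python
import json
import urllib.request

def rpc(transport, method, params=None, sessionid=None):
    """One JSON-RPC 2.0 call; `transport(body, headers) -> dict` is a hypothetical hook (real HTTP or fake)."""
    body = {"jsonrpc": "2.0", "method": method, "id": "jsonrpc"}
    if params is not None:
        body["params"] = params
    headers = {"Content-Type": "application/json"}
    if sessionid:
        headers["Cookie"] = f"sessionid={sessionid}"  # the same cookie the curl calls in the question send
    return transport(json.dumps(body).encode(), headers)

def http_transport(body, headers, url="http://kiwi.example.com/json-rpc/"):  # placeholder URL from the question
    """Real transport over urllib; the offline demonstration below does not use it."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def is_auth_error(reply):
    """A stale session is rejected with error -32603 'Authentication failed ...', as shown in the answer."""
    err = reply.get("error") or {}
    return err.get("code") == -32603 and "Authentication failed" in err.get("message", "")

def logout_invalidates_session(transport, username, password):
    """Log in, prove the session works, log out, retry with the old id. True means the session was flushed."""
    sid = rpc(transport, "Auth.login", {"username": username, "password": password})["result"]
    if is_auth_error(rpc(transport, "TestPlan.filter", [{"is_active": True}], sid)):
        raise RuntimeError("fresh session was rejected; cannot evaluate logout")
    rpc(transport, "Auth.logout", sessionid=sid)
    return is_auth_error(rpc(transport, "TestPlan.filter", [{"is_active": True}], sid))

class FakeKiwi:
    """Constructed in-memory server; flush_on_logout=False mimics the pre-8.6 behaviour the answer describes."""
    def __init__(self, flush_on_logout=True):
        self.flush, self.sessions = flush_on_logout, set()
    def __call__(self, body, headers):
        req = json.loads(body)
        sid = headers.get("Cookie", "")[len("sessionid="):] or None
        if req["method"] == "Auth.login":
            self.sessions.add(sid := f"sess{len(self.sessions) + 1}")  # constructed session id
            return {"id": "jsonrpc", "jsonrpc": "2.0", "result": sid}
        if req["method"] == "Auth.logout":
            if self.flush:
                self.sessions.discard(sid)  # what request.session.flush() does server-side
            return {"id": "jsonrpc", "jsonrpc": "2.0", "result": None}
        if sid not in self.sessions:
            msg = f'Internal error: Authentication failed when calling "{req["method"]}"'
            return {"id": "jsonrpc", "jsonrpc": "2.0", "error": {"code": -32603, "message": msg}}
        return {"id": "jsonrpc", "jsonrpc": "2.0", "result": []}
```

Against a live instance, pass `http_transport` (with the real URL as `url`) instead of `FakeKiwi()`; a `False` result reproduces exactly the symptom in the question.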