Unable to revoke tokens in dotCMS: API call returning 415 error #30142

Closed
bryanboza opened this issue Sep 25, 2024 · 2 comments · Fixed by #30211
Comments

@bryanboza
Member

bryanboza commented Sep 25, 2024

Problem Statement

Users are unable to revoke tokens in dotCMS via the API, as the API call to revoke tokens is returning a 415 Unsupported Media Type error. This issue prevents administrators and security teams from effectively managing user sessions and access, leaving tokens potentially active when they should be revoked. This impacts all users and environments where token-based authentication is in use and poses a security risk if tokens cannot be properly revoked.


Log: https://gist.github.com/bryanboza/d820bf57144834122ee9305181999ed9

Steps to Reproduce

  • Log into the dotCMS backend.
  • Attempt to revoke a token using the API (e.g., through Postman or a script).
  • Observe that the API call fails and returns a 415 Unsupported Media Type error.

Acceptance Criteria

  • Ensure that the token revocation API call works correctly, allowing administrators to revoke tokens without errors.
  • The API should handle the request with the correct Content-Type and return a success response (e.g., 200 OK) when a token is revoked.
  • Postman Test

dotCMS Version

Tested on the latest trunk // Docker // FF

Proposed Objective

Quality Assurance

Proposed Priority

Priority 2 - Important

@nollymar nollymar moved this from New to Current Sprint Backlog in dotCMS - Product Planning Sep 25, 2024
@valentinogiardino valentinogiardino self-assigned this Oct 2, 2024
@valentinogiardino valentinogiardino moved this from Current Sprint Backlog to In Progress in dotCMS - Product Planning Oct 2, 2024
@valentinogiardino valentinogiardino linked a pull request Oct 2, 2024 that will close this issue
@valentinogiardino valentinogiardino moved this from In Progress to In Review in dotCMS - Product Planning Oct 2, 2024
github-merge-queue bot pushed a commit that referenced this issue Oct 2, 2024
### Proposed Changes
* Added the `'Content-Type': 'application/json'` header to the API call
for revoking tokens.

### Checklist
- [x] Tests
- [x] Translations: No changes needed.
- [x] Security Implications Contemplated: Fix ensures that API token
revocation works as expected, reducing the security risk of lingering
active tokens.

### Additional Info
This fix resolved the issue where users were receiving a `415
Unsupported Media Type` error when attempting to revoke tokens via the
`/api/v1/apitoken/{keyId}/revoke` endpoint due to the absence of the
`Content-Type` header in the request. By explicitly setting
`'Content-Type': 'application/json'`, the server can now properly handle
the request.

### Screenshots


https://github.com/user-attachments/assets/94f70c12-b932-4548-af2d-f15f31d10469
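Added example to illustrate the commit message above; this is not dotCMS code and not part of the PR. It pairs a constructed mock of the `/api/v1/apitoken/{keyId}/revoke` endpoint with a client that sends the revoke request with and without the `Content-Type: application/json` header, so the pre-fix 415 and the post-fix 200 can be reproduced offline. Assumptions: the revoke call is an HTTP PUT, and the server rejects a non-JSON Content-Type with 415 before reading the body, as a JAX-RS resource declared to consume `application/json` does. The real dotCMS resource is not reproduced here.

```python
"""Reproduce the revoke-token 415 and the Content-Type fix against a mock server."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REVOKE_PREFIX = "/api/v1/apitoken/"
REVOKE_SUFFIX = "/revoke"


class MockApiTokenHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the revoke endpoint (not dotCMS's implementation).

    Mirrors the behaviour the issue reports: a request whose Content-Type is
    not application/json is answered with 415 and the token is NOT revoked.
    Assumption: the endpoint is reached with PUT.
    """

    revoked = set()  # token ids the mock has revoked, shared across requests

    def do_PUT(self):
        if not (self.path.startswith(REVOKE_PREFIX) and self.path.endswith(REVOKE_SUFFIX)):
            self._reply(404, {"message": "not found"})
            return
        # JAX-RS-style media type matching: ignore parameters such as charset.
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            self._reply(415, {"message": "Unsupported Media Type"})
            return
        key_id = self.path[len(REVOKE_PREFIX):-len(REVOKE_SUFFIX)]
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # body unused by the mock
        MockApiTokenHandler.revoked.add(key_id)
        self._reply(200, {"entity": {"keyId": key_id, "revoked": True}})

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def revoke_token(base_url, key_id, session_cookie=None, send_content_type=True):
    """PUT {base_url}/api/v1/apitoken/{key_id}/revoke and return the HTTP status.

    send_content_type=False reproduces the pre-fix request. Note that urllib
    then falls back to application/x-www-form-urlencoded for a request with a
    body, which the endpoint rejects with 415 exactly like an absent header.
    """
    headers = {"Accept": "application/json"}
    if send_content_type:
        headers["Content-Type"] = "application/json"  # the one-line fix from the PR
    if session_cookie:
        headers["Cookie"] = session_cookie  # real deployments need an authenticated session
    req = urllib.request.Request(
        f"{base_url}{REVOKE_PREFIX}{key_id}{REVOKE_SUFFIX}",
        data=b"{}", method="PUT", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the mock on a free local port, send the broken and fixed requests,
    and return (status_without_content_type, status_with_content_type)."""
    server = HTTPServer(("127.0.0.1", 0), MockApiTokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    key_id = "apic16c8c55-2fa3-4559-926c-941304f897d5"  # constructed id in dotCMS's format
    try:
        broken = revoke_token(base, key_id, send_content_type=False)
        fixed = revoke_token(base, key_id, send_content_type=True)
    finally:
        server.shutdown()
        server.server_close()
    return broken, fixed


if __name__ == "__main__":
    print(run_demo())  # (415, 200)
```

The mock never marks the token revoked on the 415 path, which is the point the issue makes: a client that ignores the status code would believe the token was revoked while it stays active. Check the response status, not just the absence of an exception, in any revocation script.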
@github-project-automation github-project-automation bot moved this from In Review to Internal QA in dotCMS - Product Planning Oct 2, 2024
@nollymar nollymar reopened this Oct 2, 2024
@github-project-automation github-project-automation bot moved this from Internal QA to Current Sprint Backlog in dotCMS - Product Planning Oct 2, 2024
@nollymar nollymar moved this from Current Sprint Backlog to Internal QA in dotCMS - Product Planning Oct 2, 2024
@jdcmsd
Contributor

jdcmsd commented Oct 4, 2024

Seems even after the 415 is solved for revocation, the same problem persists for deleting the inactive tokens.

Video etc in issue #30268

@jgambarios jgambarios moved this from Internal QA to QA - Backlog in dotCMS - Product Planning Oct 7, 2024
@bryanboza
Member Author

Fixed, tested on the latest trunk // Docker // FF, and now we are able to revoke tokens without problems.

dotcms-1         | 20:10:53.342  INFO  util.SecurityLogger - class com.dotcms.auth.providers.jwt.factories.ApiTokenAPI : Revoking token {id:apic16c8c55-2fa3-4559-926c-941304f897d5, userId:dotcms.org.1, issueDate:Mon Oct 07 20:10:48 UTC 2024, expiresDate:Thu Oct 07 06:00:00 UTC 2027, revoked:null, requestingUserId:dotcms.org.1, issuer:93e1a4dc51, allowNetwork:null} -- ip:192.168.65.1,user:Admin User [ID: dotcms.org.1][email:[email protected]]
