API: no credentials

Hi all,

On setup of a simple API, the credentials are missing. The package Neos.ApiTest was set up by the flow command package:create.

What I do:

  1. Log into NEOS as Administrator utilizing the Chrome browser (https://mydomain/neos)
  2. Same browser, other tab, open: https://mydomain/neos/apitest
  3. Error message from NEOS:
The security context contained no tokens which could be authenticated.
Evaluated following 1 privilege target(s):
"Neos.Neos:AllControllerActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)

Exception Code	1258721059
Exception Type	Neos\Flow\Security\Exception\NoTokensAuthenticatedException
Log Reference	20230601145725fd7f46
Thrown in File	Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_Interceptor_PolicyEnforcement.php
Line	104
Original File	Packages/Framework/Neos.Flow/Classes/Security/Authorization/Interceptor/PolicyEnforcement.php

In the file Security_Development.log (full file content below), first there's noted "Session oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 contains auth token... authentication successful", but next there are two entries "Session oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 contains auth token Neos\Flow\Security\Authentication\Token\PasswordToken for provider Neos.Setup:Login. Status: no credentials given".

What’s missing?

Files

ApiTestServiceController.php

<?php

namespace Neos\ApiTest\Controller;

use Neos\Flow\Mvc\Controller\ActionController;

/**
 * Controller for Api Test Services
 *
 * @package "Neos.ApiTest"
 */
class ApiTestServiceController extends ActionController
{
    /**
     * index action
     */
    public function indexAction(): void
    {
    }
}

Settings.yaml

Neos:
  Flow:
    mvc:
      routes:
        'Neos.ApiTest': true

Routes.yaml

-
  name:  'Index'
  uriPattern: 'neos/apitest'
  defaults:
    '@package':    'Neos.ApiTest'
    '@controller': 'ApiTestService'
    '@action':     'index'

Policy.yaml

privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    'Neos.ApiTest:AnyAction':
      matcher: 'method(Neos\Folder\Controller\ApiTestServiceController->.*Action())'

roles:
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Neos.ApiTest:AnyAction'
        permission: GRANT

System_Development.log

23-06-01 14:49:11 16         DEBUG                          Session: Resumed session with id oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 which was inactive for 11 seconds. (11s)
23-06-01 14:49:11 16         DEBUG                          Router route(): A cached Route with the cache identifier "c7a2b453ab1d772a508d55da6389cd59" matched the request "https://neos-dev.tds/neos/apitest (GET)".
23-06-01 14:49:11 16         DEBUG                          CSRF: No token required, safe request
23-06-01 14:49:11 16         CRITICAL                       Exception #1258721059 in line 62 of /www/neos-dev.tds/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Aspect_PolicyEnforcementAspect.php: The security context contained no tokens which could be authenticated.
Evaluated following 1 privilege target(s):
"Neos.Neos:AllControllerActions": ABSTAIN
(0 granted, 0 denied, 1 abstained) - See also: 20230601144911c39925.txt

Security_Development.log

23-06-01 14:49:11 16         172.18.0.1     DEBUG     Neos.Flow            Session oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 contains auth token Neos\Flow\Security\Authentication\Token\UsernamePassword for provider Neos.Neos:Backend. Status: authentication successful
23-06-01 14:49:11 16         172.18.0.1     DEBUG     Neos.Flow            Session oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 contains auth token Neos\Flow\Security\Authentication\Token\PasswordToken for provider Neos.Setup:Login. Status: no credentials given
23-06-01 14:49:11 16         172.18.0.1     DEBUG     Neos.Flow            Session oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4 contains auth token Neos\Flow\Security\Authentication\Token\UsernamePassword for provider Flowpack.Neos.FrontendLogin:Frontend. Status: no credentials given
23-06-01 14:49:11 16         172.18.0.1     NOTICE                         No authentication entry point found for active tokens, therefore cannot authenticate or redirect to authentication automatically.

20230601144911c39925.txt

Exception #1258721059 in line 62 of /www/neos-dev.tds/Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Aspect_PolicyEnforcementAspect.php: The security context contained no tokens which could be authenticated.
Evaluated following 1 privilege target(s):
"Neos.Neos:AllControllerActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)

35 Neos\Flow\Security\Authorization\Interceptor\PolicyEnforcement_Original::invoke()
34 Neos\Flow\Security\Aspect\PolicyEnforcementAspect_Original::enforcePolicy(Neos\Flow\Aop\JoinPoint)
33 Neos\Flow\Aop\Advice\AroundAdvice::invoke(Neos\Flow\Aop\JoinPoint)
32 Neos\Flow\Aop\Advice\AdviceChain::proceed(Neos\Flow\Aop\JoinPoint)
31 Neos\ApiTest\Controller\ApiTestServiceController::indexAction()
30 Neos\Flow\Mvc\Controller\ActionController_Original::callActionMethod()
29 Neos\Flow\Mvc\Controller\ActionController_Original::processRequest(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Mvc\ActionResponse)
28 Neos\Flow\Mvc\Dispatcher_Original::initiateDispatchLoop(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Mvc\ActionResponse)
27 Neos\Flow\Mvc\Dispatcher_Original::dispatch(Neos\Flow\Mvc\ActionRequest, Neos\Flow\Mvc\ActionResponse)
26 Neos\Flow\Mvc\DispatchMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
25 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
24 Neos\Flow\Http\Middleware\SecurityEntryPointMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
23 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
22 Neos\Flow\Http\Middleware\RequestBodyParsingMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
21 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
20 Neos\Flow\Mvc\FlashMessage\FlashMessageMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
19 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
18 Neos\Flow\Http\Middleware\PoweredByMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
17 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
16 Neos\Flow\Mvc\Routing\RoutingMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
15 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
14 Neos\Neos\Routing\RequestUriHostMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
13 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
12 Neos\FluidAdaptor\Core\Widget\AjaxWidgetMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
11 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
10 Neos\Flow\Http\Middleware\SessionMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
9 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
8 Neos\Flow\Http\Middleware\MethodOverrideMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
7 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
6 Neos\Flow\Http\Middleware\TrustedProxiesMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
5 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
4 Neos\Flow\Http\Middleware\StandardsComplianceMiddleware_Original::process(GuzzleHttp\Psr7\ServerRequest, Neos\Flow\Http\Middleware\MiddlewaresChain)
3 Neos\Flow\Http\Middleware\MiddlewaresChain_Original::handle(GuzzleHttp\Psr7\ServerRequest)
2 Neos\Flow\Http\RequestHandler::handleRequest()
1 Neos\Flow\Core\Bootstrap::run()


HTTP REQUEST:
target: /neos/apitest
Cookie: Neos_Session=oIxWMKyiKtNvFw2Dx5tkFv04JldpsfJ4
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Sec-Fetch-Dest: document
Sec-Fetch-User: ?1
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Upgrade-Insecure-Requests: 1
Dnt: 1
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
Cache-Control: max-age=0
Connection: keep-alive
Host: neos-dev.tds
Content-Length:
Content-Type:

PHP PROCESS:
Inode: 363875
PID: 23
UID: 33
GID: 33
User: www-data

You are probably missing the requestPatterns for the Neos authentication provider config. See the Settings.yaml in Neos.Neos and other packages that add custom routes.

Thank you @sebobo for your instant help. Today I’ve found time to add the recommended settings so now Settings.yaml looks like:

Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            provider: PersistedUsernamePasswordProvider
            requestPatterns:
              'Neos.ApiTest:Controllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Neos\ApiTest\Controller\.*'
    mvc:
      routes:
        'Neos.ApiTest': true
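
Added example (not part of the thread and not Flow's own code): a small Python model of why the authenticated Neos.Neos:Backend token is not active for the new controller until the request pattern from the last post is merged in. The matching rule, the default patterns listed for Neos.Neos:Backend and all function names are assumptions; the controller class, the added pattern and the Policy.yaml matcher are copied from the posts above.

```python
import re

def controller_pattern_matches(pattern, controller_object_name):
    # Modelled behaviour (assumption): backslashes in the configured pattern are
    # literal namespace separators, the rest is a regex anchored at both ends.
    regex = "^" + pattern.replace("\\", "\\\\") + "$"
    return re.match(regex, controller_object_name) is not None

def token_is_active(request_patterns, controller_object_name):
    # A provider without request patterns yields a token that is always active;
    # otherwise one of its ControllerObjectName patterns must match the request.
    if not request_patterns:
        return True
    return any(
        controller_pattern_matches(
            entry["patternOptions"]["controllerObjectNamePattern"],
            controller_object_name)
        for entry in request_patterns.values()
        if entry["pattern"] == "ControllerObjectName")

def matcher_class(matcher):
    # Class part of a "method(Class->methodPattern())" privilege matcher.
    return re.fullmatch(r"method\((.+)->.+\)", matcher).group(1)

def pattern(value):
    return {"pattern": "ControllerObjectName",
            "patternOptions": {"controllerObjectNamePattern": value}}

# Constructed: patterns assumed to ship with Neos.Neos for 'Neos.Neos:Backend'.
BACKEND_DEFAULT = {
    "Neos.Neos:BackendControllers": pattern(r"Neos\Neos\Controller\.*"),
    "Neos.Neos:ServiceControllers": pattern(r"Neos\Neos\Service\.*"),
}
# The entry from the final Settings.yaml in this thread, merged into the defaults.
BACKEND_WITH_API = {
    **BACKEND_DEFAULT,
    "Neos.ApiTest:Controllers": pattern(r"Neos\ApiTest\Controller\.*"),
}

API_CONTROLLER = r"Neos\ApiTest\Controller\ApiTestServiceController"
POLICY_MATCHER = r"method(Neos\Folder\Controller\ApiTestServiceController->.*Action())"

if __name__ == "__main__":
    print("backend token active, defaults only:", token_is_active(BACKEND_DEFAULT, API_CONTROLLER))
    print("backend token active, with API pattern:", token_is_active(BACKEND_WITH_API, API_CONTROLLER))
    print("Policy.yaml matcher names the controller:", matcher_class(POLICY_MATCHER) == API_CONTROLLER)
```

The last check compares the class in the Policy.yaml matcher as posted (Neos\Folder\Controller\...) with the controller's class (Neos\ApiTest\Controller\...); the two differ, so that matcher is worth checking alongside the request pattern.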