Admin API endpoint 403 forbidden

Ghost version: 3.18.1

The requested URL with GET: https://my.domain/ghost/api/v3/admin/members/5da6082f5718a95e9941e71e/signin_urls/

I did create a token and pass it in the request headers. Like explained here: https://ghost.org/docs/api/v3/admin/#token-generation-examples (Javascript version)

If I try to access any other endpoints it works, so my token is valid.

The response I get for members signin urls is: Request failed with status code 403
Error: Request failed with status code 403\n at createError (/var/www/api/node_modules/axios/lib/core/createError.js:16:15)\n at settle (/var/www/api/node_modules/axios/lib/core/settle.js:17:12)\n at IncomingMessage.handleStreamEnd (/var/www/api/node_modules/axios/lib/adapters/http.js:236:11)\n at IncomingMessage.emit (events.js:323:22)\n at endReadableNT (_stream_readable.js:1204:12)\n at processTicksAndRejections (internal/process/task_queues.js:84:21)

Help?

After some digging I get this as response:

[
   {
     message: 'Permission error, cannot read member_signin_url.',
     context: 'You do not have permission to read member_signin_urls',
     type: 'NoPermissionError',
     details: null,
     property: null,
     help: null,
     code: null,
     id: '97539ec0-aa65-11ea-b693-7b4a6240eabc'
   }
 ]

How do I get permission to read that?

Looks like you’re trying to access Members data with the Admin API. I want to point out that Members is still in Beta, meaning that it’s still in development and none of the APIs are stable so are likely to be imperfect and change over time :slightly_smiling_face:

But the same endpoint works from the ghost admin when impersonating a member.

I understand that it is in beta, but still, how can I give permission to that api endpoint?

The endpoint is intentionally limited for security. It’s only usable by the user with the Owner role, so you’d need to connect to the API using user authentication and the owner’s credentials rather than via an Integration’s Admin API key.

If you hit any roadblocks with the API, please always explain your use-case. With that knowledge we can help point you in alternative directions with a better fit, or it can give us information that can help shape the API development.

1 Like

From my point of view the usage of email for sign up/in is a bit, let’s say, cumbersome.

If your website is not that popular, creating ANOTHER account is a big deterrent to new subscribers. Chances are the visitor already has a Google/Facebook/Twitter/Github account, why not simplify his life? Using oAuth can offer better security, not to mention 2FA.

I use oAuth (Google/Github/Facebook/Twitter) to authenticate my users (own API service). After a user signs in with the desired authentication provider, using the Ghost Admin API I create/update the user with details fetched from the oAuth service provider. However, to authenticate the user with Ghost, my API service needs to pass (via headers) a session cookie (used by Ghost) to the browser so the user is authenticated.

The only way I found to authenticate the visitor is to use the magic link provided by the apparently restricted API. Request the URL of the magic link and pass the cookie back to the browser.

If you have by any chance a better solution, please share. :slight_smile:

While I can’t comment on signing in, it’s possible to skip the verification email when signing up using Zapier via another tool. Using a service like Mailchimp and Zapier would let you optionally skip the verification email. Could save you a lot of coding :blush:

Email can be delivered with a delay.
It can go to spam.
It is not that secure, compared to oAuth with 2FA.
The amount of code written is not the issue here.

I would appreciate some guidance on what to do (what to modify) to make that endpoint not restricted for the Admin API. It is not that fun to poke around code you don’t know much about.

I’m not sure you’re understanding what I meant, Mailchimp would merely be a bypass for email verification. When people add their email via the Mailchimp form their email would be passed from Mailchimp to Ghost, thus signing them up without the verification email even arriving. From there you’ll be able to send email newsletters with Ghost.

Sorry, but you don’t understand what I want and need.
I never said I want to send a newsletter. I actually don’t want to send any emails.
Also I don’t want to manage 3rd party.

All I want is to allow my visitors to sign up/in without using email. I have a way to make this work, but I’m blocked by the restricted Admin API.

Why can’t I get a straight answer to my question?
Pretty please, can I know what (code or db) should I change to make that endpoint not restricted?

You’ll need to update the database so that the “Admin Integration” role has the “read” “member_signin_url” permission.

https://github.com/TryGhost/Ghost/blob/master/core/server/data/schema/schema.js#L136-L140

^ this link shows you the relevant table you’ll need to update.

And to be clear: This is not officially supported, and not considered secure.

1 Like
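Added example, not code from this thread or from Ghost itself: the answer above explains that the fix is a row in the database joining the “Admin Integration” role to the “read” permission on “member_signin_url”, and that the endpoint is meant to be Owner-only. The script below builds a constructed in-memory stand-in for the three tables involved (roles, permissions, roles_permissions; the column names id/name/object_type/action_type/role_id/permission_id are an assumption based on Ghost’s schema.js, not copied from the page) and runs the audit query an operator would use to see which roles currently hold that permission, flagging anything other than Owner. The sample rows, including the extra grant that mimics the database tweak, are constructed for the example.

```python
"""Audit which roles can read member_signin_url in a Ghost-style database."""
import sqlite3
from typing import List, Sequence

# Stand-in for Ghost's roles / permissions / roles_permissions tables.
# Column layout is an assumption modelled on schema.js, not from the thread.
SCHEMA = """
CREATE TABLE roles (
    id   TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE permissions (
    id          TEXT PRIMARY KEY,
    name        TEXT NOT NULL,
    object_type TEXT NOT NULL,
    action_type TEXT NOT NULL
);
CREATE TABLE roles_permissions (
    id            TEXT PRIMARY KEY,
    role_id       TEXT NOT NULL REFERENCES roles(id),
    permission_id TEXT NOT NULL REFERENCES permissions(id)
);
"""

# Constructed sample data. In the default state only Owner holds
# read/member_signin_url; the "tampered" grant reproduces the manual DB change
# described in the thread, which hands the same permission to Admin Integration.
ROLES = [("r1", "Owner"), ("r2", "Administrator"), ("r3", "Admin Integration")]
PERMISSIONS = [
    ("p1", "Read member signin urls", "member_signin_url", "read"),
    ("p2", "Browse members", "member", "browse"),
]
BASE_GRANTS = [
    ("rp1", "r1", "p1"),  # Owner -> read member_signin_url
    ("rp2", "r1", "p2"),  # Owner -> browse member
    ("rp3", "r2", "p2"),  # Administrator -> browse member
    ("rp4", "r3", "p2"),  # Admin Integration -> browse member
]
TAMPERED_GRANT = ("rp5", "r3", "p1")  # Admin Integration -> read member_signin_url

# Join roles to permissions through the link table and filter on one permission.
ROLES_FOR_PERMISSION_SQL = """
SELECT DISTINCT r.name
FROM roles r
JOIN roles_permissions rp ON rp.role_id = r.id
JOIN permissions p        ON p.id = rp.permission_id
WHERE p.object_type = ? AND p.action_type = ?
ORDER BY r.name
"""


def build_sample_db(tampered: bool) -> sqlite3.Connection:
    """Create the constructed in-memory database, optionally with the extra grant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles VALUES (?, ?)", ROLES)
    conn.executemany("INSERT INTO permissions VALUES (?, ?, ?, ?)", PERMISSIONS)
    grants = list(BASE_GRANTS) + ([TAMPERED_GRANT] if tampered else [])
    conn.executemany("INSERT INTO roles_permissions VALUES (?, ?, ?)", grants)
    conn.commit()
    return conn


def roles_with_permission(conn: sqlite3.Connection,
                          object_type: str, action_type: str) -> List[str]:
    """Return the sorted role names that hold action_type on object_type."""
    rows = conn.execute(ROLES_FOR_PERMISSION_SQL, (object_type, action_type))
    return [row[0] for row in rows]


def unexpected_grantees(conn: sqlite3.Connection,
                        object_type: str = "member_signin_url",
                        action_type: str = "read",
                        allowed: Sequence[str] = ("Owner",)) -> List[str]:
    """Roles holding the permission that are outside the expected allow-list."""
    return [name for name in roles_with_permission(conn, object_type, action_type)
            if name not in allowed]


if __name__ == "__main__":
    for label, tampered in (("default fixtures", False), ("after the DB change", True)):
        db = build_sample_db(tampered)
        holders = roles_with_permission(db, "member_signin_url", "read")
        extra = unexpected_grantees(db)
        print(f"{label}: read member_signin_url held by {holders}; outside allow-list: {extra}")
```

Pointing the same query at a real Ghost database (SQLite or MySQL, with the placeholder syntax adjusted) gives a quick check of whether this Owner-only permission has been widened to an integration role, which is worth re-running after any manual database edit or upgrade.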

Thank you. I really appreciate that you answered my question. I’ll make the changes to see how it goes, I’ll keep this thread updated.

I understand this is not officially supported and it might not be secure (tbh don’t see why), but Ghost developers must also understand that people will want to use it to fit their needs.

Robert, what you must understand is that if you want people to help you, then you will get a lot further by being polite and friendly than by being rude and demanding.

If you wish to continue to use the Ghost community, then please have a careful read of our community guidelines:

https://forum.ghost.org/conduct