Code comment says "We don't support admin api keys yet" - is this true?

#1

Details:

  • What’s your URL? https://grantwinney.com
  • What version of Ghost are you using? Ghost-CLI version: 1.9.9 / Ghost version: 2.18.1
  • What configuration? self-hosted (?)
  • What browser? Brave - Version 0.61.51 Chromium: 73.0.3683.75 (Official Build) (64-bit)
  • What errors or information do you see in the console? error below
  • What steps could someone else take to reproduce the issue you’re having? my steps are below

I’m trying to experiment with the Admin API, and I think I’m authenticating correctly with an Admin API Key id/secret, but I’m unable to actually authenticate.

missingAdminUserOrIntegration: “Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.”

Looking at the code, I see this comment on the code:

We don’t support admin api keys yet, but we can already use this authorization helper, because we have not connected authenticating with admin api keys yet. req.api_key will be always null.

Is the comment outdated, or (the way I interpret it) can we only authenticate with the Admin API via username/password right now, and not an Admin API Key?

If the comment’s outdated, then I guess I’m just doing something wrong. :confused:


This probably won’t mean a ton to anyone, but here’s how I’m trying to authenticate in C#, using the Jwt.Net library.

// Namespaces the snippet needs: Jwt.Net (JwtBuilder, HMACSHA256Algorithm, HeaderName)
// and RestSharp (RestRequest, Method), which is what the RestRequest/Execute calls imply.
using System;
using JWT.Algorithms;
using JWT.Builder;
using RestSharp;

// The Admin API key is "<id>:<secret>"; the id goes in the kid header, the secret is hex.
var adminKeyParts = adminApiKey.Split(':');

var unixEpochInSeconds = new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds();

// HS256 over the raw bytes of the hex secret (not the hex text), with the key id as kid,
// a 5-minute expiry and the versioned admin path as audience.
var token = new JwtBuilder().WithAlgorithm(new HMACSHA256Algorithm())
                            .WithSecret(StringToByteArray(adminKeyParts[1]))
                            .AddHeader(HeaderName.KeyId, adminKeyParts[0])
                            .AddClaim("exp", unixEpochInSeconds + 300)
                            .AddClaim("iat", unixEpochInSeconds)
                            .AddClaim("aud", "/v2/admin/")
                            .Build();

// Resource path as posted: note there is no trailing slash on it.
var request = new RestRequest($"posts/{id}", Method.GET);
request.AddHeader("Authorization", $"Ghost {token}");
var response = Client.Execute<PostResponse>(request);
return response.Data;

...
...

// Decodes a hex string ("00ff...") into its raw bytes; each pair of hex digits is one byte.
public static byte[] StringToByteArray(string hex)
{
    int NumberChars = hex.Length;
    byte[] bytes = new byte[NumberChars / 2];
    for (int i = 0; i < NumberChars; i += 2)
        bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
    return bytes;
}
0 Likes

#2

Please share the details of your install, in particular Ghost-version, when asking for help - rather than deleting the whole template which we created asking for those details.

Not much anyone here can suggest unless you share context

0 Likes

#3

Absolutely, sorry about that. My question was more about whether the comment was accurate or outdated, but I’ve added the details.

1 Like

#4

The comment is definitely outdated, thanks for pointing it out!

As for the error, it’s suggesting that the kid header value doesn’t match any known integration key. I would try capturing the generated token and pasting it into the debugger at https://jwt.io to verify it matches what you expect, if it does then maybe check the URL that you’re connecting to.

1 Like

#5

Wow, that site’s awesome.

Everything seemed okay, based on when I created the token earlier.

{
  "kid": "expected id",
  "typ": "JWT",
  "alg": "HS256"
}

{
  "exp": 1553004583,    // 300 seconds after current time
  "iat": 1553004283,    // current time
  "aud": "/v2/admin/"
}

The URL seems okay too…

https://grantwinney.com/ghost/api/v2/admin/posts/{valid_post_id}

I’ll keep playing around with it… it’ll probably be obvious once I figure it out. :slight_smile:

0 Likes

#6

Don’t forget that URLs must end with a / - if the trailing slash isn’t there then Ghost will respond with a 301, perhaps your networking library isn’t forwarding the same headers if it’s following the redirect?

1 Like

#7

Wow, that was it. Thanks Kevin.

I didn’t expect that because I use the same URL format without the trailing slash for the Content API (except /ghost/api/v2/content/ instead of /ghost/api/v2/admin/) and it always returns the correct results. I’ll make sure I add the trailing slash with both APIs from now on. :+1:

2 Likes

closed #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

0 Likes