
Comments (4)

alpianon avatar alpianon commented on July 19, 2024

I tried to add some debugging code to lib/php/common-plugin.php, function find_plugin().

It seems that when trying to call view_info from the REST API, the loaded plugins are only smauth, auth, init, refresh, treenav, advice_license, Getting Started, home, thirdPartyLicenses-FOSSology, about, agent_copyright_once, topnav, while when calling it from the WebUI all plugins are loaded.

from fossology.

alpianon avatar alpianon commented on July 19, 2024

Some little progress in debugging...
I added:

$NewPlugin->PostInitialize();

at the end of www/ui/ui-view-info.php, and now I get a different error: "403: Upload is not accessible"

So I added a debug line to www/ui/api/Controllers/RestController.php before that error is thrown, in order to show the group id, and the group id is 2 (as if I weren't logged in, but I am, and all other REST API calls work normally...).


alpianon avatar alpianon commented on July 19, 2024

Found the bug!

It's in src/www/ui/api/Middlewares/RestAuthMiddleware.php

    $authFreePaths = ["/version", "/info", "/openapi", "/health"];

    $isPassThroughPath = false;
    // substring search: any request path that merely contains one of the
    // strings above is treated as not requiring authentication
    foreach ($authFreePaths as $authFreePath) {
      if (strpos($requestPath, $authFreePath) !== false) {
        $isPassThroughPath = true;
        break;
      }
    }

Any path ending with "/info" (or with other authFreePaths) is treated as an auth-free path, so /uploads/{id}/item/{itemId}/info also falls into this "exception". Removing "/info" from that list solves the problem, but it's the next foreach cycle that needs to be changed. I will work on it later.


alpianon avatar alpianon commented on July 19, 2024

Bug found and solved!

In the RestAuthMiddleware class, there is some code that excludes some endpoints from authentication ("/info", "/openapi", "/health"), but the problem is that the code simply searches for such strings inside the request path, so paths like /uploads/{id}/item/{itemId}/info are also excluded from authentication. In such a case, the user is set to "Default User" even if the request is authenticated with a token, and thus all plugins that do require authentication (including view_info) are not loaded, so the above error occurs (500: Unable to find plugin view_info).

If one tries to force loading of view_info (by adding a call to PostInitialize() in the corresponding source file) and adds some debug code, they can verify that the user is set to "Default User" and the group id to 2, even if the request is authenticated, and therefore one gets a 403 error ("Upload is not accessible").

By modifying src/www/ui/api/Middlewares/RestAuthMiddleware.php as follows, the endpoint works correctly instead:

    $authFreePaths = ["/info", "/openapi", "/health"];

    $isPassThroughPath = false;
    // path is /repo/api/v2/<endpoint>, we need to get only the endpoint part
    $parts = explode("/", $requestPath, 5);
    $endpoint = "/" . end($parts);
    // exact comparison of the endpoint part, not a substring search
    foreach ($authFreePaths as $authFreePath) {
      if ($endpoint === $authFreePath) {
        $isPassThroughPath = true;
        break;
      }
    }

I will open a PR.

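The two path checks discussed in this thread, side by side, as an added example (not FOSSology's own code and not the commenter's patch): the substring search that treats any path containing "/info" as public, and an exact comparison of the endpoint part. The API prefix /repo/api/v2, the endpoint list and all request paths below are constructed for illustration; the trailing-slash normalisation is an addition here and not part of the quoted fix.

```php
<?php
// Added example, not FOSSology code: substring-based auth-free path check
// versus exact endpoint comparison, run over constructed request paths.
declare(strict_types=1);

// Endpoints assumed to be reachable without authentication (constructed list).
const AUTH_FREE_PATHS = ["/info", "/openapi", "/health"];

// Vulnerable variant: strpos() matches the string anywhere in the path, so
// "/repo/api/v2/uploads/3/item/7/info" is classified as public.
function isPassThroughSubstring(string $requestPath, array $authFreePaths): bool
{
    foreach ($authFreePaths as $authFreePath) {
        if (strpos($requestPath, $authFreePath) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened variant: isolate the part after the assumed /repo/api/v<N> prefix
// and compare it exactly against the list. A trailing slash is trimmed first
// so that "/info/" and "/info" are classified the same way (added here).
function isPassThroughExact(string $requestPath, array $authFreePaths): bool
{
    $path = rtrim($requestPath, "/");
    // "/repo/api/v2/uploads/3/info" -> ["", "repo", "api", "v2", "uploads/3/info"]
    $parts = explode("/", $path, 5);
    $endpoint = "/" . end($parts);
    return in_array($endpoint, $authFreePaths, true);
}

// Constructed request paths with the classification a reviewer would expect
// (true = may be served without authentication).
function examplePaths(): array
{
    return [
        "/repo/api/v2/info"                  => true,
        "/repo/api/v2/health"                => true,
        "/repo/api/v2/info/"                 => true,
        "/repo/api/v2/uploads/3/item/7/info" => false, // the case from this thread
        "/repo/api/v2/uploads/3/info"        => false,
        "/repo/api/v2/infos"                 => false, // prefix extension, also constructed
        "/repo/api/v2"                       => false, // no endpoint part at all
    ];
}

// Returns one row per path so the two checks can be compared against the
// expected value; "substringWrong" flags where the substring check disagrees.
function compareCheckers(): array
{
    $rows = [];
    foreach (examplePaths() as $path => $expected) {
        $substring = isPassThroughSubstring($path, AUTH_FREE_PATHS);
        $exact = isPassThroughExact($path, AUTH_FREE_PATHS);
        $rows[] = [
            "path"           => $path,
            "expected"       => $expected,
            "substring"      => $substring,
            "exact"          => $exact,
            "substringWrong" => $substring !== $expected,
            "exactWrong"     => $exact !== $expected,
        ];
    }
    return $rows;
}

foreach (compareCheckers() as $row) {
    printf(
        "%-36s expected=%-5s substring=%-5s exact=%-5s%s\n",
        $row["path"],
        var_export($row["expected"], true),
        var_export($row["substring"], true),
        var_export($row["exact"], true),
        $row["substringWrong"] ? "  <-- substring check bypasses auth" : ""
    );
}
```

Running the script lists the three constructed paths under /uploads/... and the "/infos" path as misclassified by the substring check while the exact comparison agrees with the expected column on every row. The same table is a useful regression test to keep next to any middleware that carries an allow-list of unauthenticated routes, because the failure is silent: the request is served, just as an unprivileged "Default User", which is why the thread only saw it as a missing plugin and then a 403.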
