Solved

Login and Logout APIs behaviour

  • 27 April 2022
  • 4 replies
  • 35 views

Hello community!

I’ve a question related to login/logout GoodData APIs that we are using, about a strange behaviour which is not blocking but for which we are curious to understand as it could hide a security defect.

 

So, we implemented and tested the login + logout queries, as explained in the Good Data documentation here.

https://help.gooddata.com/doc/enterprise/en/expand-your-gooddata-platform/api-reference#tag/login/paths/~1gdc~1account~1login/post

https://help.gooddata.com/doc/enterprise/en/expand-your-gooddata-platform/api-reference#tag/logout/paths/~1gdc~1account~1login~1{userId}/delete

 

The login query is working fine, however the logout query always fail, saying that the user is not logged in. Does somebody knows why we have this behaviour?

 

There are only few differences between the logout and the login queries : in the logout, we have to precise the id of the user to logout at the end of the URL (coming from the feedback of the login query), a valid TT (Temporary Token), and use a DELETE REST instead of a POST. So not sure what happens here… Could it be that the login query is not really logging the user, but only generating it a SST (Super Secure Token)?

 

If somebody knows about it, thanks a lot!

icon

Best answer by Julius Kos 27 April 2022, 17:10

View original

4 replies

Hi Quentin, 

 

Lots of similar cases are related to expired TT token, which last for only 10 minutes. Can you please try to login and log out immediately after that to see if it's working?

 

If this doesn’t solve the issue - could you please send us the particular error ID you get so we can check our logs?

 

Thanks,

Julius

Hi Julius,

Thanks for your answer. Just tried again, I still have this strange behaviour (the TT was renewed).

 

I get the error ID :

7540c34c-1963-4ca3-8fbd-08750356c1e4

Hi Quentin,

 

I was testing around a bit and the easiest and most probable way how to get 400 error is that you are missing the SST header (or cookie). Could you please double-check if you are including it in your request? If any issues persist - could you please send us your whole request including headers? 

 

Best Regards,

Julius

Yes, I confirm I did not included the SST to use the log-out, so I replaced the TT by the SST (using X-GDC-AuthSST header, I’m not using cookies). It didn’t worked either.

 

So I tried to add in header the TT + the SST : I’ve a 204 return message. That was it, the query needed the 2 differents tokens!

 

Thanks for the confirmation, and answer!

Regards,

Quentin

Reply