REST API Doesn't correctly handle logout as defined in the docs

leeswit

Evening,

According to the documents it should be possible to send a DELETE request to /rest/login in order to correctly logout from an API session:

http://docs.opsview.com/doku.php?id=opsview-core:restapi#logging_in_to_the_api

Tested this using the OPSView CE appliance (3.20120925.0) as well as a supported version of Enterprise (4.3.2), with the same results.

Through both a Perl script and also using curl from the command line, the code doesn't appear to handle this correctly.

$ curl -v -H "Content-Type: application/json" -H "Accept: application/json" -X DELETE -H "X-Opsview-Username: admin" -H "X-Opsview-Token: cd188b8daebdedd84009b966bdee60c6432097e6" -d '{}' http://127.0.0.1/rest/login
< HTTP/1.1 400 Bad Request
< Date: Tue, 08 Oct 2013 20:05:29 GMT
< Vary: Content-Type,Accept-Encoding
< Content-Length: 197
< Content-Type: text/plain
< Set-Cookie: opsview_web_session=d2271a7acae6845569a17667af3f88695dc1acde; path=/; expires=Tue, 08-Oct-2013 21:05:29 GMT; HttpOnly
< Via: 1.1 127.0.1.1
< Connection: close

Content-Type application/json had a problem with your request. ***ERROR*** hash- or arrayref expected (not a simple scalar, use allow_nonref to allow this) at (eval 1932) line 151, <$fh> line 1.

If the same request is run again, the JSON data returned says invalid, which indicates it was correctly deleted:

< HTTP/1.1 401 Unauthorized
< Date: Tue, 08 Oct 2013 20:05:58 GMT
< Vary: Content-Type
< Content-Length: 27
< Content-Type: application/json
< Via: 1.1 127.0.1.1
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
{"message":"Token invalid"}

Also, this is confirmed by checking for the ticket id in the api_sessions table in the database. After the 1st run, despite the error, the ticket id is deleted.

More information can be found on the original forum post: http://www.opsview.com/forum/developers/opsview-api/correct-way-logout-after-finished-using-api

I believe that the correct action should be to return a 200 response indicating the session has been deleted, along with a brief message in the data confirming this, although the message is probably redundant.
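Added example, not part of the original post and not Opsview code: a client-side logout that does not trust the status of the first DELETE and instead replays the token, requiring the 401 "Token invalid" reply shown above before treating the session as closed. The names `http_sender`, `token_rejected`, `logout` and `ReportedServer` are hypothetical; `ReportedServer` is a constructed stand-in that mimics the two responses quoted in the post.

```python
import json
import urllib.error
import urllib.request

def http_sender(base_url):
    """Return send(headers) that issues DELETE {base_url}/rest/login, as in the post."""
    def send(headers):
        req = urllib.request.Request(base_url + "/rest/login", data=b"{}",
                                     headers=headers, method="DELETE")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body
            return err.code, err.read().decode("utf-8", "replace")
    return send

def token_rejected(status, body):
    """True only for the 401 {"message":"Token invalid"} reply quoted in the post."""
    if status != 401:
        return False
    try:
        return json.loads(body).get("message") == "Token invalid"
    except (ValueError, AttributeError):  # non-JSON body, or JSON that is not an object
        return False

def logout(send, username, token):
    """Log out, then confirm the server refuses the token before reporting success."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "X-Opsview-Username": username, "X-Opsview-Token": token}
    if token_rejected(*send(headers)):
        return True  # token was already invalid
    # A 400 (the reported behaviour) or a 200 (the reply the post asks for) is
    # inconclusive on its own: replay the token and require a refusal.
    return token_rejected(*send(headers))

class ReportedServer:
    """Constructed stand-in reproducing the behaviour described in the post."""
    def __init__(self, tokens):
        self.tokens = set(tokens)

    def send(self, headers):
        token = headers.get("X-Opsview-Token")
        if token not in self.tokens:
            return 401, '{"message":"Token invalid"}'
        self.tokens.discard(token)  # the session row is removed ...
        return 400, "Content-Type application/json had a problem with your request."  # ... yet 400 is returned
```

Against a real server, `logout(http_sender("http://127.0.0.1"), "admin", token)` returns False if the token is still accepted after the DELETE, which is the case worth alerting on.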