Remotes API calls using authentication return strange response body

Bug #1548014 reported by Daniel Borges
This bug affects 1 person
Affects  Status  Importance  Assigned to  Milestone
OpenLP   New     Undecided   Unassigned

Bug Description

Any call to the API using HTTP authentication returns a strange response body. It looks like the HTTP header is returned as the body.

Example of BODY RESPONSE using authentication:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.4.3
Date: Sun, 21 Feb 2016 06:31:43 GMT
Content-type: text/html
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

Without authentication no body is returned, as expected.

OpenLP 2.2.1
Mac OS 10.11.3

Tim Bentley (trb143) wrote : Re: [Openlp-core] [Bug 1548014] [NEW] Remotes API calls using authentication return strange response body

How are you triggering authentication? This is a setting in the desktop
client which will trigger an HTTP 401.
On 22 Feb 2016 10:26 a.m., "Daniel Borges" <email address hidden>
wrote:

> Public bug reported:
>
> Any call to the API using HTTP authentication returns a strange response
> body. It looks like the HTTP header is returned as the body.
>
> Example of BODY RESPONSE using authentication:
>
> HTTP/1.0 200 OK
> Server: BaseHTTP/0.6 Python/3.4.3
> Date: Sun, 21 Feb 2016 06:31:43 GMT
> Content-type: text/html
> Cache-Control: no-cache, no-store, must-revalidate
> Pragma: no-cache
> Expires: 0
>
> Without authentication no body is returned, as expected.
>
> OpenLP 2.2.1
> Mac OS 10.11.3

Daniel Borges (danielborges93) wrote :

But all is configured as expected: In desktop app setting, the user id and password are set.

The operation occurs perfectly, but the content's body contains a summary of the response header, apparently.

Tim Bentley (trb143) wrote : Re: [Openlp-core] [Bug 1548014] Re: Remotes API calls using authentication return strange response body

Did you tick the box as well?
On 22 Feb 2016 12:45 p.m., "Daniel Borges" <email address hidden>
wrote:

> But all is configured as expected: In desktop app setting, the user id
> and password are set.
>
> The operation occurs perfectly, but the content's body contains a summary
> of the response header, apparently.

Daniel Borges (danielborges93) wrote :

Yes, the box is checked and the two fields (user id and password) are filled.

Try to reproduce this:
1. Run OpenLP with Remotes enabled;
2. Call the method: http://localhost:4316/api/songs/live?data={"request": {"id": "3"}} for example;
3. Note that the program shows song 3 live and the response body is empty;
4. Configure OpenLP to require an authentication user and password;
5. Call http://localhost:4316/api/songs/live?data={"request": {"id": "3"}} again;
6. Note that the response's header content is in the response body, but it was supposed to be empty.

I'm not a Python programmer, but analyzing the code, I noted that the function do_http_success() is being called two times (here http://bazaar.launchpad.net/~openlp-core/openlp/trunk/view/head:/openlp/plugins/remotes/lib/httprouter.py#L193 and here http://bazaar.launchpad.net/~openlp-core/openlp/trunk/view/head:/openlp/plugins/remotes/lib/httprouter.py#L679).
I'm supposing that this is the problem.
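
An added illustration (not OpenLP's code and not part of the comment above) of the effect that comment suspects: with Python's http.server, emitting the status line and headers a second time places the second block after the blank line, where a client reads it as the body. The Router class, the require_auth switch, the credentials, the realm and the double call are assumptions made for the demonstration; FakeSocket replaces a real connection so it runs offline.

```python
import base64
import io
from http.server import BaseHTTPRequestHandler

# Constructed credentials and request path, for this example only.
CREDS = base64.b64encode(b"openlp:secret").decode()
PATH = "/api/songs/live?data=%7B%22request%22:%20%7B%22id%22:%20%223%22%7D%7D"

class FakeSocket:
    """In-memory stand-in for a client socket."""
    def __init__(self, request: bytes):
        self._request, self.sent = request, b""

    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._request)

    def sendall(self, data):
        self.sent += bytes(data)

class Router(BaseHTTPRequestHandler):
    require_auth = False  # hypothetical stand-in for the desktop setting

    def log_message(self, *args): pass  # keep the example quiet

    def do_http_success(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
        self.end_headers()

    def do_GET(self):
        if self.require_auth:
            if self.headers.get("Authorization") != "Basic " + CREDS:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="OpenLP"')
                self.end_headers()
                return
            self.do_http_success()  # assumed: the auth path reports success...
        self.do_http_success()      # ...and the route handler reports it again

def fetch(require_auth: bool, authorization: str = "") -> tuple:
    """Run one GET through Router; return (status line, body bytes)."""
    handler = type("R", (Router,), {"require_auth": require_auth})
    auth = f"Authorization: {authorization}\r\n" if authorization else ""
    request = f"GET {PATH} HTTP/1.1\r\nHost: localhost:4316\r\n{auth}\r\n"
    sock = FakeSocket(request.encode())
    handler(sock, ("127.0.0.1", 0), None)  # handles the request on construction
    head, _, body = sock.sent.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode(), body
```

Calling fetch(True, "Basic " + CREDS) returns a body that begins with a second "HTTP/1.0 200 OK" status line, while fetch(False) returns an empty body.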

Tim Bentley (trb143) wrote :

Tested on trunk

http://localhost:4316/api/songs/live?data={%22request%22:%20{%22id%22:%20%225%22}}
 with authentication sets to live. This is the same as your string just a
different song!

Switch on security

Repost in the browser triggers basic auth and when uid and password are
entered it gets
HTTP/1.0 200 OK Server: BaseHTTP/0.6 Python/3.4.3 Date: Mon, 22 Feb 2016
17:52:56 GMT Content-type: text/html Cache-Control: no-cache, no-store,
must-revalidate Pragma: no-cache Expires: 0

in the browser but the song goes live as well.

When I look at the trace on the console I see:

127.0.0.1 - - [22/Feb/2016 17:50:37] "GET /api/songs/live?data={%22request%22:%20{%22id%22:%20%223%22}} HTTP/1.1" 200 -
127.0.0.1 - - [22/Feb/2016 17:52:15] "GET /api/songs/live?data={%22request%22:%20{%22id%22:%20%225%22}} HTTP/1.1" 200 -
127.0.0.1 - - [22/Feb/2016 17:52:39] "GET /api/songs/live?data={%22request%22:%20{%22id%22:%20%225%22}} HTTP/1.1" 401 -
127.0.0.1 - - [22/Feb/2016 17:52:56] "GET /api/songs/live?data={%22request%22:%20{%22id%22:%20%225%22}} HTTP/1.1" 200 -
127.0.0.1 - - [22/Feb/2016 17:52:56] "GET /api/songs/live?data={%22request%22:%20{%22id%22:%20%225%22}} HTTP/1.1" 200 -

The 401 is the request to trigger basic auth.

This is the correct behaviour.

How is your code working? In the Android I add the user id and password to
all calls and then forget about security unless I get a 404 error.

for example
http://bazaar.launchpad.net/~openlp-core/openlp/android2/view/head:/app/src/main/java/org/openlp/android2/common/OpenLPDialog.java

line 59.

On 22 February 2016 at 16:44, Daniel Borges <email address hidden>
wrote:

> Yes, the box is checked and the two fields (user id and password) are
> filled.
>
> Try to reproduce this:
> 1. Run OpenLP with Remotes enabled;
> 2. Call the method: http://localhost:4316/api/songs/live?data={"request":
> {"id": "3"}} for example;
> 3. Note that the program shows song 3 live and the response body is
> empty;
> 4. Configure OpenLP to require an authentication user and password;
> 5. Call http://localhost:4316/api/songs/live?data={"request": {"id":
> "3"}} again;
> 6. Note that the response's header content is in the response body, but it
> was supposed to be empty.
>
> I'm not a Python programmer, but analyzing the code, I noted that the
> function do_http_success() is being called two times (here
> http://bazaar.launchpad.net/~openlp-core/openlp/trunk/view/head:/openlp/plugins/remotes/lib/httprouter.py#L193
> and here
> http://bazaar.launchpad.net/~openlp-core/openlp/trunk/view/head:/openlp/plugins/remotes/lib/httprouter.py#L679
> ).
> I'm supposing that this is the problem.

Daniel Borges (danielborges93) wrote :

"This is the correct behaviour."
Yes, it's correct. The song changes normally.

My question is: why, in the response body, is there the content of response header?

On iOS I'm getting an error when the library that I'm using tries to parse the response. So, the app thinks that something wrong happens.

I solved this with a simple verification http://bazaar.launchpad.net/~danielborges93/openlp/ios-remote/view/head:/Remote/Classes/Util/ErrorUtil.swift on line 16, but this is bothering me.

This is the function that calls this method on API http://bazaar.launchpad.net/~danielborges93/openlp/ios-remote/view/head:/Remote/Classes/Network/LiveAPI.swift

Tim Bentley (trb143) wrote :

https://gist.github.com/fxsjy/5465353 is where I got the code from I think

Do you pass the userid and password in every request ?

Daniel Borges (danielborges93) wrote :

Yes, I pass the user id and password in every request if the user has set them on settings.

Tim Bentley (trb143) wrote :

Then that is correct.
The action has happened and taken effect successfully, in your case a song sent live.
Try without or the wrong UID and password, you would get an error.
Try with authentication switched off, you would get an empty 200.

Your request is telling OpenLP to do something and 200 says done it.

Daniel Borges (danielborges93) wrote :

Please, see the image.
This image shows the difference between the raw data of the same request used before (in the last comments) when OpenLP doesn't require an authentication (left side) and when OpenLP requires an authentication (right side).
Note that, on the right side, the header contents are duplicated in the response body. This is the problem.

Daniel Borges (danielborges93) wrote :

OpenLP works perfectly! The issue that I am reporting is this duplicated content. On iOS I am getting an error saying that the data cannot be parsed because of this strange response body.

Daniel Borges (danielborges93) wrote :

This is the correct image.

Tim Bentley (trb143) wrote :

It can be looked at but you will need to be able to handle the above code
as it is used by android and web interface and we have no control of the
versions people will use. There will be nothing to stop anyone using 2.0
with your code.
On 28 Feb 2016 2:10 a.m., "Daniel Borges" <email address hidden>
wrote:

> This is the correct image.
>
> ** Attachment added: "raw.png"
>
> https://bugs.launchpad.net/openlp/+bug/1548014/+attachment/4583035/+files/raw.png

Phill (phill-ridout) wrote :

Tim has massively refactored the remote code. Is this still a problem in trunk?
