How do I create a new basic auth user?

1

I’m attempting to create a new basic auth user using the undocumented dashboard api (please add docs!)

However, even though the user has access to an API via a policy, I’m not able to access that API. Can you please let me know what I’m doing wrong. All calls below:

$ curl -X POST http://192.168.99.100:3000/api/apis/keys/basic/[email protected] -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' -d '{"last_check":0,"allowance":1000,"rate":1000,"per":1,"expires":0,"quota_max":-1,"quota_renews":1491497420,"quota_remaining":0,"quota_renewal_rate":31104000,"access_rights":{"151222f37e7447f56df39b0f94b8dc14":{"api_id":"151222f37e7447f56df39b0f94b8dc14","api_name":"Login API","versions":["Default"]},"feda9795301d4f4e5f6992ae3a638dcd":{"api_id":"feda9795301d4f4e5f6992ae3a638dcd","api_name":"Portal","versions":["Default"]}},"apply_policy_id":"57058d630b79010001000009","tags":["newuser"],"jwt_data":{"secret":""},"meta_data":{},"basic_auth_data":{"password":"test123","hash_type":"bcrypt"}}'
{"api_model":{},"key_id":"","data":{"last_check":0,"allowance":1000,"rate":1000,"per":1,"expires":0,"quota_max":-1,"quota_renews":1491497420,"quota_remaining":0,"quota_renewal_rate":31104000,"access_rights":{"151222f37e7447f56df39b0f94b8dc14":{"api_name":"Login API","api_id":"151222f37e7447f56df39b0f94b8dc14","versions":["Default"],"allowed_urls":null},"feda9795301d4f4e5f6992ae3a638dcd":{"api_name":"Portal","api_id":"feda9795301d4f4e5f6992ae3a638dcd","versions":["Default"],"allowed_urls":null}},"org_id":"570534390b79010001000001","oauth_client_id":"","basic_auth_data":{"password":"test123","hash_type":"bcrypt"},"jwt_data":{"secret":""},"hmac_enabled":false,"hmac_string":"","is_inactive":false,"apply_policy_id":"57058d630b79010001000009","data_expires":0,"monitor":{"trigger_limits":null},"meta_data":{},"tags":["newuser"]}}

$ echo '[email protected]:test123' | base64
dGVzdEB0ZXN0LmNvbTp0ZXN0MTIzCg==

$ curl http://192.168.99.100/login-api/login -H 'Authorization: Basic dGVzdEB0ZXN0LmNvbTp0ZXN0MTIzCg=='
{
    "error": "User not authorised"
}

$ curl -s -X GET http://192.168.99.100:3000/api/apis/ -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' | python -mjson.tool | grep -E 'api_id|"listen_path"'
                "api_id": "1f7701e7f1c640017b8fd0d66fbac8a7",
                    "listen_path": "/portal-assets/",
                "api_id": "04401112703f49af4d9bd4c2172e8eb9",
                    "listen_path": "/portal-api/",
                "api_id": "feda9795301d4f4e5f6992ae3a638dcd",
                    "listen_path": "/portal/",
                "api_id": "151222f37e7447f56df39b0f94b8dc14",
                    "listen_path": "/login-api/",

$ curl -s -X GET http://192.168.99.100:3000/api/portal/policies -H 'Authorization: eafe2167d76547777ec75a1f7dc5312a' | python -mjson.tool
{
    "Data": [
        {
            "_id": "57058d630b79010001000009",
            "access_rights": {
                "151222f37e7447f56df39b0f94b8dc14": {
                    "allowed_urls": [],
                    "apiid": "151222f37e7447f56df39b0f94b8dc14",
                    "apiname": "Login API",
                    "versions": [
                        "Default"
                    ]
                }
            },
            "active": true,
            "date_created": "0001-01-01T00:00:00Z",
            "hmac_enabled": false,
            "is_inactive": false,
            "key_expires_in": 0,
            "name": "Default API Policy",
            "org_id": "570534390b79010001000001",
            "per": 60,
            "quota_max": -1,
            "quota_renewal_rate": 60,
            "rate": 1000,
            "tags": []
        }
    ],
    "Pages": 0
}
2

Almost there :slight_smile:

  1. The dashboard API is documented here:

https://tyk.io/docs/tyk-dashboard-v1-0/dashboard-api/

  1. Specifically key creation (basic auth tokens are a special case of key, and mysteriously undocumented - will add that to our todo list):

https://tyk.io/docs/tyk-dashboard-v1-0/dashboard-api/api-tokens/

The object you are sending is wrong to create the key, you need to send a standard object, what you are sending is what the API returns on a key request:

{
	"last_check": 0,
	"allowance": 1000,
	"rate": 1000,
	"per": 1,
	"expires": 1460411319,
	"quota_max": -1,
	"quota_renews": 1460405379,
	"quota_remaining": 0,
	"quota_renewal_rate": 60,
	"access_rights": {
		"4f32eb942128475f4f76fe3e3bc34e16": {
			"api_id": "4f32eb942128475f4f76fe3e3bc34e16",
			"api_name": "Test",
			"versions": ["Default"]
		}
	},
	"apply_policy_id": "5654566b30c55e3904000003",
	"tags": [],
	"jwt_data": {
		"secret": ""
	},
	"meta_data": {},
	"basic_auth_data": {
		"password": "test123"
	}
}
3

Thanks for the update. I was able to create a key with the updated body. Since this is basic auth, what would I use for the username?

4

Whatever you like - with basic auth you are basically creating a custom token, so long as it is unique to your organisation it’s acceptable.

5

Sorry, I don’t think I was clear on my question. Is there another endpoint where I need to create the user and this is just their token? If so, how do I connect this key to a specific user?

If not, how to I specify the username within the POST to /api/keys?

I tried adding username to basic_auth_data like so:

and so:

neither let me access the api using:

curl http://192.168.99.100/login-api/login -H 'Authorization: Basic dGVzdEB0ZXN0LmNvbTp0ZXN0MTIzCg=='

6

Ah, since it’s a custom token you just post to the username:

POST http://domain.com:3000/api/apis/keys/basic/USERNAME-HERE

There is no concept of a “user”, a user, in the basic auth sense, is just a token with a password that runs through a specific auth type handler.

The only other concepts of users in the dashboard are administrators (the user that is using the dashboard) and developers - the ones that use the developer portal.

This is mentioned in the section on Basic Auth, but isn’t clear enough (nor in the right section):

A note on creating basic auth keys

Basic authentication keys are not created the same way as other keys, since the key ID is not generated by the system a basic auth key cannot use the /tyk/keys/create endpoint, and instead should POST to /tyk/keys/{username}, this will ADD a key to the system. Subsequent requests will overwrite this entry, sending a PUT request will update the entry.

Anyway, we’ll fill out those docs to make them more useful for people using basic auth.

7

Ah, thanks for that info.

We’re planning on using TIB as a proxy to our auth service in production but just figured basic would be quickest to get a demo up and running, haha, guess I should have chosen OAuth

8

Quickest would be a simple bearer token - OAuth can be tricky :wink:

We’re here to help, so just drop us a post if you’re lost. We’ve already add the basic auth docs to the site.

9

Thanks for all the help Martin!