🐛 Bug: API giving 403 after latest update

[sph33r]

Please confirm if bug report does NOT exists already ?

• I confirm there is no existing issue for this

Steps to reproduce ?

• Create a base or use an existing one. I made one with just 2 fields to keep it simple.
• Generate an API token if you don't have one
• Open the Rest API screen
• Authorize your token - pretty sure you just need to use xc-token but I tried in both just in case.
• Open the Post section to create a new record.
• Click "Try it out"
• In Request Body, set your strings as required.
• Click Execute
• Server returns 403 Unauthorized

Desired Behavior

I expect the server to authorize my user and insert the new row.

Project Details

Node: v18.17.1
Arch: x64
Platform: linux
Docker: true
RootDB: pg
PackageVersion: 0.202.9

Attachments

No response

[sph33r]

I'm the only user of the Base I used for testing and I have Owner access. This is repeatable on all my Base which I am owner on.

I don't see anything new in the Docker logs when I run the above steps and get the 403.

[dstala]

@sph33r

• do you see this issue even with auth token?
• can you try & generate a new token - and try again?

I tried using docker with PG as root DB on 202.9; worked fine for both xc-auth & xc-token.

[sph33r]

@dstala
Just tested with auth token and that works fine so I guess it's only the api token. I generated a brand new api token earlier when trying to troubleshoot but just in case, I just created another new one. The api token gives a 403 every time regardless of which one I'm using.

Just in case it was base related, I created a brand new base with a new table and fields, then I generated another new api token and I get a 403 when trying to post a new record.

[KefanAn]

@dstala @sph33r
I just upgraded to latest and ran into an exact same issue, with docker+202.9.
If a token was created by an organization level viewer and base level creator account, every request i tried gets a 403.
Another token created by super admin account is working properly.

Could there be any kind of glitch in user authorization managing?

[dstala]

@KefanAn I am able to reproduce the issue now. Thanks for the details

[KefanAn]

@dstala
Really glad to help.
Btw, apart from the swagger REST api page, is there any easier way for user to find the table id param for api v2?

[dstala]

Base ID & table ID will be part of URL
http://localhost:3000/#/nc/p3y2l9w3vfkpv20/mwwmuzt9g5o1a7h

Base ID : p3y2l9w3vfkpv20
Table ID : mwwmuzt9g5o1a7h

Field IDs are now easily accessible from multi fields editor context menu.
View IDs are available in view context menu

[KefanAn]

Really appreciate that