in progress Proxima Invalid Item owner

KevinM
KevinM
@kevinm
6 years ago
36 posts
Im trying to update a user profile thru Proxima using the bridge app. I can sign in as Admin, and when I use the master key, session ID to GET to search the profiles I can see my queries come up fine. When I go to update (PUT) using the same master key and session ID, i get a 401 error stating Invalid item owner. I thought using the master key would allow me to get around those permissions but im hitting a wall trying to get around it. Any thoughts?
updated by @kevinm: 10/25/18 11:46:27PM
KevinM
KevinM
@kevinm
6 years ago
36 posts
I see that in the Proxima code that the _user_id has to match the sessions user id. Should this permission be bypassed when using the Master Key?
michael
@michael
6 years ago
7,715 posts
could you copy+paste the wording you receive as an error.

Thanks.

--edit--
When you're logging in, you're logging in as a master admin user too right?
updated by @michael: 05/22/18 11:24:25PM
KevinM
KevinM
@kevinm
6 years ago
36 posts
Hi Michael, I believe I solved that problem by adding this by modifying the code in jrProximaBridge include.php below:

if (!isset($_rt['_user_id']) || ($_rt['_user_id'] != jrProximaCore_get_session_user_id() && jrProximaCore_get_client_access_level() != 'master')) {
return jrProximaCore_http_response(401, 'invalid item owner');
}

I added jrProximaCore_get_client_access_level() != 'master') as I saw it in the proxima Core module too at lines 278 and 373. Let me know if this addition makes sense to you as it works when I use the Master Key!

I am logging in as Master admin (user_id=1) but am hitting the next group of code in ProximaBridge which is giving me the "invalid user session"..This code is below at line 383

// Validate Profile Quota
$_us = jrProximaCore_get_session_user_info();
if (!$_us) {
// Should not happen
return jrProximaCore_http_response(401, 'invalid user session');
}

Again I am logged in as Master Admin and using the master key in an app generated by the jrProximaCore (brand new app) and am receiving this error after putting in the session Id to get the basic Auth. I am testing all this with Postman but also seeing the error when running Xdebug in PHPStorm. When I comment out the questioning code above it runs and updates the datastore.

Any help would be greatly appreciated!

PS: here is the postman wording when using "PUT" to https://........./api/bridge/mymodule/1
Header has the basic Auth with the hex value and the body has a simple test key/value to update the item#1

{
"code": 401,
"text": "Unauthorized",
"note": "invalid user session"
}

PSS. using "GET" and searching the same bridge module returns my query fine with the same credentials.

Thanks
updated by @kevinm: 05/23/18 01:25:55AM
michael
@michael
6 years ago
7,715 posts
I'll need to get setup to debug this, haven't used proxima in a while.

My first though is: I don't think you're logged in.

If you are logged in as an admin level user I would expect jrProximaCore_get_client_access_level() to return 'master'.

Got to go out for a bit now, but will get setup to figure it out.
KevinM
KevinM
@kevinm
6 years ago
36 posts
Michael,

Is there ANY way of finding out who is logged in or if a session is still active in Proxima (or how I can correctly DELETE any active sessions)?
michael
@michael
6 years ago
7,715 posts
There is a USERS ONLINE tab in the DASHBOARD area which has that info. If its not currently available via proxima, you may need to build a module to return the info. The session info is stored in the 'session' table
 $tbl = jrCore_db_table_name('jrUser', 'session');
probably called 'jr_jruser_session' in the db.

Examples of the SQL queries can be seen in the _jrUser_mysql_session_online_user_count() function in jrUser/include.php

Still haven't setup to debug this yet, but its my guess you're signing on with the admin keys, but then not changing the keys to the returned session value after the login step.

After you authenticate, copy the session_id into the password field.
session_id.jpg
session_id.jpg  •  95KB

brian
@brian
6 years ago
10,148 posts
You should not get an "invalid item owner" if using the master key - I will check that out.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
KevinM
KevinM
@kevinm
6 years ago
36 posts
Michael,
Im signing in with the admin credentials along with the "master key" for the only app I have, to get the session_id to which I copy as the password for the remainder of the session. In the Header section I can see an Authorization "basic" value which has been generated. I try to POST or PUT into an activated bridge datastore and I get the invalid user session error. (Using GET with those credentials gets me the info). I see in the functions its calling that its looking for the $SESSION['app_user_session_id'] (or something similar) and probably not finding it as when I am in xdebug I can see no $SESSION variables with app_

Brian,
FYI,
I was getting that error and added the above code as I saw it was in the jrProxima_Core code for a workaround and its gotten me past that point using the master key but I havent been able to test it thoroughly against the regular key. It may have to do with the problem im having thou..

Im going to reinstall the proxima modules to see if that shakes it out.

Edited: Re-installed and no change.
updated by @kevinm: 05/26/18 12:59:39AM
michael
@michael
6 years ago
7,715 posts
I also see the same issue. I AM able to PUT to update anything in the USER table, but not able to PUT to update anything via the bridge module.

I believe the cause of it is the user's id info is not getting stored in the session data, but will need brian to take a look at what I think i've found.
KevinM
KevinM
@kevinm
6 years ago
36 posts
Thanks for the verify Michael, I think you are correct in that the info isnt getting stored in the session.

Brian have you found anything?
brian
@brian
6 years ago
10,148 posts
KevinM:
Thanks for the verify Michael, I think you are correct in that the info isnt getting stored in the session.

Brian have you found anything?

This was fixed in the last Proxima Bridge release (1.1.6):

https://www.jamroom.net/proxima/networkmarket/242/proxima-bridge

So you should be good to go.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
KevinM
KevinM
@kevinm
6 years ago
36 posts
Hey Brian,
Thanks for taking care of the PUT request, it seems to be working fine. Im still getting the 401- invalid user session when using POST, signing in with the Admin and the Master key.
I sourced the error is being called in ProximaBridge/include - line 110
    // Validate Profile Quota
    $_us = jrProximaCore_get_session_user_info();
    if (!$_us) {
        // Should not happen
        return jrProximaCore_http_response(401, 'invalid user session');
Regards!
Kevin
brian
@brian
6 years ago
10,148 posts
Are you trying to POST directly without being logged in? Even though you are using the Master key you should still establish a Proxima user session, otherwise JR will not have a valid _user_id value to create the item under.

Let me know if that helps.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
KevinM
KevinM
@kevinm
6 years ago
36 posts
Yes i am logging in each time. Also tried it in POSTMAN and am getting the same results after logging in as admin with master key. I can PUT and GET with the same session login but I try to POST and no joy.
updated by @kevinm: 07/21/18 01:15:13PM
KevinM
KevinM
@kevinm
6 years ago
36 posts
Hey Brian and Michael, I think I figured out the problem by looking at the last two upgrades.
Brian, I saw your code modification for the PUT function in Bridge, you added
    if (jrProximaCore_get_client_access_level() != 'master') {
and got it working. 
 I applied that code to the POST function in bridge starting at line 106 and here it is:
    // Validate Profile Quota
    if (jrProximaCore_get_client_access_level() != 'master') {
        $_us = jrProximaCore_get_session_user_info();
        if (!$_us) {
            // Should not happen
            return jrProximaCore_http_response(401, 'invalid user session');
        }
        if (isset($_us["quota_{$mod}_allowed"]) && $_us["quota_{$mod}_allowed"] != 'on') {
            return jrProximaCore_http_response(401, 'user is not allowed access to this module');
        }
    }
Let me know what you think! Hope that helps!
Kevin
brian
@brian
6 years ago
10,148 posts
Yeah that's not right. Even when logged in with a MASTER key you should still have a valid session - all you've done here is bypass the session check - that's not the right place to do this.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
KevinM
KevinM
@kevinm
6 years ago
36 posts
No worries, I was just trying to apply what i thought was the same fix for the PUT problem at ProximaBridge/Include.php line 276 to the POST problem. So is there a way to fix the POST an PUT problem when signed in as Admin with the Master?
brian
@brian
6 years ago
10,148 posts
KevinM:
No worries, I was just trying to apply what i thought was the same fix for the PUT problem at ProximaBridge/Include.php line 276 to the POST problem. So is there a way to fix the POST an PUT problem when signed in as Admin with the Master?

Double check that you're actually logging in as an account using the master key - i.e. the login is successful, because what we're seeing here is a session failure - not a permission issue.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Tags