'Incomplete credentials' error returned, though credentials are provided

[samtuke]

Short problem description

The following JSON request is sent but 'incomplete credentials' are reported:

{
    "loginName": "admin",
    "password": "password"
}

Using a local PHP development server (http://127.0.0.1:8000/api/v2/sessions), with .htaccess in root dir removed (to avoid permission issues).

Steps to reproduce

1. Send a login request with above JSON using Postman Chrome app
2. Observe reported error

Expected behaviour

Session is created, success status returned

Actual behaviour

Error reported

System configuration

Package version

Installed base-distribution via composer

PHP and Composer version

PHP 7.1.11
Composer version 1.5.2 2017-09-11 16:59:25

[oliverklee]

I'll test this and find out what is missing in the integration tests.

[oliverklee]

Using the development server for the rest-api package (bin/console server:run -d web/), I get a ´401 not authorized´ response (which is correct). These are the parameters I've used in Postman:

POST
http://127.0.0.1:8000/api/v2/sessions
Header: Content-Type application/json
Body:

{
    "code": 401,
    "message": "Not authorized"
}

Does the problem also occur when you're using the development server?

(I'll also retest using the PhpStorm REST tools and the base-distribution package in a minute.

[oliverklee]

I get the same results with the base-distribution package.

[oliverklee]

The same with the REST client in PhpStorm.

[oliverklee]

@samtuke Are you using PHP's built-in web server (in development context) or Apache (in production context)? And if you're using Apache, does the problem also occur if you're using the built-in web server instead?

[samtuke]

I believe I tried it with both and experienced the same outcome

[oliverklee]

Could you please re-try? Maybe there was an error in the JSON request data? I currently cannot reproduce the problem.

[samtuke]

Following a composer update and copy & paste of login credentials from the docs, I get the same error when running a local development server:

{
    "loginName": "admin",
    "password": "eetIc/Gropvoc1"
}

[oliverklee]

I've used the standalone version of Postman for this (as the Chrome app has been discontinued). Could you please retest with the stand-alone Postman or the PhpStorm REST tools to exclude any problems with the Chrome app?

[oliverklee]

Oh, and in your screenshot, the content type (the drop-down right next to the type radio buttons (raw, binary etc.) is not set to "JSON (application/JSON)" (as it is in my Postman). Could you please set that as well?

[samtuke]

@oliverklee Changing the content type fixed it -- well spotted! It seems that if a request is provided, but not with JSON headers, then it returns an 'Incomplete credentials' error, as opposed to 'empty JSON data', which is returned if either empty JSON or text is submitted. Two potential improvements would be:

• If an empty request is submitted with text (not JSON) headers, then respond with error 'JSON missing' or similar
• If non-JSON is submitted, respond with 'Invalid request' or similar, instead of 'Incomplete credentials', as this implies that the request was JSON but the data incomplete.

[oliverklee]

Yes, we should definitely return an "invalid request" status with a helpful error message in that case. What exact Content-type header did you use?

[samtuke]

@oliverklee it looks like no content-type was set at all:

POST /api/v2/sessions HTTP/1.1
Host: 127.0.0.1:8000
Cache-Control: no-cache
Postman-Token: 83ca8f5e-6771-c158-0f6a-9fae28441756

{
    "loginName": "admin",
    "password": "phplist"
}