Hi guys, on GLPI 10.0.17, I try to init session:
- API client is enabled with app token generated
- in user profile, I got user token enabled
- IP address range OK
using this code :
<?php
$app_token="xxxx";
$user_token="ddddd";
$ch = curl_init();
$url="https://glpi.ddddd.com/apirest.php/initSession?Content-Type=%20application/json&app_token=" .$app_token . "&user_token=" .$user_token;
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$json = curl_exec($ch);
curl_close ($ch);
// returned json string will look like this: {"code":1,"data":"OK"}
$obj = json_decode($json);
print_r($obj);
?>
and got this output :
Accept: */*
* old SSL session ID is stale, removing
< HTTP/1.1 400 Bad Request
< date: Thu, 06 Feb 2025 21:50:29 GMT
< server: Apache/2.4.52 (Ubuntu)
< access-control-expose-headers: content-type, content-range, accept-range
< expires: Mon, 26 Jul 1997 05:00:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-length: 202
< content-type: application/json; charset=UTF-8
< strict-transport-security: max-age=16000000; includeSubDomains; preload;
* Connection #0 to host glpi.sss.com left intact
Array
(
[0] => ERROR_APP_TOKEN_PARAMETERS_MISSING
any idea ? also :
- when I'm on the API web interface, the value of the active listbox is always NO (while in the logs it mentioned the status switched to yes when I created the API client). Is it a bug?
- my user has admin role. how can I check he has API access permissions ?
need your expertise guys.... thanks ..!
I also tried with this powershell command, same thing :
$AppURL = "https://glpi.qqqqqq.com/apirest.php"
$UserToken = "xxxxxx"
$AppToken = "ddddddd"
$SessionToken = Invoke-RestMethod "$AppURL/initSession" -Method Get -Headers @{"Content-Type" = "application/json";"Authorization" = "user_token $UserToken";"App-Token"=$AppToken}
Guys, it's working when I removed the app token and IP address range restriction in the API client, any idea?
Also, do you confirm that the IP address range restriction set in the API client is just for the API client, I mean no need to set any app restriction if I'm just using the user token?
API is case sensitive, and I guess App-token should work instead of App-Token
Find the fault before repairing...
GLPI10.0.16 (ubuntu 22.04 PHP8.1 Mariadb10.6 ) plugins : comportements 2.7.3 reports 1.16.0 formcreator 2.13.9, datainjection 2.13.5 fields 1.21.9
What were you entering for the IP address restriction?
The user token and app tokens are different concepts that need to be used together.
The user token is just a way to authenticate to the API as a specific user using the username and password.
The app token identifies the script/application/whatever that is accessing the API.
When you give the app token to an external program/service, you can limit the damage if the token is ever leaked. If you know that token X is going to be used for a specific software, you can restrict its usage to only the IP used by that service.
Edit: You should never have an API client with no app token associated. I know there is a mobile app for GLPI that requires it, but it is pretty bad from a security perspective especially if that API client doesn't also have strict IP restrictions.
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
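The two-token model described in the post above, as an added example that is not part of the original thread: it sends both tokens in the `App-Token` and `Authorization: user_token` headers (the same headers the PowerShell post uses), which keeps them out of the URL, where web server access logs typically record the query string. The host, the `GLPI_*` environment variable names, the function names and the sample responses are placeholders constructed for illustration.

```php
<?php
// Added example, not from the thread; names, env vars and samples are placeholders.

/** Build cURL options that carry both tokens in headers, never in the URL. */
function glpi_init_session_options(string $baseUrl, string $appToken, string $userToken): array
{
    return [
        CURLOPT_URL            => rtrim($baseUrl, '/') . '/initSession',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            'App-Token: ' . $appToken,                 // identifies the API client
            'Authorization: user_token ' . $userToken, // identifies the user
        ],
    ];
}

/** Return the session token, or throw with the error code the API sent back. */
function glpi_parse_init_session(int $status, string $body): string
{
    $data = json_decode($body, true);
    if ($status === 200 && is_array($data) && isset($data['session_token'])) {
        return $data['session_token'];
    }
    // Errors arrive as a JSON list: ["ERROR_CODE", "message"].
    $code = (is_array($data) && isset($data[0])) ? (string) $data[0] : 'UNPARSEABLE_RESPONSE';
    throw new RuntimeException("initSession failed (HTTP $status): $code");
}

// Constructed responses, so the parsing can be exercised offline.
$samples = [
    [200, '{"session_token":"constructed-session-token"}'],
    [400, '["ERROR_APP_TOKEN_PARAMETERS_MISSING","constructed message"]'],
];
foreach ($samples as [$status, $body]) {
    try {
        echo 'session token: ', glpi_parse_init_session($status, $body), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}

// Live call: tokens come from the environment instead of being hard-coded.
if (getenv('GLPI_URL') !== false) {
    $ch = curl_init();
    curl_setopt_array($ch, glpi_init_session_options(
        getenv('GLPI_URL'), (string) getenv('GLPI_APP_TOKEN'), (string) getenv('GLPI_USER_TOKEN')));
    $body = curl_exec($ch);
    echo glpi_parse_init_session(curl_getinfo($ch, CURLINFO_HTTP_CODE), (string) $body), PHP_EOL;
}
```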
Hi guys, thanks for your feedback. Yes of course I know the app token is totally different to the user token, but except a bug I don't know what could be wrong, because here is the situation:
- with API enabled, but with no API client, and API user token generated for my account, using just API user token to init session : KO
- with API enabled, with an API client created, without APP token or IP address range, using just API user token to init session : OK
do we agree that by default, I should be able to init session without an API client ? (just by providing user token)
one thing, on Admin API panel, the value "is active" : is always set to no.... with or without api client.... could it be the root cause thanks in advance
PS: I want initially to fetch all content solution of all tickets, do you know if I need to specify a specific encoding value? Because the dump always contains HTML code for the ITILSolution/content field. Thanks!
Last edited by parorrr (2025-02-07 16:32:47)
You need the app token/API client for all interactions with the API including starting a session.
I'm not sure about the issue with the API client always showing not active.
For the content, you get what is stored in the database. Solution content supports rich-text, so it is always going to be stored and retrieved as HTML. If you want only the text content, you will have to clean it yourself.
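One way to do the cleaning mentioned in the reply above, as an added example that is not part of the original thread: it reduces rich-text HTML such as the ITILSolution content field to plain text. The function name and the sample value are constructed, and the entity-encoded input form is an assumption about what the instance returns.

```php
<?php
// Added example, not from the thread. Function name and sample are constructed.

/** Reduce rich-text HTML (e.g. ITILSolution content) to plain text. */
function solution_html_to_text(string $content): string
{
    // Assumption: the field may arrive entity-encoded (&lt;p&gt;...). If no raw
    // tag is present, decode once to recover the markup before stripping it.
    if (strpos($content, '<') === false) {
        $content = html_entity_decode($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    // Drop script/style elements with their bodies; strip_tags() alone would
    // remove the tags but keep the inner text.
    $content = preg_replace('~<(script|style)\b[^>]*>.*?</\1\s*>~is', '', $content);
    // Turn line breaks and closing block tags into newlines before stripping.
    $content = preg_replace('~<br\s*/?>|</(p|div|li|tr|h[1-6])\s*>~i', "\n", $content);
    $text = strip_tags($content);
    // Decode entities left in the text nodes (&amp;, &nbsp;, ...).
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = str_replace("\u{00A0}", ' ', $text);
    // Collapse runs of spaces and blank lines.
    $text = preg_replace('~[ \t]+~', ' ', $text);
    $text = preg_replace('~ ?\n ?~', "\n", $text);
    return trim(preg_replace('~\n{2,}~', "\n", $text));
}

// Constructed sample in the entity-encoded form.
$sample = '&lt;p&gt;Replaced the PSU&lt;br&gt;Tested &amp;amp; closed.&lt;/p&gt;'
        . '&lt;script&gt;x()&lt;/script&gt;';
echo solution_html_to_text($sample), PHP_EOL;

// The result is plain text, not safe HTML: pass it through htmlspecialchars()
// before placing it in a web page.
```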