Author Topic: Problem trying to login via RESP (API) (Read 2391 times)

capo · January 08, 2013, 10:03:52 am

I'm trying to use the CiviCRM API for the first time, so I'm probably doing something wrong. I've been searching the forums before posting this question but I didn't find the solution. I hope I'm not bothering.

I've been performing some experiments using the API Explorer and I found it very useful and easy to use. What I want to do is to use the API (via REST) to create some contacts. I want to do that via REST because I'll try to communicate CiviCRM with a different database using Pentaho's Kettle. Anyway, it doesn't matter here.

I'm trying to follow the instructions written in http://book.civicrm.org/developer/current/techniques/api/ to be able to login via REST. I understood it's the first thing I've to do if I want to use the API for any other purpose.

If I make this call: http://localhost/drupal/sites/all/modules/civicrm/extern/rest.php, I obtain a XML saying that I've to provide the key parameter, so I guess the URL is correct. Now, I try to complete it providing the parameters:

q=civicrm/login
key: I'm providing the value for CIVICRM_SITE_KEY stored at civicrm.settings.php
user: I'm providing my Drupal's username
password: I'm providing my Drupal's password
version=3

So, the final URL I'm using to perform the POST call is:

http://localhost/drupal/sites/all/modules/civicrm/extern/rest.php?q=civicrm/login&name=myusername&pass=mypasswird&key=mysitekey&version=3

And, if I try to run it, I'm always obtaining a blank result, instead of the XML containing the api_key and PHPSESSION. I've also tried with json=1 parameter but made no difference.

Can someone help me?

I'm using:

Apache 2
CiviCRM 4.2.beta5
Drupal 7.18

Hershel · January 08, 2013, 11:20:16 am

Why do you have CiviCRM 4.2.beta5? Can you upgrade to the latest stable version, 4.2.7?

xavier · January 08, 2013, 12:31:45 pm

Hi,

we need to upgrade this part in the book: you don't need to login anymore, just to put on every call api_key and key params and you'll be good

If you plan to access from php, you can copy to your remote server api/class.api.php and read the doc inside, should hide all the technical details.

same goes for node.js https://npmjs.org/package/civicrm

X+

P.S. on api explorer until very recently, it display a wrong information and you need to swap api_key and key

capo · January 09, 2013, 12:32:47 am

Hershel, you're right. I'll create a new development environment today using the latest stable version.

Xavier, sorry for the aditional question. How can I find my api_key? In a message you left here (http://forum.civicrm.org/index.php?topic=21735.0) I saw you referenced the key parameter as "thesitesecretkey" and the api_key parameter as "theusersecretkey". I know I can find the key in my civicrm.settings.php but I don't know where can I find the api_key.

In the documentation page for the REST API, I found that I'll obtain the api_key when I make the login. Briefly, if I make the call:

Code: [Select]

/login&name=user&pass=password
I'll obtain an answer containing the api_key:

Code: [Select]

<?xml version="1.0"?>
<ResultSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Result>
<is_error>0</is_error>
<api_key>9c41823fc549582b7b0ee0cc1adc6ee7</api_key>
<key>74829bff1e1ba8c786e240c45b9d87d8e86b6e44</key>
<PHPSESSID>e31243b598c6a01ad5906ea0c512b271</PHPSESSID>
</Result>
</ResultSet>

But my problem is precisely that I'm not able to login! :-( I'm I missing something?

Thank you very much!

Erik Hommel · January 09, 2013, 03:30:10 am

I will at least make sure that the book is updated!
The api_key needs to be set in the civicrm_contact table for the contact that can access CiviCRM with the REST interface (there is a field api_key in the table). You need to do this with phpmyadmin (or any other admin tool for MySQL)

capo · January 11, 2013, 06:17:18 am

Quote from: Erik Hommel on January 09, 2013, 03:30:10 am

I will at least make sure that the book is updated!
The api_key needs to be set in the civicrm_contact table for the contact that can access CiviCRM with the REST interface (there is a field api_key in the table). You need to do this with phpmyadmin (or any other admin tool for MySQL)

Thanks! It worked out!

Erik Hommel · January 11, 2013, 07:10:23 am

X, you got me confused though

Quote

we need to upgrade this part in the book: you don't need to login anymore, just to put on every call api_key and key params and you'll be good

The api_key is in the civicrm_contact table for a specific user. This used to be the user that logged in with the REST. Are you now saying you can use any api_key as long as it is in the table? Or do you mean you should be able to just use the site key?

xavier · January 11, 2013, 09:00:35 am

My point was about the login part: it's not needed anymore, it's now getting closer to a real REST:

for each api call, you add the two api_key and key params (both needed) and you don't need to login anymore.

http://localhost/drupal/sites/all/modules/civicrm/extern/rest.php?key=aaa&api_key=bbb&entity=contact&action=get
http://localhost/drupal/sites/all/modules/civicrm/extern/rest.php?key=aaa&api_key=bbb&entity=anotherone&action=anotheraction

pro tip: use post instead of get, so you don't let the keys visible in the log on the server.

or use api/class.api.php that does take care or hiding all these technical points.

Erik Hommel · January 11, 2013, 09:39:44 am

I got what you were trying to say. But how am I going to know what the api_key is? For example, I have a record in the contact table for John Doe with api_key test1 and a record for Sally Doe with api_key test2. Are you implying that I can use test1 and test2 and it does not really matter? So I should just set one api_key for one of the contacts in civicrm_contact and it does not really matter which contact?

Or should I still make sure that in my REST session Civi knows which api_key to get? And if the latter is the case, should I not still use the login?

capo · January 14, 2013, 07:31:03 am

Quote from: Erik Hommel on January 11, 2013, 09:39:44 am

I got what you were trying to say. But how am I going to know what the api_key is? For example, I have a record in the contact table for John Doe with api_key test1 and a record for Sally Doe with api_key test2. Are you implying that I can use test1 and test2 and it does not really matter? So I should just set one api_key for one of the contacts in civicrm_contact and it does not really matter which contact?

Hi Erik,

As far as I know, api_key's should be uniques. Every single user with access to the API, should have its own api_key. I understood that from Xavier's comments. So I've been making some tests and it seems to work.

The only problem I found is if you use the API to create a contact:

http://localhost/drupal/sites/all/modules/civicrm/extern/rest.php?key=aaa&api_key=bbb&entity=contact&action=create

Then, the new contact will have "bbb" as api_key (I guess it shouldn't be like that but I made some tests and, indeed, it is).

That's like that, probably, because there is only one parameter for "api_key" in this API call but we should have two: one for the authentication and another one for the new contact. Don't you think? Do you think it's a bug? Should I open a ticket?

Thanks for your attention

Erik Hommel · January 14, 2013, 07:48:58 am

Thanks Capo, I have the same assumption about api_keys. I was just wondering what Xavier meant before I update the developer manual :-)

The call for your create : the new contact will not have 'bbb' as the api_key, you can only set the api_key directly in the CiviCRM DB as far as I know. Your call will return an error because there is no contact_type and no email or first_name/last_name.

capo · January 14, 2013, 08:38:36 am

Quote from: Erik Hommel on January 14, 2013, 07:48:58 am

The call for your create : the new contact will not have 'bbb' as the api_key, you can only set the api_key directly in the CiviCRM DB as far as I know. Your call will return an error because there is no contact_type and no email or first_name/last_name.

Indeed, I created a set of contacts using the API and then I found, using phpMyAdmin, that all of them have "bbb" as the api_key. I'll try again, in a different context, just to verify it's not a mistake I'm making.

Erik Hommel · January 14, 2013, 11:30:25 pm

That is interesting behaviour indeed.....I will test it too :-)

xavier · January 15, 2013, 02:07:46 am

Quote

The api_key is in the civicrm_contact table for a specific user. This used to be the user that logged in with the REST. Are you now saying you can use any api_key as long as it is in the table? Or do you mean you should be able to just use the site key?

you need to use both the api_key (I think of it as a concatenated login+password that users can't change) and the site key. We should move to oAuth, but that's what it is.

Quote from: Erik Hommel on January 14, 2013, 11:30:25 pm

That is interesting behaviour indeed.....I will test it too :-)

I think the proper technical term is "bug". The api_key is understood both as a setting for the rest interface and a param for the api. Not good.

I didn't know it was possible to change the api_key via the api. It wasn't the case in previous versions.
IMO shouldn't be allowedpossible. IF we need to set the api_key via the api (I think the sql option is good enough), it needs to be a separated action that is restricted to admin, not via the regular contact create.

a quick fix is to modify api/v3/COntacts and unset ($params["api_key"] in the create function. I don't think we have a "api.discarded" option on _spec as we have api.default. Not sure it's a common enough pattern to justify makes that generic.

And the api_key should be unique anyway indeed. we might need to alter the schema to add a unique index on it.

Erik Hommel · January 15, 2013, 02:36:28 am

Xavier, I agree with the bug! I will raise an issue :-) (and assign it to.........

)

The question that is still open to me is that I am not clear about the login function. You mentioned it is no longer required and that still confuses me. Or maybe better said: that would be really undesirable behaviour...

I think you are saying that you can use any api_key with the REST as long as the api_key exists somewhere in the contact database, am I right? So I could create a user called John Doe with api_key 'testJD' . Anyone accessing that Civi install with the REST (entity=Contact, action=Get, array('version'=>3,key='<sitekey>',api_key='testJD') will get data, even if they never used a login and are not John Doe. Is that correct?
Second question: I DO still need the site_key too, right?

CiviCRM Community Forums (archive)

News:

Author Topic: Problem trying to login via RESP (API) (Read 2391 times)

capo

Problem trying to login via RESP (API)

Hershel

Re: Problem trying to login via RESP (API)

xavier

Re: Problem trying to login via RESP (API)

capo

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)

capo

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)

xavier

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)

capo

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)

capo

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)

xavier

Re: Problem trying to login via RESP (API)

Erik Hommel

Re: Problem trying to login via RESP (API)