Cannot delete file pushes using API

[dniasoff]

🐛 Bug Report

Trying to delete file pushes using API but getting 302 instead of 200

Exactly the same request works on file pushes

I can retrieve and push file pushes using API but just not delete

🔬 How To Reproduce

Here is a web capture of a successful file delete

DELETE https://pwpush.xxxxx/p/xxxxxxxxxxxxx.json HTTP/1.1
Host: pwpush.xxxxxxxxxxxxxxxx
X-User-Email: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-User-Token: xxxxxxxxxxxxxxxxxxxxxx

HTTP/1.1 200 OK
Date: Sun, 15 Sep 2024 21:57:02 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 312
Connection: keep-alive
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
etag: W/"9b12e2da3468ac48aa10623dbaeaf004"
cache-control: max-age=0, private, must-revalidate
x-request-id: cfb657b82630cade8f9e13b7b2291684
x-runtime: 0.021039
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"expired":true,"deleted":true,"expired_on":"2024-09-15T21:57:02.485Z","expire_after_days":3,"expire_after_views":1,"url_token":"4zzcsuamge0f","created_at":"2024-09-15T21:56:06.580Z","updated_at":"2024-09-15T21:57:02.486Z","deletable_by_viewer":false,"retrieval_step":true,"days_remaining":3,"views_remaining":1}

and here is a similar failing file request

DELETE https://pwpush.xxxxxxxxxxxxxxxxxxxxx/f/xxxxxxxxxxxxxxxxx.json HTTP/1.1
Host: pwpush.xxxxxxxxxxxxxxxxxx
X-User-Email: xxxxxxxxxxxxxxxxxxxxxx
X-User-Token: xxxxxxxxxxxxxxxxxx

HTTP/1.1 302 Found
Date: Sun, 15 Sep 2024 21:57:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
location: https://pwpush.xxxxxxxxxxxxxxxxxxx/en
cache-control: no-cache
set-cookie: _PasswordPusher_session=xxxxxxxxxxxxxxx--NFCvu1gXrDNvi8WEoA1T0Q%3D%3D; path=/; httponly; SameSite=Lax
x-request-id: 2853164d37711b84861294d05cded8c2
x-runtime: 0.008960
Strict-Transport-Security: max-age=15724800; includeSubDomains

Code sample

string _dapi = $"{_url}/f/{p.UrlToken}.json";
HttpResponseMessage dresponse = await _httpClient.DeleteAsync(_dapi);
if (!dresponse.IsSuccessStatusCode)
{

    throw new Exception($"Error deleting password: {dresponse.StatusCode}");
}

Environment

Where are you running/using Password Pusher?

running in Kubernetes, tried 1.45 and 1.39

[github-actions]

Hello @dniasoff, thanks for contributing to the Password Pusher community! We will respond as soon as possible.

[pglombardo]

Hi @dniasoff - I'll take a closer look at this tomorrow when I'm back at my desk but a couple thoughts:

1. Logins and file pushes are definitely enabled I assume
2. See if the pushes created from the API show up in your dashboard. The API can sometimes fall back to anonymous when bad credentials are given. That would explain the DELETE fail..

I'll give it some more thought and take a look again tomorrow.

[dniasoff]

Hi @pglombardo

Thanks for your quick response.

yes I have the following set

PWP__ENABLE_LOGINS: true
PWP__ENABLE_FILE_PUSHES: true

I can see and expire the file push using the GUI. I tried reproducing the POST request the dashboard uses to delete file pushes but couldn't get it to work.

Thanks

Daniel

[pglombardo]

Morning @dniasoff - You may have to update your container versions. Which Docker tag are you using?

My bad - just saw 1.45... these locale paths don't exist in the latest versions - /en etc...

In any case, this is the code that does the redirect if conditions are correct.

[dniasoff]

Thanks @pglombardo

Using 1.45 from here - https://hub.docker.com/layers/pglombardo/pwpush/1.45/images/sha256-95fd3b50f0bd500fa7a74148db3f5b2deafcdc5416fb5ed781d1c0ba0749b0d2?context=explore

Not using locales?

[pglombardo]

Hi @dniasoff - this should be fixed in v1.45.11. Just tested now and all works ok. I greatly simplified that code to fix another bug in that area too.

Could you try this latest version out and let me know?

[pglombardo]

Hi @dniasoff - have you had a chance to try this out?

[dniasoff]

not yet, just upgraded to 1.47, will try and test tomorrow

…

On Sun, 20 Oct 2024 at 20:43, Peter Giacomo Lombardo < ***@***.***> wrote: Hi @dniasoff <https://github.com/dniasoff> - have you had a chance to try this out? — Reply to this email directly, view it on GitHub <#2516 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7BXDJFA6MECYTRLOMCDFTZ4QBU5AVCNFSM6AAAAABOIGDBT2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMRVGE4TCNZXGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>