
I've noticed that when you are about to delete an organization, the suggested request in the docs is this one (subsection DELETE AN ORGANIZATION inside ORGANIZATION CRUD ACTIONS):

curl -iX DELETE \
  'http://localhost:3005/v1/organizations/{{organization-id}}' \
  -H 'Content-Type: application/json' \

which does not include the X-Auth-token as part of the header.

Could this result in a security issue (allowing anyone to delete any organization)?

jfernandz

1 Answer


The command for deleting an organization in the referenced document is incomplete:

curl -iX DELETE \
  'http://localhost:3005/v1/organizations/{{organization-id}}' \
  -H 'Content-Type: application/json' \

The X-Auth-Token in the above command is missing. Without an X-Auth-Token one will not be able to delete the organization or perform any other operation.

The command without X-Auth-Token will have the following response:

{
    "error": {
        "message": "Expecting to find X-Auth-token in requests",
        "code": 400,
        "title": "Bad Request"
    }
}

The correct command will have X-Auth-Token in its header:

curl -iX DELETE \
      'http://localhost:3005/v1/organizations/{{organization-id}}' \
      -H 'Content-Type: application/json' \
      -H 'X-Auth-Token: {{X-Auth-Token}}'

The above command (with X-Auth-Token) will return the HTTP status HTTP/1.1 204 No Content.

Screenshot: (image of the 204 No Content response not reproduced)

thebluemagician
  • First ... thank you so much. I would have assumed that the docs were incomplete if it were not because [here](https://keyrock.docs.apiary.io/#reference/keyrock-api/organization/delete-an-organization) is also incomplete. But anyway, of course the better way to check this was trying it. I think both sites must be completed. – jfernandz Oct 11 '19 at 07:14
  • The [tutorial](https://fiware-tutorials.readthedocs.io/en/latest/identity-management/index.html#organization-crud-actions) has now been updated – Jason Fox Oct 11 '19 at 07:26
  • @JasonFox I think you should update the [apiary reference](https://keyrock.docs.apiary.io/#reference/keyrock-api/organization/delete-an-organization); maybe this is more relevant than the tutorial. – jfernandz Oct 11 '19 at 08:15
  • The apiary definition is not under my control - I have raised an [issue](https://github.com/ging/fiware-idm/issues/117) on the relevant GitHub repository which should make the development team aware. – Jason Fox Oct 11 '19 at 08:48
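The question asks whether the incomplete curl example is a security problem, and the answer shows that the server itself rejects a token-less DELETE with a 400. The added example below (not from the question, the answer, or the Keyrock project) turns that observation into a repeatable regression check: a minimal client that sends the DELETE with or without X-Auth-Token, plus a local stand-in server that reproduces only the two responses quoted in the answer (the 400 JSON body and the 204), so the check runs offline. The mock server, the function names `delete_organization` / `delete_requires_token`, and the placeholder values `org-placeholder` and `token-placeholder` are all assumptions made for this example; against a real Keyrock you would point `base_url` at it and supply a real token.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _MockKeyrockHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for Keyrock (constructed for this example).

    It reproduces only the two behaviours quoted in the answer:
    no X-Auth-Token -> 400 with the JSON error body, token present -> 204.
    """

    def do_DELETE(self):
        if not self.path.startswith("/v1/organizations/"):
            self.send_response(404)
            self.end_headers()
            return
        # Header names are case-insensitive; self.headers.get() honours that,
        # so "X-Auth-token" and "X-Auth-Token" are treated the same.
        if self.headers.get("X-Auth-Token") is None:
            body = json.dumps({"error": {
                "message": "Expecting to find X-Auth-token in requests",
                "code": 400,
                "title": "Bad Request",
            }}).encode()
            self.send_response(400)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Token present: mock does not validate it, it only mirrors the 204.
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        # Keep the mock quiet when used from tests.
        pass


def start_mock_keyrock():
    """Start the mock on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _MockKeyrockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def delete_organization(base_url, org_id, token=None):
    """Send DELETE /v1/organizations/{org_id}; return (status, json_body_or_None).

    The token is only added when supplied, so the same function reproduces
    both the incomplete documented command and the corrected one.
    """
    req = urllib.request.Request(
        "%s/v1/organizations/%s" % (base_url, org_id),
        method="DELETE",
        headers={"Content-Type": "application/json"},
    )
    if token is not None:
        req.add_header("X-Auth-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.getcode(), None  # 204 carries no body
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw) if raw else None
        except ValueError:
            return err.code, None


def delete_requires_token(base_url, org_id="org-placeholder"):
    """Regression check: a DELETE without X-Auth-Token must never succeed.

    Returns True when the server refuses the unauthenticated request with a
    client error (400 as Keyrock does, or 401/403), False if it answers 2xx.
    """
    status, _ = delete_organization(base_url, org_id)
    return status in (400, 401, 403)


if __name__ == "__main__":
    server, base = start_mock_keyrock()
    try:
        print("without token:", delete_organization(base, "org-placeholder"))
        print("with token:", delete_organization(base, "org-placeholder", token="token-placeholder"))
        print("DELETE requires token:", delete_requires_token(base))
    finally:
        server.shutdown()
        server.server_close()
```

The mock is deliberately permissive about the token's value because the page only documents the presence check; `delete_requires_token` is the part worth keeping in a test suite pointed at a real instance, since it fails loudly if an API ever starts accepting unauthenticated deletes.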