Having trouble calling Patch/Delete via rest - 403 {u'message': u'Access is forbidden', u'type': u'Forbidden'}

Hi

I am trying to patch (update attributes on a device) and/or delete a device
using the REST api (python losant-rest).

I can perform the following fine.
Send state, get the device and device state, however I always get a

403 {u'message': u'Access is forbidden', u'type': u'Forbidden'}

For Patch and Delete operations.

The access keys don’t have any specific permission other than restricted to device.

So not sure why/how Forbidden could be thrown.
It’s possible my payload for Patch has some properties that shouldn’t be patched etc… but I would have assumed malformed data.

However, the fact that Delete is also forbidden suggests some other issue.

Thanks

Tim

When authenticating as a device, which it sounds like you are doing here, you do not have permission to edit or delete the device itself, only to send state and commands.

Note that you may retrieve information about the device (GET /applications/:applicationId/devices/:deviceId).

Ok,

So is deviceID optional in the credentials supplied to authenticate_device() ?

T

Hmm

So I don’t really understand what is going on here. To authenticate you must provide deviceId
or I get

400 {u'message': u'credentials.deviceId is required', u'type': u'Validation'}

however you say

"When authenticating as a device, which it sounds like you are doing here, you do not have permission to edit or delete the device itself, only to send state and commands."

which I gather is what I am doing.

So this raises the question how does one authenticate without authenticating as a device, or do I create some other random device so that I can patch a different device :wink: Call me a little confused :wink:

I haven’t seen any other method of authentication for the rest api.

Thanks

Stumped :wink:

Ok now I have worked it out.

Sorry for the noise.

The summary docs for losant-rest-python only showed a device authentication and it wasn’t till I started looking in your examples that I noticed the existence of client.auth.authenticate_user, and then I found it in the auth docs.

I really should have spent some time RTFM’ing before asking silly questions.

There is one issue I see with this situation.

What do I do if I want an application to connect to the REST api (not as me, and not as a device).
Any plans for application specific auth/tokens ?

Still finding my way around the system.
Thanks

Tim

I see where your confusion came from. It took me a minute to find an example in the repo for how to connect as a user and not as a device (it’s here for those who come across this later), which is what you need to do to perform the device creation / editing operations you started the thread about.

As for authenticating as an application … can you give us an example of what you’re hoping to achieve by doing so? If you have permission to edit the application as a user, you can just authenticate as the user and add/edit devices, workflows, etc.

Hi Dylan

Thanks for the response.

As to application authentication vs user auth here is my scenario.

We have a number of engineers out in the field who program/configure COMAP controllers (amongst others). There are engine/pump/motor controllers which we communicate to via modbus. The registers available can be downloaded via a proprietary COMAP application. We use that register config to drive our data logger and what gets published (currently pubnub/losant) and logged. These tables change from controller type, application etc…

Ideally the engineer can submit the register file to our internal systems (ESB) which translates it into the current set of device attributes for the device on Losant and then the ESB updates via the REST api and can

  1. possibly create a new device.
  2. Update the attributes of the device to match the current configs.

With the current auth system the ESB needs to log in as a specific user (for instance me). This means if I change my password I need to change it in the code run by the ESB. It also means I can’t enable 2 factor auth.

The device auth you have is ideal for applications but is currently specific to device auth.

Other strategies/suggestions are welcome.

Thanks

Tim

One alternative might be allowing gateways to be able to create/modify peripherals.

T

One other observation.

In the API docs there doesn’t appear to be any indication of which methods are permitted by a particular auth scheme,

i.e. that only a user auth can perform Device PATCH requests.

Regards

Tim

We understand your use case and are looking into adding application-level authentication. We’ll let you know when we have a timetable for the feature.

As for the documentation, you’re right. We just pushed an update that adds a couple paragraphs describing the scope of user authentication vs. device authentication.
https://docs.losant.com/rest-api/overview/

Hi Dylan

Thanks for the response. Looking forward to app level auth, and thanks for updating the docs.

T

Hi Dylan

Have there been any further thoughts on application level auth?

T