For testing a command line tool against a Gitlab instance in Docker, I would like to login to Gitlab using username and password and grab the created session to authenticate my API requests.
Therefore I do the following:
- curl the user login page with
curl -i http://localhost:8080/users/sign_in -s
- get me the
_gitlab_session
from the headers - get me the
authenticity_token
from the login form - send a second curl request with
curl 'http://localhost:8080/users/sign_in' \
-H "_gitlab_session=${cookie}" \
-H 'Origin: http://localhost:8080' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' \
-H 'Referer: http://localhost:8080/users/sign_in' \
-H 'Connection: keep-alive' \
--data-urlencode "authenticity_token=${token}" \
--data-urlencode "user[login]=root" \
--data-urlencode "user[password]=12341234" \
--data-urlencode "user[remember_me]=0"
But instead of a valid user login, I get a
422 - The change you requested was rejected.
And in the logfiles, I see
==> gitlab-rails/production.log <==
Started POST "/users/sign_in" for 172.17.0.1 at 2017-12-23 00:22:16 +0000
Processing by SessionsController#create as HTML
Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"login"=>"root", "password"=>"[FILTERED]", "remember_me"=>"0"}}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 125ms (ActiveRecord: 7.8ms)
==> gitlab-rails/production_json.log <==
{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController",
"action":"create","status":422,"error":"
ActionController::InvalidAuthenticityToken:ActionController::InvalidAuthenticityToken",
"duration":126.29,"view":0.0,"db":7.78,"time":"2017-12-23T00:22:16.039Z",
"params":{"authenticity_token":"[FILTERED]","user":{"login":"root","password":"
[FILTERED]","remember_me":"0"}},"remote_ip":"172.17.0.1",
"user_id":1,"username":"root"}
==> gitlab-rails/production.log <==
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
lib/gitlab/middleware/multipart.rb:93:in `call'
lib/gitlab/request_profiler/middleware.rb:14:in `call'
lib/gitlab/middleware/go.rb:18:in `call'
lib/gitlab/etag_caching/middleware.rb:11:in `call'
lib/gitlab/middleware/read_only.rb:31:in `call'
lib/gitlab/request_context.rb:18:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
I assume that I forgot to pass a necessary ingredient in the second request - but I can't figure out, which one.