I'm trying to access the ejabberd REST API without authentication but always get a 403 Forbidden response with this body:
{
  "status": "error",
  "code": 32,
  "message": "AccessRules: Account does not have the right to perform the operation."
}
I cannot get an OK response on the /api/status endpoint, which is a command that all users from 127.0.0.1 should be able to use (see the "public commands" section under api_permissions in ejabberd.yml).
Here's the request details (via Insomnia REST client):
> POST /api/status HTTP/1.1
> User-Agent: insomnia/5.1.0
> Host: localhost:5280
> Accept: */*
> Accept-Encoding: deflate, gzip
> Content-Type: application/json
> Content-Length: 2
| {}
Ejabberd version is 17.04, installed from a downloaded deb package and running on Debian 8.8 (jessie) x86_64 as ejabberd
user.
Post install, I simply added the host "localhost", registered a new user "admin" for localhost and added it to the ACLs.
The only changes I made to ejabberd.yml:
hosts:
  - "localhost"

acl:
  admin:
    user:
      - "admin": "localhost"
Otherwise, I can access the webadmin interface which works fine...
What can I do in order to get a 200 OK response?
OK, I found the solution. Like the message said, it was a permission issue.
Here's the default configuration:
api_permissions:
  ## ...
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
This does not allow access to the status or connected_users_number commands, with or without authentication (I triple-checked).
For usage without authentication, use - all:
"public commands":
  who:
    ## This allows to use both commands without having to authenticate
    - all
  what:
    - "status"
    - "connected_users_number"
If you want to require a valid user (with basic authentication), replace - all by - access: local.
"public commands":
  who:
    ## This allows to use both commands with basic authentication for local users
    - access: local
  what:
    - "status"
    - "connected_users_number"
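To make the three "public commands" variants above comparable without a running server, here is a small Python model of how the who/what sections are evaluated. This is an added illustration written for this page, not ejabberd's own code: the `who` rule kinds (`ip`, `all`, `access: local`) are modelled as the answer describes them, and the meaning of the default `local` access rule (any authenticated user of a served vhost) is an assumption stated in the code. The sample vhost, account, password and source addresses are constructed for the example. Note that the model grants the default `ip: "127.0.0.1/8"` rule to an IPv4 loopback client; the answer reports that the default did not work for them, and the post does not say why. One thing the model does show is that a request whose "localhost" resolved to the IPv6 loopback ::1 can never match an IPv4 ip: rule, which is worth ruling out before relaxing the rule.

```python
"""Model of ejabberd api_permissions evaluation (illustration, not ejabberd code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: vhosts served by this ejabberd (from the question)
HOSTS = {"localhost"}

# Constructed sample: registered accounts keyed by (user, host).
# The password is a placeholder for the example, not a real credential.
ACCOUNTS = {("admin", "localhost"): "admin-password"}


@dataclass
class Request:
    command: str
    source_ip: str
    # (user, host, password) taken from HTTP Basic auth, or None when the
    # client sent no Authorization header (as in the question's Insomnia request)
    credentials: Optional[tuple] = None


def ip_matches(rule_cidr, source_ip):
    """True if source_ip lies inside rule_cidr, e.g. "127.0.0.1/8".
    Address families must agree: the IPv6 loopback ::1 is never inside an
    IPv4 network, so an ip: rule can silently fail for a client that
    resolved "localhost" to ::1."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    addr = ipaddress.ip_address(source_ip)
    return addr.version == net.version and addr in net


def access_local(req):
    """Assumption: the default 'local' access rule matches any authenticated
    user whose host is one of the served vhosts."""
    if req.credentials is None:
        return False
    user, host, password = req.credentials
    if ACCOUNTS.get((user, host)) != password:
        return False
    return host in HOSTS


def who_matches(who_rules, req):
    """The 'who' section matches if any one of its rules matches."""
    for rule in who_rules:
        if rule == "all":
            return True
        if isinstance(rule, dict):
            if "ip" in rule and ip_matches(rule["ip"], req.source_ip):
                return True
            if rule.get("access") == "local" and access_local(req):
                return True
    return False


def decide(permissions, req):
    """200 if some permission group lists the command (what) and admits the
    requester (who); otherwise the 403 shown in the question."""
    for group in permissions.values():
        if req.command in group["what"] and who_matches(group["who"], req):
            return 200
    return 403


# The three "public commands" variants from the answer, as Python dicts
WHAT = ["status", "connected_users_number"]
DEFAULT = {"public commands": {"who": [{"ip": "127.0.0.1/8"}], "what": WHAT}}
OPEN = {"public commands": {"who": ["all"], "what": WHAT}}
LOCAL_USERS = {"public commands": {"who": [{"access": "local"}], "what": WHAT}}


def demo():
    """Evaluate representative requests against each variant."""
    anon_v4 = Request("status", "127.0.0.1")
    anon_v6 = Request("status", "::1")           # "localhost" may resolve here
    remote = Request("status", "203.0.113.9")    # TEST-NET-3 documentation address
    admin = Request("status", "127.0.0.1", ("admin", "localhost", "admin-password"))
    bad_pw = Request("status", "127.0.0.1", ("admin", "localhost", "wrong"))
    other_cmd = Request("registered_users", "127.0.0.1",
                        ("admin", "localhost", "admin-password"))
    return {
        "default/anon ipv4": decide(DEFAULT, anon_v4),
        "default/anon ipv6": decide(DEFAULT, anon_v6),
        "all/remote anon": decide(OPEN, remote),
        "local/anon": decide(LOCAL_USERS, anon_v4),
        "local/admin": decide(LOCAL_USERS, admin),
        "local/bad password": decide(LOCAL_USERS, bad_pw),
        "local/other command": decide(LOCAL_USERS, other_cmd),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The "all/remote anon" case is the caveat that matters for the `- all` variant: it makes `status` and `connected_users_number` callable by anyone who can reach port 5280, so that listener should be bound to loopback or firewalled if you use it. The `access: local` variant sends the account password as HTTP Basic auth on every call, so it belongs on a TLS-enabled listener.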