Is API token required when fetching artifacts?

:wave: Hi! This is Mengdi from React.js team
We download build artifacts as part of our release process. For example: fetch(‘${buildID}/artifacts’)

It’s working fine now, but some of my coworkers told me it was broken not long ago, and they had to pass in their Circle API token as ‘Circle-Token’ in header.

Can you confirm if API token is required for GET requests?

Thank you!

I am pretty sure the answer to 'is API token required" question is yes.

The slight complication is that this value can be passed as a header token, user name if using curl or in the passed url. So there is always the chance that other changes have caused an old way of doing something to break. As an example has the script been refactored to remove the use of curl and so the user parameter has been dropped without a header parameter being added?

If you have not changed anything on your end and authentication has been failing it would be worth raising a support ticket as the support team may be able to map the issue you have been seeing against any outages they have logged internally.

My situation is that we are usually able to GET the artifacts without providing the token in the header. But it did not work for a while, so we had to add the token.

If the token should be always required, is it a bug that we are now able to download without a token?

I am not a staff member, so my answers are based on what I know and what I can find in the docs, with some additional backup from circleci.

If you have been able to access the artefacts of a build without authentication it is something for staff members to look into as it means the only security in place was “Security through obscurity” rather than “Security through security”. The API docs clearly show that the Circle-Token should be part of each request.

I would say that you should raise a support ticket so that a staff member can look into this in more detail. I’ll also raise this thread via the channel I have access too.

Hi @mondaychen - during a brief period last week there was a regression to artifacts fetching on certain OSS projects. The only projects affected were ones that have enabled a specific setting that allows unauthenticated access to artifacts. I suspect that was what your coworkers noticed. I’m sorry for the disruption that caused you, and your colleagues.

Thanks a lot @rit1010 you were absolutely right to spot that this type of security related inconsistency is something to be concerned about. In this case the unintended change briefly disabled the permissive access, forcing authentication where it was not previously required.

1 Like

Thank you very much for the clarification!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.