HTTP 401 Unauthorized on bearer token access

RastreameMX, 18 days ago

Hi, good day.

Excuse me, over the past few days I've been working on an administrative portal to monitor devices that are not reporting their positions correctly. For that, I've used php_curl to request /api/statistics data.

It had been working for about two days, but suddenly it stopped working, returning 401 Unauthorized. After some tests, I've discovered that when I make a GET request to /api/statistics?from={date}&to={date} using curl_setopt($ch, CURLOPT_USERPWD, "$traccar_us:$traccar_pw") instead of a bearer token, the request executes as expected. But when I use 'Authorization: Bearer '.$traccar_token in the curl request headers, the API returns HTTP 401 Unauthorized.

I guessed it might be some mistake in my procedure for sending the bearer token, but if I make a GET request to /api/server using bearer auth, I get the response as expected. Of course, the token I'm using is an administrator's, so it has access to /statistics, /users, /devices and any other section.

My server is running with nginx as a reverse proxy, with the /api locations correctly configured.

Summary: when I authenticate using bearer, only /server works, not any other API section. When I authenticate using user/password, everything works as expected.

Can somebody give me a clue as to what is happening, or where my mistake is in requesting API data?

Many thanks.

Anton Tananaev, 18 days ago

The /api/server endpoint does not require any authentication. That probably explains why it's working.

RastreameMX, 18 days ago

Hi Anton good day.

Yep, after my post I discovered that.

So, I'm still running tests, but without success. I've been using services like Reqbin dot com to see if I can get any data via the API, but I still get the same error.

It seems as if the token is not being saved in the database when it's generated, but as far as I understand, at the moment the token is generated, in the same request, the token is saved in the database, right?

Any clues about what is happening in my case?

Thank you.

Anton Tananaev, 18 days ago

We don't save tokens in the database.

RastreameMX, 18 days ago

Hi again.

So, as I understand it, the token is "decoded" each time it's used, like crypto hashes, right?

Any clue why my server is not able to process the received bearer token as expected? I think it's not because of the nginx configuration, because local curl requests directly to the Traccar HTTP service don't work either, so it's not between nginx and Traccar.

Is there some way to debug authentication via token?

Thank you.

Anton Tananaev, 18 days ago

Maybe capture the request with something like Wireshark and see what's actually being sent.
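A lighter-weight way to do the check suggested above, as an added example that is not part of the thread and not Traccar's or the poster's code: run a throwaway local HTTP server that records the exact request line and Authorization header it receives, then point the client at it instead of the real server. Here Python's urllib stands in for php_curl; the same three request styles from the thread are sent (bearer header on /api/statistics, CURLOPT_USERPWD-style basic auth, and a percent-encoded token in the query string as for /api/session?token=). The token "abc.def", the credentials and the dates are made-up values, and token_issues() is a generic sanity check for invisible whitespace or control characters that a copy/paste or a file read can add to a token; it is not a claim about what went wrong in this case.

```python
"""Record exactly what an HTTP client puts on the wire for Authorization.

Added example, not from the thread: a local stand-in server that captures the
request line and the Authorization header, so bearer, basic and query-string
token requests can be compared without Wireshark. Paths, token and
credentials below are made up.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen


class _RecordingHandler(BaseHTTPRequestHandler):
    """Stores path and Authorization header of each GET, then answers 204."""

    def do_GET(self):
        self.server.captured.append({
            "path": self.path,
            "authorization": self.headers.get("Authorization"),
        })
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stderr quiet


class CaptureServer:
    """Ephemeral HTTP server on 127.0.0.1 with a random free port."""

    def __init__(self):
        self.httpd = ThreadingHTTPServer(("127.0.0.1", 0), _RecordingHandler)
        self.httpd.captured = []
        self.base = "http://127.0.0.1:%d" % self.httpd.server_address[1]
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def close(self):
        self.httpd.shutdown()
        self.httpd.server_close()


def bearer_header(token):
    # Same shape as the PHP concatenation in the post: 'Authorization: Bearer '.$token
    return {"Authorization": "Bearer " + token}


def basic_header(user, password):
    # What CURLOPT_USERPWD produces on the wire: base64("user:password")
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + cred}


def token_issues(token):
    """Generic sanity check: whitespace or control characters (for example a
    trailing newline from reading a file) that a token can pick up unseen."""
    issues = []
    if token != token.strip():
        issues.append("leading/trailing whitespace")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in token):
        issues.append("control character")
    return issues


def get(url, headers=None):
    with urlopen(Request(url, headers=headers or {}), timeout=5) as resp:
        return resp.status


def capture_requests(token, user, password):
    """Send the three request styles from the thread to the capture server
    and return what actually arrived, in order."""
    srv = CaptureServer()
    try:
        query = urlencode({"from": "2024-01-01T00:00:00Z", "to": "2024-01-02T00:00:00Z"})
        # 1. bearer header on /api/statistics (the failing case in the post)
        get(srv.base + "/api/statistics?" + query, bearer_header(token))
        # 2. basic auth on the same endpoint (the working case)
        get(srv.base + "/api/statistics?" + query, basic_header(user, password))
        # 3. token in the query string, percent-encoded, as for /api/session?token=
        get(srv.base + "/api/session?token=" + quote(token, safe=""))
        return list(srv.httpd.captured)
    finally:
        srv.close()


if __name__ == "__main__":
    for req in capture_requests("abc.def", "admin", "secret"):
        print(req["path"], "->", req["authorization"])
    print(token_issues("abc.def\n"))
```

Run it with the real client pointed at the printed base URL (or, as here, with urllib) and compare the captured Authorization value character by character against the token you believe you are sending; a bearer request that arrives with the wrong prefix, an encoded token, or extra bytes is visible immediately, without a packet capture.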

RastreameMX, 18 days ago

Hi again.

I'm going to configure Wireshark to analyze the traffic between client and server.

One more thing I'm seeing:

When I make a request to /api/session?token={token}, I always get Token has expired-SecurityException(TokenManager: 80<LoginService: 81<SessionResource: 81<...<OverrideFilter: 49<...), even using tokens valid until next year.

So the token is being received in full by Traccar, but maybe the date is being interpreted wrong, or there's something with the date configuration on the server?

Anton Tananaev, 18 days ago

How did you create the token?

RastreameMX, 18 days ago

Account -> Preferences -> set the date using the calendar -> click on the arrow circle, then copy the generated token into the browser at mysite.com/api/session?token={token}