[Bug]: Get Apps requires user key but get an app requires API Key #91

Open
1 task done
PrinzJuliano opened this issue Dec 5, 2024 · 5 comments
Labels
bug Something isn't working

@PrinzJuliano

What happened?

While debugging a 403 error, I noticed an inconsistency in the Docs:
The View Apps Endpoint https://api.onesignal.com/apps requires the Basic YOUR_USER_AUTH_KEY while https://api.onesignal.com/apps/{app_id} requires the Key YOUR_ORGANIZATION_API_KEY.

In the documentation https://documentation.onesignal.com/reference/view-apps this is flipped.

Regardless of that, why do I require the REST API key to view a single app, while needing the User Key to view all?
I cannot use the User Key to view a single app.
Right now this is wrong in the API Implementation 5.0.0-alpha-02 as well.

When setting the default Auth parameter, the getApp method will work, but of course, any API request that uses the USER Key will fail.

Steps to reproduce?

1. Install 5.0.0-alpha-02
2. 
// Both classes are exported by the SDK package named in the stack trace below.
import { DefaultApi, createConfiguration } from '@onesignal/node-onesignal';

const api = new DefaultApi(createConfiguration({
  authMethods: {
    rest_api_key: {
      tokenProvider: {
        getToken(): Promise<string> | string {
          return 'ONE_SIGNAL_REST_API_KEY';
        },
      },
    },
    user_auth_key: {
      tokenProvider: {
        getToken(): Promise<string> | string {
          return 'ONE_SIGNAL_USER_KEY';
        },
      },
    },
  },
}));
console.log(await api.getApps()); // will work
console.log(await api.getApp('APP_ID')); // will result in a 403, but should also yield 200 ok

What did you expect to happen?

Both API Requests should resolve to a 200 Ok using the right Authentication Methods and yield the requested data.

Relevant log output

Error: HTTP-Code: 403
Message: Unknown API Status Code!
Body: {}
Headers: {"alt-svc":"h3=\":443\"; ma=86400","cf-cache-status":"DYNAMIC","cf-ray":"8ed3d6c77813e0d5-MUC","connection":"keep-alive","content-encoding":"gzip","content-type":"text/plain","date":"Thu, 05 Dec 2024 11:54:00 GMT","server":"cloudflare","set-cookie":"__cf_bm=<cookie>; path=/; expires=Thu, 05-Dec-24 12:24:00 GMT; domain=.onesignal.com; HttpOnly; Secure; SameSite=None","strict-transport-security":"max-age=15552000; includeSubDomains","transfer-encoding":"chunked","via":"1.1 google"}
    at new ApiException (/some-app/node_modules/@onesignal/node-onesignal/apis/exception.ts:12:9)
    at DefaultApiResponseProcessor.<anonymous> (/some-app/node_modules/@onesignal/node-onesignal/apis/DefaultApi.ts:2699:15)
    at step (/some-app/node_modules/@onesignal/node-onesignal/dist/apis/DefaultApi.js:48:23)
    at Object.next (/some-app/node_modules/@onesignal/node-onesignal/dist/apis/DefaultApi.js:29:53)
    at fulfilled (/some-app/node_modules/@onesignal/node-onesignal/dist/apis/DefaultApi.js:20:58)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)

Code of Conduct

  • I agree to follow this project's Code of Conduct
@PrinzJuliano PrinzJuliano added the bug Something isn't working label Dec 5, 2024
@sherwinski
Contributor

Hi @PrinzJuliano,

> The View Apps Endpoint https://api.onesignal.com/apps requires the Basic YOUR_USER_AUTH_KEY while https://api.onesignal.com/apps/{app_id} requires the Key YOUR_ORGANIZATION_API_KEY.

Apologies for the confusion here. To clarify, the USER_AUTH_KEY is the legacy version of the ORGANIZATION_API_KEY, which allows you to perform operations on the app management API. Please see our docs for more details. In regards to the auth header, it should not matter which prefix (Basic vs Key) you use for these app management endpoints.

> In the documentation documentation.onesignal.com/reference/view-apps this is flipped.

Thanks for pointing that out, I agree that it can be confusing so I will surface this with our team to get it sorted out.

> Regardless of that, why do I require the REST API key to view a single app, while needing the User Key to view all?
> I cannot use the User Key to view a single app.
> Right now this is wrong in the API Implementation 5.0.0-alpha-02 as well.

The SDK does not require a REST API key in order to view all apps or a single app. Please confirm that you are using a key generated from your organization's Key & IDs dashboard for the user_auth_key field.

@PrinzJuliano
Author

Well, to clarify: Right now, the SDK uses Bearer instead of Key or Basic. Second: I checked with the official Postman Repository and the same keys I use with the Node SDK.

I hope this helps.

@sherwinski
Contributor

sherwinski commented Dec 10, 2024

> Right now, the SDK uses Bearer instead of Key or Basic

Thanks for the clarification. I discussed this a bit in #84 (comment). The summary is that we will be standardizing the prefix in the future but in the meantime, know that the requests will still work regardless of the prefix that's currently being used.

> I checked with the official Postman Repository and the same keys I use with the Node SDK.

To clarify: you tested the endpoints using the postman collection with the keys from your example and they both resolved to 200s? Or did you face similar issues using the postman collection?

@PrinzJuliano
Author

I faced similar issues. The Get all Apps endpoint requires a different key than the get app by id endpoint.
Get All Apps requires the User Key, Get app by id requires Rest API Key.

The Node SDK will use the user key for both.

@sherwinski
Contributor

Assuming you are using the (legacy) user auth key, this behavior matches the behavior outlined in our v9 docs [1][2]. However, if you look at our v11 docs [1][2] (which corresponds more closely to v5.0.0-alpha-02), both endpoints accept the YOUR_ORGANIZATION_API_KEY.

My best recommendation is to generate a rich auth org key and use that in place of your user_auth_keys. In my tests, I was able to make requests to both endpoints using this key.
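
An added diagnostic sketch, not part of the thread or of the OneSignal SDK, for the question the discussion turns on: which key each of the two endpoints accepts, and whether the `Basic`/`Key`/`Bearer` prefix changes the result. The function names, key labels and the `constructedFetch` stand-in are assumptions made for illustration; the stand-in models only the behaviour the reporter describes, so the matrix can be checked offline.

```javascript
// Added diagnostic sketch; not OneSignal SDK code. Key names are labels only.
const BASE = 'https://api.onesignal.com';
const PREFIXES = ['Basic', 'Key', 'Bearer']; // prefixes mentioned in the thread

// One probe per endpoint x key x prefix.
function buildProbes(appId, keys) {
  const endpoints = [
    { name: 'GET /apps', path: '/apps' },
    { name: 'GET /apps/{app_id}', path: '/apps/' + encodeURIComponent(appId) },
  ];
  const probes = [];
  for (const ep of endpoints) {
    for (const [keyName, key] of Object.entries(keys)) {
      for (const prefix of PREFIXES) {
        probes.push({ endpoint: ep.name, url: BASE + ep.path, keyName, prefix,
                      authorization: prefix + ' ' + key });
      }
    }
  }
  return probes;
}

// Send each probe and keep only the status code, so no credential reaches a log.
async function runProbes(probes, fetchFn = fetch) {
  const rows = [];
  for (const { endpoint, url, keyName, prefix, authorization } of probes) {
    const res = await fetchFn(url, { headers: { Authorization: authorization } });
    rows.push({ endpoint, keyName, prefix, status: res.status });
  }
  return rows;
}

// Key names that got a 200 on every probed endpoint (with any prefix).
function keysAcceptedEverywhere(rows) {
  const endpoints = [...new Set(rows.map((r) => r.endpoint))];
  const keyNames = [...new Set(rows.map((r) => r.keyName))];
  return keyNames.filter((k) => endpoints.every((e) =>
    rows.some((r) => r.endpoint === e && r.keyName === k && r.status === 200)));
}

// Constructed stand-in for the API, modelling only what the reporter observed:
// the user key works on /apps, the REST key on /apps/{app_id}, anything else is 403.
async function constructedFetch(url, init) {
  const key = init.headers.Authorization.split(' ')[1];
  const wanted = url.endsWith('/apps') ? 'CONSTRUCTED_USER_KEY' : 'CONSTRUCTED_REST_KEY';
  return { status: key === wanted ? 200 : 403 };
}
```

An empty result from `keysAcceptedEverywhere` is the inconsistency reported in this issue; a single organization key that returns 200 on both endpoints, as the last reply describes, would appear in that list. To run it against the real API, omit the second argument to `runProbes` so it uses Node's built-in `fetch`, and read the keys from environment variables.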
