3.13: Authentication tokens does not accept numbers/uuid

[Nils Wireklint]

Hi, thanks for Gerrit :)

I just upgraded to the gerritcodereview/gerrit:3.13.3-ubuntu24 docker image to develop integration tests for some tools that use the REST API. I want to use the short lived access tokens instead of the http password. 

I noticed that I get an error on using a bare number: "1" or an uuid, which should be accepted according to the error message.

$ curl -u admin:secret \
                               -X POST \
                               -d '{
                               "lifetime": "1d",
                             }' \
                               http://localhost:8080/a/accounts/admin/tokens/416f8c6f-2d5c-43f4bead-ad347347ce79
Token ID must contain only letters, numbers, hyphens and underscores.

$ curl -u admin:secret \
                               -X POST \
                               -d '{
                               "lifetime": "1d",
                               "token": "1",
                             }' \
                               http://localhost:8080/a/accounts/admin/tokens/1
Token ID must contain only letters, numbers, hyphens and underscores.

$ curl -u admin:secret \
                               -X POST \
                               -d '{
                               "lifetime": "1d",
                             }' \
                               http://localhost:8080/a/accounts/admin/tokens
/main
)]}'
{"id":"main","token":"..."}


The `)]}'` seems spurious but I did not look into why that is printed,
possibly a shell issue, but I did see it both times I generated a token. 

Best regards,
Nils

[Matthias Sohn]

See https://gerrit-review.googlesource.com/Documentation/rest-api-accounts.html#create-token.

"The account must have a username. The token-id must be unique among other token-ids used by the account. 

It has to start with a letter and must only contain upper- or lowercase letters, digits, - or _."

 

The `)]}'` seems spurious but I did not look into why that is printed,
possibly a shell issue, but I did see it both times I generated a token. 

This is done to prevent XSSI attacks. See https://gerrit-review.googlesource.com/Documentation/rest-api.html#output

-Matthias 

 

Best regards,
Nils

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/ad43ac84-e086-4526-bca0-d7d1ee6eaba7n%40googlegroups.com.

[Nils Wireklint]

Thanks!

Shall I try to submit a patch to update the response then? The documentation is clear but the error message confused me.

/ Nils

[Matthias Sohn]

On Fri, Feb 13, 2026 at 11:17 AM 'Nils Wireklint' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Thanks!

Shall I try to submit a patch to update the response then? The documentation is clear but the error message confused me.

yes, sure

 

To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/148c20b2-a686-4b49-af25-3c90426d218fn%40googlegroups.com.