Unable to download file with oauth2 authentication due to automatically filled Host

Hello,

Recently changed my authorization method from user api token to oauth2. Everything works, except the file download endpoint, which returns 400 status code and the following error:

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

I ran multiple tests via Postman and found out that the issue is caused by the automatically filled header variable Host, which is set to:
http://pipedrive-files.s3.eu-west-1.amazonaws.com
However, the problem is that I am unable to override this in the platform.

After a little more digging, I noticed that even when I was using the user api token, it sent the above mentioned Host, but it did not cause an error, so it made me more confused than before.

Did anyone run into this issue, or has any additional info? Why does the request work with api token and not with oauth2?

Example oauth request:

curl --location 'https://{your_sandbox_account}-sandbox.pipedrive.com/files/1/download' \
--header 'Accept: application/octet-stream' \
--header 'Host: http://pipedrive-files.s3.eu-west-1.amazonaws.com' \
--header 'Authorization: Bearer v1:AQIBAHj+LzTNK2yuuuaLqifzh........'

Hello Arpad!

Could you please elaborate on why you want to manually set the ‘Host’ header?

This header should not be manually set regardless of the authentication method used, since it will be generated automatically based on the request.

I also used Postman to test it out and I did not manage to get a successful response, even when using api token as the authentication method and manually setting the ‘Host’ header, which is the expected behaviour.

Hello Silver-Ed_Sillaots,

As I mentioned, I am sending an HTTP request from ServiceNow, which automatically sets the Host to http://pipedrive-files.s3.eu-west-1.amazonaws.com. However, the problem is that this Host causes the request error.

I tried to replicate the issue with Postman, and the only way it worked was if I removed the Host from the header or just left it blank. So I do not want to set the Host header, but I have to in order to receive 200 status code.

Whenever the above mentioned Host header is present in the request, the request fails.

Hello again Arpad!

It is expected for the request to receive the 400 response if the ‘Host’ header is set either manually or by the platform you are using to perform these requests.

As you mentioned, this request will work if the ‘Host’ header is left blank and the value is assigned automatically during the request itself.

Based on the example you initially provided, the request should look like this:

curl --location 'https://{your_sandbox_account}-sandbox.pipedrive.com/files/1/download' \
--header 'Accept: application/octet-stream' \
--header 'Authorization: Bearer v1:AQIBAHj+LzTNK2yuuuaLqifzh........'

I understood that, so I reverted to using the user’s api token. However, I noticed that the request which uses the user’s api token for authorization also contains the Host, but it does not cause an error.

So it does not matter which authentication method I use (oauth or user api token), the Host is sent anyway, even though it ends in two different outcomes:

  • api token - successful 200
  • oauth2 - error 400

Could you explain what is causing the different response in case of oauth2?

Unfortunately, I am unable to remove or override the Host header in my system, so as long as the issue persists, I am forced to use user api token to retrieve files, which defeats the purpose of the oauth2 authentication.

Hey Arpad!

Sadly, I am not able to produce the same outcome as you have; based on my testing, everything is working as expected with the examples below.

API token authentication method:

  • Successful 200:
curl --location 'https://{domain}.pipedrive.com/v1/files/1/download?api_token=<your_api_token>' \
--header 'Accept: application/octet-stream'
  • Error 400:
curl --location 'https://{domain}.pipedrive.com/v1/files/1/download?api_token=<your_api_token>' \
--header 'Accept: application/octet-stream' \
--header 'Host: http://pipedrive-files.s3.eu-west-1.amazonaws.com'

OAuth 2.0 authentication method:

  • Successful 200:
curl --location 'https://{domain}.pipedrive.com/v1/files/1/download' \
--header 'Accept: application/octet-stream' \
--header 'Authorization: Bearer <your_oauth_token>'
  • Error 400:
curl --location 'https://{domain}.pipedrive.com/v1/files/1/download' \
--header 'Accept: application/octet-stream' \
--header 'Host: http://pipedrive-files.s3.eu-west-1.amazonaws.com' \
--header 'Authorization: Bearer <your_oauth_token>'

If this issue still persists for you, feel free to reach out to me in direct messages so I can provide you quicker answers.
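A pre-flight check an integration could run on its outgoing request, added here as an example and not code from this thread or from Pipedrive: it flags an explicit Host header that is not in the `host[:port]` form RFC 9110 section 7.2 defines, or that names a different host than the request URL. The function names and the `example-sandbox` hostname are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise_authority(scheme, netloc):
    """Lower-case host[:port], dropping the scheme's default port."""
    parts = urlsplit(f"{scheme}://{netloc}")
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return netloc.lower()
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        return f"{host}:{port}"
    return host


def check_host_header(url, headers):
    """Return a list of problems with explicit Host headers; [] means none."""
    target = urlsplit(url)
    want = normalise_authority(target.scheme, target.netloc)
    values = [v.strip() for k, v in headers if k.lower() == "host"]
    problems = []
    if len(values) > 1:
        problems.append("more than one Host header")
    for value in values:
        netloc = value
        if "://" in value or "/" in value:
            problems.append(f"{value!r} is not host[:port]")
            # Recover the host part so the mismatch is reported too.
            netloc = urlsplit(value if "://" in value else "//" + value).netloc
        if normalise_authority(target.scheme, netloc) != want:
            problems.append(f"{value!r} does not name the URL host {want!r}")
    return problems


# Constructed input: "example-sandbox" stands in for the account placeholder.
URL = "https://example-sandbox.pipedrive.com/files/1/download"
FAILING = [("Accept", "application/octet-stream"),
           ("Host", "http://pipedrive-files.s3.eu-west-1.amazonaws.com")]

if __name__ == "__main__":
    for problem in check_host_header(URL, FAILING):
        print(problem)
```

The Host value quoted in the thread produces both findings: it carries a scheme, and it names the S3 bucket host instead of the Pipedrive host the request is sent to.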