REST API active users

RouterOS General
1

Not sure if this is a bug or if I’m doing something wrong but basically every time I make a REST api call to a mikrotik device, it creates a new active user, that seems to linger forever. At the moment I have about a hundred active users. I’ve tested this with 7.14.3 and 7.15rc1, same thing for both.

/user/active> print proplist=when,via
Columns: WHEN, VIA
 # WHEN                 VIA      
 0 2024-04-24 16:31:07  (unknown)
 1 2024-04-24 16:41:44  (unknown)
 2 2024-04-24 16:51:45  (unknown)
 3 2024-04-24 17:01:45  (unknown)
 4 2024-04-24 17:11:46  (unknown)
 5 2024-04-24 17:21:47  (unknown)
 6 2024-04-24 17:31:47  (unknown)
 7 2024-04-24 17:41:48  (unknown)
 8 2024-04-24 17:51:48  (unknown)
 9 2024-04-24 18:01:49  (unknown)
10 2024-04-24 18:11:49  (unknown)
11 2024-04-24 18:21:50  (unknown)
12 2024-04-24 18:31:50  (unknown)
13 2024-04-24 18:41:51  (unknown)
14 2024-04-24 18:51:52  (unknown)
15 2024-04-24 19:01:52  (unknown)
16 2024-04-24 19:11:53  (unknown)
17 2024-04-24 19:21:53  (unknown)
18 2024-04-24 19:31:54  (unknown)
19 2024-04-24 19:41:54  (unknown)
20 2024-04-24 19:51:55  (unknown)
21 2024-04-24 20:01:55  (unknown)
22 2024-04-24 20:11:56  (unknown)
23 2024-04-24 20:21:56  (unknown)
24 2024-04-24 20:31:57  (unknown)
25 2024-04-24 20:41:57  (unknown)
26 2024-04-24 20:51:58  (unknown)
v7.15rc [testing] is released!
v7.15.3 [stable] is released!
v7.15.3 [stable] is released!
Users logged in via REST API shown in "Active Users" do not disappear
2

I want to say it used say “api” for via, not “(unknown)” - so that’s also not right here.

When you say “forever”, so you mean longer than 2 minutes. AFAIK REST API is just a proxy layer over the native API, and that api uses sessions… so reasonable it stick around for REST timeout plus some extra to avoid re-auth to native API for subsequent stateless HTTP REST API requests.

But >5 minutes would seem to be a bug, likely even shorter than that too.

3

Yes, a lot longer than 5 minutes, those logins are hours old, also, it does create an api user too (only one as far as I’ve seen), but the unknowns just keep adding up.

...
60 2024-04-25 02:22:17  (unknown)
61 2024-04-25 02:32:17  (unknown)
62 2024-04-25 02:42:18  (unknown)
63 2024-04-25 02:42:18  api
4

I see two entries (plus winbox ones) in 7.15rc1. One that says (unknown) from the remote IP, and 2nd that says “api” with no IP.

 1 2024-04-24 11:18:10  xxxuser  192.XX.XX.148  (unknown)
 2 2024-04-24 11:18:10  xxxuser                  api

I don’t see multiple ones, but I only tested from my laptop, so only one remote IP. I’ll check tomorrow and see if it’s still there since this router doesn’t (or shouldn’t) get any REST API calls.

5

Ah, sorry forgot to mention that all my users are from the same ip too. A new user is created every 10 minutes, I think that that is the interval of the keep-alive in the rest api (a new connection created every 10 minutes).

# WHEN                 VIA        ADDRESS     
 0 2024-04-24 16:31:07  (unknown)  192.xx.xx.1
 1 2024-04-24 16:41:44  (unknown)  192.xx.xx.1
 2 2024-04-24 16:51:45  (unknown)  192.xx.xx.1
 3 2024-04-24 17:01:45  (unknown)  192.xx.xx.1
 4 2024-04-24 17:11:46  (unknown)  192.xx.xx.1
 5 2024-04-24 17:21:47  (unknown)  192.xx.xx.1
 6 2024-04-24 17:31:47  (unknown)  192.xx.xx.1
 7 2024-04-24 17:41:48  (unknown)  192.xx.xx.1
 8 2024-04-24 17:51:48  (unknown)  192.xx.xx.1
 9 2024-04-24 18:01:49  (unknown)  192.xx.xx.1
10 2024-04-24 18:11:49  (unknown)  192.xx.xx.1
11 2024-04-24 18:21:50  (unknown)  192.xx.xx.1
12 2024-04-24 18:31:50  (unknown)  192.xx.xx.1
13 2024-04-24 18:41:51  (unknown)  192.xx.xx.1
14 2024-04-24 18:51:52  (unknown)  192.xx.xx.1
15 2024-04-24 19:01:52  (unknown)  192.xx.xx.1
16 2024-04-24 19:11:53  (unknown)  192.xx.xx.1
17 2024-04-24 19:21:53  (unknown)  192.xx.xx.1
18 2024-04-24 19:31:54  (unknown)  192.xx.xx.1
19 2024-04-24 19:41:54  (unknown)  192.xx.xx.1
20 2024-04-24 19:51:55  (unknown)  192.xx.xx.1
21 2024-04-24 20:01:55  (unknown)  192.xx.xx.1
22 2024-04-24 20:11:56  (unknown)  192.xx.xx.1
23 2024-04-24 20:21:56  (unknown)  192.xx.xx.1
24 2024-04-24 20:31:57  (unknown)  192.xx.xx.1
25 2024-04-24 20:41:57  (unknown)  192.xx.xx.1
26 2024-04-24 20:51:58  (unknown)  192.xx.xx.1
27 2024-04-24 21:01:59  (unknown)  192.xx.xx.1
28 2024-04-24 21:11:59  (unknown)  192.xx.xx.1
29 2024-04-24 21:22:00  (unknown)  192.xx.xx.1
30 2024-04-24 21:32:00  (unknown)  192.xx.xx.1
31 2024-04-24 21:42:01  (unknown)  192.xx.xx.1
32 2024-04-24 21:52:01  (unknown)  192.xx.xx.1
33 2024-04-24 22:02:02  (unknown)  192.xx.xx.1
34 2024-04-24 22:12:02  (unknown)  192.xx.xx.1
35 2024-04-24 22:22:03  (unknown)  192.xx.xx.1
36 2024-04-24 22:32:04  (unknown)  192.xx.xx.1
37 2024-04-24 22:42:04  (unknown)  192.xx.xx.1
38 2024-04-24 22:52:05  (unknown)  192.xx.xx.1
6

Sent an email to Mikrotik support about this, they confirmed it is a real issue, and they are aware of it.

7

Hello, Same issue in 7.13.5

 /user/active/print
Columns: WHEN, NAME, ADDRESS, VIA
   # WHEN                 NAME   ADDRESS         VIA
   0 2024-02-29 18:09:04  admin  172.31.111.2    (unknown)
   1 2024-02-29 18:19:27  admin  172.31.111.2    (unknown)
   2 2024-02-29 18:29:27  admin  172.31.111.2    (unknown)
   3 2024-02-29 18:39:27  admin  172.31.111.2    (unknown)
   4 2024-02-29 18:49:57  admin  172.31.111.2    (unknown)
   5 2024-02-29 19:00:27  admin  172.31.111.2    (unknown)
   6 2024-02-29 19:10:27  admin  172.31.111.2    (unknown)
   7 2024-02-29 19:20:57  admin  172.31.111.2    (unknown)
   8 2024-02-29 19:31:27  admin  172.31.111.2    (unknown)
   9 2024-02-29 19:41:27  admin  172.31.111.2    (unknown)
  10 2024-02-29 19:51:27  admin  172.31.111.2    (unknown)
  11 2024-02-29 20:01:27  admin  172.31.111.2    (unknown)
  12 2024-02-29 20:11:57  admin  172.31.111.2    (unknown)
  
  /user/active/print count-only
 9306
8

Can you, please, share the support ticket number?

Thank you

9

The issue with stuck active users and unknown rest-api sessions will be addressed in RouterOS 7.16 version.

10

Thank you @matiss.

Could you share the SUP ticket number for a reference, please? - to have a possibility to check the status.

Thank you

11

Has been fixed in RouterOS version 7.16

12

I think something's still not working here.
If you create a user with REST API rights and without API rights, when you try to make a request, you'll see a REST API connection error in the logs.

828929340
8289293401474×831 246 KB

In the active users list, you'll see an active REST API user, which, as mentioned above, will remain active forever—in my screenshot, it's an hour.

828931100
8289311001499×951 211 KB

If you create a user with both REST API and API rights and make a request to the router, you'll see a successful API connection in the logs, but two entries in the active users list—the same user connected via both API and REST API. The API user will time out if they have a logout activity rule configured, but the REST API user will remain logged indefinitely; they don't know anything about timeouts.