Is it possible to validate connection between Private API and VPC endpoint (possibly with BuildKite pipeline) - aws-api-gateway

Is it possible to validate connection between Private API and VPC endpoint (possibly with BuildKite pipeline).
I tested it with GET Method Lambda and got status 200.
I know that API url itself is working.
I am looking at ways to automate url testing.
Ideally, the test could be incorporated inside the BuildKite pipeline. I know that there is a possibility that it is impossible with private API, then maybe there is another way to do it.
Maybe something like when we do curl -v api_url, but the automated one.
I would appreciate any advice.

Related

How to set up Axios and Nuxt runtime config for multiple APIs?

I've read through all the docs for Nuxt.js environment variables and the Axios module but I'm still quite confused on how to properly set them up for my use case.
I want to query 2 separate APIs:
- my own backend with user authentication (e.g. JWT) built with Nuxt serverMiddleware
- a public API that requires an account and provides an API key (e.g. TMDB)
My own backend serves as an "extension" of the public API so that I can store additional data for my users.
Now my question is how do I set up my environment variables so that I can safely send dynamic requests to the public API without exposing its private API key? Do I need to use my own backend as a "proxy" and forward client side requests to the public API from there? Or can I directly send requests inside asyncData and fetch when running in SSR mode?
I think I need a general explanation on how Nuxt publicRuntimeConfig and privateRuntimeConfig, and Axios baseURL and browserBaseURL all work together. The docs didn't explain them clearly enough for me.
This question is mixing a lot of stuff at the same time but in no specific order:
- you need to run your private call on the server and use privateRuntimeConfig which is available only on the server
- fetch() and asyncData() will run both on server and client side (can be forced to be run only on client side with fetchOnServer: false), and it's not a good idea to have those on client since everything there can be publicly seen
- if you want to have several instances of axios, a quick search can be helpful to set this up
- if you want to use axios in serverMiddleware you'll need to install and import a regular axios since it will be out of the scope of Nuxt
- for the most part, if an API is supposed to be used from a front-end you can sometimes use the public API key provided (can be stored in publicRuntimeConfig), if it should remain secret, you'll need a backend to hide it in-between
- baseURL is pretty much the default value, browserBaseURL as explained in the docs is mainly an override specific to client-side requests, use it if you need to have something different and that overrides the baseURL one
- there are several questions that can be found about how to hide some calls when using an SPA (common question), the incoming edge-side rendering of Nuxt3 may help on this one
- one thing to bear in mind is that only the first initial reach to the server will run a server query, everything else will be a hydrated-SPA app meaning that you will not reach back to the server after the hydration step (like an MPA WordPress server would do)
You should send requests only to your private server and it should:
- Perform the logic and send the result if it's your custom endpoint
- Add API KEY to query and forward the query to the public API if it's public API endpoint.
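
The forwarding step described in the answers above (the browser calls only your server, which adds the API key and forwards the query), as an added example that is not part of the original answers. The TMDB v3 base URL and `api_key` parameter, the allowlisted paths and parameters, and the `TMDB_API_KEY` environment variable name are assumptions made for illustration.

```javascript
// Added example, not from the original answers.
// Assumed: TMDB v3 base URL and api_key query parameter, the allowlists,
// and the TMDB_API_KEY environment variable name (hypothetical).
const UPSTREAM = 'https://api.themoviedb.org/3';
const ALLOWED_PATHS = [/^\/movie\/\d+$/, /^\/search\/movie$/];
const ALLOWED_PARAMS = new Set(['query', 'page', 'language']);

// Turn the browser's request path into the upstream URL, or null if the
// path is not one this proxy is willing to forward.
function buildUpstreamUrl(clientUrl, apiKey) {
  if (!apiKey) throw new Error('API key missing from server environment');
  // req.url is a path; parse against a dummy origin and use only the
  // normalized pathname, so "../" segments and foreign hosts are discarded.
  const incoming = new URL(clientUrl, 'http://localhost');
  if (!ALLOWED_PATHS.some((re) => re.test(incoming.pathname))) return null;
  const out = new URL(UPSTREAM + incoming.pathname);
  for (const [name, value] of incoming.searchParams) {
    // Drop anything not allowlisted, including a client-sent api_key.
    if (ALLOWED_PARAMS.has(name)) out.searchParams.append(name, value);
  }
  out.searchParams.set('api_key', apiKey); // secret is added server-side only
  return out.toString();
}

// Connect-style handler, e.g. mounted as a Nuxt serverMiddleware route.
// Uses the global fetch available in Node 18+.
async function tmdbProxy(req, res) {
  let target;
  try {
    target = buildUpstreamUrl(req.url, process.env.TMDB_API_KEY);
  } catch (err) {
    res.statusCode = 500; // misconfiguration; do not leak details
    return res.end();
  }
  if (!target) {
    res.statusCode = 404;
    return res.end();
  }
  const upstream = await fetch(target);
  res.statusCode = upstream.status;
  res.setHeader('Content-Type', 'application/json');
  res.end(await upstream.text());
}
```

Because the key is read from the server's environment and never placed in `publicRuntimeConfig`, it does not reach the client bundle or the hydrated page state.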

REST API only accessible through my React client

I'm building a React.js application that will interact with my REST API built in Go.
React will use Javascript Fetch API to send requests to my API.
The problem is I would like to secure my API from being requested from elsewhere. No one should directly be able to access my API either through the URL or through any other client like Postman.
I know what JWT is but this does not solve my problem because anyone can access the token through the browser and then continue to request the API outside the React client using the token.
I have researched extensively but nothing has really fit my description.
Thanks a lot for your help, in advance.
This is an inherently unsolvable problem. React runs on the client. The client controls the code that it executes. Hence, any mechanism you use to restrict the API usage to just your React client will be discoverable and reusable in other client contexts. You cannot control the client, and attempts to do so will be broken if the payoff is valuable enough.
You can attempt to harden it somewhat by using short-term authorization tokens, but there is nothing preventing that token from being grabbed and reused in another context.
If you have to restrict access to an API, you should have a public API which is less dangerous or privileged, and the public API should make use of your private API, effectively proxying the calls to hide the private API, as well as to ensure that only validated queries are executed against the more privileged API.
If you could describe the problem you're trying to mitigate, though, there may be other solutions available.

How to use zapi for zephyr jira

I want to create an automated process for my tests. I am using jira and zapi. I want to try interacting with my tests in zephyr-jira using postman api. The thing is there isn't much documentation on how to use zapi.
First thing, what is the url? Is it test.atlassian.net/jira/?/?/?/apifunction?
Second thing, I can generate an access key and secret key but it seems like I also need an authorization jwt token, how can I generate one that I can use via postman?
Any help would be appreciated.
The apiary documentation is here https://getzephyr.docs.apiary.io/#
That will help you assemble the requests. What the requests and responses actually represent is still confusing (to me, anyway).
In postman: https://{{JiraHost}}/rest/zapi/latest/
some examples:
https://{{JiraHost}}/rest/zapi/latest/cycle/830
https://{{JiraHost}}/rest/zapi/latest/cycle?versionId=21689

How to post a message to the github api using hub api?

I want to use hub to create some automation script but can't figure out how to post a message to the api. More specifically it is this api endpoint I want to post to: https://developer.github.com/v3/users/gpg_keys/#create-a-gpg-key
I've tried the following:
hub api user/gpg_keys -F armored_public_key='-----BEGING PGP ....'
hub api user/gpg_keys --raw-field "body={armored_public_key='-----BEGING PGP ....'}
None of the above work, the response back is:
{"message":"Not Found","documentation_url":"https://developer.github.com/v3/users/gpg_keys/#create-a-gpg-key"}
which is not very helpful. I thought that -F meant fields within the payload, but I guess I'm wrong.
So how do I post a message with a body using hub api?
UPDATE
I did download the repo to create a modified version that has some more logging, but can't figure out what's wrong. Everything looks good from what I understand in how the request is made.
Looking through the code I found the reason why this is. It seems like it is hard coded that you should only get the repo scopes when you log in the first time. If you use a token you've created yourself that has more access everything will work as it should.

Enable/Disable Workflow using Azure Workflow Management API

I'm trying to Enable/Disable a logic app on Azure using the management APIs. I always get a 403 saying the client: with object id does not have authorization to perform 'Microsoft.Logic/workflows/disable/action' ...
I do use the authentication token in my request and so far have been able to use the API to list all workflows, get trigger histories and in/out messages using the same method.
Any suggestion?
I've seen this issue a lot before if you are calling the http:// instead of https:// - we are looking into automatically redirecting, but for now you will need to make sure you are calling the https:// endpoint with the correct method (in this case a PUT).
EDIT: We discovered the issue was the account being used to perform the enable/disable didn't have contribute permissions.