In my deno fresh app, I can't get form inputs and send them to an async function - forms

This is a deno "fresh" framework app and I have an island that allows the admin to create new users. Obviously this is a security vulnerability but this is just a testing proof of concept and I'm just trying to get a "fresh" app to send form data to the backend. This is my Creator island.
islands/Creator.tsx
    // import { useState } from "preact/hooks";
    import { useState, useEffect } from "preact/hooks";
    import { Handlers, PageProps } from "$fresh/server.ts";
    import UserDb from "../database.ts";

    interface CreatorProps {
      email: string,
      key: string
    }

    export default function Creator(props: CreatorProps) {
      const handleSubmit = (event) => {
        event.preventDefault();
        const emailInput = event.target.email;
        const ageInput = event.target.key;
        console.log(emailInput.value);
        console.log(ageInput.value);
        createNewUser(emailInput.value, ageInput.value)
      };

      async function createNewUser(email, key) {
        console.log(email);
        console.log(key);
        const headers = new Headers({
          'Content-Type': 'text/plain'
        });
        const opts = {
          method: 'POST',
          headers: headers,
          body: JSON.stringify({
            email: email,
            key: key,
          })
        }
        const rawPosts = await fetch('http://localhost:8000/api/createUser', opts);
        console.log(rawPosts);
      }

      return (
        <div>
          <form onsubmit={handleSubmit}>
            <h1 class="text rounded-lg p-4 my-8"> Search </h1>
            <input class="center rounded-lg p-4 my-8" type="text" name="email" />
            <input class="center rounded-lg p-4 my-8" type="text" name="key" />
            <br />
            <button
              class="px-5 py-2.5 text-sm font-medium bg-blue-600 rounded-md shadow disabled:(bg-gray-800 border border-blue-600 opacity-50 cursor-not-allowed)"
              type="submit">Submit
            </button>
          </form>
          <br />
          {/* <ul>
            {results.map((name) => <li key={name}>{name}</li>)}
          </ul> */}
        </div>
      );
    };
And when I typed uiui and rrgg in the email and key fields and hit enter, I got this error in my terminal:
Watcher File change detected! Restarting!
Listening on http://localhost:8000/
NOTICE: relation "users" already exists, skipping
Request {
bodyUsed: false,
headers: Headers {
accept: "*/*",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9",
connection: "keep-alive",
"content-length": "29",
"content-type": "text/plain",
host: "localhost:8000",
origin: "http://localhost:8000",
referer: "http://localhost:8000/create",
"sec-ch-ua": '"Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"',
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": '"macOS"',
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0...."
},
method: "POST",
redirect: "follow",
url: "http://localhost:8000/api/createUser"
}
Request {
bodyUsed: false,
headers: Headers {
accept: "*/*",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9",
connection: "keep-alive",
"content-length": "29",
"content-type": "text/plain",
host: "localhost:8000",
origin: "http://localhost:8000",
referer: "http://localhost:8000/create",
"sec-ch-ua": '"Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"',
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": '"macOS"',
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0...."
},
method: "POST",
redirect: "follow",
url: "http://localhost:8000/api/createUser"
}
Request {
bodyUsed: false,
headers: Headers {
accept: "*/*",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9",
connection: "keep-alive",
"content-length": "29",
"content-type": "text/plain",
host: "localhost:8000",
origin: "http://localhost:8000",
referer: "http://localhost:8000/create",
"sec-ch-ua": '"Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"',
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": '"macOS"',
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0...."
},
method: "POST",
redirect: "follow",
url: "http://localhost:8000/api/createUser"
}
Request {
bodyUsed: false,
headers: Headers {
accept: "*/*",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9",
connection: "keep-alive",
"content-length": "29",
"content-type": "text/plain",
host: "localhost:8000",
origin: "http://localhost:8000",
referer: "http://localhost:8000/create",
"sec-ch-ua": '"Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"',
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": '"macOS"',
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0...."
},
method: "POST",
redirect: "follow",
url: "http://localhost:8000/api/createUser"
}
Request {
bodyUsed: false,
headers: Headers {
accept: "*/*",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9",
connection: "keep-alive",
"content-length": "29",
"content-type": "text/plain",
host: "localhost:8000",
origin: "http://localhost:8000",
referer: "http://localhost:8000/create",
"sec-ch-ua": '"Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"',
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": '"macOS"',
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0...."
},
method: "POST",
redirect: "follow",
url: "http://localhost:8000/api/createUser"
}
Notice email and key aren't even logging on the server side, and the function appears to be running several times.
And I got this in my web console:
So why are email and key being read and logged just fine in handleSubmit but not in createNewUser()?

You need to create an api route.
/routes/api/createNewUser.ts
    import { HandlerContext } from "$fresh/server.ts";

    export const handler = async (_req: Request, _ctx: HandlerContext): Promise<Response> => {
      if (_req.method === 'POST') {
        const body = await _req.json();
        const { email, key } = body;
        console.log('email', email);
        console.log('key', key);
        /* your logic to use email & key to create user here */
        return new Response(JSON.stringify({
          message: 'User created successfully.'
        }), {
          status: 200,
          headers: {
            'Content-Type': 'application/json'
          }
        });
      }
      // Every code path must return a Response; reject methods other than POST.
      return new Response(null, { status: 405, headers: { Allow: 'POST' } });
    };
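An added example, not part of the answer above: checks a handler like this could run on the request before creating the user. It refuses the `text/plain` content type the island sends and uses the `sec-fetch-site` header visible in the logged request. The function name, the size limits and the email pattern are assumptions made for illustration.

```typescript
// Added example (not Fresh API): checks for a POST /api/createUser handler.
// checkCreateUser, the limits and EMAIL_RE are hypothetical choices.
type Check =
  | { ok: true; email: string; key: string }
  | { ok: false; status: number; error: string };

const MAX_BODY_CHARS = 1024; // assumed cap for this two-field payload
const MAX_KEY_CHARS = 128; // assumed cap
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // simple shape check only

function fail(status: number, error: string): Check {
  return { ok: false, status, error };
}

// headers: lower-cased request header names mapped to values.
function checkCreateUser(
  headers: Record<string, string | undefined>,
  rawBody: string,
): Check {
  // text/plain is CORS-safelisted: another site could send it without a
  // preflight. Requiring JSON forces a preflight for cross-origin callers.
  const contentType = headers["content-type"] ?? "";
  if (!/^application\/json\s*(;|$)/i.test(contentType)) {
    return fail(415, "expected application/json");
  }
  // Browsers send Sec-Fetch-Site; when present it must say same-origin.
  const site = headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return fail(403, "cross-site request");
  }
  if (rawBody.length > MAX_BODY_CHARS) return fail(413, "body too large");

  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return fail(400, "invalid JSON");
  }
  if (typeof parsed !== "object" || parsed === null) {
    return fail(400, "expected a JSON object");
  }
  const { email, key } = parsed as Record<string, unknown>;
  if (typeof email !== "string" || !EMAIL_RE.test(email)) {
    return fail(422, "invalid email");
  }
  if (typeof key !== "string" || key.length < 1 || key.length > MAX_KEY_CHARS) {
    return fail(422, "invalid key");
  }
  return { ok: true, email, key };
}
```

In the route, read the body with `await req.text()`, pass it in together with the lower-cased headers, and answer with the returned `status` when `ok` is false.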

Related

ByBit API v5 returning error code 170130: "Data sent for parameter '%s' is not valid." No explanation of what parameter '%s' is

I am trying to send a spot order using a unified account. There is absolutely no info about what this error message means and as far as I can tell from the ByBit v5 API docs I am doing everything correctly. I have already established that the signature is formatted properly. This is the request being sent along:
RequestBuilder {
method: POST,
url: Url {
scheme: "https",
cannot_be_a_base: false,
username: "",
password: None,
host: Some(
Domain(
"api.bybit.com",
),
),
port: None,
path: "/v5/order/create",
query: None,
fragment: None,
},
headers: {
"content-type": "application/json",
"x-bapi-api-key": xxxxxxxxxxxxxx,
"x-bapi-timestamp": "1676755850417",
"x-bapi-sign": xxxxxxxxxxxxxxxx,
"x-bapi-recv-window": "5000",
},}
The request body that gets attached when the request is sent:
{"category":"spot","symbol":"ETHUSDT","side":"Sell","order_type":"Market","qty":"0.1"}
This is the Rust code used to send the request:
    use reqwest::header::{HeaderMap, HeaderValue};

    // Set up the HTTP client
    let client = reqwest::Client::new();
    let mut headers = HeaderMap::new();
    headers.insert("Content-Type", HeaderValue::from_static("application/json"));
    headers.insert("X-BAPI-API-KEY", HeaderValue::from_str(&api_key)?);
    headers.insert("X-BAPI-TIMESTAMP", HeaderValue::from_str(&timestamp)?);
    headers.insert("X-BAPI-SIGN", HeaderValue::from_str(&sign)?);
    headers.insert("X-BAPI-RECV-WINDOW", HeaderValue::from_static(recv_window));
    let body = serde_json::to_string(&order)?;

    // Submit the order
    let request = client
        .post("https://api.bybit.com/v5/order/create")
        .headers(headers.clone())
        .body(body.clone());
    let response = request.send().await?;
And this is the response received:
Response {
url: Url {
scheme: "https",
cannot_be_a_base: false,
username: "",
password: None,
host: Some(
Domain(
"api.bybit.com",
),
),
port: None,
path: "/v5/order/create",
query: None,
fragment: None,
},
status: 200,
headers: {
"content-type": "application/json; charset=utf-8",
"content-length": "122",
"x-bapi-limit": "20",
"x-bapi-limit-status": "19",
"x-bapi-limit-reset-timestamp": "1676755851552",
"ret_code": "170130",
"traceid": "78d2bec29fead6e40447a63ba1eae5d9",
"timenow": "1676755851556",
"server": "Openresty",
"expires": "Sat, 18 Feb 2023 21:30:51 GMT",
"cache-control": "max-age=0, no-cache, no-store",
"pragma": "no-cache",
"date": "Sat, 18 Feb 2023 21:30:51 GMT",
"connection": "keep-alive",
},}
Had to ensure that it was "orderType" and not "order_type" in the signature string and request body.

Flutter Dio NO_RENEGOTIATION(ssl_lib.cc:1725) error 268435638

I have a problem when I make an HTTP request to the server. When I post on Flutter it returns the NO_RENEGOTIATION(ssl_lib.cc:1725) error 268435638 error, but when I try to use Postman it works fine.
I've equated all the headers with Postman, replaced Jcenter() with MavenCentral() and it doesn't work.
This is the code I use:
    final Map<String, dynamic> requestData = {
      "email": Encryption().encryptKey(email),
      "password": Encryption().encryptKey(password),
      "user_ad": userType,
      "token_fcm": _tokenFcm,
      "is_encrypted": true,
    };
    Response response = await _dio.post(
      "$basePath/login",
      data: FormData.fromMap(requestData),
      options: Options(
        headers: {
          "Connection": "keep-alive",
          "Accept": "*/*",
          "Accept-Encoding": "gzip, deflate, br",
          "Host": "btnsmartdev.btn.co.id",
          "Content-Type": "application/json",
          "Cache-Control": "no-cache",
          "Content-Length": "173"
        },
        validateStatus: (status) {
          print("INI STATUS");
          print(status);
          return (status ?? 0) < 500;
        },
        followRedirects: false,
      )
    );
    final data = response.data;
Here's what I get in terminal:
Here's the request from postman:

I have a problem setting up a RESTAPI call in Azure Data Factory

I am trying to create a POST to a REST API but I get this output (caught by a Logic Apps HTTP grab):
{
"headers": {
! "Connection": "Keep-Alive",
"Accept": "application/json",
"Accept-Encoding": "gzip,deflate",
! "Host": "prod-187.westeurope.logic.azure.com:443",
"User-Agent": "azure-data-factory/2.0",
"Content-Length": "55",
! "Content-Type": "application/json",
"Content-Encoding": "UTF-8"
},
"body": {
"$content-encoding": "UTF-8",
"$content-type": "application/json",
"$content": "eyJuYW1lIjoiSmVzcGVyIEIuIEhhbnNlbiIsInNhbGFyeSI6IjEyMzQ1IiwiYWdlIjoiMzQifQ=="
}
}
I would have expected this:
{
"headers": {
"Accept": "application/json",
"Accept-Encoding": "deflate,gzip",
"Host": "prod-187.westeurope.logic.azure.com",
"User-Agent": "Mozilla/5.0,(Windows NT 10.0; Win64; x64),AppleWebKit/537.36,(KHTML, like Gecko),Chrome/103.0.5060.134,Safari/537.36,Edg/103.0.1264.71",
"X-Real-IP": "212.237.135.241",
"Content-Length": "42",
"Content-Type": "application/json"
},
"body": {
"name": "Jesper B. Hansen",
"salary": "12345",
"age": "34"
}
}
Why is the output scrambled?
I tried using a REST Service on a sink, and also tried it with an externalCall no real difference...
I must say, I am new at ADF, but I hope you have some good help for me.

Cors blocking me from GET-ing my server endpoint and redirecting

I'm trying to build an Oauth2 flow. Cors keeps blocking my GET request to my own server.
localhost:3000 is the browser.
localhost:3001 is the server.
I have cors setup in NestJS below and it works for every other non-redirecting endpoint:
    // main.ts
    import { corsConfig } from '#common/config/index';

    async function bootstrap() {
      const app = await NestFactory.create(AppModule);
      app.enableCors({
        origin: [
          /^https?:\/\/localhost:3000/,
        ],
        methods: ['GET', 'POST'],
        credentials: true,
      });
      await app.listen(process.env.PORT || 3001);
    }
    bootstrap();
When requesting to my server endpoint... these are the request.headers
{
"host": "localhost:3001",
"connection": "keep-alive",
"sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\"",
"accept": "application/json, text/plain, */*",
"sec-ch-ua-mobile": "?0",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SomeStuff",
"sec-ch-ua-platform": "\"Windows\"",
"origin": "http://localhost:3000",
"sec-fetch-site": "same-site",
"sec-fetch-mode": "cors",
"sec-fetch-dest": "empty",
"referer": "http://localhost:3000/",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9,fr;q=0.8,es;q=0.7,de;q=0.6",
"cookie": "Authentication=someStuff"
}
When responding from my server, these are the response.headers
{
"cross-origin-opener-policy": "same-origin",
"cross-origin-resource-policy": "same-origin",
"x-dns-prefetch-control": "off",
"expect-ct": "max-age=0",
"x-frame-options": "SAMEORIGIN",
"strict-transport-security": "max-age=15552000; includeSubDomains",
"x-download-options": "noopen",
"x-content-type-options": "nosniff",
"origin-agent-cluster": "?1",
"x-permitted-cross-domain-policies": "none",
"referrer-policy": "no-referrer",
"x-xss-protection": "0",
"access-control-allow-origin": "http://localhost:3000",
"vary": "Origin",
"access-control-allow-credentials": "true",
"x-ratelimit-limit": "30",
"x-ratelimit-remaining": "28",
"x-ratelimit-reset": "60"
}
And this is the Cors error in my browser console
Access to XMLHttpRequest at 'https://example.com/' (redirected from
'http://localhost:3001/test') from origin 'http://localhost:3000'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource.
What do I need to change to allow a GET request to be redirected in the browser? Or is this not possible and it requires simply visiting the site with window.location?
I know this is not the ideal solution, but for my personal projects in a local environment, I used the "Moesif Origin & CORS Changer" browser extension to combat this annoying issue.
Google Chrome: https://chrome.google.com/webstore/detail/moesif-origin-cors-change/digfbfaphojjndkpccljibejjbppifbc
Firefox: https://addons.mozilla.org/en-US/firefox/addon/moesif-origin-cors-changer1/

Oauth2-Proxy does not pass X-Auth-Request-Groups header

I'm using Azure B2C to authenticate my users. For the authentication piece I have oauth2-proxy running in a Kubernetes cluster. Oauth2-Proxy is running behind ingress-nginx and it's passing most of the required headers, but I do not get the X-Auth-Request-Groups header in my upstream service that is behind oauth2-proxy.
Here is my token that I get from B2C:
{
"typ": "JWT",
"alg": "RS256",
"kid": "kid_value"
}.{
"exp": 1604420825,
"nbf": 1604417225,
"ver": "1.0",
"iss": "iss_value",
"sub": "sub_value",
"aud": "aud_value",
"acr": "acr_name",
"nonce": "defaultNonce",
"iat": 1604417225,
"auth_time": 1604417225,
"groups": [
"group1"
],
"identityProviders": [
"email.com"
],
"firstname": "First Name",
"surname": "Last Name",
"idp": "IDP_VALUE",
"email": "username#email.com",
"preferred_username": "User Name"
}.[Signature]
And here are headers that I get in my upstream service after successful authentication:
{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "username#email.com",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}
All X-Auth-Request-* headers are coming but not the one with Groups. I'm using the docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1 and I saw in the config https://oauth2-proxy.github.io/oauth2-proxy/configuration the option "--oidc-groups-claim", but when I try to use it the container won't start because this option isn't available in this version.
Any ideas what I'm missing?
It seems that the problem is the image that I'm using, quay.io/oauth2-proxy/oauth2-proxy:v6.1.1; when I built my own image from the latest master (3rd of November 2020) everything seems to be working fine and the X-Auth-Request-Groups header is passed to the upstream service.