We are developing a BitBucket app and found out that in the PostInstallRedirect we also get the JWT as part of the querystring and we think this is a potential security issue, furthermore - we don’t use it as we already authenticate the jwt in the installation webhook.
Is there a way to remove it or at least move it to the header?
Related
We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.
Background
We are writing some documentation for our support team.
We want to include links to files that are stored in private GitHub repositories.
We do not want the documentation to become stale if somebody refactors the code in the private GitHub repositories, so instead I am setting up a CI job that parses the documentation (with jsoup if you are interested) and finds all the links.
Once we have all the links we start checking them.
NOTE: we have written a custom link checker, because one of the critical set of links we have is for our monitoring solution, and sadly (also understandably) the SaaS we are using returns 404's for any unauthenticated requests on the URLs of the alerts.
The SaaS itself uses a 2FA to access the Web UI, so what we have ended up doing is parsing the URLs and then constructing an equivalent call to the SaaS API to validate the link.
For the monitoring system we use, this is easy: all the URLs are the same format.
Question
Can we validate a random GitHub URL as valid (ideally using only curl - I can translate to my chosen HTTP client from there, and curl gives a more generic answer) using a Personal Access Token? And if so, how?
The URLs could be:
simple direct to repo URLs: https://github.com/<org>/<repo>
direct to branch URLs: https://github.com/<org>/<repo>/tree/<branch>
file URLs: https://github.com/<org>/<repo>/blob/<path/to/file>
diff URLs: https://github.com/<org>/<repo>/compare/[<branch>...]<branch>
other URLs that are based on the presence of the repo and do not vary in child path, e.g. https://github.com/<org>/<repo>/pulls, https://github.com/<org>/<repo>/settings/collaboration, etc
plus who knows what other URLs people will add within the docs...
Things I have tried that didn't work
HTTP Basic authentication with the Personal Access Token as the password, e.g.
curl -I -u stephenc:2....token.redacted....b https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
HTTP Bearer authentication, e.g.
curl -I -H "Authorization: bearer 2....token.redacted....b" https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
It looks like it works for some URLs (no idea which ones).
I can access curl -u agentgonzo:$TOKEN https://raw.githubusercontent.com/agentgonzo/repo/path/to/file using the API Token as my username, but the same doesn't work on https://github.com URLs. Not sure if this will help you or not.
I got an answer from GitHub Support: No
Since a personal access token won't work for GitHub web UI URLs, no, there isn't a way to verify all possible GitHub private repo URLs without making API calls in some cases.
I have built a Service in Salesforce which I am passing in as payload URL to my GitHub Webhook. Invoking this service needs a Authorization header (Bearer "access_token").
Currently when I have set up this webhook in GitHub and it tries to push the events, it's encountering 401 Unauthorized (as it doesn't have the Authorization Header set)
Can anyone tell how do I set the Authorization header when configuring my webhooks?
A workaround on the Salesforce Side.
I found an older post on this subject https://developer.salesforce.com/blogs/developer-relations/2012/02/quick-tip-public-restful-web-services-on-force-com-sites.html
It appears you can expose your Apex Rest enabled class using Sites.
Once you have a site:
Edit your site details.
Click Public Access Settings.
Go to Apex Class Access and then add the class.
I had a test community created, and have used Sites settings to enable it there.
I'm trying to post an issue on GitHub with the GitHub API.
I looked at the API documentation,
https://developer.github.com/v3/issues/#create-an-issue
but I can't figure out where the account information should go in the request body.
How should I authenticate this request?
You can see example of scripts posting issues in:
"'mapserver-trac-importer" (authentication github_post, with user/password)
"simple basic-auth node github api" (authentication here, with user/password)
".bashrc" (authentication in curl, with oauth)
As described in API V3 authentication, you can either user username/password, or an oauth token.
Note that if you have activated the 2FA (2 Form Authentication), you will need an oauth token.
I prefer oauth anyway, because you can revoke the token at any time (token that you can create just for this script), without having the hassle to change your password (which you could use in multiple other instances).
I feel like this might be answered already somewhere, but no one seems to have answered this question directly about Drupal and I'm wondering if that might be making all the difference.
I have setup a vanilla Drupal installation with just the necessary modules to use a REST server to handle Push Notifications. In testing the REST server with the CocoaRestClient (found here http://code.google.com/p/cocoa-rest-client/) I am encountering a problem with Basic HTTP Authentication (Authentication is failing). I have tested with Session Authentication and that works perfectly. My username and password are most certainly correct. The Services basic authentication module doesn't provide much in the way of setup, so what could I be doing wrong?
Modules being used:
Push Notifications
Services
Services basic authentication
REST Server
Drupal 7.22 minimal (vanilla install - no themes or any other fancy modules than the ones listed).
Basic auth enables you to GET, POST, PUT, and DELETE, to your endpoints using a Basic Auth Header. I am not sure if it will do anything for the /login end point. The authorization header should be made up of Basic followed by a based-64 encoded string of 'user:password' (not including the quotes).
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
You can quickly test this using Postman or Fiddler.
you need use the content access to restrict the access. This will require users to provide a login and password.