Sails JS forbidden POST request - sails.js

I'm trying to learn Sails JS and obviously REST API.
I've created a user model wich I think works fine (it communicates datas with my db). I've also created a signup controller with 4 needed inputs to store a new record in my user collection. (Some other datas are generated by this controller to complete the record at the moment of the registration)
I would like to test this controller with POSTMAN, so I go to my routes.js and see :
'POST /api/v1/entrance/signup': { action: 'entrance/signup' },
But when i enter a POST request at 192.168.1.13:1338/api/v1/entrance/signup with my 4 needed inputs declared I have this answer : Forbidden
I don't know what I do wrong. I've also enabled rest, shortcuts and actions in my blueprints.js
Does someone has an idea ? :)

The issue is indeed related to cross-site request forgery, but disabling the corresponding security rule altogether is quite obviously not a solution. CSRF and its treatment in sailsjs are well described in the corresponding part of the manual. In short, for POSTs to work you have to include _csrf in your requests. E.g. in a view template:
<form>
<input type="hidden" name="_csrf" value="<%- _csrf %>" />
</form>

As said below, removing CSRF protection is not an answer as it may expose the api to a security breach. I currently use JWT but it doesn't seems to be as secure as CSRF token so the only right way is to include the token in every HTTP's request header.

Related

How Do I Authenticate an API Request Using a Token With Postman

I am trying to test a Web API using Postman on a project which I have inherited from previous developers. All I know so far is that Authentication has been configured using ASP.Net Identity and Identity Server 4.0 which implements OAuth and issues short lived JSON Web Tokens (JWT) and Refresh Tokens.
If I navigate to the development website, log in (successfully), and use Chrome Developer Tools to inspect the initial log in request I can see that the body of the request contains a Form with 3 fields; userName, password and returnUrl. If I right-click on the request I can copy the request as cURL (bash) and in Postman I can import the data to create a new request. If I send the request I get a status 200 OK back and the response includes 6 cookies. However the body of the response contains an htlm page which Postman can't render and a message You need to enable JavaScript to run this app.
I'm lost now as to how I can use the response to authenticate a request for some data. Is the Token I need contained within one of the cookies? How do I extract the Token and use it within a request for some data? Any advice or suggestions would be very welcome.
Normally, with JavaScript enabled in the browser, <form> would be automatically posted to its' destination defined in action, using method. JavaScript would do somethign like the following:
window.addEventListener('load', function(){document.forms[0].submit();});
So without JavaScript, you would need to somehow parse the form that you received and recreate equivalent request.
The form, received upon successful login, contains data that should be sent back to your origin website, to authenticate the end-user.
For example, form's body contains hidden input fields, defined by OpenID protocol:
...
<input type='hidden' name='token_type' value='Bearer' />
<input type='hidden' name='expires_in' value='600' />
...
Form action attribute points back to sign-in endpoint on your website. For example:
<form method='post' action='https://{hostname:post}/signin-oidc'>

Cant got csrf through cors on Sails.js

I want to use Sails.js extensible project with auth, login, & password recovery with Vue.js frontend app. But I ran into the next problem:
I can't get a csrf token from sails api. On official manual said that should be router to action which generates csrf token:
{
"GET /csrfToken": { action: "security/grant-csrf-token" }
}
But no any info about methods to generate it. On built-in sails view's csrf turns out from view local <%= _csrf %>.
Is it possible to get csrf token from sails.js builted-in csrf module through cors? And what way be right to use sails.js with another frontend project: use extensible sails.js project with auth, login, & password recovery, or assemble authorization functionality on empty sails.js app?
If, in the config/security.js file, you have csrf: true, the tokens should automatically be generated. In the action, try logging this.req.session, and you should see a csrfSecret that gets generated.

Getting hold of Amazon Fiona (Kindle) CSRF token

Amazon has an administration page for content sent to your Kindle. This page uses an undocumented HTTP API that sends requests like this:
{
"csrfToken":"gEABCzVR2QsRk3F2QVkLcdKuQzYCPcpGkFNte0SAAAAAJAAAAAFkUgW5yYXcAAAAA",
"data":{"param":{"DeleteContent":{"asinDetails":{"3RSCWFGCUIZ3LD2EEROJUI6M5X63RAE2":{"category":"KindlePDoc"},"375SVWE22FINQY3FZNGIIDRBZISBGJTD":{"category":"KindlePDoc"},"4KMPV2CIWUACT4QHQPETLHCVTWEJIM4N":{"category":"KindlePDoc"}}}}}
}
I made a wrapper library for the previous API they used, but this time they have added CSRF tokens, making each session unique. That is a bit of a show stopper, and I was wondering how I can get hold of these tokens. I did not find it in the cookies. This is for use in a Chrome Extension, so issues like CORS is not an issue.
Actually, after manually going searching the Response tab of each request in the "XHR" and "Doc" tab, I was able to find out that this token is set in an inline script in the myx.html (main page):
var csrfToken = "gPNABCIemSqEWBeXae3l1CqMPESRa4bXBq0W7rCIAAAAJAAAAAFkUlo1yYXcAAAAA";
This means it is set on the window object, making it available for all there. I guess this means a Chrome extension would need to fetch this page and manually parse the html to retrieve this token. Sad, but doable, although highly fragile :-(

Drupal 8.x POST (create) node via REST doesn't work

I am working with Drupal 8.0 alpha 11. I've been able to follow the Drupal guides for REST services:
POST for creating content entities (https://drupal.org/node/2098511) and the related guides, GET on content entities and GET on Views-generated lists
"GET"s work great, but I haven't been able to get any "POST" to work (I've posted the issue on the drupal.org site, too).
I've tested POST for both a basic page and my own content entity and neither works. I've tried a lot of variations, including removing "entity" from the url as per the recent changes in Drupal 8, but the POST still does not work. I'm using Postman in Chrome for testing and again, I can "GET" a basic page and my own content entity just fine, but with POST, I always get a return code of 200 "OK", never "201" (which is what I should receive according to the guide) and the nodes don't get created.
I've updated the rest.settings.yml for both the basic page and my content type, have established permissions for the user, am using basic auth, and have added Content Type application/hal+json and cross-origin details to the header info.
Any idea what's missing? Do I need to add coding in my create entity form to "receive" the posted data? Where do I do this/in which directories should the files go? Is this required for the default Basic Page content type, too?
Thanks for any help...I've spent weeks on this and can't figure out what I'm missing.
Thank you!
On Drupal 8 alpha 11 it will work but make sure I am assuming that you have enabled REST , HAL, HTTP basic authentication, Serialization module on your site.
You have enabled POST method for 'entity:node' with basic_auth authentication type and hal_json as format
Give enough permission to a admin so that it can create node via REST , To do so navigate to admin/people/permissions on your drupal installation.
now /entity/node is REST end point to create node I am using REST Client to demonstrate POST request
this is link to image that will make it more clear
https://dl.dropboxusercontent.com/u/100492838/POST_Node.png
now make a POST request with Content-Type = hal+json and also set basic_auth header.
change URL according to your site.

Silex REST login - How does it work?

I'm using Silex for the backend of an angularjs app. I wanna realize an user-authentication. I used this tutorial (http://www.bubblecode.net/en/2012/08/28/mysql-authentication-in-silex-the-php-micro-framework/) and the official documentation to realize it so far. The backend returns pure JSON, no HTML.
My questions:
How do I have to send the login-request? I never get an appropriated
response, just a 301 redirect. It's the same reponse like I get if I
try to access a ressource I don't have access.
The backend always redirects me to the the login route if I don't have access to a page. All I want is an 401. How can I change this behaviour?
Thanks guys! Cheers Chris
The call needs to send the parameters _username and _password to the check url.
This is taken from official documentation which can be found here:
The form has very few requirements. First, by submitting the form to
/login_check (via the login_check route), the security system will
intercept the form submission and process the form for you
automatically. Second, the security system expects the submitted
fields to be called _username and _password (these field names can be
configured).
For your second question:
You can specifiy a redirect route as described here.
Then just return 401 as response for this route.
I hope this will help you.
Sorry for my bad english!