Even with the all_trips scope, it seems we cannot update destination of a request requested by another app?
We are getting a 403: Forbidden response. Is there any way we can achieve that?
Correct, there is no way to do this (even with all_trips). Confirmed.
Related
I've build an Android app using Firebase, but I'd like to test the performance of the Cloud Firestore using REST requests (through Postman). I've looked up some info on some sites from Firebase, but everytime I send a request, I get a 404 Not Found.
The Authentication I use seems to work, by doing a POST request to
https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=MY_API_KEY I'm able to get a Firebase Id Token.
After that I tried sending a GET request to https://firestore.googleapis.com/v1beta1/parent=projects/MY_PROJECT_ID/databases/(default)/documents/MY_COLLECTION_ID with the token as Authrorization header, but everytime I seem to get 404 Page Not Found.
I'm not sure what I'm doing wrong and I hope someone can help me with this.
Thanks in advance!
Apparently I wasn't supposed to include the parent= in the URL, I removed it and now it works just fine.
I am using BinarySecurityToken for OTA_AirRulesRQ, but I am getting USG_AUTHORIZATION_FAILED. I used the same token for BargainFinderMaxRQ and it worked. Is it some problem with the SOAP request I am sending or access to this method is not authorized form my PCC ?
Also I am able to hold PNR and Issue ticket with same credentials
Please Suggest
You should contact the API helpdesk providing your credentials
Do you point it to the according endpoint. E.g. getting creds from prod/testing and using it in prod/testing?
Can you post the message you are trying to send including headers. You can block out Pcc information, but it would help to see the message. It may be something simple you are overlooking and at the very least I could duplicate the call on my test bench and try to to duplicate the issue.
What status code should be returned if somebody request access to the entity that he is not permitted to see? You'll probably say it's 403: Forbidden. But is it common practice to return 404 instead? I don't want somebody know that this entity even exists if he is not permitted to see it. What do you think?
Use 404 Not found.
The 404 status code can also be used in 403 scenarios, when the server
does not want to send back the reason why it is refusing to serve the
request. A good example is when the server senses some kind of an
attack, which might be a brute force attack. In this case, the
server responds with a 404 Not found instead of a 403 Forbidden and an
explanation.
Source: Pro ASP.NET Web API Security
Return 403 Forbidden. If you return this for every request the client is not allowed to access and if you never return 404 Not Found, the client knows nothing.
It all depends on how important this is for you:
I don't want somebody know that this entity even exists if he is not permitted to see it.
If this really is important, always return 403 Forbidden.
Well.. it depends..
If your endpoints' URLs reveal sensitive information (e.g., in Dropbox API, you refer to files by their names, rather than their IDs - so the URLs contain the file names) or perhaps you're using sequential IDs (e.g., ascending IDs that can be brute-forced), return 404.
If you need to support a "Request Access" feature to resources you don't have permissions for, return 403, so your client-side could tell the difference.
Generally speaking, if your API uses IDs and never reveal information as part of its URLs and you're using UUIDs as IDs, I would go with 403.. as with many well-known and very secured applications nowadays (Google, Microsoft, etc..).
Hope you get some clarification on HTTP errors based on what I am posting below:
HTTP 401 error :: This error happens when a website visitor tries to access a restricted web page but isn't authorized to do so.
HTTP 403 error :: This error is similar to the 401 error, but note the difference between unauthorized and forbidden. This can for example happen if you try to access a directory(forbidden) on any website.
HTTP 404 error :: A 404 error happens when you try to access a resource on a web server (usually a web page) that doesn't exist.
In the .NetAggCatSample app, I've found that calling getInstitutions with an existing user context seems to work fine, but for new users, I'm getting an exceptions (message = "forbidden").
Could this be due to running into the max user limit in Dev mode (which I am in)?
Also, which API call actually creates the user at Intuit?
To add the answer,
Any API call after retrieving OAuth tokens from the SAML assertion will create the user in the system. As you mentioned, you are most likely getting the 403 error because you are at your max customer limit. Please enable logging and post the response XML from the call that returns a 403:
http://docs.developer.intuit.com/0020_Aggregation_Categorization_Apps/DevKits/0250.NET_AggCat_DevKit_1.0/0006_Logging#Request_and_Response_Log
thanks
Jarred
getting the error {"error":{"message":"(#100) Can only call this method on valid test users for your app","type":"OAuthException"}} whenever trying to write to any facebook end point. Reading (GET) works fine, writing (POST) fails. Does anybody know how to resolve this?
I have also opened a ticket on FB dev site:
http://developers.facebook.com/bugs/184198634991192?browse=search_4e93328871c8a3231774584
The problem does not occur is I would shoot the POST request from my browser as if I am the user.
The problem does occurs only when sending from our servers on behalf of the user from one of our dev machines which have other subdomain names instead of www (such as dev1.blablabla.com & dev2.blablabla.com, while the app is registered to www.blablabla.com).
So the question is, does facebook attempt to do a reverse DNS lookup on all write requests to verify the source?
I believe your requirement is to get the user details of the owner of Facebook access token (normally the currently logged in user)
For that you have to issue a GET request and not a POST request.
The reason why it works when fired from the browser is that when you submit a query through the address bar it is send as a GET request, and when sent from your server it is send as POST and fails producing the error message mentioned in your post.
Facebook doesn't do a reverse DNS lookup on your write request and not need to configure anything in your server related to it.
Hope the answer is clear enough for you.