I have a bizarre issue with Drupal's REST API that I can't work out.
The exact same POST to /user/login?_format=json does NOT work in Postman (error 403 Forbidden) but with same parameters it works correctly in CURL.
This Curl works:
curl --header "Content-type: application/json" --request POST --data '{"name":"bobo", "pass":"xxx"}' http://[domain]/user/login?_format=json
I get back json with the uid, name, a csrf token, logout token and any roles.
Now in Postman, I select Post, my url is "http://[domain]/user/login?_format=json" for header i select 'Content-Type' and value 'application/json' and paste the {"name":"bobo", "pass":"xxx"} section into 'raw' under body.
Now I get 403 Forbidden and response: {"message":""}
Is there a setting in Postman I'm missing or is this a bug somewhere?? It seems utterly bizarre to me.
Actually, all is correct here.
User should be logged out to access /user/login endpoint (check user.routing.yml). Unlike curl, Postman behaves as a browser, i.e. saves all session cookies, so you are just logged in after first call and can't anymore access login endpoint. You may call /user/logout after logging in to be able to call it again.
Thus, I think your code works properly :)
Related
I am trying to set up a code which given grafana_session cookie will tell me whether it is valid for my Grafana instance
I tried using /api/auth/keys and passing grafana_session as a Bearer token but it doesn't work and I feel like it is intended to be used in a different way.
Is there a method to validate grafana_session using current API?
Ok found it!
You can send request to api/user with a special header:
header_key=cookie
header_value=grafana_session=<YOUR_GRAFANA_SESSION>
There is not official API for that. But you can call some Grafana API (for example /api/user) with that session cookie (please note: send it as a standard cookie, not as Bearer token). If you have response code 200, then cookie is valid, otherwise it is (very likely) invalid cookie.
curl example:
curl 'https://<grafana-domain>/api/user' \
-H 'Cookie: grafana_session=<grafana-session-cookie>'
URL :
https://circuitsandbox.net/rest/v2/webhooks
My Headers :
Content-Type : application/x-www-form-urlencoded
Authorization : Bearer ot-xxxxxxxxxxxx
Body :
url - Some URl
filter - CONVERSATION.CREATE
Error I am getting :
"The permission to access this resource is not granted. Scopes ::= [ALL, READ_CONVERSATIONS, READ_USER]"
Plus If i want to send extra filters thn will it be comma separated values?
If you are getting a 403, I would suspect a scope error (as mentioned by Roger) or an authentication problem.
For the first, please show us which scopes are currently selected for the application ; for authentication, can you check if you can make other API calls successfully ?
Here is what it looks like in Postman
Make sure your app registration contains the scopes that your app is asking for. For a simple outgoing webhook registration you would only need the scope READ_CONVERSATIONS.
See https://github.com/circuit/circuit-REST-bot/blob/master/app.js for an example on how to register for a webhook. This example registers for CONVERSATION.ADD, but CONVERSATION.CREATE is very similar.
If you still have problems please post a code example, or even a link to an app on repl.it.
Here is an example HTTP request to register the webhook. Note that the body is sent as text/plain (which is the default and its header can be omitted). Also note that the callback url is http. https is not yet supported.
POST https://circuitsandbox.net/rest/v2/webhooks HTTP/1.1
Host: circuitsandbox.net
Content-Type: text/plain
Authorization: Bearer <token>
url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE
and here is a curl command
curl -X POST https://circuitsandbox.net/rest/v2/webhooks -H "Authorization: Bearer <token>" -d "url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE"
I have started using Postman to map out my API and also wanted have a quick, easy way to document it and share it.
My API is using JWT for auth and this token needs to be present in each request except login.
In order to keep it DRY I have used Postman collection Authorization
as explained on their blog http://blog.getpostman.com/2017/12/13/keep-it-dry-with-collection-and-folder-elements/
Example of how I set up collection authorization type bearer
This header is being used by my API as type "Inherit auth from parent" and this works with no problems during my requests.
But if I choose to view collection in browser this header is not displayed in the request or examples see screenshot.
Collection documentation as viewed in web
Here is the cURL request in Postman:
curl -X GET \
https://example.api/v1/auth/user \
-H 'Content-Type: application/json'
Is it possible to display the auth header while using the collection settings or I should add the header myself for each request in order to make sure that this is added in the examples and documentation?
Edit:
I've found that if I hover over the Authorization header I get the following message:
This temporary header is generated by Postman and is not saved with your request.
Here is a screenshot from the app with Postman collection temporary headers.
This issue will fix in 2 or 3 mounths.
You can track the issue status in https://github.com/postmanlabs/postman-app-support/projects/40#card-33062423
If you are setting up that JWT Token as request headers then it should get displayed in the documentation. Below are the Steps how i am generating and setting up jwt token:
Login api to generate jwt token.
saving that token as environment
variable Using that variable in each request which requires
Authorization header.
please see the screenshot
I'm trying to create a bot which interacts with Facebook Messenger. I've set up my webhook and can receive messages coming from Facebook. However, when I try to send a message, I get the following error back from Facebook:
{"error":{"message":"(#100) The parameter recipient is required","type":"OAuthException","code":100,"fbtrace_id":"F3iVNecj10i"}}
However, I've definitely got the recipient ID in my request. I've sent the request with my bot, cURL and the Chrome Poster extension and get the same result each time. The JSON I send is:
{"recipient":{"id":"XXXXXXXXXXXXXX"},"message":{"text":"hello, world!"}}
When using cURL, I took the example directly from the Facebook documentation and send this:
curl -k -X POST -H "Content-Type: application/json" -d '{"recipient":{"id":"XXXXXXXXXXXXXXXX"},"message":{"text":"hello, world!"}}' "https://graph.facebook.com/v2.6/me/messages?access_token=ACCESS_TOKEN"
The only difference between this and the example on Facebook is the -k which stops cURL from checking the SSL certificate. I'm tunneling through to my app using ngrok for the incoming messages but sending my requests direct to the Facebook Graph API. The fact that it's happening in my app, cURL and Chrome Poster makes me think that it's something to do with the request (but I can't see what) or my Facebook app setup. Any help is greatly appreciated.
Turns out there were a few issues. The cURL request didn't include the quotes in the JSON so the quotes had to be escaped with \ characters. The Chrome Poster request didn't work because "content-type: application/json" wasn't set in the header. And my webapp didn't work because the JSON had a ";" at the end of it.
So, the Facebook message was an indication of poorly formatted JSON, just not a very direct one!
Check that the JSON payload is well formed.
I used the Postman.app to help me out with this — it's also available on Windows.
Steps
Copy the URL into the "Enter request URL field". This would include the access_token
Change the HTTP verb to GET
Under the "Headers" header, set Content-Type to application/json
Under the "Body" header, select "raw" and paste your JSON payload there. Make sure that this JSON payload is well formed by watching the error indicator displayed beside the line numbers.
Once I got this fixed, I was able to move on to the next step.
I got similar error some time back. Try using Postman. I tried the same request and replaced the user id and the page access token. It works fine.
Click on the Import button on the top and paste your curl request under raw. Then try running the call. If you get the same error, go to the body and modify it. Make sure you put this in the body part of the Postman request. Replace the recipient id with yours.
{
"recipient":
{
"id":"123456789"
},
"message":
{
"text":"hello, world!"
}
}
This is the full cURL call : Change Recipient ID and Page Access Token
curl -X POST -H "Content-Type: application/json" -d '{ "recipient":{"id":"1234567" }, "message":{ "text":"hello from bot" }}' "https://graph.facebook.com/v2.6/me/messages?access_token=PASTETHETOKENHERE"
I am testing Facebook Graph API v2.3 with Postman.
While it is possible to get response by putting access token in query string as follow:
https://graph.facebook.com/v2.3/me?access_token=my_access_token
I am wondering whether it's possible to do the same thing with HTTP request headers, which would be something like this:
GET /v2.3/me HTTP/1.1
Host: graph.facebook.com
Authorization: <my_access_token>
Cache-Control: no-cache
Postman-Token: <postman_token>
Based on this similar question (i.e. How should a client pass a facebook access token to the server?) on Stackoverflow, it seems that this should be possible.
Any thoughts on this?
Edit:
What raised my interest is that, when I used the API Graph Explorer provided by Facebook Developers, it seems that there's no query string in that sandbox either. How does that work?
Facebook API Graph Explorer DO use query string for access token. Thanks to #CBroe's response.
Yes it is possible
Authorization: Bearer AccessTokenHere
e.g.
curl --header "Authorization: Bearer CAAC...ZD" https://graph.facebook.com/me
This answer previously recommended using "OAuth" instead of "Bearer" as the token type. Both will work, but "Bearer" is the type that shows up in the standard. Also, on completing Facebook's OAuth flow, the token_type in their response is bearer. So all in all "Bearer" makes more sense.