I have such problem:
Previously Advanced REST API client was integrated with browser and I could send request to my app if I was logged in my app. And now it is separated and it doesn't use session from browser.
How can I use cookies/session to send requests to my app without logging in???
Install ARC cookie exchange from https://chrome.google.com/webstore/detail/arc-cookie-exchange/apcedakaoficjlofohhcmkkljehnmebp
Solved,
Against advanced Rest Api client I tried Postman, but Postman for using cookies from browser needs additional extension that called Postman Interceptor. it communicates with Postman and you can send requests.
Related
I am developing a SPA web app with REST API using Node. I read in many sources that the JWT should not be stored in localStorage of the browser; but instead should be set using cookie with httpOnly flag set. I have also read that mobile apps and SPAs should used token-based authentication.
If I should use token-based authentication, where should I store the token in the client?
While setting cookie is possible to do in web client, how can I use the same REST endpoint when I develop clients for mobile? I am not sure if mobile apps use the concept of cookies.
Suggestions would be highly appreciated.
I think your application should check cookies for the token first, if it is not there, then check the request Authorization header.
We are developing a financial application using SPA architecture. The client and API use the same domain. There are many posts on how to secure REST APIs using JWTs, httpOnly cookies and oAuth which protect the API from external attackers. However, I have not seen a specific discussion of how to prevent knowledgable, authenticated users from hacking APIs from the browser's dev tools. For example, when a user logs in using the login form a JWT is returned and must be stored somewhere on the client. Even if that token is stored in an httpOnly cookie (and inaccessible to JavaScript) the browser still sends it back to the server automatically regardless of how the API call was made (from JavaScript in the SPA client or JavaScript in the console). A valid login to the application does not imply full access to all APIs. What are some specific approaches to mitigate this vulnerability?
I'm currently building out an API in Python Flask and am working on my authentication layer. Everything seems to be working aside from my request to retrieve an access token from Facebook's API.
I'm redirecting to https://graph.facebook.com/oauth/authorize after my own authorize endpoint is hit and the response is HTML. On browser, this obviously works, but since my intention is to use this API as the backend of an IOS app, I'm looking for an endpoint that returns the url, rather than the html, of the facebook login. Is there another endpoint I should be using?
Any help would be greatly appreciated.
Thanks,
Chris
Okay, nevermind, I realized that I was redirecting my API to the authorization URL when I should be returning the URL so that the user on the client side can then be redirected there.
I can't see certain GET requests from iPhone using Postman interceptor proxy.
I'm trying to see certain requests sent from an app on an iPhone in postman app. I've followed the guide on the postman website here.
This works great for POST requests
But I'm not able to see any GET requests.
I just want to check that this is normal. I did note that in the guide to using the postman built-in proxy that
Note: for the Postman native apps, request captures over HTTPS will not work if the website has HSTS enabled. Most websites have this check in place.
I'd like to know why this would block certain GET requests but allow other POST requests. Both URL endpoints are https:// if that helps.
Thanks in advance.
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.