Retrieve Pyramid's auth_tkt via HTTP response headers on mobile client - rest

I am writing a mobile iOS application, which communicates with a Pyramid app on the backend. I am currently using Pyramid's built-in AuthTktAuthenticationPolicy.
I've met some speed bumps while attempting to authenticate via a mobile client (iPhone). For starters, how would I send and retrieve the auth_tkt cookie that is set by Pyramid?
I understand how this works with a web browser, but, if I want to send this "auth_tkt cookie" in the HTTP response, how can I accomplish this? How do I actually get the auth_tkt secret string. For example, what if I'd like to return it in the JSON body or a custom header of my choosing rather than as the cookie set by Pyramid's remember function?
Secondly, in future requests sent by the client what header do I set with the auth_tkt secret string so that Pyramid recognizes it and appropriately authenticates the client?

Using the Pyramid Helper Classes here, it looks like you can create your own auth_tkt and access it as well. Example from docs:
import os
from pyramid.authentication import AuthTicket

token = AuthTicket('sharedsecret', 'username',
                   os.environ['REMOTE_ADDR'], tokens=['admin'])
val = token.cookie_value()

The headers attribute is a webob ResponseHeaders object; it derives from the webob MultiDict. You can get its value like this:
set_cookie = request.response.headers['set-cookie']
You can refer to this link: webob multidict
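As an added example that is not code from either answer or from Pyramid itself, the following stdlib-only Python walks the round trip the two answers describe: the ticket is built in the mod_auth_tkt layout that Pyramid's AuthTicket.cookie_value() produces, returned in Set-Cookie (as remember() does) together with a copy in a custom header and in the JSON body, pulled back out of the Set-Cookie header on the client, and sent on the next request as a plain Cookie: auth_tkt=... header, which is the only place AuthTktAuthenticationPolicy looks for it. The secret, the user alice, the token admin and the X-Auth-Tkt header name are assumptions; sha512 and the 0.0.0.0 address are the policy's defaults (the real client IP is only mixed in when include_ip=True).

```python
import hashlib
import hmac
import json
import socket
import struct
import time
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

COOKIE_NAME = "auth_tkt"      # Pyramid's default cookie name
SECRET = "sharedsecret"       # assumed shared secret, as in the answer above


def _digest(secret, userid, ip, timestamp, tokens, user_data, hashalg):
    # mod_auth_tkt layout: 4-byte IP + 4-byte big-endian timestamp, then secret,
    # userid, tokens and user_data; the hex result is hashed again with the secret.
    ip_ts = socket.inet_aton(ip) + struct.pack(">I", timestamp)
    inner = hashlib.new(hashalg, ip_ts + secret.encode() + userid.encode()
                        + b"\0" + tokens.encode() + b"\0" + user_data.encode()).hexdigest()
    return hashlib.new(hashalg, inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret, userid, ip="0.0.0.0", tokens=(), user_data="",
                timestamp=None, hashalg="sha512"):
    """Server side: the string AuthTicket.cookie_value() returns. The IP stays
    0.0.0.0 unless the policy was created with include_ip=True."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    tok = ",".join(tokens)
    value = "%s%08x%s!" % (_digest(secret, userid, ip, timestamp, tok, user_data, hashalg),
                           timestamp, quote(userid))
    if tok:
        value += tok + "!"
    return value + user_data


def parse_ticket(secret, ticket, ip="0.0.0.0", hashalg="sha512", max_age=None):
    """Server side: verify a ticket and return (timestamp, userid, tokens, user_data).
    Raises ValueError on a malformed, forged, wrongly bound or expired ticket."""
    size = hashlib.new(hashalg).digest_size * 2          # length of the hex digest
    digest, ts_hex, rest = ticket[:size], ticket[size:size + 8], ticket[size + 8:]
    try:
        timestamp = int(ts_hex, 16)
        userid, data = rest.split("!", 1)
    except ValueError:
        raise ValueError("malformed ticket")
    userid = unquote(userid)
    tok, user_data = data.split("!", 1) if "!" in data else ("", data)
    expected = _digest(secret, userid, ip, timestamp, tok, user_data, hashalg)
    if not (digest.isascii() and hmac.compare_digest(expected, digest)):  # constant time
        raise ValueError("bad ticket signature")
    if max_age is not None and time.time() - timestamp > max_age:
        raise ValueError("ticket expired")
    return timestamp, userid, tok.split(",") if tok else [], user_data


def login_response(ticket):
    """Server side: the Set-Cookie header remember() would set, plus the same
    ticket in a custom header and in the JSON body for clients without a cookie jar."""
    headers = {
        "Set-Cookie": "%s=%s; Path=/; HttpOnly" % (COOKIE_NAME, ticket),
        "X-Auth-Tkt": ticket,          # assumed custom header name
        "Content-Type": "application/json",
    }
    return headers, json.dumps({"auth_tkt": ticket})


def extract_ticket(cookie_header_value):
    """Parse a Set-Cookie (client side) or Cookie (server side) header value."""
    jar = SimpleCookie()
    jar.load(cookie_header_value)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def next_request_headers(ticket):
    """Client side: the header to send so AuthTktAuthenticationPolicy finds the ticket."""
    return {"Cookie": "%s=%s" % (COOKIE_NAME, ticket)}


def demo(timestamp=1700000000):
    """Full round trip; returns what the policy sees on the client's second request."""
    ticket = make_ticket(SECRET, "alice", tokens=["admin"], timestamp=timestamp)
    headers, body = login_response(ticket)
    client_copy = extract_ticket(headers["Set-Cookie"])
    assert client_copy == json.loads(body)["auth_tkt"] == headers["X-Auth-Tkt"]
    request = next_request_headers(client_copy)
    return parse_ticket(SECRET, extract_ticket(request["Cookie"]))


if __name__ == "__main__":
    print(demo())
```

Whatever channel the ticket travels on, the client must send it back as the auth_tkt cookie for the built-in policy to accept it; a custom header would need a custom policy. Note that a ticket bound to a client IP (include_ip=True) stops verifying as soon as a phone changes network, which is why the default leaves the address at 0.0.0.0.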

Related

How do I save session cookie from response in flutter?

Let's say I log into an API with my Flutter app. On a website, they automatically store the login cookie and then can use it. But in a Flutter app, how do I store the cookies and session? And how do I pass that into a POST to let the API know I have a valid login session?
Q: It's making me more confused, I just want the part to extract the cookie and how to use it.
There are a number of complexities, depending on exactly what you ultimately want to do.
But let's assume:
Your Flutter app makes an HTTP request (GET, PUT, etc.)
The server (e.g. your Flask app) returns cookies in the HTTP response (in the HTTP response header).
Let's further assume your HTTP code looks something like this:
import 'package:http/http.dart' as http;

Future<http.Response> fetchAlbum() {
  return http.get(Uri.parse('https://jsonplaceholder.typicode.com/albums/1'));
}
In that case, you should be able to reference the cookies property of the Response object returned from the server.
SUGGESTION: See also these links:
Flutter For Web Cookie/Token Sessions and Authentication
Add Session Support to Flutter with Flutter Session

How to access protected assets in Play Silhouette with JWT Authenticator

I have Play with Silhouette authentication and authorization configured using the JWTAuthenticator. This authenticator works by reading the X-Auth-Token header, which is a JWT, to identify the user in every request. This works fine for REST endpoints.
Now I have images that only owners should be able to access, and I would like to use those in the background-image CSS property (this is a requirement). In such a scenario I'm not able to set the request header, hence the request will be denied.
The next natural step is to embed the token in the background-image URL itself as a URL parameter. However, I don't know how to proceed on the server side. How can I tell the JWTAuthenticator to use the token in the URL if no X-Auth-Token header is present?
Ok, I'm sharing my findings here so hopefully this can help others. While digging into the Silhouette code I found that we can easily configure from which part(s) of the request (header, query string, ...) we want to read the token. By default the JWT is read from the X-Auth-Token header, but we can configure the JWTAuthenticator to read the token also from a query string variable:
import com.mohiva.play.silhouette.api.util.RequestPart
import com.mohiva.play.silhouette.impl.authenticators.{JWTAuthenticatorService, JWTAuthenticatorSettings}
import net.ceedubs.ficus.Ficus._
import net.ceedubs.ficus.readers.ArbitraryTypeReader._

val config =
  configuration.underlying
    .as[JWTAuthenticatorSettings]("silhouette.authenticator")
    // this is the important line of code: accept the token from the header or the query string
    .copy(requestParts = Some(Seq(RequestPart.Headers, RequestPart.QueryString)))
new JWTAuthenticatorService(config, None, encoder, idGenerator, clock)
Now if you want to use a protected asset behind a controller with a silhouette.SecureAction then you just need to add the X-Auth-Token as query string parameter to the url:
.my-class {
  background-image: url("/image?X-Auth-Token=........")
}

Changing one variable in all the headers of api requests using jmeter

Situation:
Using recording with JMeter I have generated a list of API requests. The way my test object works is that when you log in using the UI it creates a key for the entire session (which also keeps on changing); however, there is an option of having a static API key for a user that you can use for all requests when sending the API requests NOT using the UI of my software.
Problem:
I have a list of API requests that I want to test, but I would like to overwrite only one variable in the header of all my API requests (i.e. adding the static API key).
Is there a way of overwriting only one variable in all (most of) the headers?
The Header Manager lets you add or override HTTP request headers.
Create a Header Manager at the top and enter the common value. This value will be sent with all the headers.
For more information check the below link:-
https://www.blazemeter.com/blog/using-jmeters-http-header-manager
Hope this helps.
Add/copy the desired HTTP Header Manager above the Thread Group OR above the Recording Controller and remove/disable all HTTP Header Managers inside the request samplers; all request samplers will then use the main HTTP Header Manager by default.
Cheers!

Adding More parameters to REST HTTP GET

I am trying to access a REST web service using HTTP GET request.
For example, the following URI provides a REST web service that returns all the available parts for the given category.
http://localhost:8080/mycompany/parts/category
I want to authenticate/authorize users who are accessing the above REST request each time, and I want to pass user authentication details (user name and token) with the HTTP GET request.
Is there a possibility to cater to the above requirement in REST HTTP GET request (using HTTP header or query parameters)?
or
Is it better to use HTTP POST instead of HTTP GET?
Since you are getting information, you should use "Get". Here's the code that I use (it is Restlet based) for adding the oauth_token to the request...
import org.restlet.data.Reference;
import org.restlet.ext.oauth.OAuthUser;
import org.restlet.representation.Representation;
import org.restlet.resource.ClientResource;

// Build the target URI, then append the caller's access token as a query parameter
Reference commitsRef = new Reference(Consts.RESOURCE_BASE + "commitments/");
OAuthUser u = (OAuthUser) request.getClientInfo().getUser();
String token = u.getAccessToken();
commitsRef.addQueryParameter("oauth_token", token);
ClientResource commitsResource = new ClientResource(getContext(), commitsRef);
Representation commitsRep = commitsResource.get();
As mentioned, this is Restlet based, but there is probably something similar in the framework you are using. (And if you are not using a framework, Restlet can make this easier).
If you are using Restlet, good, because Restlet has a rich API for REST frameworks.
But without this, if you want to authenticate,
you can do the same thing with GET or POST:
send your credential data through a cookie
and read the same cookie using @CookieParam on the server side.
In this way you can easily authenticate the user.

Place API key in Headers or URL

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.
Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.
Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?
It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor.org/rfc/rfc7235
If you want an argument that might appeal to a boss: Think about what a URL is. URLs are public. People copy and paste them. They share them, they put them on advertisements. Nothing prevents someone (knowingly or not) from mailing that URL around for other people to use. If your API key is in that URL, everybody has it.
It is better to use the API key in a header, not in the URL.
URLs are saved in the browser's history if the request is made from a browser. That is a very rare scenario, but the problem comes when the backend server logs all URLs: that might expose the API key.
There are two ways to use the API key in a header:
Basic Authorization:
Example from stripe:
curl https://api.stripe.com/v1/charges -u sk_test_BQokikJOvBiI2HlWgH4olfQ2:
curl uses the -u flag to pass basic auth credentials (adding a colon after your API key will prevent it from asking you for a password).
Custom Header
curl -H "X-API-KEY: 6fa741de1bdd1d91830ba" https://api.mydomain.com/v1/users
Passing the API key in parameters makes it difficult for clients to keep their API keys secret; they tend to leak keys on a regular basis.
A better approach is to pass it in the header of the request. You can set a user-key header in your code.
For testing your request URL you can use the Postman app in Google Chrome by setting the user-key header to your API key.
I would not put the key in the URL, as it does violate this loose 'standard' that is REST. However, if you did, I would place it in the 'user' portion of the URL.
e.g.: http://me@example.com/myresource/myid
This way it can also be passed as headers with basic-auth.
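As an added example, not taken from any of the answers above, here is a Python sketch of the header-based approach the answers recommend: it accepts the two header forms shown (Stripe-style Basic auth with the key as user name and an empty password, and a custom X-API-Key header), resolves the key against hashed stored keys in constant time, and, for the cases where a key does end up in a URL anyway (the userinfo form in the last answer, or a query-string token such as the X-Auth-Token parameter in the Silhouette thread earlier on this page), shows how an access log should redact it before writing. The key sk_test_EXAMPLEKEY, the client id app-42 and the list of sensitive parameter names are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed for this example: only a hash of each issued key is stored, so a
# leaked table does not hand out working keys. Key and client id are made up.
ISSUED_KEYS = {hashlib.sha256(b"sk_test_EXAMPLEKEY").hexdigest(): "app-42"}

# Query parameters that commonly carry credentials (assumed list; includes the
# X-Auth-Token query string from the Silhouette thread). Extend as needed.
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token",
                 "oauth_token", "x-auth-token"}


def extract_api_key(headers):
    """Return the key a client presented in Authorization: Basic (key as user
    name, empty password, as curl -u '<key>:' sends it) or in X-API-Key.
    Returns None when neither header carries a usable key."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, param = h.get("authorization", "").strip().partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return None
        user, _, _password = decoded.partition(":")
        return user or None
    return h.get("x-api-key") or None


def authenticate(headers):
    """Map a presented key to its client id; hashes are compared in constant time
    so the lookup does not leak how many leading characters matched."""
    key = extract_api_key(headers)
    if key is None:
        return None
    presented = hashlib.sha256(key.encode("utf-8")).hexdigest()
    for stored, client in ISSUED_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return client
    return None


def redact_url(url):
    """What an access log should record if a key does travel in the URL:
    the userinfo part and known credential query parameters are masked."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    query = urlencode([(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def basic_auth_header(api_key):
    """Client side: the Authorization header curl -u '<key>:' produces."""
    token = base64.b64encode((api_key + ":").encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(authenticate(basic_auth_header("sk_test_EXAMPLEKEY")))
    print(redact_url("https://api.example.com/v1/users?api_key=secret123&page=2"))
```

The header path needs no redaction at all, which is the practical argument for it: request lines end up in server logs, proxies, browser history and Referer headers, while the Authorization header is normally not logged by default. If an API does accept a key in the URL, run every request line through something like redact_url before it reaches the log.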