I would like to expose my Play Framework REST calls to clients other than my play app.
I would like a mobile app to call those secured rest calls.
I asked a question on SO earlier in the year and got an answer but this only works for OAuth2 and I am only using OAuth1
My questions are:
Is exposing my REST calls secured by Securesocial on my PlayFramework app to non web clients like Mobile apps a good idea?
Is there a way to do this using Securesocial for OAuth1?
Are there any examples apart from the one in the link from my last question?
Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.
In the case of the UsernamePasswordProvider you can post the user credentials and if they’re ok you will get a json with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:
curl --data "username=some#email.com&password=some_password” http://localhost:9000/auth/api/authenticate/userpass
For OAuth2 based providers you have to post a JSON with an accessToken generated by the external service (that was obtainer in the client side) along with the user email. The module will use the accessToken to verify if it works and will compare the email returned by the external service to the one passed in. If they match then the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).
For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g.: using Javascript):
{
"email": “some#email.com”,
"info": {
"accessToken": “an_access_token”,
"expiresIn": a_number_with_expiration_in_seconds
}
}
You can invoke:
curl -v --header "Content-Type: application/json" --request POST --data-binary "#test.json" http://localhost:9000/auth/api/authenticate/facebook
A sample json response for any of the calls above would be:
{"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}
You can then invoke a secured action as:
curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action
I recommend to use Silhouette (repo). Silhouette was designed to be flexible.
Here you can find a seed project using Silhouette that expose a rest api for signup, singin and social authentication.
Related
I'm currently learning to use REST API (from WooCommerce in this case) and got some basic questions:
How to see complete request string in Postman software?
I'm testing a simple GET request which works great with for example:
<host>/wp-json/wc/v3/products
to receive the product list. In this case I use the authorization tab to enter my user/pass as Basic Auth.
I also tested curl.exe using another simple Windows command prompt. This also returned product list:
curl.exe <host>/wp-json/wc/v3/products -u mykey:mysecret
What is the difference between them? The last example is a simple GET, i assume, although it's not stated. How about POST or DELETE etc? This is what i don't understand: A https request can only have an address and eventual parameters. Where and how does "GET" come into the picture?!
If possible, I would like the see the complete URL request (as one string) from the working Postman example?
My last question is about testing the same method on another server/service which is not WooCommerce. Afaik this service is created with something called swagger:
curl "<host>/orderapi/item" -H "accept: application/json" -H "X-Customer: <customer>" -H "X-ApiKey: <mykey>" -H "X-ApiSecret: <mysecret>" -H "Content-Type: application/json"
This also returns a list of, in this case orders instead of products. All good.
But for this example I haven't figured out how to achieve the same request in Postman. What auth method should I use?
And again, I don't understand the GET/POST/DELETE thing. And I also would like to see the complete request as one-string.
1) How to see complete request string in Postman software? I would like the see the complete URL request (as one string) from the working Postman example
On version 9.x.x:
The code window(image) shows the choosen method (yellow mark) and the code window(red arrow), where you get the actual
curl code(image)
2) What is the difference between them? The last example is a simple GET, i assume, although it's not stated. How about POST or DELETE etc? Where and how does "GET" come into the picture?
From the curl documentation:
-X, --request
(HTTP) Specifies a custom request method to use when communicating
with the HTTP server. The specified request method will be used
instead of the method otherwise used (which defaults to GET). Read the
HTTP 1.1 specification for details and explanations. Common additional
HTTP requests include PUT and DELETE, but related technologies like
WebDAV offers PROPFIND, COPY, MOVE and more.
GET is the default method for curl, which means:
curl.exe <host>/wp-json/wc/v3/products -u mykey:mysecret
is the same as:
curl.exe <host>/wp-json/wc/v3/products -u mykey:mysecret -X "GET"
so, for a POST/DELETE/... you should change your '-X' parameter for example:
curl.exe <host>/wp-json/wc/v3/products -u mykey:mysecret -X "POST" [...otherOptions]
(Assuming that you can receive a POST on the url above)
3) [On another server/service] I haven't figured out how to achieve the same request in Postman. What auth method should I use?
The -H specify the header parameter you are passing. You have those in your example:
accept: application/json
X-Customer:
X-ApiKey:
X-ApiSecret:
Content-Type: application/json
You need to add those in your postman on the headers(image) tab. In this case you don't need to specify a auth method, once you're sending the ApiKey on the header. In addition to that, you can specify the authorization Type to be "Api Key" and put X-ApiKey as key and your apikey value on the value field(image). It'll generate the same request as shown in the headers image.
curl, at least the GNU one on Linux, uses GET method by default. If you want to change a HTTP method in your request, there's -X option, for example:
$ curl -X DELETE https://example.com
Postman has something called Postman Console which you can open by pressing Alt + Ctrl + C:
and where you can see more details about requests and responses.
Postman also lets you import curl commands, so you don't need to manually prepare the request, you can only paste the curl command in Postman.
There are many resources online on the specifics, e.g. how to import a curl command.
I have started using Postman to map out my API and also wanted have a quick, easy way to document it and share it.
My API is using JWT for auth and this token needs to be present in each request except login.
In order to keep it DRY I have used Postman collection Authorization
as explained on their blog http://blog.getpostman.com/2017/12/13/keep-it-dry-with-collection-and-folder-elements/
Example of how I set up collection authorization type bearer
This header is being used by my API as type "Inherit auth from parent" and this works with no problems during my requests.
But if I choose to view collection in browser this header is not displayed in the request or examples see screenshot.
Collection documentation as viewed in web
Here is the cURL request in Postman:
curl -X GET \
https://example.api/v1/auth/user \
-H 'Content-Type: application/json'
Is it possible to display the auth header while using the collection settings or I should add the header myself for each request in order to make sure that this is added in the examples and documentation?
Edit:
I've found that if I hover over the Authorization header I get the following message:
This temporary header is generated by Postman and is not saved with your request.
Here is a screenshot from the app with Postman collection temporary headers.
This issue will fix in 2 or 3 mounths.
You can track the issue status in https://github.com/postmanlabs/postman-app-support/projects/40#card-33062423
If you are setting up that JWT Token as request headers then it should get displayed in the documentation. Below are the Steps how i am generating and setting up jwt token:
Login api to generate jwt token.
saving that token as environment
variable Using that variable in each request which requires
Authorization header.
please see the screenshot
I'm very new to REST and google cloud endpoints. I've followed the tutorial
Getting Started with Endpoints Frameworks on App Engine and I've executed the API query as stated in the tutorial successfully:
curl --header "Content-Type: application/json" --request POST --data '{"message":"hello world"}' http://localhost:8080/_ah/api/echo/v1/echo
But I didn't manage it to find the corresponding URI query statement to be used in the browser.
I tried
http://localhost:8080/_ah/api/echo/v1/echo?{"message":"hello world"}
http://localhost:8080/_ah/api/echo/v1/echo?=message="hello world"
and a lot of combinations without success and which resulted in receiving no response.
How does the URI statement, corresponding to the cURL request as stated above, look like?
Thank you in advance.
BTW: This is the endpoint implementation of the API method "echo":
#ApiMethod(name = "echo")
public Message echoPathParameter(Message message, #Named("n") int n) {
return doEcho(message, n);
}
From the man page of curl:
-d/--data
(HTTP) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded.
application/x-www-form-urlencoded means that the body of the request contains
message=hello+world
I am new in API gateways. I have python based API deployed on an EC2 server. I can access this as URL http://xxx.xxxxxxx.com/RPC2/. I can see objects, methods in this URL. I am trying to use API gateway for same.
Created API. (ExampleAPI)
Created POST method. (given path http://xxx.xxxxxxx.com/RPC2/ as end point URL ). I have not created the resource since I am expecting HTTP Proxy for all Methods of the resource. Its looks fine when I put my content in the request body. I get a response.
Now I have deployed it to one stage dev1. Got a new endpoint URL.
Also created an API key and attached it with dev1. Also Set API key required true in POST Method Request.
Questions.
1. When I hit dev1 URL (https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1), it does not give me same page as http://xxx.xxxxxxx.com/RPC2/. It gives me {"message":"Missing Authentication Token"} error. Am I missing some fundamentals here?
http://xxx.xxxxxxx.com/RPC2/ do have several methods, so how can I use it? All of them are POST methods. Can I set some parameters or some request body, or some templates? How can I improve this process?
How can I use API key here? Or it won`t work in POST method?
If i do curl -H "Content-Type: application/JSON" -X POST -d "{\"method\": \"app.menu\",\"params\":[] }" https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1 i get same response as i curl http://xxx.xxxxxxx.com/RPC2/. is it the only way to access my dev1 URL or I can create individual methods or string parameters.
Regards,
Ashish
See answers posted to this forum:
When i hit dev1 URL (https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1), it do not give
me same page as http://xxx.xxxxxxx.com/RPC2/. It gives me
{"message":"Missing Authentication Token"} error. Am i missing some
fundamentals here ?
If you are hitting the URL in a browser with a GET method, it will not
work. You have to specify all of the HTTP methods on a resource that
you want the client to access. If you hit a method that is not
defined, you get that message.
http://xxx.xxxxxxx.com/RPC2/ do have several methods, so how can i use it? all of them are POST methods. Can i set some parameters or
some request body, or some templates. how can i improve this process.
Yes if you are mapping to an RPC API then you can build the REST
methods/resources in API Gateway and set a static value for the header
or in the body, wherever the RPC action is expected by the backend.
How can i use API key here? or it won`t work in POST method? Because while accessing from curl, it works fine without API key.
First you should set API Key Required on the method (Method Request
page), then you'll have to add the API Stage to the API Key and make
sure it's enabled. After all that, if you send the API Key in a header
called 'x-api-key' it should work, otherwise you should get a 403
response saying "Forbidden".
If i do "curl -H "Content-Type: application/json" -X POST -d "{\"method\": \"app.menu\",\"params\":[] }"
https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1" i get same
response as i curl http://xxx.xxxxxxx.com/RPC2/. is it the only way to
access my dev1 URL or i can create individual methods or string
parametrs.
You will have to create each method in API Gateway (like GET) and they
can all point to the same backend url but specify a different RPC
action in the header or wherever it is specified.
I'd encourage you to check the public developer guides for parameter
mapping and payload transformation to learn what tools we have in API
Gateway.
I'm building an spotify-echonest app using the web apis from both. I'm using spotify api to get as many songs as I can from user input, what I need now is to get information about these songs from echonest but as far as I can see you can only set one filter as foreing_id in the rest service.
http://developer.echonest.com/api/v4/artist/similar?api_key=YOUR_API_KEY&id=spotify:artist:4Z8W4fKeB5YxbusRsdQVPb&bucket=id:spotify
I'm using the Java API from Echonest, anyway any help is usefull.
You should query audio features from Spotify's Web API instead as Spotify doesn't support echonest anymore. I think you've already known how to get track IDs from the API, all you need to do is use the track IDs to query audio features.
Example:
Step 1: Get track id
curl -X GET "https://api.spotify.com/v1/search?q=track%3Anumb+artist%3Alinkin+park&type=track" -H "Accept: application/json"
Step 2: Get access token
curl H "Authorization: Basic YOUR_CLIENT_CREDENTIALS" -d grant_type=client_credentials https://accounts.spotify.com/api/token
Step 3: Get audio features
curl -X GET "https://api.spotify.com/v1/audio-features/YOUR_TRACK_ID" -H "Authorization: Bearer {YOUR_ACcess-TOKEN}"