This is how I would do this http request with curl
curl -v --basic --user USERNAME:PASSWORD
how would I set this as a header in a different REST client?
I can create curl commands in php, but in other GUI based rest clients I am unsure what part of the rest call "basic authentication" really falls in, is it in the body? in a header structured a certain way? thanks for the insight
Basic authentication in HTTP is achieved by setting the Authorization header to "Basic token", where the token is the base64 encoding of username:password. Follow the link for more details.
I'm using Vapor to handle http requests. I've implemented a registration and login, as well as other functioning code. On registration, a Bearer Token is generated, so I can return that to or write it into the page I'm about to render.
The page contains two forms, one of which generates a request that requires authorization, so I need to associate that request with the bearer token. How do I do this? Through explicitly setting headers for the form request that will be sent to the server? Via a cookie?
If you're writing a traditional web app using HTML then bearer authentication is not suitable as you can't attach custom headers with requests. You should use session based authentication as described in the docs
I have a project including both a frontend (made with Vue) and a backend (made with Node.js). My server handles all the frontend requests and has its own mongodb. I am using firebase only for the authentications.
My problem is this: how can I make the server sure that a certain request is sent by a logged in user that has the privilege to do that request?
For instance if I have the request POST /user/:uid/products, that makes a user add a product to its account, I want to be sure that it was the actual user that made this request.
I came up with this: https://firebase.google.com/docs/auth/admin/verify-id-tokens#web, getting the user token from the frontend and checking it in the server through the firebase admin api.
I just want to know which is the right header where I should put this token. I mean, should the frontend put the created token in the "Authorization" header? Which header is the most appropriate?
It's customary to put it in the "Authorization" header, just as you said.
Typically the header is formatted like this:
Authorization: Bearer <token>
This is documented in the OAuth 2.0 Authorization Framework: Bearer Token Usage, section 2.1. Your backend should of course parse the same format.
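The two answers above (the "Basic base64(username:password)" header and the "Bearer <token>" header) both boil down to the server splitting the Authorization header into a scheme and credentials and then checking the credentials. The following is an added example, not code from any of the posters or from Firebase: a small Python module that builds both header forms the way a client would and parses them the way a backend should. The user table and token table are constructed for the demo; a real service would store password hashes and verify tokens cryptographically (for Firebase, via the admin SDK's ID token verification mentioned in the question) rather than looking them up in a set.

```python
import base64
import binascii
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed demo credential store: username -> password.
# A real service stores a password hash, never the plaintext.
USERS: Dict[str, str] = {"alice": "s3cret"}

# Constructed demo token store: bearer token -> principal it belongs to.
TOKENS: Dict[str, str] = {"tok_abc123": "alice"}

# Syntax of a bearer token per RFC 6750 section 2.1 (b64token).
_BEARER_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def build_basic_header(username: str, password: str) -> str:
    """Client side: value of the Authorization header for HTTP Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_bearer_header(token: str) -> str:
    """Client side: value of the Authorization header for a bearer token."""
    return "Bearer " + token


def parse_authorization(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split 'Scheme credentials' into (scheme, credentials).

    Scheme names are case-insensitive (RFC 7235), so the scheme is lowercased.
    Anything that does not have exactly two parts is rejected.
    """
    if not value:
        return None, None
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()


def check_basic(credentials: str) -> Optional[str]:
    """Server side: decode base64(username:password) and verify it."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, so a password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(username)
    if expected is None:
        return None
    # Constant-time comparison so the check does not leak the password length prefix.
    if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return username
    return None


def check_bearer(token: str) -> Optional[str]:
    """Server side: validate token syntax, then resolve it to a principal."""
    if not _BEARER_RE.match(token):
        return None
    return TOKENS.get(token)


def authenticate(header_value: Optional[str]) -> Optional[str]:
    """Return the authenticated principal for an Authorization header, or None."""
    scheme, creds = parse_authorization(header_value)
    if scheme == "basic":
        return check_basic(creds)
    if scheme == "bearer":
        return check_bearer(creds)
    return None


if __name__ == "__main__":
    print(build_basic_header("alice", "s3cret"))
    print(authenticate(build_basic_header("alice", "s3cret")))
    print(authenticate(build_bearer_header("tok_abc123")))
    print(authenticate("Bearer not-a-known-token"))
```

The scheme comparison is case-insensitive but the credentials are not, and a request whose Authorization header is missing, malformed, or uses an unknown scheme simply yields no principal, which is what a backend should treat as unauthenticated rather than as an error to explain to the caller.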
I'm now testing custom sharing flow in StockTwits and got stuck on authorizing the user.
I'm following the server-side oauth flow described here.
I'm using an npm lib stocktwits, but I've already tried this request from terminal using curl:
curl -X POST https://api.stocktwits.com/api/2/oauth/token -d 'client_id=439fb********3e6&client_secret=5420fa774******970c24f074b90e617&code=ccb99afde1**********de6d782029c68&grant_type=authorization_code'
After getting the code I call https://api.stocktwits.com/api/2/oauth/token (POST) to perform the exchange for an access_token, but I get an unexpected response with HTML in it asking to bypass a captcha, instead of the JSON described here.
I didn't solve the issue with the server-side flow. My purpose was to authorize in any possible way, so I just switched from the server-side flow to the client-side one and it works just fine. Both approaches are described here.
I am invoking one of my APIs using curl as follows (cross origin).
curl -H "Origin: foo.com" -H "Content-Type: application/json" -H "Authorization: Basic YWRtaW46YWRtaW4=" -v https://localhost:9443/api/v10/configs -k
I have not set the necessary cross origin headers in the server side. But the API call works. Why is that?
On the server-side API class, in the OPTIONS call I am only setting the Allow header.
import javax.ws.rs.OPTIONS;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
// JAX-RS handler for OPTIONS: only Allow is set, no Access-Control-* headers
@OPTIONS
public Response options() {
    return Response.ok().header(HttpHeaders.ALLOW, "GET").build();
}
The following headers are not set.
Access-Control-Allow-Methods:
Access-Control-Allow-Origin:
Access-Control-Allow-Headers:
CORS is a mechanism to enable cross domain requests but in the browser using AJAX. If you use curl you can do what you want ;-)
So in your case (using curl), you try to execute the request outside a browser. So you are free to do what you want! With curl, the request will be always executed and you will see the exchanged headers for example. This can be something helpful to see if you have the expected headers for CORS...
Hope it helps you,
Thierry
You may want to read HTTP access control (CORS) to get a better understanding of how it works, and the main purpose it serves.
Just some intro snippet
For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest follows the same-origin policy. So, a web application using XMLHttpRequest could only make HTTP requests to its own domain. To improve web applications, developers asked browser vendors to allow XMLHttpRequest to make cross-domain requests.
The W3C Web Applications Working Group recommends the new Cross-Origin Resource Sharing (CORS) mechanism. CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers. Modern browsers use CORS in an API container - such as XMLHttpRequest - to mitigate risks of cross-origin HTTP requests.
So CORS was introduced to allow for cross-domain access (from scripts) in browsers. How it works is that when a request is made that requires cross-domain authorization, the browser first makes an OPTIONS ("preflight") request to look for the access response headers. If they are there, then it makes the initial request. Otherwise there is a request error.
As an aside, I would avoid implementing CORS support in resource methods. I would instead use a filter mechanism so all requests are handled in the filter, instead of having to implement an @OPTIONS method for all endpoints.
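To make the two points of this answer concrete (the browser, not the server, is what enforces CORS, and the Access-Control-* headers belong in a filter rather than in each resource's OPTIONS method), here is an added example in Python that is not code from either poster or from any JAX-RS project. It models the filter as a function that computes the CORS headers for a request from an origin allowlist, answers preflights itself, and otherwise merges the headers into whatever the resource returns. The allowlist, methods and header names are constructed for the demo.

```python
from typing import Callable, Dict, Tuple

# Constructed allowlist: the only origins a browser may call this API from.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("Authorization", "Content-Type")

Response = Tuple[int, Dict[str, str], str]


def cors_headers(method: str, request_headers: Dict[str, str]) -> Dict[str, str]:
    """Compute the Access-Control-* headers for one request.

    Returns an empty dict when there is no Origin or the Origin is not on
    the allowlist, so the browser will block the cross-origin read.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}  # names are case-insensitive
    origin = hdrs.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    out = {
        # Echo the specific allowed origin; never '*' when credentials are allowed.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Credentials": "true",
    }
    requested = hdrs.get("access-control-request-method")
    if method.upper() == "OPTIONS" and requested is not None:
        # Preflight: only grant it if the method the script wants is allowed.
        if requested.upper() not in ALLOWED_METHODS:
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = "600"
    return out


def is_preflight(method: str, request_headers: Dict[str, str]) -> bool:
    names = {k.lower() for k in request_headers}
    return method.upper() == "OPTIONS" and "access-control-request-method" in names


def handle_request(method: str, request_headers: Dict[str, str],
                   resource: Callable[[], Response]) -> Response:
    """The 'filter': answers preflights, otherwise decorates the resource's response."""
    cors = cors_headers(method, request_headers)
    if is_preflight(method, request_headers):
        # A preflight never reaches the resource method.
        return 204, cors, ""
    status, headers, body = resource()
    merged = dict(headers)
    merged.update(cors)
    return status, merged, body


def configs_resource() -> Response:
    """Constructed stand-in for the resource method behind GET /api/v10/configs."""
    return 200, {"Content-Type": "application/json"}, '{"configs": []}'


if __name__ == "__main__":
    # Like the curl call in the question: the body comes back regardless of Origin,
    # because only a browser acts on the missing Access-Control-Allow-Origin header.
    print(handle_request("GET", {"Origin": "foo.com"}, configs_resource))
    print(handle_request("OPTIONS", {"Origin": "https://app.example.com",
                                     "Access-Control-Request-Method": "POST"},
                         configs_resource))
```

The first call in the usage block reproduces the situation in the question: the response is served with status 200 and a body even though no Access-Control-* header is present, which is exactly why curl "works" while a browser script from foo.com would be refused access to the result.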
I have an API that I've built that uses JWT for authorization. How would I go about generating an appropriate JWT using Paw? I could just write a simple app to take in all my info and spit out a JWT, but I would rather be able to put the info in Paw somehow and have it generate the JWT and send it to the API.
The answer to this was staring me in the face since Paw is so powerful. I just used a dynamic value of my login call that produces the JWT. Now my JWT gets included in my headers automatically. More info can be found here: https://luckymarmot.com/paw/doc/Response_Parsed_Body_Dynamic_Value
You can add a header named Authorization and select OAuth 2 Authorization as the header value.
Then you need to put your token in the Token - Bearer field. (The selected field in the image below.)
Here's the solution that worked for me:
Creating an Authorization header and adding the string Bearer (with a space) before the token as follows:
Authorization: Bearer [YOUR_TOKEN]
P.S: There's a space between Bearer and your token.