SugarCRM REST API Session expires frequently - rest

I use REST API in JavaScript. When I request REST API multiple times, it returns(response) invalid session id, but I am providing a valid session id, because I have pulled data with this session id.
Anyone came across this issue?
function sugarLogin(url, user, password) {
var request = new XMLHttpRequest();
var params = {
user_auth: {
user_name: user,
password: password
},
name_value_list: [{
name: 'notifyonsave',
value: 'true'
}]
};
var json = $.toJSON(params);
var crm_api = url;
request.open("POST", crm_api, true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.onreadystatechange = function () {
if (request.readyState == 4 && request.status == 200) {
var response = request.responseText;
var response_obj = jQuery.parseJSON(response);
if (response_obj) {
if (response_obj.name && response_obj.name == "Invalid Login") {
//invalid login
ProcessingFlag = 3;
} else {
session_id = response_obj.id;
ProcessingFlag = 1;
}
}
} else if (request.readyState == 4 && request.status == 404) {
ProcessingFlag = 2;
}
}
request.send("method=login&input_type=JSON&response_type=JSON&rest_data=" + json);}
I have used above code to login and set session_id (global scope)
and then using this session id I am calling search_by_module function of REST API.
It is working fine but if made multiple requests frequently then it says invalid session id.
Although I have tried to call login function again before making search_by_module call.
Main issue is when I tried calling other REST function after response returned from search_by_module and rendered HTML, it says me invalid session. I can't figure out why session expires immediately while we know that on server session expires after 24 minutes (server where our sugar instance hosted)

I bet you're getting this because of item number 3 :
1/ Defined an error callback that checks for that particular response -invalid login- and calls the login function. Reading your code, I guess this is ProcessingFlag = 3; job.
2/ make sure the login function updates the session_id correctly and globally so that future function calls will get the correct value.
3/ make sure you're passing that new session_id to all your subsequent calls as FIRST parameter in all you rest_data. I got caught on this and lost many hours only to find out that SugarCRM DOESN'T support named parameters in its rest_data (is it poorely implemented function-arguments-wise ?) This is because I was adding session_id as last parameter and all of my REST calls were returning invalid ID.

Related

Identity server stuck in redirect loop

I'm using identityserver4 for single sign-on. For most of the time application function smoothly but intermittently we face a redirect loop issue which becomes a show stopper for us until we restart's our app service. The page goes on loading continuously before finally showing a 'Bad request - Request Too Long' page with message: HTTP Error 400. The size of the request headers is too long. If we check the network tab, we can see that the application is looping between the identity server and client application redirect sign in pages. The application insight tells us that the client app gives a 401 on his home/index page and then a 302 on the signin-oidc url, then goes to the identity server connect/token, then connect/userinfo endpoints to get claims and comes back to the client home/index page to again get a 401. The loop continues (Identity server says user is authenticated while client says it is not). We are unable to find a fix for this since long. Any help is appreciated. Attaching the client side configuration for reference.
Findings
Our client app is an mvc app & we have used Session's & TempData in few area's. This areas are the triggering point of the redirect issue. What we have observed is, when the client initially login the authentication cookie is created (Cookie Name: AudDiscoveryAuth) and I could see it being passed in header for each request made to the controller actions. But once the user visit's any such area where we have used Session/TempData and Log out or any other user tries to login, Identity server successfully authenticates the user also the userendpoint to retrieve the details is being invoked however the cookie itself is not being created and is missing in every request to the Index/Home action method hence the redirect loop. Wondering what could be hampering in issuing cookie when using session variable elsewhere in the application or is their a setting missing.
Also in every redirect the occurrence of OpenIdConnect.nonce.XXX cookie is incremented. Once the count of OpenIdConnect.nonce.XXX reaches more then a certain level we get the bad request error page
public void Configuration(IAppBuilder app)
{
string baseClientAddress = ConfigurationManager.AppSettings["ApplicationUrl"];
int slidingExpiryHrs = Convert.ToInt32(ConfigurationManager.AppSettings["SlidingExpiryHrs"]);
int slidingExpiryMins = Convert.ToInt32(ConfigurationManager.AppSettings["SlidingExpiryMins"]);
TimeSpan expireTimeSpan = new TimeSpan(slidingExpiryHrs, slidingExpiryMins, 0);
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationType,
CookieName = "AudDiscoveryAuth",
ExpireTimeSpan = expireTimeSpan,
SlidingExpiration = true
});
app.UseOpenIdConnectAuthenticationPatched(new OpenIdConnectAuthenticationOptions
{
ClientId = "ratingspro.web",
Authority = IdsvrConstants.BaseAddress,
RedirectUri = baseClientAddress + "signin-oidc/",
PostLogoutRedirectUri = baseClientAddress + "signout-callback-oidc/",
ResponseType = "code id_token",
Scope = "openid api1 ratingspro.webapi offline_access",
UseTokenLifetime = false,
SignInAsAuthenticationType = DefaultAuthenticationType,
RequireHttpsMetadata = true,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
var client = HttpClientFactory.Create();
var tokenResponse = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = IdsvrConstants.TokenEndpoint,
ClientId = "ratingspro.web",
ClientSecret = "secret",
Code = n.Code,
RedirectUri = n.RedirectUri,
});
if (tokenResponse.IsError)
{
LogHelper.LogMessage("RatingsproApp: Startup => tokenResponseError: " + tokenResponse.Error);
throw new AuthenticationException(tokenResponse.Error);
}
var userInfoResponse = await client.GetUserInfoAsync(new UserInfoRequest
{
Address = IdsvrConstants.UserInfoEndpoint,
Token = tokenResponse.AccessToken
});
if (userInfoResponse.IsError)
{
throw new AuthenticationException(userInfoResponse.Error);
}
var claims = userInfoResponse.Claims;
if (claims.Any(c => c.Type == "ApplicationAccessDenied"))
{
throw new AuthenticationException(claims.FirstOrDefault(c => c.Type == "ApplicationAccessDenied").Value);
}
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaims(claims);
id.AddClaim(new Claim("AccessToken", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString(CultureInfo.InvariantCulture)));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
client.Dispose();
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token").Value;
n.ProtocolMessage.IdTokenHint = idTokenHint;
}
return Task.FromResult(0);
},
AuthenticationFailed = x =>
{
x.ProtocolMessage.RedirectUri = "/";
return Task.CompletedTask;
}
}
});
}
}

Javascript injection goes wrong

In our Android project (download manager) we need to show built-in web browser so we able to catch downloads there with the all data (headers, cookies, post data) so we can handle them properly.
Unfortunately, WebView control we use does not provide any way to access POST data of the requests it makes.
So we use a hacky way to get this data. We inject this javascript code in the each html code the browser loads:
<script language="JavaScript">
HTMLFormElement.prototype._submit = HTMLFormElement.prototype.submit;
HTMLFormElement.prototype.submit = formSubmitMonitor;
window.addEventListener('submit', function(e) {
formSubmitMonitor(e);
}, true);
function formSubmitMonitor(e) {
var frm = e ? e.target : this;
formSubmitMonitor_onsubmit(frm);
frm._submit();
}
function formSubmitMonitor_onsubmit(f) {
var data = "";
for (i = 0; i < f.elements.length; i++) {
var name = f.elements[i].name;
var value = f.elements[i].value;
//var type = f.elements[i].type;
if (name)
{
if (data !== "")
data += '&';
data += encodeURIComponent(name) + '=' + encodeURIComponent(value);
}
}
postDataMonitor.onBeforeSendPostData(
f.attributes['method'] === undefined ? null : f.attributes['method'].nodeValue,
new URL(f.action, document.baseURI).href,
data,
f.attributes['enctype'] === undefined ? null : f.attributes['enctype'].nodeValue);
}
XMLHttpRequest.prototype.origOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, password) {
// these will be the key to retrieve the payload
this.recordedMethod = method;
this.recordedUrl = url;
this.origOpen(method, url, async, user, password);
};
XMLHttpRequest.prototype.origSend = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(body) {
if (body)
{
postDataMonitor.onBeforeSendPostData(
this.recordedMethod,
this.recordedUrl,
body,
null);
}
this.origSend(body);
};
const origFetch = window.fetch;
window.fetch = function()
{
postDataMonitor.onBeforeSendPostData(
"POST",
"test",
"TEST",
null);
return origFetch.apply(this, arguments);
}
</script>
Generally, it works fine.
But in Google Mail web interface, it's not working for some unknown reason. E.g. when the user enters his login name and presses Next. I thought it's using Fetch API, so I've added interception for it too. But this did not help. Please note, that we do not need to intercept the user credentials, but we need to be able to intercept all, or nothing. Unfortunately, this is the way the whole system works there...
Addition #1.
I've found another way: don't override shouldInterceptRequest, but override onPageStarted instead and call evaluateJavascript there. That way it works even on Google Mail web site! But why the first method is not working then? We break HTML code somehow?

Server Returns Bad Request 400 On REST POST CALL, even though uri is correct

I am trying to add an option label and option value to an optionset field(new_contractserving) found on an entity called new_servingtime. Not sure if I am doing this correctly, but the server throws a 400 Bad request, what's the issue?!
var entity = {
"new_contractserving": String(OptionValue),
"new_contractserving#OData.Community.Display.V1.FormattedValue": String(OptionText)
};
var reqJSON = new XMLHttpRequest();
reqJSON.open("POST", url + "/api/data/v8.2/new_servingtimes", false);
reqJSON.setRequestHeader("OData-MaxVersion", "4.0");
reqJSON.setRequestHeader("OData-Version", "4.0");
reqJSON.setRequestHeader("Accept", "application/json");
reqJSON.setRequestHeader("Content-Type", "application/json; charset=utf-8");
reqJSON.onreadystatechange = function () {
if (this.readyState === 4) {
reqJSON.onreadystatechange = null;
if (this.status === 204) {
var uri = this.getResponseHeader("OData-EntityId");
var regExp = /\(([^)]+)\)/;
var matches = regExp.exec(uri);
var newEntityId = matches[1];
} else {
Xrm.Utility.alertDialog(this.statusText + ": Third Request!");
return;
}
}
};
reqJSON.send(entity);
HTTP 400 means bad data. If it was "URI not found" it would have been a HTTP 404
HTTP 400 on a POST usually means, your request (requestbody) failed some validation on the server side or it did not confine to the format which server is expecting
You should be using InsertOptionValue Action to add new option to the existing picklist attribute in an entity.
CRM REST Builder is the best choice to compose such requests & test.
The request you have written can be used to set attribute value in a record, but still it’s incomplete. Read this blog to understand how you can execute webapi action.

Azure Mobile Service: 500 Error but it's actually working?

I've got an Azure Mobile Service with a custom API. I have tested this API in the past from iOS and it seems to work fine. I am now testing this API on Android. This is the API method in question:
exports.post = function(request, response) {
var body = request.body;
var email = body.email;
var tables = request.service.tables;
var users = tables.getTable('User');
users.where({ email: email }).read({
success: function (userList) {
if (userList.length === 0) {
response.send(200, { Status: 'Error', Error: 'Email not found.' });
} else {
var user = userList[0];
var providerId = user.ObjectId;
var accounts = tables.getTable('Account');
accounts.where({ User: providerId }).read({
success: function (accountList) {
if (accountList.length === 0) {
response.send(200, { Status: 'Error', Error: 'Internal server error.' });
} else {
var account = accountList[0];
var mssql = request.service.mssql;
var sql = "EXEC [db].[usp_RequestPasswordReset] ?;";
mssql.query(sql, [account.id], {
success: function (results) {
console.log(results);
var codeRow = results[0];
if (codeRow == undefined) {
console.log("codeRow is undefined");
} else {
console.log(codeRow);
}
var code = codeRow.Code;
response.send(200, { Status: 'Success', Message: 'Please check your email for further instructions.', Code: code });
sendEmail(email, user.Name, code);
}
});
}
}
});
}
}
});
};
Now, sendEmail is a separate function that sends an email using Azure's SendGrid feature.
What is really perplexing me is that all of the code appears to be working fine.
The stored procedure executes just fine.
The database is updated exactly as I would expect.
The email comes through the SendGrid service exactly as expected.
The console.log messages that I have in the code display the expected values.
The only thing that is funky is that the call is returning a "500: Internal Server Error" error.
This is true both in my Android client and also in the API log on the Azure Management Portal.
The error message I am getting is telling me that var code = codeRow.Code; is trying to access 'Code' of 'undefined'. But it's not undefined.
Going back and checking my iOS client against this produces the same results.
Everything works fine except for the message returned to the user.
To be clear, the error code is 500, not 200, since it's possible for my code to return an "Internal Server Error" message.
Also, I am very sure that my mssql.query success block is firing, based on the console log messages and the outcome.
So, what gives?
mssql.query can call your callback more than once depending on what's in your stored procedure. You can define a variable outside your callback, e.g.
var callbackReceived = false;
and then in your callback, only send a response for the call that actually receives the updated record:
if (callbackReceived === false && results && results.length > 0) {
callbackReceived = true;
// continue as before
}
See also this question answered by one of the Azure developers:
Azure mobile service custom API calling SQL SP multiple times

No 'Access-Control-Allow-Origin', only errors on first call but works subsequently

I have an AngularJS app which is trying to auth with my Web Api. I receive the below error during the first call to my server if the user does not exist in my database, but does not happen on subsequent calls to the same method once the user exists in my db. (relevant code at the bottom)
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:1378' is therefore not allowed access. The response had HTTP status code 500.
The flow of the logic is:
AngularJS auths with Facebook when the user clicks login
App does an $http.post to my server for auth/login passing their credentials
Server polls Facebook API for user details
If user exists, update their profile and auth 'em
Else, create new membership user, update with FB details, and auth 'em
The only thing that's different if they don't exist in the database (which is when the defect occurs) is that the login method asynchronously calls a createUser method then returns data. No additional external calls are made.
API startup method enabling CORS:
public void Configuration(IAppBuilder app)
{
HttpConfiguration config = new HttpConfiguration();
var cors = new EnableCorsAttribute("*","*","*");
config.EnableCors(cors);
ConfigureOAuth(app);
app_start.WebApiConfig.Register(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(config);
}
API Controller:
[Route("Login")]
[HttpPost]
[AllowAnonymous]
public async Task<FacebookUserModel> Login(FacebookUserRequest user)
{
FacebookUserModel fbUser = new FacebookUserModel();
// Build FacebookUser object
try {
// Grab basic user details
string profileRequestUri = "https://graph.facebook.com/" + user.fbID + "?access_token=" + user.access_token;
HttpWebRequest profileRequest = (HttpWebRequest)WebRequest.Create(profileRequestUri);
profileRequest.Method = WebRequestMethods.Http.Get;
profileRequest.Accept = "application/json";
HttpWebResponse profileResponse = (HttpWebResponse)profileRequest.GetResponse();
Stream profileResponseStream = profileResponse.GetResponseStream();
StreamReader profileStreamReader = new StreamReader(profileResponseStream);
fbUser = JsonConvert.DeserializeObject<FacebookUserModel>(profileStreamReader.ReadToEnd());
} catch (Exception) ...
try {
// Grab profile picture
string pictureRequestUri = "https://graph.facebook.com/" + user.fbID + "/picture";
HttpWebRequest pictureRequest = (HttpWebRequest)WebRequest.Create(pictureRequestUri);
pictureRequest.Method = WebRequestMethods.Http.Get;
HttpWebResponse pictureResponse = (HttpWebResponse)pictureRequest.GetResponse();
fbUser.profilePictureUri = pictureResponse.ResponseUri.ToString();
} catch (Exception) ...
// If user exists, change password to new token and return)
if(userExists)
{
try {
IdentityUser identityUser = _repo.FindUser(ID, pass).Result;
FacebookUserModel dbUser = db.FacebookUserObjects.First(u => u.identityUserID == identityUser.Id);
db.Entry(dbUser).CurrentValues.SetValues(fbUser);
db.SaveChangesAsync();
fbUser.identityUserID = identityUser.Id;
return fbUser;
}
catch (Exception e)
{ return null; }
}
// Else, create the new user using same scheme
else
{
UserModel newUser = new UserModel
{
UserName = ID,
Password = pass,
ConfirmPassword = pass
};
// Create user in Identity & linked Facebook record
createUser(newUser, fbUser);
return fbUser;
}
}
private async void createUser(UserModel newUser, FacebookUserModel fbUser)
{
IdentityResult result = await _repo.RegisterUser(newUser);
var identityUser = await _repo.FindUser(newUser.UserName, newUser.Password);
fbUser.identityUserID = identityUser.Id;
db.FacebookUserObjects.Add(fbUser);
db.SaveChangesAsync();
}
AngularJS calls to my server:
var _login = function (fbID, fbToken) {
$http.post(serviceBase + 'auth/login', { "fbID": fbID, "access_token": fbToken }).then(function (response) {
var data = "grant_type=password&username=" + fbID + "&password=" + pass;
$http.post(serviceBase + 'auth/token', data, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } })
.success(function (tokenResponse) {
authServiceFactory.bearerToken = tokenResponse.access_token;
})
.error(function (err) {
console.log("token error:", err);
});
authServiceFactory.userObject = response.data;
window.localStorage['userObject'] = JSON.stringify(authServiceFactory.userObject);
})
};
Why would I get the No 'Access-Control-Allow-Origin' error only on the first call, but not subsequent ones?
Update
I have a workaround in place that works, but I don't really like. The issue only arose when calling a second method from my login controller, so if I moved that code up into the login controller instead of a secondary method it works without the CORS error. This really bothers me though and is inefficient, I'd love to know a better way around it.
if you're working with angularjs you might want to check out satellizer. It makes the auth process really simple and has some awesome built in window popup control.
As far as the Access-Control-Allow-Origin calls it could be happening because you explicitly set headers on the one call and the other ones are falling back to the default http provider? Check out $http and see if providing those defaults might work around it.