Im trying to get TripIt OAuth authentication working, but I find the documentation to go a bit over my head. TripIt docs
The paragraph below is from the documentation, I have tried putting together a POST request for a SOAP service where the documentation specified what to put into the headers and how to build an xml for the Http body. In this case I have no idea on how to build my request.
I have all the values the service asks for, just no idea of how to set these using only the info given below?
To obtain an authorized access token,
POST the following request parameters
to the URL:
https://api.tripit.com/oauth/access_token
oauth_consumer_key: The Consumer's public key.
oauth_nonce: A nonce no more than 80 characters in length.
oauth_signature: The signature of the reque…
oauth_signature_method: Current supported methods are HMAC-SHA1.
oauth_timestamp: The timestamp in seconds since the epoch.
oauth_token: The request token obtained in Step 1.
oauth_token_secret: The request token secret obtained in Step 1.
oauth_version: OPTIONAL - Assumed to be '1.0'
Could someone help me with how I'll go about building the POST request from the above?
Thank you:)
The way to do it yourself would be to read up on how the body of a POST request is put together (it looks a lot like a URL query string), build the string out of the various parts, and then use the request's -setHTTPBody: method.
Most people recommend using ASIHTTPRequest, which, among many other things, will do that work for you. See, in particular, the ASIFormDataRequest class, and its -setPostValue:forKey: method.
Here's some more detail on the format of the POST body:
From the W3C HTML4 spec, the section on forms.
The Wikipedia entry on "percent escaping".
From the HTML5 spec draft. These rules should be backwards-compatible, while being more precise than the text in the HTML4 spec, but no promises.
Related
I am writing a rest api which will provide some information based on the inputs in the request body. I am a bit confused which http method should I use i.e GET or PUT or POST.
As I know there will be request body so I am ruling out GET from this, as I did some research and found few server implementations may ignore request body for GET.
Now , the question remains should I use POST or PUT.
Considering the output of the API will remain same for same input provided (eg: if input is 1 and output is true, output will always remain true for input 1) which means the method should be idempotent, I am leaning more towards using PUT as compared to POST. Just want to confirm if I am thinking in the right direction.
Would be grateful for any help provided over this.
GET request should not have a request body in HTTP/1.1, more reading:
HTTP GET with request body
PUT as the name suggests puts a resource somewhere, so it's not the request to choose either.
POST is what I would choose to do something like that.
Or you could parse the data into the URL for GET.
(More reading: What's the difference between a POST and a PUT HTTP REQUEST?)
(It's one of my first answers - please leave feedback so I could improve!)
This question already has answers here:
HTTP GET with request body
(23 answers)
Closed 2 years ago.
I've been looking at how to implement the following:
I am developing a RESTful Web API (using .Net Core 2.2). I need to create an endpoint where the consuming client can send some text to the API, the API replaces some tokens in this text, and returns the text back to the consuming client.
I thought that the client should simply do a GET request, with the text in the body. The reply would then be the new text after the token replacements. However, from my research, it appears one should not stick anything with semantics in the body of a GET request. I'm not sure if arbitrary text with certain tokens that need to be replaced by the API qualifies as semantic? I've also seen it stated at "you should not be able to use the body of a GET request to alter the response". I guess I'm in trouble there, as depending what goes into he body, will affect the response.
So then, I've been struggling to figure out what is the correct way to do this. If anyone has an pointers I'd greatly appreciate it.
Thank you.
I thought that the client should simply do a GET request, with the text in the body. The reply would then be the new text after the token replacements. However, from my research, it appears one should not stick anything with semantics in the body of a GET request.
Right - RFC 7231
A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some existing implementations to reject the request.
In basic HTTP, you've got choices. One is to include a representation of your document in the URI itself
/?your_document_as_a_query_string
/your/document/as/path/segments
For short documents, that approach can be fine; but implementations are not required to support infinitely long identifiers, so you may discover that intermediate components reject your request, or crop the URI in transit.
A safe mechanism for achieving your goal is to use POST, rather than GET. POST supports a message body, so you can send the blank form to the server, and receive back the edited version in the response.
POST is the wildcard method of HTTP, it can mean anything. In the spec, the body of the response includes "a representation of the status of, or results obtained from, the action".
You might also consider that the response duplicates a lot of the content of the body of the request, and consider instead the possibilities of fetching a map of your template values from the server, and then applying the template on the client.
I have attempted to use the provided test data from the Cybersource documentation to create a token for a test PAN. However, when attempting to do so (assuming it was a REST Api) it results in a "403 - Forbidden" error. The documentation is limited, as it doesn't give much information on the API other than the following:
(Test) Endpoint: https://testsecureacceptance.cybersource.com/silent/token/create
Request to create a standalone payment token:
reference_number=123456789
transaction_type=create_payment_token
currency=usd
amount=100.00
locale=en
access_key=e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id=0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid=02815b4f08e56882751a043839b7b481
signed_date_time=2013-07-11T15:16:54Z
signed_field_names=comma separated list of signed fields
unsigned_field_names=comma separated list of unsigned fields
signature=WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method=card
card_type=001
card_number=4111111111111111
card_expiry_date=12-2022
card_cvn=005
bill_to_forename=Joe
bill_to_surname=Smith
bill_to_email=joesmith#example.com
bill_to_address_line1=1 My Apartment
bill_to_address_city=Mountain View
bill_to_address_postal_code=94043
bill_to_address_state=CA
bill_to_address_country=US
Is this a REST or SOAP API? How can this be tested in Postman? I tested to check if either works, and was unsuccessful. There is no information on what to include in the header either, so this is a bit puzzling.
Example POST test I am attempting:
POST https://testsecureacceptance.cybersource.com/silent/token/create
Content-Type:application/json
Accept:application/json
{
reference_number:123456789
transaction_type:create_payment_token
currency:usd
amount:100.00
locale:en
access_key:e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id:0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid:02815b4f08e56882751a043839b7b481
signed_date_time:2019-03-07T06:16:54Z
signed_field_names:profile_id,access_key,transaction_uuid,signed_field_names,unsigned_field_names,signed_date_time,locale,transaction_type,reference_number,auth_trans_ref_no,amount,currency,card_type,card_number,card_expiry_date,card_cvn,payment_method,bill_to_forename,bill_to_surname,bill_to_email,bill_to_address_line1,bill_to_address_city,bill_to_address_postal_code,bill_to_address_state,bill_to_address_country
unsigned_field_names:
signature:WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method:card
card_type:001
card_number:4111111111111111
card_expiry_date:12-2022
card_cvn:005
bill_to_forename:Joe
bill_to_surname:Smith
bill_to_email:joesmith#example.com
bill_to_address_line1:1 My Apartment
bill_to_address_city:Mountain View
bill_to_address_postal_code:94043
bill_to_address_state:CA
bill_to_address_country:US
}
"Is this a REST or SOAP API?"
The URL, https://testsecureacceptance.cybersource.com/silent/token/create, is used for Secure Acceptance Checkout API. Secure Acceptance Checkout API is neither a SOAP API or a REST API. It is designed to be used as an HTML form POST from a customers browser.
If your goal is to use a REST API from the browser then you will want to use Secure Acceptance Flexible Token documented here.
If your goal is to use Secure Acceptance Checkout API the full documentation for that is here.
"How can this be tested in Postman?"
Since this is not meant to be a REST API call but an HTML form POST and HTML response you may have limited success with Postman. For example even if you get the request to work successfully the response will be an HTML document not JSON.
One problem I see is that you are using the example signature, and that will not work for you. Ensure that you follow the documentation on how to create your signature as well as set the signed and unsigned fields.
#J.J. - the error you encountered -- "This field is invalid or missing.Please contact Customer Support.: ots_profileid' ". Is telling you that you are missing (or have an invalid) profileID in your request payload. The system doesn't know what profile to use when processing this request.
https://www.absolute.com/-/media/Commercial/resources/api/abt-api-working-with-absolute.pdf?la=en
I am trying to make the canonical request part for this one. On page 6 there is this part: Encoded hash of payload: Hash the entire body, HexEncode, and apply lowercase . I am not sure what is the payload that I should work on here if I'm trying to do a GET request. Is it the GET/POST params, or is it something else?
Payload is some data you send on the body of POST requests.
You can see more information on the docs.
With Postman examples you can see some requests, and notice POST is the only one which has body.
I know I'm late, #Felipe is slightly wrong here. Mistook what OP meant by payload. Generally payload does mean Body, but with Absolutes REST API, you send the payload in the Authorization header. It is a standard. And there is way better documentation available in AWS than Absolute.
Absolute also have C# SDKs.
AbsoluteSDK
AWS Signature Version 4 Docs or Signing a Request
We received a request to create a REST api. I was a little confused in the example of provided by our client. As you can see below, they've identified the app_id and secret in the URL before the #. The remainder of the URI looks like what I would expect.
Is this valid? I thought maybe this is some weird cURL format I haven't seen before.
https://{application_id}:{api_secret}#api.example.com/entity/{entity_id}/
https://{application_id}:{api_secret}#api.example.com/entity/{entity_id}/entity_locations/{locations_id}/
Just seeing if anyone has seen this format before?
A URI is made up of various parts, one of them being the authority part, which can feature optional username:password element.
The full scheme is:
scheme://username:password#domain:port/path?query_string#fragment_id
This way your REST api remains stateless [not relying on previous app states like storing stuff in session]. But I advice you not to explicitly go with the username:password#stuff route, but to rely on Basic HTTP Auth, so the credentials are sent encoded in Base64 at least.
EDIT: a brief note about BasicAuth now you're asking - things go like this:
you make a request to http://johndoe:12345#service/api/foo/bar;
are credentials good? Ok, you get a 200 OK response with proper body;
are they not? You get a 401 Unauthorized response.
In the latter case, it's the browser [or any other program / script performing the request] that should prompt the user with the login popup.
Usually browsers ask you to cache credentials not to ask them every time, but this does not mean that they are not sent - it's just that every request to protected resources are featured with such header:
Authorization Basic base64encode(username:password)
Where base64encode is your custom way to encode the username:password string.