I'm using token authentication to start jobs (because authentication would otherwise be complicated, due to our cloud security):
curl -X POST <<jenkins URL>>/job/ACC_INT-on-demand/build?token=012345678901234567890123456789012345678901234567890
But for stopping jobs, the token seems to be ignored:
curl -X POST <<jenkins URL>>/job/ACC_INT-on-demand/299/stop?token=012345678901234567890123456789012345678901234567890
I get error 403 (Authentication required).
Our team is developing a simple Angular website that sends form data to our backend via an API. This website will be published under a public IP, so the interaction will be protected with Google reCAPTCHA v3.
Recently we decided to run some stress tests in a pre-production environment in order to see if everything is stable and works correctly. So we set up a simple JMeter test group with 100 users and 100 loops. This way we had 10000 requests in total to our API. So, having all that configured, we ran the frontend in order to generate a reCAPTCHA token, executed the action which sends the data to the API and copied the generated token into the JMeter configuration.
The API, before passing the form data to the backend, checks if the token is valid by making a request to “https://www.google.com/recaptcha/api/siteverify”, specifying this token and the secret key generated in the reCAPTCHA admin console.
After executing the JMeter tests, we saw that a certain amount of requests bypass the validation of the token and end up in the backend, while the token has already been used.
What did we try?
Stress test of our API with 10k requests in order to try the validation of an already used reCAPTCHA token.
What did we expect to happen?
All the requests to return an error code of 401, because the reCAPTCHA token has already been used before and those tokens are single use only (the 401 code is returned by our API if the request to "/siteverify" returns "success:false" in the response body or a status code other than 200).
What actually resulted?
5% of the requests bypassed the validation and ended up in the backend.
JMeter results
(The 400 bad request errors are returned by the backend, after the validation of the token has already been done, meaning that the token was assumingly valid)
We checked the logs of our API and we've been able to verify that, in fact, the "/siteverify" requests return a status code of 200 and a response body of "success:true" in those 5% of the tests.
To me, it seems like some kind of balancing problem, maybe some node didn’t have enough time to replicate the status of that token? Or maybe the problem comes from our implementation… Hopefully someone could give us a hint!
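The verification flow described in the post (POST the token and secret to /siteverify, reject on anything but 200 + success:true), with one addition a practitioner would want after seeing a 5% replay rate: the API keeps its own record of tokens it has already verified and refuses a repeat before asking Google, so the outcome no longer depends on siteverify enforcing single use. This is an added example, not the poster's API; the secret, token strings, the `fake_opener` stand-in for urllib and the `demo` scenario are constructed so it runs offline.

```python
import hashlib
import io
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify(secret, token, opener=urllib.request.urlopen):
    """POST the token to siteverify and return the parsed JSON body.

    Any non-200 answer is treated as failure, as the post's API does.
    `opener` is injectable so the flow can be exercised offline."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=data, method="POST")
    try:
        with opener(req, timeout=5) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return {"success": False, "error-codes": [f"http-{err.code}"]}


class ReplayGuard:
    """Remembers hashes of tokens already verified for `ttl` seconds.

    siteverify is documented as rejecting a token on its second use, but the
    load test above shows that cannot be relied on, so the API keeps its own
    record and refuses a repeat before asking Google at all."""

    def __init__(self, ttl=120, clock=time.monotonic):
        self._seen = {}          # sha256(token) -> expiry time
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()

    def first_use(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        now = self._clock()
        with self._lock:
            for stale in [k for k, exp in self._seen.items() if exp <= now]:
                del self._seen[stale]
            if digest in self._seen:
                return False
            self._seen[digest] = now + self._ttl
            return True


def verify_request(secret, token, guard, expected_action=None,
                   min_score=0.5, opener=urllib.request.urlopen):
    """Return (accepted, reason) for one API request carrying a v3 token."""
    if not token:
        return False, "missing-token"
    # Claim the token locally *before* the network round trip, so two
    # concurrent requests with the same token cannot both get past this line.
    if not guard.first_use(token):
        return False, "replayed-token"
    result = siteverify(secret, token, opener=opener)
    if not result.get("success"):
        return False, "siteverify-failed:" + ",".join(result.get("error-codes", []))
    if expected_action is not None and result.get("action") != expected_action:
        return False, "action-mismatch"
    if float(result.get("score", 0.0)) < min_score:
        return False, "low-score"
    return True, "ok"


def fake_opener(body):
    """Constructed stand-in for urllib.request.urlopen that answers every
    request with `body` as JSON and HTTP 200 (i.e. Google says success)."""
    return lambda req, timeout=None: io.BytesIO(json.dumps(body).encode())


def demo():
    """Replay the load test in miniature: the same token submitted twice while
    Google would accept it both times. Returns the two (accepted, reason) pairs."""
    guard = ReplayGuard(ttl=120)
    google_always_ok = fake_opener({"success": True, "score": 0.9, "action": "submit"})
    first = verify_request("secret-key", "token-from-browser", guard,
                           expected_action="submit", opener=google_always_ok)
    second = verify_request("secret-key", "token-from-browser", guard,
                            expected_action="submit", opener=google_always_ok)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The in-memory `ReplayGuard` only helps on a single API node; behind a load balancer the same check needs a shared store (for example a Redis `SET NX EX` on the token hash) so that every node sees the same "already used" record. The action and score checks are the other two things a v3 integration should verify besides `success`.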
I have an app built with Spring Boot, it's using Apache Tomcat 8.5.53.
It all works fine, but sometimes my users get the following message:
HTTP Status 403 - ForbiddenType Status ReportMessage Invalid CSRF Token '1423gi43-3452-65t3-cg8d-21a75cd7gc3x' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
Then they refresh the page, login and it all works fine.
This doesn't always happen, and it doesn't happen for the same request. My users normally perform other operations before they see this message. However, it happens most of the time on POST or PATCH requests.
I have seen issues on stackoverflow where token is null, but in my case it randomly expires.
I don't want to remove the token.
Has anyone experienced (and hopefully solved) this issue before?
I've got a project where I have to log in through Google sign-in. I have created a Google project and set up the client/secret keys. I got to the point where I'm making a POST request to my web app server and sending the accessToken there:
OAuth2ConnectionFactory<Google> connectionFactory = (OAuth2ConnectionFactory<Google>) connectionFactoryLocator().getConnectionFactory(Google.class);
AccessGrant accessGrant = new AccessGrant(accessToken);
Connection<Google> connection = connectionFactory.createConnection(accessGrant);
The request is:
GET https://www.googleapis.com/plus/v1/people/me
Accept: application/json, application/*+json
Authorization: Bearer etc.
Here I got an exception: 403 Forbidden. I had to manually track what the actual request was and make the REST request manually to replicate the issue with the given headers.
Here is the result I'm getting:
"code": 403, "message": "Legacy People API has not been used in
project ... before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/legacypeople.googleapis.com/overview?project=...
then retry. If you enabled this API recently, wait a few minutes for
the action to propagate to our systems and retry."
First of all, the link fails to load. I didn't find any "Legacy People API", only the new People API.
I wonder if there is any solution to this problem? I have enabled People API and waited for long enough but the same error remains.
EDIT 1:
I think the spring-social project is dead. I'll rewrite the login logic and kick spring-social out of it.
Me too. This is my problem. I've been waiting 6 hours.
"code": 403, "message": "Legacy People API has not been used in project
Try using the Google Identity Platform OAuth API instead of the Legacy People API.
We are using our own logging solution because stackdriver is su...bpar. I want to pull the metrics on how many unacknowledged messages there are in the pubsub. Started to read the docs on that and they are all over the place.
Found this page:
https://cloud.google.com/monitoring/api/metrics
Despite being under the API section, it does not describe any API calls, but it does contain the description of the metric I want to extract.
Now I am thinking I need to use the monitoring api to extract what I need somehow:
https://cloud.google.com/monitoring/api/ref_v3/rest/
So I use the api explorer to try a couple of methods:
https://developers.google.com/apis-explorer/#search/monitoring/monitoring/v3/monitoring.projects.groups.list
I query and it gives me an available URL:
GET https://monitoring.googleapis.com/v3/projects/myprojectname/groups?key={YOUR_API_KEY}
I go to my project's console (API & credentials page), generate an API key without restrictions and paste it in, trying to curl.
curl https://monitoring.googleapis.com/v3/projects/myproject/groups?key=myrandomkeylkjlkj
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Why is this happening? How can I get the metrics? I went to the URL provided, but it explains OAuth token creation and has nothing regarding API keys. I just need to curl things to make sure I am going the right way.
Why does this have to be so hard? Killed several hours of my life trying to get this.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.access_token)')" https://monitoring.googleapis.com/v3/projects/myproject/groups
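The answer's point carried through to the metric the question actually asks for: the Monitoring API only accepts an OAuth2 bearer token (an API key produces exactly the 401 UNAUTHENTICATED shown above), and the unacknowledged-message count is the `pubsub.googleapis.com/subscription/num_undelivered_messages` gauge read through `timeSeries.list`. This is an added example, not from the question or the answer; the `GOOGLE_OAUTH_ACCESS_TOKEN` variable name, the project and subscription names, `SAMPLE_RESPONSE` and the `fake_opener` used by `demo` are constructed so it runs offline, while `gcloud auth print-access-token` is the real gcloud command.

```python
import io
import json
import os
import subprocess
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

MONITORING = "https://monitoring.googleapis.com/v3"
UNACKED_METRIC = "pubsub.googleapis.com/subscription/num_undelivered_messages"


def access_token():
    """OAuth2 access token for the caller. The Monitoring API rejects API keys
    (that is the 401 UNAUTHENTICATED above), so take the token from
    GOOGLE_OAUTH_ACCESS_TOKEN (an env var name assumed here) or ask gcloud."""
    tok = os.environ.get("GOOGLE_OAUTH_ACCESS_TOKEN")
    if tok:
        return tok
    return subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()


def timeseries_url(project, subscription, minutes=10, now=None):
    """timeSeries.list URL for the unacked-message gauge of one subscription."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(minutes=minutes)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    params = {
        "filter": (f'metric.type = "{UNACKED_METRIC}" AND '
                   f'resource.labels.subscription_id = "{subscription}"'),
        "interval.startTime": start.strftime(fmt),
        "interval.endTime": now.strftime(fmt),
    }
    return f"{MONITORING}/projects/{project}/timeSeries?" + urllib.parse.urlencode(params)


def parse_latest(body):
    """Newest value of each returned series, keyed by subscription_id.
    timeSeries.list returns points newest first; int64 values arrive as strings."""
    latest = {}
    for series in body.get("timeSeries", []):
        points = series.get("points")
        if not points:
            continue
        sub = series["resource"]["labels"]["subscription_id"]
        latest[sub] = int(points[0]["value"]["int64Value"])
    return latest


def unacked_messages(project, subscription, token=None,
                     opener=urllib.request.urlopen, now=None):
    """Return {subscription_id: unacked_count}; auth is a bearer header, never ?key=."""
    req = urllib.request.Request(
        timeseries_url(project, subscription, now=now),
        headers={"Authorization": "Bearer " + (token or access_token())})
    with opener(req, timeout=10) as resp:
        return parse_latest(json.loads(resp.read().decode()))


# Constructed sample of a timeSeries.list response (not a real capture).
SAMPLE_RESPONSE = {
    "timeSeries": [{
        "metric": {"type": UNACKED_METRIC},
        "resource": {"type": "pubsub_subscription",
                     "labels": {"project_id": "myproject", "subscription_id": "orders-sub"}},
        "valueType": "INT64",
        "points": [
            {"interval": {"endTime": "2024-01-01T12:00:00Z"}, "value": {"int64Value": "42"}},
            {"interval": {"endTime": "2024-01-01T11:59:00Z"}, "value": {"int64Value": "40"}},
        ],
    }]
}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo():
    """Run the query offline against SAMPLE_RESPONSE, checking on the way that
    the request carries a bearer header and no API key."""
    def fake_opener(req, timeout=None):
        assert req.get_header("Authorization", "").startswith("Bearer ")
        assert "key=" not in req.full_url
        return io.BytesIO(json.dumps(SAMPLE_RESPONSE).encode())
    return unacked_messages("myproject", "orders-sub", token="fake-token",
                            opener=fake_opener, now=FIXED_NOW)


if __name__ == "__main__":
    print(unacked_messages("myproject", "orders-sub"))
```

With a real token the principal needs the Monitoring Viewer role on the project; the `?key=` form from the API explorer is only for APIs that accept keys, which this one does not.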
I try to download several files from OneDrive through Microsoft Graph.
I am very close to achieving my goal. For the moment I have managed the token system (notably through Jay Lee's detailed answer), and managed to resolve the confusion I made among the different endpoints that exist in Microsoft Graph (thank you Marc LaFleur - MSFT).
Now I'm really working on the API call that would let me download the files I want. This is how I proceeded:
1- As I've seen in the Microsoft Graph documentation, the normal syntax would be the following:
curl -w %{time_total} https://graph.microsoft.com/v1.0/me/drive/items/01M...WU/content -H "Authorization: Bearer $access_token"
2- However, this gives me a 302 response, which I can't handle in bash. So I looked for another solution and I found this Microsoft article explaining that:
"To download files from OneDrive in a JavaScript app you cannot use the /content API, since this responds with a 302 redirect. A 302 redirect is explicitly prohibited when a CORS preflight is required, such as when providing the Authorization header.
Instead, your app needs to select the #microsoft.graph.downloadUrl property, which returns the same URL that /content would have redirected to. This URL can then be requested directly using XMLHttpRequest. Because these URLs are pre-authenticated they can be retrieved without a CORS preflight request."
It talks about Javascript but I think it can be applied to my case.
3- So I tried this method and I wrote:
curl "https://graph.microsoft.com/v1.0/me/drive/items/01MB...WU?select=id,#microsoft.graph.downloadUrl" -H "Authorization: Bearer $access_token"
It gave me the URL that should finally let me download the file, but when I execute it, I get the following response:
Code:
curl "https://graph.microsoft.com/v1.0/$metadata#users('e967dd4d-680e-4a06-9bf7-468875e1a04c')/drive/items/$entity" -H "Authorization: Bearer $access_token" (it is exactly what I got with the previous request)
Response:
Any help? Why is it a bad request, since I've put exactly what I got from the graph.microsoft.com request?
https://graph.microsoft.com/v1.0/$metadata#users('e967dd4d-680e-4a06-9bf7-468875e1a04c')/drive/items/$entity is the #odata.context annotation, which is not what you're after. You need to pull the URL out of the #microsoft.graph.downloadUrl annotation and use that to grab the file contents. The URL you're after should mention download.aspx in it.
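The two-step flow the answer describes, as an added example rather than the poster's script: request the item with `$select` while authenticating to Graph, take the URL from the downloadUrl annotation (on the wire the key is `@microsoft.graph.downloadUrl`; the `#` spelling from the quoted article is accepted too) and ignore `@odata.context`, then fetch the file from that URL without the Graph bearer token, since the link is pre-authenticated and lives on a different host. `SAMPLE_ITEM`, `SAMPLE_BYTES`, the item id, the SharePoint host and `fake_opener` are constructed so it runs offline; `fetch_and_download` with the default opener does the real calls.

```python
import io
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph returns the link under the first key; the second mirrors the spelling in the quoted article.
DOWNLOAD_URL_KEYS = ("@microsoft.graph.downloadUrl", "#microsoft.graph.downloadUrl")


def item_metadata_url(item_id):
    """Item request selecting only the id and the download annotation.
    The '$' is part of the OData option name; in bash keep it out of double quotes."""
    return f"{GRAPH}/me/drive/items/{item_id}?$select=id,@microsoft.graph.downloadUrl"


def extract_download_url(item):
    """Pick the pre-authenticated download URL out of an item JSON, or return None.
    '@odata.context' (".../$metadata#users(...)/drive/items/$entity") is a
    metadata annotation describing the payload and is never a download link."""
    for key in DOWNLOAD_URL_KEYS:
        url = item.get(key)
        if url:
            return url
    return None


def download_item(item, opener=urllib.request.urlopen):
    """Fetch the file bytes. The download URL is pre-authenticated and short-lived
    and points at a SharePoint host, so the Graph bearer token is deliberately
    NOT attached: it is not needed there and would leak to another origin."""
    url = extract_download_url(item)
    if url is None:
        raise ValueError("no downloadUrl annotation; request the item with "
                         "$select=id,@microsoft.graph.downloadUrl")
    with opener(urllib.request.Request(url), timeout=60) as resp:
        return url, resp.read()


def fetch_and_download(item_id, access_token, opener=urllib.request.urlopen):
    """Two-step flow: metadata with the bearer token, then content without it."""
    req = urllib.request.Request(item_metadata_url(item_id),
                                 headers={"Authorization": "Bearer " + access_token,
                                          "Accept": "application/json"})
    with opener(req, timeout=30) as resp:
        item = json.loads(resp.read().decode())
    return download_item(item, opener=opener)


# Constructed sample item response and file bytes (hypothetical id, host and query).
SAMPLE_ITEM = {
    "@odata.context": f"{GRAPH}/$metadata#users('e967dd4d-680e-4a06-9bf7-468875e1a04c')/drive/items/$entity",
    "id": "item-1",
    "@microsoft.graph.downloadUrl": "https://example-my.sharepoint.com/personal/user/_layouts/15/download.aspx?UniqueId=abc&tempauth=xyz",
}
SAMPLE_BYTES = b"hello from OneDrive"


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen: serves SAMPLE_ITEM for Graph calls and the
    file for the download URL, failing if the bearer token reaches the file host."""
    if req.full_url.startswith(GRAPH):
        assert req.get_header("Authorization", "").startswith("Bearer ")
        return io.BytesIO(json.dumps(SAMPLE_ITEM).encode())
    if req.get_header("Authorization") is not None:
        raise AssertionError("Graph bearer token must not be sent to the download host")
    return io.BytesIO(SAMPLE_BYTES)


def demo():
    """Returns (download_url, file_bytes) for the constructed item."""
    return fetch_and_download("item-1", "fake-graph-token", opener=fake_opener)


if __name__ == "__main__":
    url, data = demo()
    print(url, len(data), "bytes")
```

The same separation applies to the `/content` route: whatever follows the 302 should not forward the `Authorization` header to the redirect target, which is one more reason to read the annotation and request the file directly.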