I'm trying to create an app that uses drf-api-key for authorization. And I want to monitor which api key used in every connection used to database, Is there a way to that?
I tried to get the value of headers.get("Authorization") I get a none value, I just want to retrieve the name of api key used or the prefix of it.
You can simply get the token using:
token = request.auth
I figured it out by using
apiKey = request.headers['X-Api-Key'].split('.')[0]
Related
I have a laravel / angular app secured with tymon/jwt-auth.
Now I need a seperate Laravel (or Lumen) API. I want this API to accept the same tokens as the first one. I assumed that this would work if I would set the same secret and mount the middleware.
It doesn't. Using a freshly generated token I can query the first API but not the new one. Why is that? Is something else besides the secret used to verify the token?
What would be a good way to make this work? I would not mind to make a completely new authentication.
Edit: So it seems like a connection to the database is need to verify the token. Maybe it checks if the user specified in the token is actually present in the DB?
Edit2: Tore Nestenius commented about Aud-Claims. I wanted to go to the config/jwt.php file to check on that. But I had forgotten to create one. Now it works.
The aud claim in the token must match what both API's expect to see in the access token. I am glad my comment helped you to solve your issue.
I am using java-jwt plugin to generate jwt token from my spring boot services and i am succesfully able to do that.
But I have a situation where I am adding some user specific information in the token and while validating it I am trying to get that information by decoding the token and building the verifier to validate the token.
The way I am trying to get this information is by getting the claim first and from this claim i need to get the actual value that I added for some of the claims by providing their respective keys.
Lets suppose I added username as string but when i decode the token and from the claim I try to get it using claim.get("UsernameKey").toString() I get some jsonNode reference instead of the actual value.
Did I am missing something or I need to follow some other process to get the actual values that i used when I generated this token kindly let me know as am struggling to get it fixed and will be really helpful.
You use the wrong method. Use asString() and not toString().
You should use claim.get("UsernameKey").asString()
Found myself opening a couple of functions for access to users with invalid session tokens. The only way I could find to do that is to intercept the request using a bodyParser before Parse gets the request and removing sessionToken from the request.
Now trying to do a better job managing authorization to all functions - My question are:
can I relax the requirement that if a sessionToken is included it must be valid in any other way? Is session token validation done using a default validationHandler that can be replaced or is that done elsewhere?
to control access to cloud functions, is there anything like ACL roles? does cloud function's "validationHandler" accept only param? or can I inspect the user object as well?
Yes. In parse-server you can make sure that the sessions are valid because if you will try to run any CRUD operation with invalid session you will get http 403 error that your session is not valid or expired. You can control on the "Length" of your session by changing the sessionLength property in your parse-server app. The default is 1 year
There is no control access to cloud functions but you can check if a logged in user trigger this function by checking if the request.user is not undefined. Cloud functions can get only params in key-value pairs and those params cannot be Parse Objects. if you want to send ParseObject you can send the objectId of the parse object and then query for it in cloud code to get the full object. You can always access the user context in request.user (only if cloud code was triggered by the user). If you still want to "protect" your cloud code you can check if the calling user have a Role by query the Role DB and check if the user is contained there.
I'm starting to mess with the new Web API 2 template that uses OWIN/OAUTH2.
I want to setup a database table that stores an API key as opposed to a username/password that's passed in when generating a token.
Is this possible with OWIN?
I ended up using a custom grant_type which allows me to pass in whatever params I wanted.
I am using Restful api in CodeIgniter. Now I want to give api to third party, so I want to secure that api I am using digest, when I hit the api
in the browser a pop up comes which ask about username and password.
So I want to ask how to pass username and password in url to that it works.
Thank you in advance and sorry for the bad English
This doesn't directly answer you question but it does provide an alternative.
In my experience with API's you secure them with a HMAC. This is basically a hash that is generated using some data unique to the request, a timestamp and a private key. This hash along with the data used to create it will be passed to your API - NOT the private key - this data can all be sent in the headers of the request. When your API gets this data is uses the unique data, the timestamp and the private key to create another hash. The hash from the header and the newly created one are then compared. If they match you can be sure that the same private key was used to generate them. This saves sending any usernames/passwords over the internet.
I would also recommend that your server is setup to only serve HTTPS, this will help prevent man in the middle attacks.
This is a library that I have written for this very purpose.
https://packagist.org/packages/mardy-git/hmac
I hope this helps.