I need Cypress authenticate a XHR request done in my app. The authentication is not Basic, but Digest, which has made finding help harder.
There also seems to be a bug for authenticating requests, such like:
cy.request({
url: 'http://postman-echo.com/digest-auth',
auth: { user: 'postman', pass: 'password', sendImmediately: false },
})
https://github.com/cypress-io/cypress/issues/2128
I'm wondering if there is a temporary workaround involving making Cypress manually entering the credentials in the dialog?
I've looked into listening to events such as window:alert and window:confirm, but these don't seem to catch the auth dialog.
TL:DR: How can I make Cypress enter the credentials manually in the dialog?
cy.visit currently only supports sending Basic HTTP auth, but I've opened a feature request for digest auth: https://github.com/cypress-io/cypress/issues/4669
In the meantime, the workaround would be to disable HTTP authentication in your local testing environment.
I tried this
Try and send the username and password in the url
Send Auth Headers with your request
Worked fine in the below example
https://www.youtube.com/watch?v=0HAn6B4E-Kc
You would probably need something like this
cy.visit('http://yoururl/')
cy.get('input#username').type('username')
cy.get('input#password').type('password')
cy.get('button#signin').click()
Related
The website used for user authentication is protected using Basic Authentication. How can I switch to a different baseUrl while still using Basic Authentication to view the page?
I think you are looking for the Cypress docs Add basic auth headers
Cypress will automatically apply the right authorization headers if you're attempting to visit an application that requires Basic Authentication.
Provide the username and password in the auth object. Then all subsequent requests matching the origin you're testing will have these attached at the network level.
cy.visit('https://www.acme.com/', {
auth: {
username: 'wile',
password: 'coyote',
},
})
so it's nothing to do with the cy.origin() per-se, rather the cy.visit() that takes you to that other origin.
I try to run Koel (or Kutr, a fork) behind a HTTP basic auth user/password dialog: https://koel:8001 behind an nginx reverse proxy https://koel with basic auth enabled.
Koel is a Laravel application and uses JWT tokens and the Authorization Header field like this:
Authorization: Bearer eyJ0eX…
This means that every request overwrites the basic auth header (that uses the same field) and the login dialog pops up again and again.
When I set APP_URL in the file .env to https://user:pass#koel, all links to static files are indeed properly fetched. API calls like https://koel/api/data unfortunately ignore this.
Can I use some kind of Middleware to inject user and password into the API calls?
The principle of JWT is to avoid using basic auth which is like no authentication at all (your credential are transmitted in clear with basic authentication).
So, I'd say that JWT using Authorization is a good thing, since it prevents your credential from leaking in case of bad configuration.
The principle of JWT is to, upon valid credential, to generate a token that's stored in your browser (a bit like a cookie). Then, with this token, there is no need to present any authentication whatsoever (so the credentials are present only once upon authentication, no during the complete session like for a basic or digest authentication).
With Koel, you can't do much to prevent this, since there is no way to change the login page in order to use basic authentication.
With Kutr however, I've done some hooking mechanism so you can plug your own login page (which can be as simple as validating a basic authentication).
It's available here
In your case, replace the top of the file from:
// Require your CMS bootstrap code here
require_once("yourCMSbootstrap.php");
// Bootstrap your CMS and check the session is valid (if not your CMS will fallback the login screen)
checkSession();
to
// Assert the user provided an basic or digest authentication
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit();
} else {
$login = $_SERVER['PHP_AUTH_USER'];
$pw = $_SERVER['PHP_AUTH_PW'];
if (!checkValidLoginAndPW($login, $pw))
{
header('HTTP/1.0 401 Unauthorized');
echo 'Game over';
exit();
}
}
Make sure the user's login also exists in Kutr's application
I am writing a small Ruby program that connects to a web service. The program prompts for username and password credentials, and I would like to ensure that they are correct before I proceed with other important business.
Is there any simple HTTP GET/POST request that I can send to the web server to authenticate the credentials?
Also note that I have little experience working with web services, so I also am not sure if this approach is a good idea in the first place...
EDIT here is my source code so far. I am using the JIRA Ruby gem FYI.
client = JIRA::Client.new(
username: username,
password: password,
site: 'https://foo.com/',
context_path: '',
auth_type: :basic)
puts client.request('HEAD', '/')
https://jira.foo.no/rest/api/2/search?maxResults=1
Gets the latest issue that you have rights to see. If you can't you will get a forbidden or unauthorized HTML page
How to authorize only my app to use my REST API ?
I have this code in Javascript
$.ajax({
type: 'DELETE',
url : 'removeTest',
data: { ... },
beforeSend:function(){
...
},
complete:function(){
...
},
success:function(data, textStatus, jqXHR){
...
}
});
This call will remove a user from the database with REST API in PHP. The problem is that everyone can remove a user, with POSTMAN (Chrome plugin) for exemple. How can I protect my REST API to authorize only my app.
Check the HTTP_REFERER is not enough. What could be better ?
Thanks for your help
You have several possibilities here. In general you could authorize the user, the app or both. This depends on your application requirements.
Authenticate Applications
To authenticate the application you could use a token based system, such as an API-Key. This means any request would be signed using additional request parameters. Take a look at the way amazon does this in their S3 service for example. If your application will be the only one that will access the rest API you could alternatively simply restrict the acces by the IP address.
If there will be multiple users using the service via your client, you may also need to authorize the access to certain functions. For example: Will every user be allowed to delete any resource? If the answer is no, you have to implement
Authenticate and authorize users
A simple way to authenticate users in a RESTful API is using HTTP Basic or Digest Auth. In this setting the user credentials are sent via the Authorization header in a form of username:password as Base64 encoded hash to the server. Please note that you should only do this via an secured connection using HTTPS!
Additionally you could also take a look at more complex/sophisticated practices like OAuth.
I would like to prompt a native login for my admin page (something like this http://demo2.opencrypt.com/oc/members/).
I'm aware that most like I have to use $.ajax and force it to response statusCode 401. However, I have no idea how I should proceed.
Thanks in advance!
I am not absolutly sure but I think if you want to handle a basic auth you cannot let the user show that form by your own. That comes directly from the webserver however if you just need to auth for that ajax request you could try to use this schema:
http://user:password#server/path/to/file
While you need to handle that username and password somehow yourself.