I have a laravel application with a form, where upon a GET request (example.my.lan/form) of the formular the user receives a *_session cookie and a XSRF-TOKEN cookie. Now I'm trying to call the controller (example.my.lan/form/confirmation) via POST on the command line with cURL:
curl -vvv -k -X POST -d "param1=value1¶m2=value2" \
-H "Content-Type: application/x-www-form-urlencoded" \
--cookie "my_form_session=a...z" \
--cookie "XSRF-TOKEN=a...z" https://example.my.lan/form/confirmation
curl -vvv -k -X POST -d "param1=value1¶m2=value2" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "my_form_session=a...z" \
-H "XSRF-TOKEN=a...z" https://example.my.lan/form/confirmation
curl -vvv -k -X POST -d "param1=value1¶m2=value2" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "my_form_session: a...z" \
-H "XSRF-TOKEN: a...z" https://example.my.lan/form/confirmation
From my browser everything works as expected. But if I call the controller on the CLI using cURL, the laravel app is always responding with a 419 (The page has expired). I know this is some cookie related issue, but still can't figure ou how to solve it - maybe someone has an idea?
So roughly speaking here's what needs to happen:
You need to perform an initial request to get a valid session cookie (which is essentially an encrypted session id) and along with that you also need to somehow obtain a valid CSRF token.
To get the token you have two options.
Visit a page which has a form which includes it via #csrf
Grab the cookie called XSRF-TOKEN which contains the encrypted csrf token
When you send the request you need to be sure you send the correct session cookie e.g. --cookie "my_form_session=a...z".
If you got the token from the #csrf field then you either send the header X-CSRF-TOKEN or as an additional form field _token=csrftoken
If you got the token from the XSRF-TOKEN cookie, which contains an encrypted CSRF token, this needs to go in the X-XSRF-TOKEN field.
By convention, all non-standard HTTP headers should be prefixed with X- (indicating an extension to the protocol) which is why those headers start with X-
Related
I am building an Github OAuth app and attempting to see if I can validate the access_token returned by github upon login. The access_token is returned by github by making a POST call to the end point https://github.com/login/oauth/access_token and passing in CLIEND_ID and CLIENT_SECRET provided by github. Using this access_token, we can then access users information. My main question is, is there an end point to validate this token? I wanted this because I am running a node server which accesses files on github. As of now, the node end point is open and anyone can just call the functions in it. In each function, I would like to check if the user has a valid token or not before returning data to them and as such, have some form of security to my node API.
This is how I get the access_token in node
const params = "?client_id="+CLIENT_ID+"&client_secret="+ CLIENT_SECRET +"&code="+req.query.code;
await fetch("https://github.com/login/oauth/access_token"+params,{
method: "POST",
headers:{
"Accept": "application/json"
}
}).then((response) => {
return response.json();
}).then((data)=> {
res.json(data);
});
I have tried the following cURL end points, and it does return data
curl -H 'Authorization: token myGitHubAccessToken' https://api.github.com/user/repos
reference: https://onecompiler.com/questions/3uxsn58yz/how-to-test-a-github-access-token-is-valid
The above command does return data and my client ID, so it is somewhat useful. However, the access_token, which github returns a new one every time the user logs in, it itself seems to never expire. So I can copy a previously returned token to get the same data dump in the above command. I had read whats the lifetime of Github OAuth API access token that the token never expires, but then that itself is an issues. Is there some other method I should use to get around this issue? I dont want my API's to be open. If I could validate the access_token provided by github in every one of the node functions and also have it expire upon logging out, the issue will be resolved.
Also tried some options mentioned here: https://developer.github.com/changes/2/
of which, https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#check-a-token
made the most sense to me. But the cURL command given on that page:
curl \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/applications/Iv1.8a61f9b3a7aba766/token \
-d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}'
does not seem to work. It returns Bad Data.
Please advise! Thank you!!
Found the answer:
To check access token:
curl -H 'Authorization: token access_token' https://api.github.com/user/repos
The above command returns repos. For me, this is enough because I just want some reply from github using the token thats not a 404
To delete the token:
curl \
-X DELETE \
-H "Accept: application/vnd.github.v3+json" \
-u CLIENT_ID:CLIENT_SECRET \
https://api.github.com/applications/CLIENT_ID/token \
-d '{"access_token":"ACCESS_TOKEN"}'
Reference: Remove/revoke GitHub OAuth 'access_token'
Apologies for the bad editing. Cant get it to look just right.
How can I pass username and
Password in invoke http processor. ( I am invoking this nifi-api/token to generate token ) it’s required username and password to authorise .
I am passing username and password in request username and request password. But still it’s not working
When you want to generate a token for the NiFi API for it to be used in subsequent API calls of NiFi you need to pass the credentials as x-www-form-urlencoded.
This can be achieved like this using a cURL command
curl --location --request POST 'https://server_URL/nifi-api/access/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=<USER_NAME>' \
--data-urlencode 'password=<PASSWORD>'
If you are familiar with Postman then you can use the Body tab and select x-www-form-urlencoded and define the credentials as Key and Value pair. This would generate you the token for the NiFi.
In postman there is an option to send binary datatype in a api.
I am sending that in a api where but i am unable to detect that binary file in laravel request method.
curl --location --request POST 'http://192.168.*.*/api/v1/contact_us/save' \
--header 'Authorization: Bearer some_key' \
--header 'Content-Type: image/jpeg' \
--data-binary '#/Users/username/Desktop/filename.jpeg'
Above is my curl code generated in postman.
Although i am successfully getting this file when i request in multipart/form-data
I did see a question related to it but it is not the exact case
related question
If the HTTP request payload is purely a file (ie. not from a HTML form) then you can access it in Laravel using:
$request->getContent()
The Following CUrl works perfectly whenever I test it:
curl --request PUT \
--url https://api.sandbox.URL_HERE/document-analysis/90471702021 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer AUTH_TOKEN' \
--header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
--header 'api-version: 1.0' \
--form documentType=RG \
--form documentSide=FRONT \
--form 'image=data:image/jpeg;name=RG_Front.jpg;base64,/9j/4AAQSkZJRgABAQEAAQABAAD/4Tn0RXhpZgAATU0AKgAAAAgABgALAAIAAAAmAAAIYgESAAMAAAABAAEAAAExAAIAAAAmAAAIiAEyAAIAAAAUAAAIrodpAAQAAAABAAAIwuocAAcAAAgMAAAAVgAAEUYc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8JeLF8wysb6N95+837vqfyr2KvwCwP8VH2ABmkb5RQGx2qNm8zhTj3rk5rH0xImduKSY7UP0NPHFMlXcpHTrWiE9j8eNcuLbT/FWpXcipPi/uC1uyNIANzjHHBIyDjOOKyLW8eOS7gNrCTdRF7O3RiESOLUbZY4IdzF41TcQC2R87bm5bmv0mK4xg4HpSKvvUuTvoP6nT7n5yXf7KPxc1ZZVu/Blg6SzNM6HWwgJBCoC6PvYJGCqqWIGScE1auP2SPi/N5/k6PpzPNGgaS81OKRvMRsrIw2FXO0BeRkjqa/RPb6mk9s5p8zBYOmj88ZP2Q/i2bGZY9G0a3U5aOFdV3m2YjD+QzIfJDDIKgkYPGOtQ/8MY/F545IF0/w9DaTFQYDqLHZGH3MrfJ+8LHGWfeeOMV+ie31PNJt96lTfYr6pTPz7uv2Mfi1eNMGj8OqZFYSTSavcOZN3396mMpg4U4CjGwY4zmP/hhv4pLkJN4XXdsORqFwJBIo4lRxFuRupwDt55Br9BiWVckcD0py4ZfahzYfVKZ8FzfsY/FqaczjVPCkcwiMcbLLKFiJxmRUEITzG6l2UsSeopY/wBjH4sRRzww6l4at02qiqt5clSqjCAAx5GDluSQWJJB6V96YpazUmxfU6Z8Ff8ADC3xDa4eU6p4XVWDYgae6aJCTkFRtyMNlsZxknjHFWY/2IviSm+Qa54dt7qUbJbi3aVfMXn5inlbA4zw6gMvY55r7s/GkxVuTZX1Sl2PhrUv2JfHV7Ggh1Pw3BIhk2SMZ2I3kZY/J8zkKFJbOB0rPuP2F/iDJIZzrvhuKbIPmwrP5seAAuxsZGMYAHGCRz1r70C+9Ky7hg9KmMmxrC0k9j4Mtf2F/HlxZrt8ReGpY2V0fCTbZo2cNsdduOCOowck8mtLUP2KfiJeafZWr+INDuRZktH9pedgWzkM42fvCvG3eW24GMDivuCOBY12rgD2GKk21pqJ4Sk3sfBq/sP/ABNbAl8QeGpAsLQ5LTh3DtmTJCBvn6HBHy8DAqC3/YV+IdtZ+Ql/4R8pZBMIVM4jLjI3Y8v5SVwpweQBmvvnbRirF9Updj4Ot/2JfiVZyWskOq+FxLbAqkpeZmaM/wDLJw0RWVM5P7wMeevTEH/DE/xSEjynUfClxLJKJpWnuLhnmYcqrN5fCA/wJtX2r7320bB/kmkL6nTPgif9hv4kXWm2llc3vhG+jttzo11Lc5Dv98gogwWODkc5HBqoP2FPihHfPdprPhn7Vu3CWSSR9/GDvBhw/wBWyR2r9Atopdop3D6nTPgZf2I/icNJ+wDVvDpt/M4tje3IjEZBzECIw4QHB8sPtz+IPWfB39kbx54F+LWheJ9W1Lw/Np+nzO7x6c8yv5flNGkaIUCBFBGAOeTknivsvb15pjAD+LAHXNTKWg44WnF3Q9felIxTc84xUlZWTO0jf/V5709elFFa9QFooopgMXvT6KKACiiigAooooAKKKKACkHSiikAtFFFCAKKKKYBRRRQAVG1FFSwFX7tPoopIBrULRRR1AdTKKKUtgCnUUUgEXvUUP8AqxRRUMCSiiihbgFFFFNgMqWiinABaKKK2AKKKKACiiigAooooAZJ3qP+9RRWD3Akp9FFVED/2Q=='
The Base64 string above was cut just to fit the comment field, but you get the idea.
I just have to send some info to the endpoint using HTTPClient but got stuck especially because Genexus says that the line is too big when I try to convert the image (1Mb) to a base64 string.
Has anyone gone through that?
It seems that the Web Service is expecting the new "multipart/form-data" instead of the old "application/x-www-form-urlencoded" for uploading files as explained here and the specification section for forms in HTML 4.01 is here. So, going to your question, I think that you can use the AddFile method of the HTTPClient data type (as explained here) to get your client working. Readink the wiki, it says:
In particular, if the content of the HttpClient message is multipart / form-data (given by Content-Type Header), then the AddFile method adds the file as multipart. In this case, the second parameter is needed to indicate the name of the variable that the file represents. Also, you have to necessarily precede your sentence with a header that specifies a specific Content-Type, like this:
&Httpclient.Addheader("Content-Type", !"multipart/form-data")
I say "I think" because I dindn't test myself, you can try and let us know if it works or not.
In OKTA Admin screen, I expired the password associated with my username.
Tried the primary authentication (/authn) as described in http://developer.okta.com/docs/api/resources/authn.html. Got the proper status back as PASSWORD_EXPIRED and also a state token.
Invoked the change password API (ie /authn/credentials/change_password) with the above state token and old/new passwords. Instead of getting the success message, I am getting the error message "E0000011: Invalid token provided".
My developer API token and state tokens are correct. Not sure why I am getting this error. Can you please help?
Thanks
Nara
After you expire the password in the the UI, the user of the expired password is no longer in an ACTIVE state. Specifically, they're set to a PASSWORD_EXPIRED state which does not allow password resets. This is a security feature as the intent of explicitly setting a user in the state is to limit constrain their access to the system.
Note that the user event model is documented in the Okta Developer Guide at http://developer.okta.com/docs/api/resources/users.html#user-status
Before you can change a user password, you need to re-activate the user.
curl -X POST \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "Authorization: SSWS {{apikey}}" \
-H "Cache-Control: no-cache" \
-d '' https://{{url}}/api/v1/users/00u36pr8k9DMRAQBVMWZ/lifecycle/activate?sendEmail=false