How to replace embedded credentials in subresource requests? - ajax

I get this error in the console in my Ionic app:
[Deprecation] Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass#host/`) are deprecated, and will be blocked in M59, around June 2017.
The line of code is a URL for an ajax request:
function dbUrl() {
return unescape(encodeURIComponent("http://idname:idnamepasswd#mysite.com/pDB.json"));
}
How can I fix this?

The five-parameter version of the XMLHttpRequest.open method allows you to specify the username and password.
xhr.open(method, url, async, username, password)
Here's the documentation and the spec.

Related

Google Identity for server-side web app - redirect URI mismatch

I'm attempting to set up the Code Model for Google authentication, so that my user can oauth with Google and my app can retrieve their Calendar data. I'm stuck on step 5 here, where I'm supposed to exchange the authorization code for refresh and access tokens. I'm using nestjs in the backend and React in the frontend.
What I've done already that's working:
User clicks a button on my web app's page
Client sets up google.accounts.oauth2.initCodeClient with the /calendar scope, in ux_mode: popup
User is shown the Google popup and can auth thru that
Client receives a response from Google containing the authorization code
Client makes a POST call to my backend to send it just that authorization code
In step 5, the client makes the POST call to localhost:4000/auth/google-test. In the backend, I'm using the googleapis package and have:
export const oauth2Client = new google.auth.OAuth2(
process.env.GOOGLE_CLIENT_ID,
process.env.GOOGLE_CLIENT_SECRET,
'http://localhost:4000/' // <- note, I'm not sure if this is corect
);
And in the relevant controller route, I'm doing:
#Post('google-test')
public async googleTest(#Body() bodyReceived: any): Promise<any> {
let { code } = bodyReceived
let { tokens } = await oauth2Client.getToken(code)
oauth2Client.setCredentials(tokens);
console.log('Tokens: ' + tokens);
return
The error I'm getting is related to oauth2Client.getToken(code), and the error is a redirect_uri_mismatch. In GCP for the credentials for this app, I've added all of these as "Authorized redirect URIs":
http://localhost:3000/home
http://localhost:4000/auth/google-test
http://localhost:4000
What am I doing wrong?
It took a bit more Googling, but turns out that the right answer is to have my server make the token call with the redirect uri as "postmessage".
This SO question gives a bit more context. A somewhat unbelievable message, but it seems to work for my app.
It is evidently that what is happening is that the redirect URI does not match with the one in the GCP. This usually happens because backend tools such as Nestjs may be appending a trailing '/' to the URL and it may be interpreted as being part of the redirect_uri value.
You can try by temoving any trailing '/' via this following method oauthurl.replace(/\/$/, '')
Moreover, you can pass the generated auth URL to a meta tag. And check the html header to confirm what is the URL value.

Authorization in Sonar REST/Web API

I have migrated my Sonar version from 5.4 to 6.3.1.
In 5.4 version, there was no login API provided by Sonar.
Hence we were adding an Authorization header in every call with value as Base64 encoded "username":"password".
But post migration to 6.3.1, the authorization fails with current implementation.
We tried passing token (generated from UI) as value of Authorization header but in vain.
We also tried calling Sonar login API (api/authentication/login) but it is not giving back any response.
Kindly help us resolve this issue.
Thanks.
Edit
Following is the code for calling REST Webservice:
byte[] encodedUsernamePassword = Base64.getEncoder().encode("adminUserName:adminPassword".getBytes());
ResteasyClient client = new ResteasyClientBuilder().build();
String target = "http://IP:Port/api/issues/search/?statuses=" + "CLOSED" + "&assignees=" + username + "&resolutions=" + "FIXED" + "&createdBefore=" + end_date + "&createdAfter=" + start_date + "&facetMode=debt";
javax.ws.rs.core.Response response = client.target(target).request(MediaType.APPLICATION_JSON).header("Authorization", new String(encodedUsernamePassword)).get();
String strResponse = response.readEntity(String.class);
First thing: api/authentication/login is of no help here. Per Web API documentation , Web API authentication is made through HTTP basic authentication.
So just pass the username/password in the header of each Web API request. And if you use User Tokens, as per same documentation:
This is the recommended way. Benefits are described in the page User Token. Token is sent via the login field of HTTP basic authentication, without any password.
Two changes were made in above code:
Added 'Basic' prefix to the value of Authorization header as follows:
header("Authorization", new String("Basic YWRtaW46YWRtaW4zMjW="))
Removed extra '/' before '?'from below URL as shown below:
http://IP:Port/api/issues/search/?statuses

Identityserver3: Token validation requests not visible in Fiddler

In fiddler composer, I execute a call to a local api that is secured by a local identityserver3.
I added the token, and I configured the middleware to validate the token on the server. Tt works fine, in Idenityserver3 log file I see a succesful token validation logmessage for the configured scope.
I assume that, with htis config, each time the api is called, the Idsrv3 middleware calls the token validation endpoint under the hood.
My issue is that fiddler does not show this middleware request, just the call to the api itself. Is this due to fiddler settings or is there another reason this request is invisible to fiddler?
Is there a way to display it?
Thanks
It could be that .NET is not routing the localhost traffic to fiddler proxy. For workaround check this.
http://docs.telerik.com/fiddler/observe-traffic/troubleshooting/notraffictolocalhost
Also, check if you have configured validation mode properly. According to documentation https://identityserver.github.io/Documentation/docsv2/endpoints/identityTokenValidation.html validation endpoint is useful if you have no access to crypto libraries locally.
Valid validation modes are
ValidationMode.Both - Use local validation for JWTs and the validation endpoint for reference tokens
ValidationMode.Local - Use local validation oly (only suitable for JWT tokens)
ValidationMode.ValidationEndpoint - Use the validation endpoint only (works for both JWT and reference tokens)
You can set the validation mode in IdentityServerAuthenticationOptions
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://localhost:44333/core",
//RequiredScopes = new[] { "write" },
// client credentials for the introspection endpoint
ClientId = "write",
ClientSecret = "secret",
ValidationMode = ValidationMode.Local
});

Google Oauth Error: redirect_uri_mismatch

I'm trying to use google Oauth 2 to authenticate with google calendar API for a web server running on AWS EC2.
When I generated the credentials I selected 'OAuth Client ID' and then 'Web Application'. For the Authorised redirect URIs I have entered:
http://ec2-XX-XX-XX-XXX.eu-west-1.compute.amazonaws.com
(I've blanked out the IP of my EC2 instance). I have checked this is the correct URL that I want the callback to go to.
The link that is generated in the server logs is of the form:
https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=XXXXXXXXXXXX-XXXXXXXXXXXXXX.apps.googleusercontent.com&redirect_uri=http://localhost:47258/Callback&response_type=code&scope=https://www.googleapis.com/auth/calendar.readonly
When I follow the link I get the error
'Error: redirect_uri_mismatch'.
I've read this SO question and have checked that I am using HTTP and there is no trialing '/'
I suspect that the URL generated should not have 'localhost' in it but I've reset the client_secret.json several times and each time I restart tomcat with the new client secret I still get a link with localhost but just over a different port.
Locally, I had selected Credentials type of 'other' previously and was not given an option for the Authorised redirect URI. I did try this for the EC2 instance but this won't give me the control I want over the redirect URI and sends the redirect over localhost.
Google throws redirect_uri_mismatch when the uri (including ports) supplied with the request doesn't match the one registered with the application.
Make sure you registered the Authorised redirect URIs and Authorised JavaScript origins on the web console correctly.
This is a sample configuration that works for me.
In case you are seeing this error while making API call from your server to get tokens.
Short Answer đŸ‘‡ - What solved my problem
use string postmessage in place of actual redirectUri that you configured on cloud console.
Here is my initilization of OAuth2 client that worked for me.
// import {Auth, google} from 'googleapis`;
const clientID = process.env.GOOGLE_OAUTH_CLIENT_ID;
const clientSecret = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
oauthClient = new google.auth.OAuth2(clientID,clientSecret,'postmessage');
My Case
On the frontend, I am using react to prompt the user for login with google with the authentication-code flow. On success, this returns code in the payload that needs to be posted to the google API server to get token - Access Token, Refresh Token, ID Token etc.
I am using googleapis package on my server. Here is how I am retrieving user info from google
// import {Auth, google} from 'googleapis`;
const clientID = process.env.GOOGLE_OAUTH_CLIENT_ID;
const clientSecret = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
oauthClient = new google.auth.OAuth2(clientID,clientSecret,'postmessage');
/*
get tokens from google to make api calls on behalf of user.
#param: code -> code posted to backend from the frontend after the user successfully grant access from consent screen
*/
const handleGoogleAuth = (code: string) => {
oauthClient.getToken(code, async (err, tokens: Auth.Credentials) {
if (err) throw new Error()
// get user information
const tokenInfo = await oauthClient.verifyIdToken({
idToken: tokens.id_token
});
const {email, given_name, family_name, email} = tokenInfo.getPayload();
// do whatever you want to do with user informaton
}
}
When creating a Oath client ID, DO NOT select web application, Select "Other". This way, the Redirect URI is not required.

OAuth token parameter missing when using request_youtube API

I try to using youtube API in code ingniter and using librari from https://github.com/jimdoescode/CodeIgniter-YouTube-API-Library when i call request_youtube()from direct link the https://accounts.google.com/o/oauth1/auth sent massage like this :
400. That’s an error.
OAuth token parameter missing.
That’s all we know.
This the code of request_youtube() :
public function request_youtube()
{
$params['key'] = xxxxxxxxxxxx.apps.googleusercontent.com';
$params['secret'] = 'xxxxxxxxxxxx';
$params['algorithm'] = 'HMAC-SHA1';
$this->load->library('google_oauth', $params);
$data = $this->google_oauth->get_request_token(base_url().'index.php/example/access_youtube');
$this->session->set_userdata('token_secret', $data['token_secret']);
redirect($data['redirect']);
}
what wrong with my code...or any step i miss???
The library that you are using is deprecated probably because of which it is unable to make calls to the Google Servers and is returning 404 errors. You can still follow the original way of authentication using OAuth where you validate your app with the client id client secret and get the Auth code. With the Auth code making a POST request and getting a access token and a refresh token in exchange. For details please refer to this official Google Youtube Documentation on OAuth.

Resources