I try to download several files from OneDrive through Microsoft Graph.
I am very close to achieve my goal. For the moment I have managed the token system (notably through Jay Lee detailed answer), and achieved to resolve the confusion that I made among the different endpoints that exist in Microsoft Graph (thank you Marc LaFleur - MSFT).
Now I really work on the call of the API that would permit to download the files I want. This is how I proceeded:
1- As I've seen in the Microsoft Graph Documentation, the normal syntax would be the following:
curl -w %{time_total} https://graph.microsoft.com/v1.0/me/drive/items/01M...WU/content -H "Authorization: Bearer $access_token"
2- However, this gives me a 302 request, which I can't handle in bash. So I looked for another solution and I found this Microsoft article explaining that:
"To download files from OneDrive in a JavaScript app you cannot use the /content API, since this responds with a 302 redirect. A 302 redirect is explicitly prohibited when a CORS preflight is required, such as when providing the Authorization header.
Instead, your app needs to select the #microsoft.graph.downloadUrl property, which returns the same URL that /content would have redirected to. This URL can then be requested directly using XMLHttpRequest. Because these URLs are pre-authenticated they can be retrieved without a CORS preflight request."
It talks about Javascript but I think it can be applied to my case.
3- So I tried this method and I wrote:
curl "https://graph.microsoft.com/v1.0/me/drive/items/01MB...WU?select=id,#microsoft.graph.downloadUrl" -H "Authorization: Bearer $access_token"
It gave me the URL that normally would permit me to finally download the file, but when I execute it, I get the following response:
Code:
curl "https://graph.microsoft.com/v1.0/$metadata#users('e967dd4d-680e-4a06-9bf7-468875e1a04c')/drive/items/$entity" -H "Authorization: Bearer $access_token" (it is exactly what I got with the previous request)
Response:
Any help? Why is it a bad request since I've put exactly what I got from the graph.microsoft.com request?
https://graph.microsoft.com/v1.0/$metadata#users('e967dd4d-680e-4a06-9bf7-468875e1a04c')/drive/items/$entity is the #odata.context annotation, which is not what you're after. You need to pull the URL out of the #microsoft.graph.downloadUrl annotation and use that to grab the file contents. The URL you're after should mention download.aspx in it.
Related
Google released this blog post which says:
If you authorize download requests to the Drive API using the access
token in a query parameter, you will need to migrate your requests to
authenticate using an HTTP header instead. Starting January 1, 2020,
download calls to files.get, revisions.get and files.export endpoints
which authenticate using the access token in the query parameter will
no longer be supported, which means you’ll need to update your
authentication method.
and then says:
For file downloads, redirect to the webContentLink which will instruct
the browser to download the content. If the application wants to
display the file to the user, they can simply redirect to the
alternateLink in v2 or webViewLink in v3.
however if we use webContentLink then we will hit the 100mb virus page mentioned here.
I can see that the migration has been delayed, however sooner or later this will happen, and we want to future-proof the application.
How will we be able to download content without hitting the 100mb virus limit, after this change is implemented?
If you authorize download requests to the Drive API using the access token in a query parameter, you will need to migrate your requests to authenticate using an HTTP header instead.
Example query param:
GET https://www.googleapis.com/drive/v3/files/[FILEID]?access_token=[YOUR_ACCESS_TOKEN] HTTP/1.1
Accept: application/json
Example requests header:
GET https://www.googleapis.com/drive/v3/files/[FILEID] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
Assuming that you can do the http header option then you should not have any issues with the download as mentioned. The issues with download only come into play if you cant add the authorization header. In which case i think you would need to go with option number two and export the files directly.
I've developed an REST service using Golang Chi framework and deployed the same in GCP app engine standard environment. I've used secure:always in app.yaml so API always serves in HTTPS.
When we are calling API using command curl -X GET "HTTP_<API_ENDPOINT>" -H "Host: blogger.com" - I saw API response is 301 (Redirecting) and location header of response contains "blogger.com"
["blogger.com" is a google owned domain]
But,
When we are calling API using command curl -X GET "HTTP_<API_ENDPOINT>" -H "Host: msn.com" - I saw API response is 404.
["msn.com" is a non google owned domain]
I want to block any host header injection. I tried to fix it in application level but it seems app engine itself doing this redirection before request reached to application layer.
Kindly advise
It is not possible to restrict this behavior. The engineering team reviewed it in the past and considered negligible and not subject to exploits. The only thing you can do is to restrict such injection on client-side applications level.
Just dipping my toes into Apiary and API Blueprint, and having some problems with passing in some basic http authentication.
On an initial call, the API creates a token for any given user that needs to be used with any subsequent call. My problem is how to mark-up that authentication so it works with the Apiary production request.
The command-line curl (that works) is (in obfuscated code) this...
curl --user name#somewhere.com:tokenGoesHere http://test.server.uri/API/getUserInfo
So, how do I convert that curl command into the equivalent API Blueprint format?
Unfortunately there's no way, at the moment, to specify authentication/authorisation in APIBlueprint.
It's in the roadmap, but unfortunately we can't give you any precise ETA on that.
You might want to read our help page on the argument as well.
The reason was that I was logged in to WP.
Looking for a reason here: WooCommerce REST API Authentication fails when logged in
I am trying to connect to Woocommerce REST API using Ajax (to read product data)
The following URL ...
https://example.com/wp-json/wc/v1/products/1744?consumer_key=ck_xxx&consumer_secret=cs_xxx
... gives me this error:
{"code":"woocommerce_rest_cannot_view","message":"Sorry, you cannot view this resource.","data":{"status":401}}
I also tried the same using CURL like:
curl https://example.com/wp-json/wc/v1/products/1744 \
-u ck_xxx:cs_xxx
And got the same error.
What could be wrong here?
The key is read only.
I am quite sure the error means that everything is ok but there's an issue with authentication.
Entering exactly the same information into Advanced REST Client Chrome extension gives me exactly what I am looking for. Why is it not working with CURL or Ajax?
Even just pasting the URL at http://onlinecurl.com/ gets me 200 OK
EDIT: Got the CURL working like this:
curl -XGET 'https://example.com/wp-json/wc/v1/products/30552?consumer_key=ck_xxx&consumer_secret=xxx'
I am trying to create rest based webservices, which I want to secure them using spring security Oauth2.
What I found is then, in oauth2 we have to send auth_token in query string.
But my need is to send in header.
I have searched a lot, but I didn't get the answer which I need.
Is there anybody who can help?
Reference link [ http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
]
You can test sending the access token for example using Curl:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" http://www.example.com
With this you should be able to see, if server is working as expected. How to do it in client application depends on the programming language you are using.