http authentication using apiary / api blueprint - apiblueprint

Just dipping my toes into Apiary and API Blueprint, and having some problems with passing in some basic http authentication.
On an initial call, the API creates a token for any given user that needs to be used with any subsequent call. My problem is how to mark-up that authentication so it works with the Apiary production request.
The command-line curl (that works) is (in obfuscated code) this...
curl --user name#somewhere.com:tokenGoesHere http://test.server.uri/API/getUserInfo
So, how do I convert that curl command into the equivalent API Blueprint format?

Unfortunately there's no way, at the moment, to specify authentication/authorisation in APIBlueprint.
It's in the roadmap, but unfortunately we can't give you any precise ETA on that.
You might want to read our help page on the argument as well.

Related

How to use REST API with FaunaDB?

I have created a collection in my Fauna database. I also made an index that returns all the data in that collection. I want to know if there is a way to get JSON REST API to work with this data. What I mean by this is I want a URL that I can 'GET' using XMLHttpRequest and then parse into JSON.
You might say that Fauna is "HTTP native". All of the language drivers (JS, C#, Python, etc.) are built on top of http requests. That is, there are no special connections or connection-pools to maintain. You can get pretty far with using the JS driver in the browser, for example, without using a server.
But to answer your question more directly, there are many ways to serve a REST API, and it is going to depend on how you want to serve the API.
Examples
AWS
Here is a blog post on how to set up a REST API with AWS App Runner, for example.
https://fauna.com/blog/deploying-a-rest-api-with-aws-app-runner-and-fauna
Vercel and Netlify
There are also some example apps on github that demonstrate using a REST API with
Vercel:
https://github.com/vercel/next.js/tree/canary/examples/with-cookie-auth-fauna
Or Netlify:
https://github.com/netlify/netlify-faunadb-example
Both of which host serverless functions for you to create a REST API.

Google App-engine: How to restrict host header injection for google owned domains

I've developed an REST service using Golang Chi framework and deployed the same in GCP app engine standard environment. I've used secure:always in app.yaml so API always serves in HTTPS.
When we are calling API using command curl -X GET "HTTP_<API_ENDPOINT>" -H "Host: blogger.com" - I saw API response is 301 (Redirecting) and location header of response contains "blogger.com"
["blogger.com" is a google owned domain]
But,
When we are calling API using command curl -X GET "HTTP_<API_ENDPOINT>" -H "Host: msn.com" - I saw API response is 404.
["msn.com" is a non google owned domain]
I want to block any host header injection. I tried to fix it in application level but it seems app engine itself doing this redirection before request reached to application layer.
Kindly advise
It is not possible to restrict this behavior. The engineering team reviewed it in the past and considered negligible and not subject to exploits. The only thing you can do is to restrict such injection on client-side applications level.

API Gateway: can I POST to a method/resource with an API key, but by providing the key in the URL params instead of a header?

So, I set up a couple Lambdas and the API gateway. I got it all working! Cool, so then the next step was to require an API key. Ok cool plenty of resources out there on how to set it up.
So I got that working as well and I could POST using postman and python (requests). I can provide the 'x-api-key' in the headers of the POST and it works, no issues.
HOWEVER, and here's the problem: The program I'm going to ultimately be using to POST to my gateway API doesn't allow you to edit the details of your POST. The program is called splunk, here's what it looks like. Basically it posts some payload for you, the headers/auth/body can't be edited by you, it just sends some pre-configured thing. You just provide the endpoint and it does the rest. This works if I do not require an API key.
So I started thinking, ok no huge problem, I have seen APIs before where you provide the API-Key in the URL and it authenticates you fine. So this would be something like:
https://exampleAPI/sendmydata?x-api-key=12345
However, I cannot get this to work in AWS for the life of me. I haven't found anything by googling. Is this something that's even possible?
Thank you!
If you must use API key usage plans, you could consider getting the posted API key parameter to API Gateway endpoint A from LambdaA and proxy it with the relevant headers to API Gateway endpoint B.

How do you configure AWS API Gateway HTTP GET to return the BASE64 string as binary data?

I am trying to send binary data from my AWS Lambda function as a response to an AWS Gateway GET Method that DOES NOT use Lambda Proxy integration. I have tried all sorts of variations but still can't make it work, although I feel like I am close.
My API Gateway HTTP request is returning:
But what I want is is the actual binary data:
I did attempt using a mapping template, but was unsuccessful due to my lack of understanding the templating syntax/behavior(I tried $util.base64Decode($input.body) but that produced a server error).
But I wasn't sure if that was even necessary since I have the content handling set to Convert to binary.
I ran into this problem but I used a proxy url. Make sure to enable Binary Media Types. Also do not forget to deploy your changes, simply saving is not enough. Also make sure you have the correct content type in the header with client sending the payload.

Authorization header not sent using AFNetworking

I'm developing an iOS app that makes frequent requests to a web server, and I'm using AFNetworking (which I very much like). However, I'm running into a problem with authorization that I just can't solve.
The server requires me to provide an authorization header in order to get the response that I want. Specifically, the authorization headers should be like so:
Authorization = "ApiKey some-user-name:someNumericalApiKey"
I'm using AFNetworking throughout the project, and everything works fine, except for this authorization issue. I'm using the following code:
[myClient setDefaultHeader:#"Authorization" value:#"ApiKey some-user-name:someNumericalApiKey"];
where myClient points to an AFHTTPClient object. Strange enough, when I log the request in XCode using AFHTTPRequestOperationLogger, the logger claims that I have the correct headers set. However, the authorization header does not seem to reach the server - I can't see it in the server log.
To isolate the problem, I've tried to make the exact same request using good old NSURLRequest, as well as curl, and the requests library in Python - all of these work fine, i.e. the authorization header is sent & received (i.e. I can see it in the server log), and the server response is what it should be.
If anyone has run into the same problem (and has found a solution) I would very much appreciate to hear from you.
Thanks.
Sometimes (especially with Django) this is caused by redirection stripping of header parameters. For instance, /Object redirects to /Object/ in the background and removes the necessary auth parameter during the switch.
If you're using AFNetworkActivityLogger with level AFLoggerLevelDebug then you should be able to check this out in the console. If you see a POST request with /Object and the response with /Object/ then this might indicate redirection stripping is taking place.
If you construct your operation manually then the defaultHeaders are not applied, that might be the cause of your problem.

Resources