I have used postman to test request with Twitter API (https://api.twitter.com/1.1/statuses/user_timeline.json), but it gives me
{"errors":[{"code":215,"message":"Bad Authentication data."}]}
My header is:
Authorization:OAuth oauth_consumer_key="MLcGSZNPmn2un5DKbtgnYi8JY",oauth_token="%20751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1468092744",oauth_nonce="ABCDEFGHIJKLMNOPQRSTUVWXYZ123456",oauth_version="1.0",oauth_signature="fkf0NE2PmDLQZY%2BzMa7gQmA72kU%3D"
and postman auth setting is:
How can I solve this?
Remove the space in
oauth_token="%20751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc"
it should be
oauth_token="751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc"
while sending request to twitter
Make sure that you are providing the query parameters which are required.
I received the same error, 215 Bad Authentication Data when I was not providing the only required query parameter, the search string q, in the GetUsers call. But since I did not intend to search for any specific user, I resorted to the Streaming APIs.
Related
So I have this situation.
I am coding inside a controller API in spring boot that gets a request with authorisation header.
I need to hit a token endpoint with this header to get the access token.
After this I need to hit an API with this toke to get some information.
Now one way of approaching this is to ,
Create a clients one to get the token .
Create another client to hit the actual API.
Then when my API received the request , then hit these above endpoints in succession to get
the job done. Also, need to take care of caching the token so that we dont end up doing this
every time.
Because this looks like a pattern I want to create a system where i can create one client kind of like the Spring WebCLient and that can take care of hitting the token uri when required.
But all documentation I am reading suggest providing a token url(which I have) and also clientid/secret in the configuration.(These I dont. I only have the incoming auth code).
Is there a programmatic way I can achieve the same with webclient ?
I need to authenticate a webhook post from a third party integration on my backend api server. The only thing I can define is the endpoint url they will call. It can't be dynamic once they have to register and the process takes 3 days. And we use a multi-tenant solution, so we have to authenticate with different schema on every call.
So the problem is that I have to create a filter for this webhook, so I can authenticate it through a value contained in the json of a post body.
So I defined a WebSecurityConfigurerAdapter and added a AbstractPreAuthenticatedProcessingFilter so I can intercept the request, read the value in the json body authenticated with the appropriate credentials.
I follow this tutorial Reading HttpServletRequest Multiple Times in Spring so I could be able to read InputStream from the request without erase it.
So my question about it are two.
1: Is there a better/easy approach so I can archive this result?
2: I guess this tutorial are missing something, because I'm getting null pointer at servlet when try to read the request (again, after I have already read at the filter).
Any guess would be appreciated, thanks in advance.
Are we allowed to know which 3rd party service?
PayPal/Stripe for example have docs already to explain how to verify the data.
If you can add metadata/custom fields to the webhook, you could sign it for example.
As far as checking the signature/verifying it, why not do this in the #Contoller=>#Service?
I'm working on the Flutter app which is using APIs to get the data from the server. The flutter app is public and anyone can use without login to the application. And all working fine.
My question: is there is any way to identify where the API request comes from. Because anyone can use this API to get data and this may lead flooding the server.
If it is possible to find out from where the request is coming from, then I can process the request that is ONLY from my Flutter application.
Is it possible?
Use https as protocol and add an api key and client secret to your app.
Then protect your api with e.g. http basic auth or OAuth.
https://laravel.com/docs/7.x/authentication#stateless-http-basic-authentication
https://laravel.com/docs/7.x/passport
when the first request comes in to the server, issue a token, for example
(psuedo code)
//here stringContainingData can be a json string having details about the client and the connection
token = MyHashingFunctionUsingAPassword(stringContainingData,MyStrongPassword);
after sending back the token, next api access should contain the token with every request if not reject, if the token exists, do this
stringContainingData = MyDeHashingFunction(token,MyStrongPassword)
//verify data
mappedToken = stringToMap(stringContainingData);
if(mappedToken.containsKey('keyThatShouldBePresent') //acknowledge request
else //reject request
to reject further flooding, set max requests/second from a single IP
i'm building a WEB API with laravel and output only JSON. right now i'm struggling with authentication process, my question is:
if i use JWT do i need OAuth2.0?
if i use JWT do i need to make a view / layout for user to POST the login credential then set the Bearer token? if no need to provide a login screen then how can we get the login credential from user?
if i use JWT what is the standard TTL duration for real world api?
if i use JWT how can i passing the "refreshed token" to the HTTP Header Authorization, without using JS? (because i only output the JSON response then i think there is no space for javascript "< script >" tag to be in place.)
i am using postman to test my API so i really confuse about what or how to push the project into real world. PLEASE REALLY..., PLEASE correct me if i'm wrong developing the API and if there is any source of reading material please tell me the links. Thank you very much.
No.
No, you can send json fields.
No standard TTL duration, you can set what you like.
You can issue a request with HTTP Header Authorization in PHP.
I have read the page on implementing OAuth that Twitter have written. I've registered my app, it will only access my account, so I skip all the request token stuff. I have, from the "Your apps" page:
consumer token
consumer token secret
access token
access token secret
I write some ruby code and test its output against Beginner’s Guide to OAuth (suggested reading in the Twitter docs). I get the same output, i.e. the signature, the base string and the Authorization headers are identical.
However, when I connect to the Twitter Rest API and try the verify credentials command the response is invariably "Incorrect signature".
I try using different code (very similar to mine) from a gist by erikeldridge on github but it doesn't work either. Instead of connecting via cURL (using the curb library) I use Net/Http - same error response is returned.
I change over to using the OAuth gem. It uses Net/Http to connect. Same error response comes back.
Verify credentials isn't the only command I've tried to use in the API, but they all give the same error, whether it's GET or POST, requires extra params or not. I've been using the Search API successfully using the curb library without problems so I don't think it's the connection method.
What might I do to fix this?
Ruby 1.9.2; cURL 7.21.2; oauth 0.4.4; curb 0.7.8; json 1.4.6; OSX 10.6.5;
Even though your application is only accessing your data, you can't simply 'skip the request token stuff'. The request token is integral to the OAuthentication process.
Summarised, the 3 main parts of the OAuth process are as follows:
Get Request Token Key and Request Token Secret
Use Request Token to authorise application to access your data. This will provided the user(you) with a PIN
Use the PIN to exchange the Request Token and Secret for an Access Token and Secret.
A more detailed OAuthentication flow can be found here.
It's fixed - I regenerated the Consumer key and secret on the Twitter site and it started working. I've no idea why the previous set didn't work - the code was solid (works all the time now) and the details were correct. Perhaps they (Twitter) could provide more detailed error messages? But I'm happy :)