Laravel 5: AJAX Requests & Validation - laravel

Laravel 5.2 docs state:
AJAX Requests & Validation
In this example, we used a traditional form to send data to the
application. However, many applications use AJAX requests. When using
the validate method during an AJAX request, Laravel will not generate
a redirect response. Instead, Laravel generates a JSON response
containing all of the validation errors. This JSON response will be
sent with a 422 HTTP status code.
Src: https://laravel.com/docs/5.2/validation#quick-ajax-requests-and-validation
However, this doesn't seem correct. A simple CURL call to a route using validation, still returns HTML/a redirect:
curl -X POST -H "Content-Type: application/json"
-H "Cache-Control: no-cache"
-d '{}' "http://yours.com/user/register"
The response of the above is HTML, and a redirect. It's not JSON.
Even this page: https://laravel.com/docs/5.2/requests#retrieving-input states:
Retrieving JSON Input Values
When sending JSON requests to your application, you may access the
JSON data via the input method as long as the Content-Type header of
the request is properly set to application/json.
So what have we missed? What is the solution?

You also seem to need the following header:
"X-Requested-With: XMLHttpRequest"
Thus:
curl -X POST -H "Content-Type: application/json"
-H "X-Requested-With: XMLHttpRequest"
-H "Cache-Control: no-cache"
-d '{}' "http://yours.com/user/register"
And now $this->validate(...) is properly returning a JSON response.

Related

Insomnia configure OAuth 2.0 grant_type password access token for other API calls

I am trying to embed OAuth 2.0 grant_type password access token to my insomnia client API calls but getting "Failed to fetch token url= state us=0"
When we try below curl command its returning the access token. each time we have to copy access token and add it as header in insomnia rest call (Their is no client secret as it not confidential).
curl --request POST \
--url https://mydomain/auth/realms/my-app/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=myclientid \
--data username=app.admin \
--data 'password=password!' \
--data grant_type=password
Above curl if you create in insomnia client as POST request that is also working only thing is we need to copy and paste as header in other API calls
NOTE: the same is working in postman rest client through pre-request script but I want it to be achieved in insomnia client
After doing lot of research found out the solution by myself
follow this blog https://www.ankursheel.com/blog/automatically-set-access-token-authenticated-requests-insomnia
You need to create separate Generate token request, and set the bearer token in the API request where you want to embed Auth token automatically, click on the Bearer tab and enter Response ⇒ Body Attribute for the token and follow those instruction it worked for me :)

Why does my SuiteQL POST request work when I use Postman, but when I cURL the same code in VS Code terminal, it returns 'INVALID_LOGIN'

I'm trying to use SuiteQL to query a workbook for a client implementation, but I'm having trouble getting it to work in VS Code. I downloaded the Postman environment template and collections archive from the SuiteTalk tools download page and then sent a test request. It returned a successful JSON response. I then tried to send the same sample request using cURL in the VS Code terminal, then with node-fetch, and then using an npm library called netsuite-rest. All of these return 401 'INVALID_LOGIN'. Why does it work when I use Postman, but nowhere else? Here's a sample of my cURL request:
curl --location --request POST 'https://<ACCOUNT_ID>.suitetalk.api.netsuite.com/services/rest/query/v1/suiteql?limit=5' \
--header 'prefer: transient' \
--header 'Content-Type: application/json' \
--header 'Authorization: OAuth realm="<ACCOUNT_ID>",oauth_consumer_key="<CONSUMER_KEY>",oauth_token="<TOKEN>",oauth_signature_method="HMAC-SHA256",oauth_timestamp="<TIMESTAMP>",oauth_nonce="<NONCE>",oauth_version="1.0",oauth_signature="<SIGNATURE>"' \
--header 'Cookie: NS_ROUTING_VERSION=LAGGING' \
--data-raw '{
"q": "SELECT id, companyName, email, dateCreated FROM customer WHERE dateCreated >= '\''01/01/2019'\'' AND dateCreated < '\''01/01/2020'\''"
}'
I see this is an old thread however, I myself am just getting started with NetSuite and Postman. For me, the netsuite Postman query will work fine when you get your access token and this will work for a short period of time. Eventually it will fail and at that time you need to use your refresh token to get a new access token. Then, add the fresh access token into your query authorization as a bearer token - and then the query will start working again.
Once it is actively working then there is a magic Area of postman = Code Snippet. So click on that and then notice that there is a pulldown menu of many code bases - that will display the entire code request for your query! For example you could choose nodeJS - Axios - and just copy the code and paste it in to your webpage.
The one thing you will have to remember is that the access token Will expire after a period of time and then you will have to replace the access token with a fresh one (using the refresh token).

how to send multipart/form-data via InvokeHttp NiFi

I have a 3rd party REST, which I am successfully able to call like this using CURL (shell). This API return JSON. I tried calling same API, by changing content type to application/x-www-form-urlencoded but it doesn't work. I think I am forced to use content-type: multipart/form-data
curl --request POST --url https://************************* --header 'Authorization: Bearer ********' --header 'content-type: multipart/form-data; ' --form cluster_id=0717-035521-puny598 --form start_time=1534357800000 --form end_time=1534444199999 --form order=ASC --form limit=500
Now I want to call same API using InvokeHTTP processor (NiFi). So I configured it as follows. But I am not able to do a successful call. (it is not a proxy issue).
Following is how I am creating POST body (by FF)
I have tried replacing "enter" by \r\n etc, or changing body as name1=val1&name2=val2&.... etc. nothing worked.
This is the response I am getting.
[
I am able to run CURL (shell, from same server where Nifi is running). Also I am able to access url via postman.
[
finally, it worked. flow is somewhat like this.
GenerateFlowFile->UpdateAttribute->AttributesToJSON->InvokeHTTP
Only change, I made to InvokeHTTP. reverted content-type back to ${mime.type}.
I was struggling with this for a few hours. I've got a backend API that has
ResponseEntity<ByteArrayResource> post (#RequestPart("file") MultipartFile file) and a NiFi processor that sends XLSX data to this. I was getting the same issue... The key for me were the bottom two properties:
FlowFile Form Data Name -> file (this is the name of the variable in the API call)
Set Flowfile Form Data File Name -> true

How to secure ajax content

I was on almaconnect.com, on home page there is a textbox which auto-suggest some results of universities when you type (load content by making an ajax call). I did make a curl request of same ajax call but request resulted in some encrypted lines on terminal
curl 'https://www.almaconnect.com/suggestions/portaled_institute?q=am' -H 'Host: www.almaconnect.com' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://www.almaconnect.com/' -H 'Cookie: Almaconnect=; _ga=GA1.2.315358219.1489989532; __utma=117457241.315358219.1489989532.1490871434.1492414070.3; __utmz=117457241.1490871434.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _gat=1; __utmb=117457241.1.10.1492414070; __utmc=117457241; __utmt=1'
I want exactly the same functionality for my website so that if any user try to fetch my website data , he would not be able to.
Whatever binary data you see in the terminal when you make the curl call is not encrypted content. It is just compressed content. You can verify it by running
curl $params > output
You can check if the file matches any known file formats by running
file output
You will see that the result as something similar to
output: gzip compressed data, from Unix
Running gzip -d -c output will decompress and print the plaintext content to the terminal screen.
Reason
The reason why this happens is because, you send the accept-encoding header with the curl call. Unlike the browser, curl does not decompress the result automatically. That is the reason for this confusion.
-H 'Accept-Encoding: gzip, deflate, br'
Removing this particular header from the curl call will get you the response in an uncompressed plaintext format directly. You can try the following command for that.
curl 'https://www.almaconnect.com/suggestions/portaled_institute?q=am' -H 'Host: www.almaconnect.com' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://www.almaconnect.com/' -H 'Cookie: Almaconnect=; _ga=GA1.2.315358219.1489989532; __utma=117457241.315358219.1489989532.1490871434.1492414070.3; __utmz=117457241.1490871434.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _gat=1; __utmb=117457241.1.10.1492414070; __utmc=117457241; __utmt=1'
Summary
almaconnect.com does not really take any extra steps to obfuscate their AJAX responses. And it is generally a bad idea to do so. Whatever method you employ to obfuscate your responses (like using HTTP Referrer field), people can always come up with counter-measures to defeat them.
It is simply not worth the time to put in effort and time to come up with a mechanism which would eventually be broken by a determined attacker.
It is not possible.
The answer from gtux well explains the reasons why you are seeing binary characters of compressed content, not of encrypted content.
Note that this very simple version works:
curl 'https://www.almaconnect.com/suggestions/portaled_institute?q=am'
The answer from gaganshera may show you a way to obfuscate content, but that doesn't mean to really protect content, just to make a little harder for people to see it, since the decryption code is in public pages.
Your site can be protected by security (login + set cookie) or be public. If is protected, the security code checks the cookie header. If is public there are only ways to obfuscate content, not to protect it.
https://stackoverflow.com/a/14570971/1536382
https://www.quora.com/How-can-we-hide-JSON-data-from-tools-like-Chrome-development-tools-and-Firebug-etc-as-a-security-beyond-https
The server is returning an encrypted response which after its receipt is decrypted at the client end using javascript. You can do the same by sending your server response in some encryption that will be then decrypted at the client side. An example of the same can be crypto js.
Have a look at this: Encrypt with PHP, Decrypt with Javascript (cryptojs)
Maybe they are checking the HTTP_REFERER value for the ajax request. If the HTTP_REFERER is not the website, then it can return an encrypted response.
The ajax calls can also be secured using time based tokens. For example when a web page is requested, a random string may be generated on the server and stored in database. This string is sent to the client, which uses it in the ajax request. The server can then check if the token has expired or not. This method allows the ajax call to be valid for a certain time.

How to provide basic authorization like in curl command in web browser or in RestClient

I am new to Spring and very new to Spring Oauth2 Security. I have searched a lot about how to request the following link in web browser(In Firefox Rest Client plugin).The following request is curl and working perfectly fine in terminal through this command.
I am getting the problem while giving basic authorization. So How we can interact with basic authorization given below as -vu myapp:123456.
curl -X POST -vu myapp:123456 http://localhost:8080/oauth/token -H "Accept: application/json" -d "password=sunit&username=sunit&grant_type=password&scope=read%20write&client_secret=123456&client_id=myapp"
I used wireshark for capture the request and ended the same request to fb just to connect because I don't have a local server running... you can see that is a post request with the body in encoded URL...

Resources