I'm making private homepage working only for login user.
When user login success, API server return token and save it to cookie.
After that, token was added to all fetch's request header at server-side "handleFetch" hooks.
All works fine with server-side rendering. But At client-side rendering needed position, I can't use "load's fetch" and also can't get token from cookies by default sveltekit functionality.
How can I solve this?
I am trying to get new access tokens before they expire using reconnect api endpoint, but the api call to https://appcenter.intuit.com/api/v1/Connection/Reconnect is being redirected to https://quickbooks.intuit.com/learn-support/en-us/do-more-with-quickbooks/third-party-app-security-requirements-updating-soon/01/428295, rather the expected response. Am i missing something here? Appreciate the help.
According to Intuit's documentation, you're using the wrong URL:
https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0#refresh-the-token
Did you try using the correct URL?
From the docs:
To refresh an access token, your application sends an HTTPS POST request to
Intuit’s authorization server
(https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer)
that includes the following parameters:
I am using express-session and was wondering if its possible to send some additional details in the 401 response express will send back when a session is no longer found.
I would like to distinguish when a session has expired vs when no session is found, so I can send some extra details in the response body that the client can use to then show some information text to the user that their session has expired.
Is this possible?
Hopefully I am making sense with this question!
If I understand you correctly, then you can send some json with status 401 to let client know more about the issue.
e.g.
res.status(401);
res.json({'message': 'session has expired'});
I'm creating Single Page Application. I've created login-logout actions and they work fine. But if user logs out and will not refresh page in browser, he couldn't log in again because of "CSRF mismatch" error.
Steps:
1. At first page load, csrf is view local:
<div class="app" id="app" data-csrf="<%= _csrf %>"></div>
2. User logs in with this token successfully:
420["post",{"method":"post","headers":{},"data":{"_csrf":"VHcT2F44-KhZMJmhcAVB1H69BgTMWMZji9_8","login":"alex","password":"123"},"url":"http://127.0.0.1:1337/login"}]
430[{"body":{"id":"560e5756cd01633407eea8be"},"headers":{cut headers},"statusCode":200}]
3. Then, user logs out with this token:
421["post",{"method":"post","headers":{},"data":{"_csrf":"VHcT2F44-KhZMJmhcAVB1H69BgTMWMZji9_8"},"url":"http://127.0.0.1:1337/logout"}]
431[{"body":"ok","headers":{cut headers},"statusCode":200}]
4. And if he try to log in again, he will catch "CSRF mismatch" error and I expected that:
422["post",{"method":"post","headers":{},"data":{"_csrf":"VHcT2F44-KhZMJmhcAVB1H69BgTMWMZji9_8","login":"alex","password":"123"},"url":"http://127.0.0.1:1337/login"}]
432[{"body":"CSRF mismatch","headers":{},"statusCode":403}]
5. I'm catching this error and doing /csrfToken request as said in docs
423["get",{"method":"get","headers":{},"data":{},"url":"/csrfToken"}]
433[{"body":{"_csrf":"49C5OVUZ-6SIL_zW3g1NGI87ux6Mlp-UJj_w"},"headers":{cut headers},"statusCode":200}]
6. Trying to log in again with new token:
424["post",{"method":"post","headers":{},"data":{"_csrf":"49C5OVUZ-6SIL_zW3g1NGI87ux6Mlp-UJj_w","login":"alex","password":"123"},"url":"http://127.0.0.1:1337/login"}]
434[{"body":"CSRF mismatch","headers":{},"statusCode":403}]
I could repeat steps 5 and 6 with same result.
If I refresh page, I can log in without errors.
Question is, what's going on? Why token mismatch at step 6?
Edit: logout method:
req.session.destroy();
return res.send("ok");
Edit 2: sending request:
import socketIOClient from 'socket.io-client';
import sailsIOClient from 'sails.io.js';
var io = sailsIOClient(socketIOClient);
io.socket.post(form.action, serialize(form, {hash: true}), function (data, jwres){
...
});
TL;DR: Use req.session.csrfSecret = null instead of req.session.destroy() if you're doing everything over sockets.
The issue here is with the way Express sessions work. When you call .destroy() on one, it removes the entry for the current session ID (SID) in the sessions object that Express MemoryStore maintains. Normally that's fine because it will be regenerated on the next request, but that's only the next request that runs all of the Express middleware--and Socket requests to a Sails app don't do that, as anyone trying to use Passport with Sails out-of-the-box will tell you. So the next time you make a socket request (to generate a new CSRF secret and get a new token), you're not actually connected to a session and the new info doesn't get saved.
If instead of destroying the whole session, you just destroy the csrfSecret which is used to generate CSRF tokens, then the next socket request will still be attached to a session and the new secret will be saved. You'll also want to blank out any other session variables that were keeping the user logged in.
I am using ServiceStack to build a RESTful API as a backend to a single-page, ajax heavy app.
I have CORS properly configured and everything works as expected.
Some of my services require authorization and throw exceptions that result in 403 or 401 status codes when the user is not authorized, has a expired token, etc. So far so good.
The problem is that whenever I throw one of these exceptions, ServiceStack doesn't include the CORS headers in the response and then the browser refuses to parse it, as it was an ajax call.
Is there a correct way to throw an exception within a service but preserve the CORS headers?
The work around right now is to not throw the exception, set the headers manually and call response.End(). Just think there might be a better way.