Some req.session variables not saving (express-session) - node.js

I am setting up an OAuth2 flow that needs to send some extra variables to the callback. When I check req.session in the authorize call, the values for the variables are properly set. The next step is to hit the "callback" route.
  router.post('/api/personas/authorize', async (req, res) => {
    const source = await personaController.getSourceInformation(req.body.source)
    req.session.exchangeURL = source.token_exchange_url;
    req.session.exchangeFields = source.exchange_fields;
    console.log('REQ', req.session)
    req.session.save()
    const url = constructAuthURL(source)
    res.send(url);
  })
In the console.log('REQ') call, both the exchangeURL and exchangeFields variables are set properly.
Then, we hit the callback route:
  router.get('/callback', async (req, res) => {
    console.log(req.session)
  })
Those exchange variables are not set. The sessionIDs are the same between the calls and the sid cookie is being sent in both requests. Additionally, in both requests, there are some custom variables that are retained between the calls. It appears that just the variables set at /authorize are not persisted.
Any help would be greatly appreciated and I am happy to provide more info!
EDIT:
Here are the headers from the request that hits 'api/personas/authorize':
  {
    host: 'localhost:3000',
    connection: 'keep-alive',
    'content-length': '15',
    accept: 'application/json, text/plain, */*',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36',
    'content-type': 'application/json;charset=UTF-8',
    origin: 'http://localhost:3000',
    'sec-fetch-site': 'same-origin',
    'sec-fetch-mode': 'cors',
    'sec-fetch-dest': 'empty',
    referer: 'http://localhost:3000/personas',
    'accept-encoding': 'gzip, deflate, br',
    'accept-language': 'en-US,en;q=0.9',
    cookie: 'connect.sid=s%3AK01XQwFSwwA_q-D8OxALcx--asG23hsB.%2B8j%2BgLX6Eg%2FHhyh3K5wv%2FqpM6Vmp89xX5Kh8%2FFhLMJg'
  }
And here are the headers from the request that hits '/callback':
  headers: {
    host: 'localhost:3000',
    connection: 'keep-alive',
    'upgrade-insecure-requests': '1',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'sec-fetch-site': 'cross-site',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-dest': 'document',
    referer: 'https://{XXXX}.salesforce.com/',
    'accept-encoding': 'gzip, deflate, br',
    'accept-language': 'en-US,en;q=0.9',
    cookie: 'connect.sid=s%3AK01XQwFSwwA_q-D8OxALcx--asG23hsB.%2B8j%2BgLX6Eg%2FHhyh3K5wv%2FqpM6Vmp89xX5Kh8%2FFhLMJg'
  }

Related

403 code when using python request library

I have gone through most of the posts related to the 403 error and tried all of the options. However, I am still not able to fix it; I keep getting a 403 error.
I have tried various combinations of the headers but no luck.
Here is my code:
  import requests

  headers = {
      'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
      'accept-encoding': 'gzip, deflate, br',
      'accept-language': 'en-US,en;q=0.9',
      'cache-control': 'max-age=0',
      'referer': 'https://www.whatismyip.com/52.242.97.97/',
      'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36'
  }
  response = requests.get('https://www.whatismyip.com/40.70.224.149/', headers=headers)
  print(response.status_code)

aws ec2 nodejs empty body sent through axios post request in react

I am deploying a MERN app on AWS EC2. The frontend is rendered perfectly on AWS. While calling the API (axios.post), an empty body is received in the backend when called through the React frontend. But when called through Postman, the body is received correctly.
I am sharing the details of the request body as received on the backend (I printed this for debugging purposes):
POSTMAN method:
  Method: POST
  Path: /api/auth
  Body: { email_id: 'comiiii#gmail.com',
          password: 'comiiii#123',
          user_type: 'type_com' }
  Headers: { host: '64.1.75.248',
             'x-real-ip': '113.103.59.237',
             'x-forwarded-for': '113.103.59.237',
             'x-forwarded-host': 'ec2-64-1-75-248.ap-south-1.compute.amazonaws.com',
             'content-type': 'application/json;charset=UTF-8',
             connection: 'close',
             'content-length': '94',
             'user-agent': 'PostmanRuntime/7.26.8',
             accept: '*/*',
             'postman-token': 'a6ef6f75-716b-4843-a773-8b46d1f28427',
             'accept-encoding': 'gzip, deflate, br' }
REACT FRONTEND:
  Method: POST
  Path: /api/auth
  Body: {}
  Headers: { host: '64.1.75.248',
             'x-real-ip': '213.235.108.12',
             'x-forwarded-for': '213.235.108.12',
             'x-forwarded-host': 'ec2-64-1-75-248.ap-south-1.compute.amazonaws.com',
             'content-type': 'application/json;charset=UTF-8',
             connection: 'close',
             accept: '*/*',
             'access-control-request-method': 'POST',
             'access-control-request-headers': 'access-control-allow-origin,content-type',
             origin: 'http://ec2-64-1-75-248.ap-south-1.compute.amazonaws.com',
             'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36',
             'sec-fetch-mode': 'cors',
             referer: 'http://ec2-64-1-75-248.ap-south-1.compute.amazonaws.com/',
             'accept-encoding': 'gzip, deflate',
             'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8' }
I saw the difference between the two and realised that the headers which are different are among the forbidden ones. (Refer to: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)
How to solve this?

node js express-session Set-Cookie on Postman/ Not in Flutter http headers

I'm facing an issue trying to connect a Flutter application to my Node.js backend with express-session. In Postman the response headers include a "Set-Cookie" header, but the Flutter response headers from http.post(...) do not: headers: {content-length: 113, content-type: application/json; charset=utf-8}.
I need a cookie to keep the authenticated session with passport. Any ideas how to fix it?
Flutter headers:
host: '127.0.0.1:3000', connection: 'keep-alive', 'content-length': '57', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36', 'content-type': 'application/json; charset=utf-8', accept: '*/*', origin: 'http://localhost:51879', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'http://localhost:51879/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7'
Postman Headers: 'content-type': 'application/json', accept: '*/*', 'postman-token': '7c79280d-****-****-a985-c01395e50e08', host: 'localhost:3000', 'accept-encoding': 'gzip, deflate, br', connection: 'keep-alive', 'content-length': '66'
I recommend you use the dio library for HTTP calls.
  import 'package:dio/dio.dart';

  class ApiProvider {
    Dio _dio;
    String aToken = '';
    final BaseOptions options = new BaseOptions(
      // base url of the backend server
      baseUrl: 'http://a.b.c.d:port/',
      connectTimeout: 15000,
      receiveTimeout: 13000,
    );
    static final ApiProvider _instance = ApiProvider._internal();
    factory ApiProvider() => _instance;

    ApiProvider._internal() {
      _dio = Dio(options);
      _dio.interceptors.add(InterceptorsWrapper(
        onRequest: (RequestOptions options) async {
          // to prevent other requests entering this interceptor,
          // use a new Dio instance (to avoid a deadlock) to request the token.
          _dio.interceptors.requestLock.lock();
          // set the cookie on the request headers
          options.headers["cookie"] = aToken;
          _dio.interceptors.requestLock.unlock();
          return options; // continue
        },
      ));
    }

    Future login() async {
      final request = {
        "userName": "",
        "password": "",
        "token": ""
      };
      final response = await _dio.post('/login', data: request, options: Options(
        followRedirects: false,
        validateStatus: (status) { return status < 500; },
      ));
      // get the cookie from the response
      final cookies = response.headers.map['set-cookie'];
      if (cookies != null && cookies.length == 2) {
        // it depends on how your server sends the cookie
        aToken = cookies[1].split(';')[0];
      }
    }

    /// if we call this function without a cookie then it will throw a 500 error.
    Future getSomething() async {
      final response = await _dio.post('/something');
    }
  }

NodeJs request.get() function not working while the url is accessible from the browser

I am using the request npm module. I want to retrieve an image from a URL. The request.get(url) function is returning a '400 Bad Request', whereas the image is accessible from the browser.
The URL I am hitting is: http://indiatribune.com/wp-content/uploads/2017/09/health.jpg
You could try to add some headers:
  const request = require('request');

  request.get({
    url: 'http://indiatribune.com/wp-content/uploads/2017/09/health.jpg',
    headers: {
      Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
      'Accept-Encoding': 'gzip, deflate',
      'Accept-Language': 'en-GB,en;q=0.8,en-US;q=0.6,hu;q=0.4',
      'Cache-Control': 'max-age=0',
      Connection: 'keep-alive',
      Host: 'indiatribune.com',
      'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
    },
  }, (err, response, data) => {
    console.log(response, data);
  });
The User-Agent seems to be enough.
Use the download module. It's pretty simple.
const fs = require('fs');
const download = require('download');
download('http://indiatribune.com/wp-content/uploads/2017/09/health.jpg').pipe(fs.createWriteStream('foo.jpg'));

Aurelia http-client/http-fetch not sending headers

Tried multiple approaches to send custom headers via aurelia-http-client and aurelia-fetch-client in the GET/POST requests that I am making, but in the actual request the headers are not being passed.
Approach 1
  var client = new HttpClient()
  client.createRequest('/api/information/save')
    .asPost()
    .withBaseUrl('http://10.0.0.13:3000')
    .withHeader("X-auth-code", "abc")
    .send()
Approach 2
  var client = new HttpClient()
    .configure(x => {
      x.withBaseUrl('http://10.0.0.13:3000');
      x.withCredentials(true);
      x.withHeader('Content-Type', 'application/json; charset=utf-8');
      x.withHeader('x-client-code', 'abc');
    });
Approach 3
  this.http.configure(config => {
    config
      .withDefaults({
        credentials: 'same-origin',
        headers: {
          "Content-Type": "application/json",
          "x-client-code": "abc",
        }
      })
      .useStandardConfiguration()
      .withInterceptor({
        request(request) {
          request.headers.append("x-client-code", "abc");
          console.log(`${request.headers}`);
          return request; // you can return a modified Request, or you can short-circuit the request by returning a Response
        },
        response(response) {
          console.log(`Received ${response.status} ${response.url}`);
          return response; // you can return a modified Response
        }
      });
  })
But all of them lead to the same error:
  { host: '10.0.0.13:3000',
    connection: 'keep-alive',
    'access-control-request-method': 'POST',
    origin: 'http://localhost:9000',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.104 Safari/537.36',
    'access-control-request-headers': 'content-type',
    accept: '*/*',
    referer: 'http://localhost:9000/',
    'accept-encoding': 'gzip, deflate',
    'accept-language': 'en-GB,en-US;q=0.8,en;q=0.6' }
In the end we are unable to pass the headers.
It's a security measure against cross-site scripting (and it's super annoying). See: Cors Access-Control-Allow-Headers wildcard being ignored?
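Both this Aurelia header dump and the React/axios dump earlier on the page (the one with access-control-request-method and an empty Body: {}) are CORS preflight requests, which the browser sends without the POST body. Added example, not code from either question: a small preflight evaluator in Node-style JavaScript run over the relevant fields of those two dumps, against a constructed allowlist policy.

```javascript
// Added example, not code from either question. A CORS preflight is an OPTIONS request
// carrying Access-Control-Request-Method; the browser sends it with no body before the
// real POST, so a handler that logs "the request" during preflight sees an empty body.
// Header names are lower-cased, as Node's http.IncomingMessage.headers presents them.
// True when this request is the browser asking permission, not the real call.
function isPreflight(method, headers) {
  return method === 'OPTIONS' && typeof headers['access-control-request-method'] === 'string';
}
// Preflight response for an explicit allowlist policy. Returns null when the origin,
// method or any requested header is not allowlisted; the server then answers without
// CORS headers and the browser blocks the call. The origin is echoed from the allowlist,
// never as '*', because browsers reject '*' once credentials (cookies) are involved.
function preflightResponse(headers, policy) {
  const origin = headers.origin;
  if (!origin || !policy.origins.includes(origin)) return null;
  const method = headers['access-control-request-method'];
  if (!policy.methods.includes(method)) return null;
  const requested = (headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.headers.map(h => h.toLowerCase());
  if (!requested.every(h => allowed.includes(h))) return null;
  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.methods.join(', '),
    'Access-Control-Allow-Headers': requested.join(', '),
    Vary: 'Origin',
  };
  if (policy.credentials) out['Access-Control-Allow-Credentials'] = 'true';
  return out;
}

// Constructed policy: both questions' dev origins, plus the Aurelia custom header.
const POLICY = {
  origins: ['http://localhost:9000', 'http://ec2-64-1-75-248.ap-south-1.compute.amazonaws.com'],
  methods: ['GET', 'POST'],
  headers: ['Content-Type', 'x-client-code'],
  credentials: true,
};

// Relevant fields of the two dumps above: the Aurelia preflight, then the React/axios one,
// which asks to send Access-Control-Allow-Origin as a *request* header (not allowlisted).
const AURELIA_PREFLIGHT = {
  origin: 'http://localhost:9000', 'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type',
};
const AXIOS_PREFLIGHT = {
  origin: 'http://ec2-64-1-75-248.ap-south-1.compute.amazonaws.com',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'access-control-allow-origin,content-type',
};
```

With this policy the Aurelia preflight is answered and the axios one is refused, because the frontend asked permission for a header name that belongs in responses only.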
