Postman not reaching AWS EKS API endpoint - node.js

I'm trying to figure out how to get postman to work with EKS. I have a simple nodejs app.
    const express = require('express');
    const app = express();
    app.get('/', (req, res) => res.send('hello world'));
    app.listen(3000, () => {
        console.log('My REST API running on port 3000!');
    });
Here's everything I've done so far:
I created a docker container and successfully pushed it to ECR.
Also I tested docker by running it locally and I was able to reach it and get hello world response so the docker container seems fine.
I created an EKS cluster with the docker container and have the api server endpoint
but when I try and make a call with postman, I get
I even tried adding access key and secret from IAM user that has access to EKS, but I get same error.
When I configured the cluster, I set it to public so I don't understand why Postman can't reach the API endpoint.
Also I added the following permissions to the IAM user I'm using in postman. I wasn't sure which one was correct so I added all of them. I also put the security credentials for that IAM user in postman.
What am I missing? I appreciate the help!

Actually, your Postman is reaching AWS EKS API endpoint, but you are getting authentication/authorization error - 403 Forbidden. I see OpenID Connect provider URL in the API config, so I would expect OIDC authentication and not AccessKey/SecretKey. Check AWS EKS documentation or contact your AWS support.

Related

Node.js Express API doesn't send headers if its docker image is deployed

I've built a Node.js Express API where whenever the user uses the (POST) /login, if logged successfully, the api will set the Authorization Token such as this:
    @Post('/login')
    @UseBefore(validationMiddleware(LoginUserDto, 'body'))
    async logIn(@Res() res: Response, @Body() userData: LoginUserDto) {
        const { cookie, user } = await this.authService.login(userData);
        // The auth token travels in the Set-Cookie response header
        res.setHeader('Set-Cookie', [cookie]);
        return user;
    }
Whenever I run the docker image locally, if it was requested by a React app it would create the token as a cookie in the browser successfully.
Since it was working, I deployed the docker image of the API in Azure and Digitalocean (in order to see if it would work on both). But when I tried to login with the deployed API, it would POST with success but the cookie wouldn't be set in the browser when using the React App (in the app the credentials were set to true in order to save).
I tried to call the deployed API with Postman and Insomnia and both would save the cookie from the successful login.
With this last experiment I was really confused because the API works as expected both in postman and in the react app when run locally, but when deployed only works as expected in postman and not in React. I can't understand if the problem is from react or from the API.
I have also tried using RTK and Axios in react and both got the same results.
In the CORS options from the API the origin is set to "*"
Already found out, seems like when creating the cookie I was not setting the Same-Site property and by default was Lax, which didn't let the browser save the cookie. I set it to none and needed to put secure after it.
    public createCookie(tokenData: TokenData): string {
        return `Authorization=${tokenData.token}; HttpOnly; Max-Age=${tokenData.expiresIn}; SameSite=None; Secure`;
    }
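The cross-site cookie rules behind this fix can be checked before deploying. The following is an added example, not code from the original post: it audits a Set-Cookie value together with the CORS response headers for a credentialed cross-site request. The function names and sample values are assumptions, and the missing-SameSite default of Lax follows the behaviour the post reports.

```javascript
// Added example: audit a Set-Cookie value and CORS headers for a React app on
// one origin calling an API on another with credentials enabled.
// All sample inputs are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function auditCrossSiteCookie(setCookie, corsHeaders) {
  const findings = [];
  const { attrs } = parseSetCookie(setCookie);
  // Assumption: a cookie without SameSite is treated as Lax, as in the post.
  const sameSite = String(attrs.samesite || 'Lax').toLowerCase();
  if (sameSite !== 'none') {
    findings.push(`SameSite=${sameSite}: not stored or sent on cross-site XHR/fetch`);
  } else if (!attrs.secure) {
    findings.push('SameSite=None without Secure: cookie is rejected');
  }
  if (!attrs.httponly) findings.push('HttpOnly missing: token readable by page scripts');
  // Browsers refuse a wildcard origin when the request carries credentials.
  if (corsHeaders['access-control-allow-origin'] === '*') {
    findings.push('Access-Control-Allow-Origin "*" is not accepted with credentials');
  }
  if (corsHeaders['access-control-allow-credentials'] !== 'true') {
    findings.push('Access-Control-Allow-Credentials must be "true"');
  }
  return findings;
}

// Constructed inputs: the cookie before and after the fix in the post.
const cookieBefore = 'Authorization=abc; HttpOnly; Max-Age=3600';
const cookieAfter = 'Authorization=abc; HttpOnly; Max-Age=3600; SameSite=None; Secure';
const corsWildcard = { 'access-control-allow-origin': '*' };
const corsPinned = {
  'access-control-allow-origin': 'https://app.example.com',
  'access-control-allow-credentials': 'true',
};
console.log(auditCrossSiteCookie(cookieBefore, corsWildcard));
console.log(auditCrossSiteCookie(cookieAfter, corsPinned));
```

Postman and Insomnia apply neither rule set, which is why the same login succeeded there.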

Send GET request from Amplify service to EC2 machine

< I am a real newbie so I am sorry if I am using the terms incorrectly. >
Hey guys!
I am trying to deploy my website, I put my front - files in Amplify app which provides me with an HTTPS url.
My goal is to load my backend code to EC2 ubuntu machine and to run it via pm2.
I have a trouble understanding how to do it, I am writing backend code in nodejs and I am using the express framework.
When I am developing locally, it all runs perfectly.
My backend code :
    app.get('/db', (req, res) => {
        let ddb = new AWS.DynamoDB({ apiVersion: "2012-08-10" });
        const params = {
            TableName: "blablabla",
        };
        let itemObj = [];
        ddb.scan(params, function (err, data) {
            if (err) {
                console.log("Error", err);
                // Answer the request on failure so the client does not hang
                res.status(500).end();
            } else {
                console.log("Success", data);
                // Respond exactly once; calling res.json() inside a forEach
                // sends again for every item and throws on the second one
                itemObj.push(data.Items);
                res.status(200).json(itemObj);
            }
        });
    });
Related front-end code :
    function getData(username){
        var xmlhttp = new XMLHttpRequest();
        var url = "http://localhost/db";
        xmlhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) { // request completed
                var result = JSON.parse(this.responseText);
                // blablabla
            }
        };
        xmlhttp.open("GET", url, true);
        xmlhttp.send();
    }
When I am using localhost url and run the server via my computer (npm start server..) I do get the data I am looking for on the amplify service.
But when I use the elastic IP addresses of the EC2 machine I get an error: "was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint, This request has been blocked"
Is there any way to allow those kind of requests?
Do I even use the correct IP of the EC2 machine?
It seems to me that if EC2 provided me an HTTPS address, it will work fine, am I right or it has nothing to do with it?
Thanks in advance.
It works on your local machine because you don't have an SSL certificate on localhost, so your frontend is not loaded over a secure connection. When you run the frontend from Amplify, you're connecting to the Amplify domain name via SSL (I expect the URL is something like https://master.randomalphanumericstring.amplifyapp.com). So your browser complains when that page tries to make an insecure connection to your EC2 instance.
You can work around this by changing your browser settings to allow mixed content. In Chrome, it's Settings->Site Settings->Insecure Content->Add site. But that's just a workaround for development, obviously that won't work for production.
You can't make an HTTPS request to an IP address. SSL certificates must be associated with a domain name. It's also not a very robust solution to have your backend depend on a specific IP address. You have a few options to address this:
Generate an SSL certificate and install it on your EC2 instance. You can't use AWS Certificate Manager with EC2, so you'd need to obtain a certificate from letsencrypt or some other source. Self-signed won't work, it has to be trusted by the browser. And of course you need a registered domain for that.
Add an application load balancer with a secure listener and a certificate issued through ACM that directs requests to your EC2 instance. Again, you'll need to have a registered domain that you can use with the certificate.
Deploy your backend through Amplify. This will provide an API endpoint with a secure connection in the awsamazon.com domain.
There are many other ways to create an app backend with a secure connection, but those should get you started.

Problem accessing to REST API from devices on same network

I have a REST API running on my PC and a vuejs web app sending requests.
When I try the app on localhost, it works perfectly.
I can access home ('/') and, using the web app, it sends other requests to the API ('/something').
But I need to try the app from my mobile, so I connect both to the same network and access localhost by IP.
I can access home (IP:port) and the app responds on my mobile.
I can access other endpoints too (IP:port/something).
Normally only the app uses the API endpoints. (Useless for the user to access directly)
The problem is: I'm on the home page from my mobile, but at start, the web app sends a request to an endpoint. But the server responds with status 0 :(
I tried with another PC and got the same... when I try my app from other devices, the app can't use my API.
Connection to home: (server.js (API))
    MyRouter.route('/')
        .all(function(req, res){
            res.render('home.ejs');
        });
Request sent when the user accesses home (when Vue is mounted): (app.js (Application))
    mounted () {
        this.$http.get(this.website + '/connexion').then(response => {
            // success (I need to get some info from the API)
        }, response => {
            // error
        });
    }
Endpoint: (server.js)
    MyRouter.route('/connexion')
        .get(function(req, res){
            res.json({foo: "bar"}); // some info
        })
From localhost I can get the JSON info, but from other devices I can access the home page but the request to the endpoint returns request status = 0. When I try to access the endpoint directly, it is found! But I need to stay on the home page...
Some of the situations that produce this status code:
Illegal cross origin request (see CORS)
Firewall block or filtering
The request itself was cancelled in code
I'd bet it's CORS or firewall problem.
Ok, I found the problem... xD From other devices I access the web app by the server IP, but the variable 'this.website' used in requests was always "localhost"! So I replaced that with the current URL...

Sending email via aws ses

I have 2 servers A & B and hosted in AWS and my app is built using nodejs.
I have the same copy of application running on both servers. Now from server A the email works but not from B.
I have a file called emailconfig.json which has accesskeyId, secretAccessKey and region which I call to load the config.
I think the same config can't be used in another server in AWS to send the email?
Code --
    router.post('/sendmail', function(req, res, next) {
        // load aws config
        console.log("I am here 1");
        aws.config.loadFromPath('\emailconfig.json');
        console.log("I am here 2");
For some reason, I can't see the second log in server B but works in server A.
Any help is highly appreciated. Thanks in advance.
I think your server B IAM permission is different from server A's. Because it creates separate IAM Roles for each EC2, you should specify the IAM role which has been used for server A as the IAM role of server B too.

Get Google Plus user access_token in Azure webapp server

I have set up an Azure webapp successfully running Node.JS with Express and added a Google Plus authentication using the built in Azure Google "Authentication / Authorization". The auth process works just fine using SSL and I am able to get users authenticated.
Now,
I know the auth process is calling https://mysite.azurewebsites.net/.auth/login/google/callback with the user access_token for future API calls but in this case Azure "intercepts" it (instead of what will normally happen - I would get it on my own server).
The question is - Is there any way to get and use this token on the server?
I have tried to add a route to the .auth/login/google/callback and somehow get the code
    router.get('/.auth/login/google/callback', function (req, res, next) {
        console.log("CALLBACK");
        next();
    });
to no avail...
The auth info from google+ will be set in request headers. If you list your request headers in a router function like:
    res.send(JSON.stringify(req.headers));
You can see that the auth info is set in the headers with the prefix x-ms-token-google-.
Refer to https://azure.microsoft.com/en-us/documentation/articles/app-service-api-authentication/ for more details.
Meanwhile, you can simply issue a GET to the /.auth/me endpoint on your site for retrieving additional user information as well as any tokens required for graph calls. Refer to https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/ for details.
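Because those headers carry live provider tokens, a handler that reads them should keep them out of responses and logs. The following is an added example, not code from the original answer: it collects the `x-ms-token-google-` headers described above and builds a redacted copy of the headers for debugging. The function names and header values are constructed for illustration.

```javascript
// Added example: read the provider tokens that App Service injects as request
// headers, and produce a log-safe copy of the headers. Sample values are constructed.

const TOKEN_PREFIX = 'x-ms-token-';

// Collect x-ms-token-<provider>-* headers into { 'access-token': ..., ... }.
function extractProviderTokens(headers, provider) {
  const prefix = `${TOKEN_PREFIX}${provider.toLowerCase()}-`;
  const tokens = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower.startsWith(prefix)) tokens[lower.slice(prefix.length)] = value;
  }
  return tokens;
}

// Return a copy of the headers with token, Authorization and Cookie values masked,
// suitable for debug output in place of dumping req.headers as-is.
function redactHeaders(headers) {
  const sensitive = /^(x-ms-token-|authorization$|cookie$)/i;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = sensitive.test(name) ? `[redacted ${String(value).length} chars]` : value;
  }
  return out;
}

// Constructed request headers, shaped like req.headers in Express (lower-case names).
const sampleHeaders = {
  host: 'mysite.azurewebsites.net',
  'user-agent': 'constructed-client/1.0',
  'x-ms-token-google-access-token': 'ya29.constructed-access-token',
  'x-ms-token-google-expires-on': '2016-01-01T00:00:00.0000000Z',
};

const tokens = extractProviderTokens(sampleHeaders, 'google');
console.log(Object.keys(tokens));           // names only, never the values
console.log(redactHeaders(sampleHeaders));  // safe to log or return while debugging
```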
