Here are the program imports.
import com.google.gson.Gson;
import com.microsoft.graph.auth.confidentialClient.ClientCredentialProvider;
import com.microsoft.graph.auth.enums.NationalCloud;
import com.microsoft.graph.httpcore.HttpClients;
import okhttp3.*;
The program invokes the ClientCredentialProvider constructor to create an authProvider.
ClientCredentialProvider authProvider = new ClientCredentialProvider(...);
The program creates a client to send a post request to the server to get an access token.
OkHttpClient client = HttpClients.createDefault( authProvider );
A subroutine uses the access token in a get request in an effort to obtain a site ID.
request = new Request.Builder()
.url(target)
.header("Authorization",
"Bearer " + tokenResponse.get_access_token())
.get()
.build();
Here is the code that transmits the get request.
response = client.newCall( request ).execute();
Here is the result that comes back from the server.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>
When I manually send the get request from Postman or Charles, it works fine.
When I look at the outgoing request just before it is sent, I find that the okhttp3 code has tacked on a few more headers including a second Authorization header that uses a slightly different token.
How should the program configure okhttp3 classes to stop this interception and rewriting of the header section of the outgoing request?
Related
Attempting to tap http://www.anagramica.com/api to determine all words that can be made from an inputted word. As expected cross-origin policy does not allow using a normal GET request to receive the JSON data. On the anagramica homepage, JSONP is mentioned. I attempted implementing this below.
<!DOCTYPE html>
<html>
<head>
<script src="jquery-3.3.1.min.js"></script>
<title>word play</title>
</head>
<body>
<h1>Speak A Word</h1>
<script>
document.body.onclick = function() {
$.getJSON("http://www.anagramica.com/all/dog?callback=?",function(json){
console.log(json);
});
}
</script>
</body>
</html>
This resulted in the following error.
"Cross-Origin Read Blocking (CORB) blocked cross-origin response http://www.anagramica.com/all/dog?callback=jQuery33106950206857384036_1542003732614&_=1542003732615 with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details."
Relevant posts here: Loading cross-domain endpoint with jQuery AJAX
Make cross-domain ajax JSONP request with jQuery
Wondering why JSONP is not working in this case?
We have deployed the api on azure and trying to consume in our web app written in angular 5. However when we try to consume the api we are getting following errors.
Chrome Mixed Content: The page at 'https://somedevapp.azurewebsites.net/#/managesomething' was loaded
over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://admindevapp.azurewebsites.net/api/data/getdata'. This request
has been blocked; the content must be served over HTTPS.
Firefox Blocked loading mixed active content
Is this issue related to CORS? How to resolve this issue?
Any help on this appreciated!
If your web app is being hosted over HTTPs as you've indicated, then all external resources it is consuming (CDN, scripts, CSS files, API calls) should also use SSL and be secured through HTTPs. Think about it. It would defeat the purpose of your app being secure, if your app was in turn making insecure requests to an API.
You can either therefore:
As Chrome suggests, change your API calls to use HTTPs (recommended)
Use HTTP instead of HTTPs
Add the following meta tag to your <head> element in your HTML:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
More information about this can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests.
Use this ---- Add in your head section
I will try this with my weather application & now it's working fine
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
only add this on header section.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
you can use this only if your resource API supports the HTTPS request.
example: "http://ip-api.com/json" and "https://ip-api.com/json" both will not return the same response if "ip-api.com" doesn't support HTTPS requests.
The meta tag below helps to prevent Chrome complaining about HTTP request made. I was working on a class projects (a weather app) and the API call over HTTP and adding an S to the HTTP call doesn't help. Since this a project a there no major issue. The meta tag share above by #Medhi Ibrahim does the trick.
<meta
http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests"
/>
i tried to remove the "meta solution" on index.
And removed the "s" on environment.prod.ts
When i sign in " http://app.finoview.com" the api Nestjs works.
But when i try to log in "https://finoview.com", angular works, but the api nestjs doesnt work.
Here is the image:
okay.
I think I have failed to understand an elemental part of token based authentication.
I am using node with express and am using jwt to prevent access to my site if you haven't logged in. I can create a token on the login page, and I can send it back to the client and store it in localStorage/cookie. Now if the user wants to navigate to another page they will type in a url and trigger a get request.
How do I access that token from localStorage/cookie and pass it to the server before I load the page as part of the get request. My assumption is that there should be a way of passing the token to the server - intercepting it in the middleware - and loading the page if the token is legit, or redirecting to the login page if the token isn't validated correctly.
On a post request this would be much simpler as you can fetch the token and pass it as part of an ajax call, after the page has loaded.
I have seen references to including the token as part of the request header (authorization bearer). I assume this only works for post, because if you were able to set the header parameter 'globally' then why would you bother storing on the client side in a cookie/localStorage.
So as you can see I am a little confused by the workflow. It seems like I am going against the grain somehow. Any clarity would be much appreciated.
If you are using localStoage in order to store the JWT, then the easiest way to pass it to the server is by retrieving first the token from the localStorage with localStorage.getItem('token') (or whatever your token name is) and then inserting it in the header of the request (either it is GET or POST/PUT/DELETE). Depeding on the library you are using to handle your http requests on the client, there are different ways of doing so. In jQuery for example, you can do the following inside the AJAX request:
$.ajax({
url: API_URL + "/endpoint",
method: "GET",
beforeSend: function(request){
request.setRequestHeader("Authorization", "BEARER " + localStorage.getItem('token'));
}
})
After this, on the server side simply access the parameters by accessing request.header options just as you would normally do. Hope this helps!
We got an Angular application and we got another Spring application. The login is managed by Spring and when the user is logged, Spring redirects to the Angular app. When Spring redirects, it puts an authentication token to the header.
How to get this token with Angular?
Since AngularJS is javascript, you can echo that token in your HTML somewhere. It's a one time redirection to your angularApp. I did this on
<meta name="csrf-token" value="xxxx-xxx" />
And to send http calls back to your Spring App from Angular, I believe you have to send that token (e.g X-Token) in header too which can be done like
window.ngApp = angular.module('ngApp',[]);
ngApp.config(["$httpProvider", function(provider) {
provider.defaults.headers.common['X-Token'] = $('meta[name=csrf-token]').attr('content');
}]);
So everytime a http request is made, the X-Token will be part of your request.
I can't get a browser to accept and answer an incoming call using Twilio JavaScript API.
Every time I call my Twilio number the call just hangs up and I don't see anything happen in my browser.
According to my JS I should get an alert popup when the call is connected/answered.
I've setup my Request URL correctly in my Twilio account and I've even checked the Twilio Debugger and don't see any error messages.
See code below for what I'm using in my browser app that should answer the incoming call.
FYI, I'm using PHP library to generate the Twilio Token. And I've double checked my Twilio API credentials - they're all correct (I've removed them in my code post below).
FYI2, I get the JS alert that the Twilio Device setup is ready.
FY3, I know the voice request URL is setup in Twilio correctly because if I change that code to Say Hello it says hello and then hangs up when I call my Twilio number.
<?php
###############
# Define Vars #
###############
include 'Services/Twilio/Capability.php';
$accountSid = 'A_xxxxxxxxxxxxxxxxxxx';
$authToken = 'f_xxxxxxxxxxxxxxxxxxx';
$appSid = 'AP_xxxxxxxxxxxxxxxxxxx';
$clientName = 'jack';
####################
# Get Twilio Token #
####################
$capability = new Services_Twilio_Capability($accountSid, $authToken);
$capability->allowClientOutgoing($appSid);
$capability->allowClientIncoming($clientName);
$token = $capability->generateToken();
?>
<!DOCTYPE html>
<html>
<head>
<title>Twilio Incoming Call Test</title>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript" src="//static.twilio.com/libs/twiliojs/1.1/twilio.min.js"></script>
<script>
Twilio.Device.setup('<?=$token?>');
Twilio.Device.ready(function(device) {
alert('ready!');
});
Twilio.Device.incoming(function(conn) {
conn.accept(incomingCall(data));
});
function incomingCall(data)
{
alert("Incomging Call:\n"+data);
}
Twilio.Device.error(function(conn) {
alert("Error:\n"+data);
});
</script>
</head>
<body>
<h1>Twilio Incoming Call Test</h1>
</body>
</html>
Here is my Voice Request URL code:
<?php
header('Content-type: text/xml');
echo '<?xml version="1.0" encoding="UTF-8"?>';
?>
<Response>
<Dial>
<Client>jack</Client>
</Dial>
</Response>
I figured out what the issue was. Pretty simple. The account sid and auth token where set to my sandbox/test credentials and when I changed this to live credentials it worked. Problem solved!