I have a meteor app which makes HTTP calls to some server with basic auth.
Now I want to use a modifier (axios provides interceptors which can modify the requests before sending them) such that on the basis of url, I should be able to add authorization headers.
Eg:
HTTP www.a.com/route1
HTTP www.b.com/route1
HTTP www.a.com/route2
What I want to accomplish is, whenever a request is made to www.a.com, I need to add headers.
I cannot do it manually for each request currently being sent as there are hundereds of requests being sent from different modules of the app.
Already thought of writing a wrapper around meteor's HTTP but any better option like interceptors?
Related
Is it possible to identify the client / library which sent a HTTP request?
I am trying to fetch some data via an API and it is possible to query the API via cURL and python, but when I try to use node (doesn't matter which library, axios requests, unirest, native, ...) or wget I get a proprietary error back from the backend.
Now I am wondering, if the backend is able to identify, which library I am using?
More information:
The requests are exactly the same, so no way to distinguish them
The user-agent header field is set and overwritten for all requests
I already tried to monitor the traffic in wireshark, but couldn't find any differences with the packets on HTTP layer (only the order of the header fields is different, that according to the standard this shouldn't make a difference)
It turns out that the problem was TLS fingerprinting.
See: https://httptoolkit.tech/blog/tls-fingerprinting-node-js/
Nodejs uses google V8 JS engine, V8 based http request clients will not allow you to override headers that would compromise 'web safety', so for example if you are setting "Origin, Host, Referrer" headers, node might refuse to do so. I had the same issue previously.
Un-opinionated http clients, such as the ones written in C++(curl) and python won't 'web safety' check your requests, so that is what is causing the difference in behavior.
In my case I used a C++ library that I called from javascript to make my 'unsafe' requests and the problem was solved.
I just deployed an application into cloud run, but the application running in cloud run can't handle the request in the form of POST method and always returns 404 not found. After I checked the log, whatever request was given it was always translated into the get method. What should I do to prevent the given method from being translated like that?
the log:
Notice the HTTP 302 response on your POST. That means the client is being instructed to go to a new Location. Your client is then converting the POST into a GET and making another request at the new location.
Cloud Run only supports HTTPS. Your POST request is being sent to an HTTP endpoint. The Cloud Run frontend will automatically redirect the client to the HTTPS endpoint.
Change your request from using HTTP to HTTPS.
I am running two identical API requests to a 3rd party API -- one in postman and the other in NodeJS. The API responds with different set-cookie headers in Postman vs NodeJS.
I've tried:
Copying the headers from Postman headers tab into my nodejs request headers.
Copying headers from the Postman console logs into my nodejs request headers.
Copying Postman's auto-generated axios code.
node-fetch instead of axios.
Turning various settings on/off in Postman.
Every time, the API request in Postman responds with a different set-cookie header than NodeJS. The postman request is receiving the correct session token while the NodeJS request is not.
The API server can somehow tell the difference between the two environments, but how?
Is postman running on a headless browser so that it can "fool" a server checking for browser runtime?
Is postman a true "curl" while nodejs requests are not?
Given that the request headers and body are the same in both requests, which variables might be used to differentiate between a postman request and nodejs request?
I'll answer this myself, for anyone who comes here searching for answers. Apparently, Postman uses some magic configuration to make requests from the browser while bypassing CORS issues.
They call it the "Postman Agent". It seems like it's probably a local proxy in front of a headless browser with CORS turned off (or something along those lines).
You can read about it here: https://blog.postman.com/introducing-the-postman-agent-send-api-requests-from-your-browser-without-limits/
In my case, the issue wasn't caused by a difference between the requests. It was caused by the way the responses were handled. Postman was showing cookies received in an initial 302 response, and then following the redirect. The NodeJS request was following the redirect but not showing the initial 'set-cookie' header in the final response. As soon as I set redirect: 'manual' in nodejs, I could see the correct headers from the initial 302 response.
My current setup for the project I'm working on is:
Next.js
Wordpress backend with GraphQL plugin enabled
They live on two different servers
I would like to be able to make a request from a Next.js page that proxy via an api-route to the Wordpress backend. I want the GraphQL query to be passed along and I would like to be able to modify the request (for example add header, set a cookie etc) before it reaches the Wordpress backend.
I first tried to achieve this using this module: https://github.com/http-party/node-http-proxy and using the .web() request. It almost worked except I got back a response from Wordpress that I wasn't able to decode (tried with Buffer etc, but no success).
So my current way to do this is to make an axios-request from my api route and pass along the req.body in that request, and that setup works.
However, is this way to proxy OK or should I try to make it work with node-http-proxy? Don't know about what possible benefits there are.
Thank you
if you use Axios you will make an extra request when you retrieve data from the source. This will decrease performance. On the other side if you use proxy you will forward the incoming request and this way you will have improved performance.
I have developed a front-end interface using Aja(AngularJS) and HTML5. Right now, I send an HTTP get request to my backend server which returns some data based on the GET parameters.
Since the URL is exposed in the Javascript file, I believe anyone could just use the URL to create there own API to fetch the data. How can I prevent such things ?
One way I could think of is that now instead of directly sending the request to the backend server, an application server could be used (hosting the HTML as well). The Ajax request would then be sent to this server (PHP script ?) which would in turn forward the request to the backend server and return the result to the UI. To prevent 3rd party services, I can disable cross origin requests on my application server.
Is this the correct way to solve my problem or are there better ways to do this? I am concerned that this would unnecessarily create another hop (internal though) for requests.
Note: The backend is running Apache Tomcat
In APIs that are not open to the world the user has to authenticate first in order to use it, see for example https://stripe.com/docs/api#authentication or http://dev.maxmind.com/geoip/geoip2/web-services/ -> Authorization