I'm using OAuth authorization on my back-end server. The thing is locally, when a user tries to send an unauthorized request, the server returns 401. The problem is when I push the sever, an unauthorized request send 500 instead of 401. The server doesn't throw any exception, since I check the logs and everything, and there are no exception.
Related
Imgur API, as every other API, requires an access token. I get it through their original collection of API inside Postman. Though I may not set access token inside my Node app, all HTTP requests calls just work, I do not completely understand why.
What should I need to do to refresh my access token once it is expired without manually touching Postman collection?
In Postman, I click "Get new Access token" and yet it does not show how Postman gets it - what type of request, what payload - almost nothing. That is why I am asking this question. Because I cannot replay the request of getting new access token in my Node app.
I have deployed Backend on Heroku & frontend on Netlify. After sending login request from frontend, I am getting a token, which I'm setting using React-cookie from frontend, so token(cookie) is accessible to me. But, when I goto dashboard, their I have to make authorized request to backend, which I'm not able to do so far. How can I make Requests from frontend and what format should I make requests ? I have given netlify site url to backend when I'm using cors. But, whenever I'm making request from frontend, It is giving me 401 error, saying that unauthorized access, I think i have to pass cookies from frontend as well, how can i send it in headers ?
I'm trying to authenticate with a third party API using OAuth 2 via a NodeJS + Express REST api. We're doing this through a ReactJS webapp
The current flow is that we send a request to our Express API from the front-end with the Fetch API, with a username as parameter
This request builds an authUrl object containing a redirect_url and then responds with
return res.redirect(authUrl);
When we initiate this endpoint straight from the browser, we get redirected to the Third Party API, and after authenticating a user is successfully created.
But the problem lies when we try to send a request to this endpoint from the front-end.
We added CORS headers to our Express app so we can reach this endpoint, but it still gave us the following error:
Fetch API cannot load OUR ENDPOINT. Redirect from 'OUR ENDPOINT' to 'THIRD PARTY API' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.
When we just do a res.json(authUrl) instead of res.redirect(authUrl) we retrieve a proper response containing the URL. But redirecting doesn't seem to work.
We experimented a bit with different headers but can't seem to find a suitable solution.
So we were wondering does res.redirect() handle requests differently? Are we implementing the OAuth flow properly? Do we need specific headers?
Any help would be welcome!
Summary of our flow:
Browser receives request for front-end
User enters his name and clicks the signup button
Our Rest API receives the request and builds an authentication url
Rest API sends a response that redirects the browser to the authurl.
After successful authentication, third party sends a confirmation to the callback endpoint of our Rest API.
With the confirmation, the Rest API then sends another request to the third Party API.
Rest API sends a response back to ReactJS app with the token.
I am developing a RESTful API using authentication tokens.
The workflow is simple; the client does a /getAuth request, sending user credentials, which returns a token for that user.
The user then passes the token in all the following requests to the API as an header. After some time/ number of calls (decided by the server) the token expires. When a request with an expired token in its headers reaches the server, the response status is 401 Unauthorized.
In that case, the user must ask for another token with /getAuth, and so on.
The problem I am facing is that when a request is unauthorized for any other reason (accessing an unauthorized resource), the API also returns 401 Unauthorized. At this point, the client cannot know if it is trying to access something he cannot access, or if its user token is expired. Without any way of knowing that, it would ask for a token again, and replay the same request, thus getting a 401 again and so on.
So my question is : should a RESTful API return a different status code, or error message, for an expired token than the status and error returned for an unauthorized request, or should the client find some way for managing that ?
The solution I found client-side would be to save each request url and not retry a request which fails with a fresh (just received) token. But I think its very dirty.
After the token expired, the client is no longer authorized, so returning a 401 Unauthorized header makes sense.
The problem I am facing is that when a request is unauthorized for any other reason (accessing an unauthorized resource), the API also returns 401 Unauthorized. At this point, the client cannot know if it is trying to access something he cannot access, or if its user token is expired.
If the (authorized) client tries to access a resource and doesn't have proper privileges, you should return 403 Forbidden.
I've been able to setup JHipster successfully using both Token and OAuth2 authentication. With both I can login using the default admin/admin account. However, in both cases, I get 401 errors when I want to access any API endpoint, i.e: http://127.0.0.1:8080/api/users
It renders a page with the following message:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Access Denied
Am I missing anything obvious?
Are you seeing any the spring security errors in the logs? Your angular session should be passing your recently acquired auth token for the admin user as part of the request to the api. If you want to access the api again outside of angular eg curl/Java client you'll need to request a new token for the user eg https://github.com/reddit/reddit/wiki/OAuth2-Quick-Start-Example