Liferay jsonws api: how do I get p_auth from a client? - liferay

I'm trying to develop a javascript mobile app that will use a liferay portal jsonws api. I have a username and password. If I try a request using curl with basic auth I can access the resources, but I don't get a token in return, I get a cookie with a sessionid and I have to include username and password in every request. I've no control on the portal. How do I get the p_auth token?

You can use Liferay.authToken to get p_auth from client.
You may go to browser console and type Liferay.authToken to verify that the object is available.
I've used the same object for auth purpose where I was listing down results from JSONW service call. You can save the value in a variable and set anywhere per requirements. I found this the easiest way:
var pAuth = Liferay.authToken;
console.log(pAuth);

Becareful, the parameter p_auth is used to prevent CSRF attack. You can obtain the value with this code:
String pAuth = com.liferay.portal.security.auth.AuthTokenUtil.getToken(request);
TokenUtil is a part of the liferay core, so you must create a hook because the jsp must be in liferay directory, not in a plugin or a portlet because in other classpath you dont have acces to this object.

You can get the authentication token (p_auth) by using Liferay.authToken predefined variable.

Related

How to implement Token auth for Liferay DXP JSON remote services?

I need to enable Token-based authentication for Liferay JSON remote services. In short, a guest user should be able to pass in a token while accessing a service, and this token is validated inside an auth pipeline and allows the user to use the service or deny it.
How to implement this in Liferay DXP 7.0?
If it a custom token handling you need to implement, you could use AutoLogin
to have an access to the HTTP request and handle custom tokens part of header or param fields.
Otherwise, it is more common to use oauth2 tokens as liferay has a good build in handling for this (but I am not sure about the 7.0 version).

Is there any webservice to login to Liferay

Is there any webservice to login to Liferay. Can pass user name and password.
I checked here - host/api/jsonws but unable to find that kind of API.
The result of a login action on a web application is that the session of the current user is populated with appropriate user-related information.
The purpose of a webservice is that some action is executed in the backend, typically isolated.
A webservice is meant to be populated by some program code, where you can't rely on "a cookie to be set", while this is the mechanism that an application uses, because the browser will honor such a cookie. Your API-client might not.
You can just look at the target of the login form to authenticate to Liferay: It's submitted through http(s), and you can do that through an API as well as through a browser.
For subsequent API access, I'd recommend you look into Liferay's OAuth features: That exists as well, and you'll be happier with the relatively new "headless" features than with the legacy jsonws-api. Or use Basic Authentication, as Daniele suggests in his comment.

ReST API: Should I associate the access token with a user in my database

I am building a secure ReST API on a nodeJS server so that my Android application can access the data on my site. Based on reading some other posts, I've come to understand that I should use an access token. So my idea is to do the following:
1) When the user logs in on the Android app, the app sends a request to /api/login on my site, providing the username and password (this of course needs to happen over SSL to guard against eavesdropping).
2) My server validates that the username + password match, and, if so, responds with an access token.
3) The app uses this access token to make all subsequent requests to my API.
My question is should I store the access token in the database on my server? Specifically, should I store the fact that the access token is associated with that particular user? Most tutorials I looked at did not do this, but if I don't, then what is to stop a user with this access token modifying or viewing the data of another user? Don't I need to pair an access token with a user in my database?
try using this library, i did the same type of project and this life saver was my solution.
If you need to build a secure API the things are little more complicated. You need to sign the access token with a private keystore.
Would it be a option to use a authentication service like Auth0? They are generating a JWT token for you and you only need to validate this token. The API is completely stateless. You can find a lib for almost any programming language on their website.
What you want to do is exactly HTTP Sessions do.
So, I think you can just use HTTP Session functionality It's already implemented in WAS frameworks like Django, Spring etc. If NodeJS provide session functionality, Just use session functionality in the framework. If not, look up the HTTP Session library. Maybe you can find many library that treat session implementation.

Validate LTPA token in nodejs

IS there any way to validate LTPA token previously generated from IBM Tivoli federated Websphere Application Server in my nodejs application.
I have checked "ldapjs", but I could not find something to validate LTPA token.
I have written a small library for this purpose: https://www.npmjs.com/package/ltpa
Once you've extracted your server key you can use the library to validate, and generate LtpaTokens.
There is an Java API related with WSLogin - which allows to validate LTPA. (Technically a re-login here)
But I dont think you can use this with Nodejs.
But my preferred way is to use the BASIC authentication using the URL post from your app.
This requires a provider (Websphere) to expose a URL for you.

Spotify API Authorization for cron job

I'm creating a node.js application that will update playlists (owned by an account in which I have credentials) daily. According to the Spotify documentation, to add tracks to a playlist (https://developer.spotify.com/web-api/add-tracks-to-playlist/), authorization must be supplied using oauth2.
I'm struggling to find a way to do this completely server side with no redirects/etc. It seems like if I can get a refresh token, I can just use that?
I've been looking at the spotify web api node module (https://github.com/thelinmichael/spotify-web-api-node), oauth.io, and the spotify api.
Any ideas would be appreciated! There is only one account that will have to be authenticated, so it could be hard-coded at least for now.
You've picked the correct authorization flow - Authorization Code, since you need an access token that's connected to the user who owns the playlists you're updating. This of course also gives you the ability to refresh the token whenever you need to. (The expiration time is one hour, but you don't need to refresh the access token until your application actually needs to use it.)
As a sidenote, the Client Credentials flow is meant for server to server communication that doesn't require a user's permission, e.g. to search, read a playlist, or retrieve new releases. The Implicit Grant flow is meant to be used in frontends, and doesn't allow you to refresh the token.
I'm struggling to find a way to do this completely server side with no redirects/etc. It seems like if I can get a refresh token, I can just use that?
Once you have the refresh token you can continue to use it to retrieve new access tokens, which can be done without any user interaction. You need to do some preparation work to retrieve the refresh token though.
Following the steps describing the Authorization Code flow, you first need to direct the playlist's owner to a URL on Spotify's account server.
The documentation contains the following example URL:
GET https://accounts.spotify.com/authorize/?client_id=5fe01282e44241328a84e7c5cc169165&response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&scope=user-read-private%20user-read-email&state=34fFs29kd09
Simply replace the client_id and redirect_uri with your application's information. Also modify the scope parameter to match the scopes you need, which from my understanding of your use case is playlist-read-private,playlist-modify-private,playlist-read-collaborative since you want to be able to read and modify all of the user's playlists. Supplying state is not required.
Using spotify-web-api-node you can generate this URL using the createAuthorizeURL method, but since you're only doing this once it's unnecessary to write code for it.
Instead, simply open the URL in your browser.
If done successfully, you'll be taken through a little login dance where your application asks for your permission to read and modify your playlists. When this is completed, Spotify's account service will redirect the browser to your redirect_uri URL with a code query parameter included as described in step 3 in the Authorization Guide.
However, since you're only doing this once, it would be enough to start a webserver on your own machine, set your application's redirect_uri to your localhost, and complete the login flow. Have a look at web-api-auth-examples for a ready-made node.js application that fires up an express server and reads the authorization code.
Once you've got the code, you can trade it for an access token using cURL as it's done in step #4 in the Authorization Guide, or use the code in the web-api-auth-examples repository.
Finally, with the tokens retrieved (step #5), you can start to use the Web API with the access token, and get a new one when it expires using the request in step #7.
spotify-web-api-node has a helper method to refresh the token. Search the main documentation for the refreshAccessToken method.
This use case is slightly mentioned in the FAQ section of the Authorization Guide.
As you said, you need to obtain a refresh token using the authorization code flow. For that you will need to carry out the OAuth process using your user account, the client_id of the app you have registered, and the scopes you need (it will vary depending on whether the playlist is private or public). Then, take the refresh token you have obtained and the client secret key of your app, and you can obtain access tokens without the need of the login form.
This related StackOverflow question might help too Spotify automated playlist management with PHP back-end and rate limits

Resources