I am trying to make a POST or GET request to a page that requires login.
Is there a way that I can login before I make the request or a way that I can make the request if I already am logged in on my browser?
Regards,
Alexandru Spinu
I made a little framework that I use to test my node apps. It is only one file and is rather misleadingly called django-endpoint-test here on github - at some stage I do plan to update this - let me know if this helps your scenario.
Related
A novice javascript developer here!
A have a basic question on whats the best and secured way to make HTTP calls from a front application to a backend service that needs an authentication. My application is a SPA (using Vue.js) & getting data from Java services. Java services need authentication details and return sensitive user data.
I see there are a few options and I wanted to understand a better approach amongst all 3-
Making direct HTTP calls from javascript code- Concern for using this approach is, as Javascript code can also be viewed via dev tools in browser, wont it be easier for anyone to do an inspect and view all critical authentication details hence making overall integration less secure?
Making an HTTP call using Axios via Vue framework- Seems like Axios is Promise based HTTP client for the browser that lets you easily make HTTP calls without much code overhead. but is this secure? is Javascript code loaded in the browser? Or the front end code sends the request and axios makes the request from backend server where the application is hosted?
Using Node- If front end application has unique routes configured for each API call and in my application if I have a route mapping to use request module and node js backend code to make those HTTP calls, is that going to be a robust and secure way of integration?
Please let me know your thoughts and apologies if this is a dumb question!
Not dumb at all. You're just learning.
My first question to your answer 😅 will be: is your application server-side rendered or it's sap + backend?
If it's server-side rendered then I would say it's secured since Node will be sending pages with all required data. On the dev tool, you will only see static files being loaded.
However, if it's SAP, I am not sure whether there is a way to hide whatsoever you send to the server from the dev tool. The only one thing you will need to do is to make sure you encrypt whatever is sensitive to your application.
I'm trying to implement this prototype app: https://github.com/agraebe/Take-Me-Home-Now As a disclaimer, I'm fairly new to Node JS and API integration. I'd like to get the code functioning to show that I properly implement this OAuth2 workflow, and saw this app as a good way to practice that.
I'm having trouble obtaining an access token and receive the error: Invalid access token when I go to localhost:1455, and then click the "Login to request ride" button.
I've seen various reasons on stackoverflow. One could be that I need to have requests approved by Uber. I wouldn't think so though, since the code is using sandbox and not production.
My redirect uri is set as https://login.uber.com/oauth/v2/authorize?client_id=client_id&response_type=code with "client_id" set as my client id in that link. I've made sure the redirect uri matches what I have in the app developer account page.
Also, I've hard coded the details into the config.js file, since I've seen someone mention on stackoverflow that storing the environment variables could be an issue from the error I was receiving.
please help...
thanks!
I created the Take-Me-Home-Now app. Assuming you already installed all the dependencies (npm install in the project root folder), here are some things to consider:
You should disable your ad-blocker to ensure that's not the issue
You have to configure your app in the Uber Developer Dashboard:
Create a new app
Go to the authorizations tab and set the following configuration:
redirect url: http://localhost:1455/api/callback
origin url: http://localhost:1455/
general scopes: enable all the scopes (except for the priviliged ones)
Go to the settings tab and copy over the required credentials (client id, server token, and client secret). You will need them to start the NodeJS server, like this: client_id=[1] client_secret=[2] server_token=[3] redirect_uri=[4] mashape_key=[5] node app.js
In order to make use of the gender-awareness feature, you'd need to get an account with Mashape (Face++). As you might have realized already, the start command above also requires this key.
When you register your app with uber, you will have to define a callback URL. Even if it is your development machine (i.e. localhost:1455) When you send the request to the Auth server, you provide a client_id, response_type and callback_url.
When the user successfully authenticates, Uber sends back a code (hence the response_type=code) as a URL parameter to your callback URL. This code is NOT the token. This code is then used to get the token using the client_id, client_secret and code.
I would suggest doing some reading on how oAuth works to get a better understanding.
I'm developing an api server in (NodeJs/ hapi) coupled with an android application.
I'm having a problem understanding how to do login via a third party like google and facebook.
So far my strategy is:
authorize my app(android)
get the email and other data from google/facebook(android)
Send email and data to my server and save it in a database(server)
Next time when authentication. I'll just check the same data(from google) against the save data(my server).
I'm pretty sure there is a better way to do it, but the documentation I have read so far leave me with a head ache.
Help is appreciated.
I just setup a demo project using ExpressJS.
It would be interesting to have a fork for Hapi.
Check it out if want: http://git.io/RHnjBg
I have developed a front-end interface using Aja(AngularJS) and HTML5. Right now, I send an HTTP get request to my backend server which returns some data based on the GET parameters.
Since the URL is exposed in the Javascript file, I believe anyone could just use the URL to create there own API to fetch the data. How can I prevent such things ?
One way I could think of is that now instead of directly sending the request to the backend server, an application server could be used (hosting the HTML as well). The Ajax request would then be sent to this server (PHP script ?) which would in turn forward the request to the backend server and return the result to the UI. To prevent 3rd party services, I can disable cross origin requests on my application server.
Is this the correct way to solve my problem or are there better ways to do this? I am concerned that this would unnecessarily create another hop (internal though) for requests.
Note: The backend is running Apache Tomcat
In APIs that are not open to the world the user has to authenticate first in order to use it, see for example https://stripe.com/docs/api#authentication or http://dev.maxmind.com/geoip/geoip2/web-services/ -> Authorization
I have an action that retrieves some data from the DB and then I wanted to check that the data it have received is correct before it continues on with authentication. I am using invite codes to allow people to log into a public site that is for private corporate use only. I am able to get the data just fine, but the aftermodel is firing before the request is completed. I am making a call to an azure mobile service and the call is still in pending (according to chrome) when the aftermodel is firing off. Seems like it hasn't received the data at that point.
What is the best method to get this verification working properly? Once it verifies it would then allow them to log in with an external provider.
Please, look at this discussion: Ember authentication best practices?
If you don't need an Auth engine, then you could implement "verifying data" in beforeModel hook. Why beforeModel? Because if data is not correct, then app should redirect user to another page, and beforeModel is made for this logic: http://emberjs.com/guides/routing/preventing-and-retrying-transitions/#toc_aborting-transitions-within-code-model-code-code-beforemodel-code-code-aftermodel-code