Github API OAuth token validation - node.js

Is there any way to validate my OAuth token for the github API? By 'token' I mean the one I get after the user has logged in to my website. I store it on the client computer using cookies, but just checking if there is a token is not enough: I need to actually check if the token is valid or not. Currently this requires me to make a request for information and then catching the errors. However, this is really damaging my rates and also my load speed as the github API is sloooow... I am using Node.js, express and the octonode library.
I tried looking at the github API docs, but they are minimal. Maybe this is to do with OAuth.

Check headers to see what OAuth scopes you have, and what the API action accepts:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/1.1 200 OK
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user

From the Github API docs on authorizations:
OAuth applications can use a special API method for checking OAuth token validity without running afoul of normal rate limits for failed login attempts.
Authentication works differently with this particular endpoint. You must use Basic Authentication when accessing it, where the username is the OAuth application client_id and the password is its client_secret. Invalid tokens will return 404 NOT FOUND.
You can do this with curl:
curl -u client_id:client_secret https://api.github.com/applications/:client_id/tokens/:token
Or, if using fetch, use Curl to Fetch.
This is compiled from the helpful comments on the OP's question.

curl -H "Authorization: <TOKEN>" https://api.github.com/
Or
curl https://api.github.com/ -u <USERNAME>:<TOKEN>

Related

How does Oauth2 (Bearer token) work when getting access_token

I will start off by saying I have followed a guide of how to make a secure API using FastAPI (https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/).
What happens is that you will have two api which one is post and get
POST is where you pass the
curl -X POST "http://127.0.0.1:8000/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=&username=hello&password=world&scope=&client_id=&client_secret="
GET is an api that requires the access_token Bearer to be able to access the API etc http://127.0.0.1:8000/getUser
Now I am pretty confused on how safe you can run the application because what makes me confused is that I would need to make a POST request with my username and password to the API which will return me access_token and I believe with that access_token I later on access the next api which is http://127.0.0.1:8000/getUser? Is this the correct way or am I out of scope?
Because what makes me unsafe is that if I now lets say "hardcode" my username and password into a python script and someone manages to reverese engineer the script/exe/whatever (Maybe even see through network what is sending as params/data)- they will be able to access my token in that case. So what would be the suggestion here?
It's a pretty broad question. A good place to start is probably the OAuth2 RFC 6749.
Some of the foundational understanding that need to get right as a first step is:
A precondition of OAuth2.0 is TLS. Assuming you're using TLS 1.2 or 1.3 with appropriate cipher suites, we can safely assume network sniffing is not a possibility
If you're using OAuth2.0 on behalf of a human user, you'd use "Authorization Code" or "Password Credentials" grant types where the user would enter the username password manually
If you're using OAuth2.0 on behalf of the client itself (NOT a human user), you'd use "Client Credentials" grant type
All these grant types have different flows. Since you've mentioned about hard coding, I'm assuming you're referring to the use case mentioned in point no. 3. Hard coding secrets is NEVER an option. The most secured way to handle this is, storing the secrets in a Vault. A less secured option is to store the secret in a separate file in encrypted form.
I'll recommend you to read the following answers as well:
https://stackoverflow.com/a/59433000/1235935
https://stackoverflow.com/a/54011649/1235935
https://stackoverflow.com/a/54258744/1235935
https://stackoverflow.com/a/59464645/1235935

Generate personal access token in github using api

Is there any way I can login to my github account via my username and password and generate personal access token using api ?
per this blog post, they've deprecated the OAuth Authorizations API, that support generating personal access tokens.
so now, you'll have to generate it using the web settings page.
Calls to OAuth Authorizations API
If you're making OAuth Authorization API calls to manage your OAuth app's authorizations or to create personal access or OAuth tokens like:
curl -u my_username:my_password -X POST "https://api.github.com/authorizations" -d '{"scopes":["public_repo"], "note":"my token", "client_id":"my_client_id", "client_secret":"my_client_secret"}'
Then you must switch to the web application flow to generate access tokens.
I found the solution. With reference to GitHub documentation https://developer.github.com/v3/guides/getting-started/#authentication I got it passed and able to make a python script that can serve my purpose.
Here is what should work (Postman example):
POST https://mycloud.example.com/api/v3/authorizations
{
"note" : "example-1",
"scopes" : [
"repo"
]
}

Full Oauth2 Authentication Flow with Vue.js Client and Express.js Server Using Passport.js

I have a problem understanding how to use the Bearer Access Token received from an OAuth2 authentication flow.
In my case the client is Vue.js, the server is Express.js and the authentication middle layer is Passport.js.
The configuration of Passport and authentication flow is standard:
It is an OAuth2 Passport strategy (in my case Asana)
On the server there is routing /auth/asana that calls passport.authenticate.
On the server there is routing /auth/asana/cb for the call back from Asana.
And there is a success URL pointing back to the client.
Step by step this is what I do:
On the client/home user clicks "Authenticate" and I do a redirect to server/auth/asana.
server/auth/asana using Passport.js redirect to Asana so user can authenticate.
server/auth/asana/cb receives the authenticated user back from Asana.
server/auth/asana/cb redirect the user back to client/home.
From client/home I now want to start using the API to fetch data.
Here is 3 questions:
On the server (Express.js where Passport.js is used), how to I get the Bearer Access Token?
On the client (Vue.js), where should the Bearer Access Token be stored so it can be used in requests against the external API (in this case Asana)?
How should the Bearer Access Token be transferred from the server (Express.js) to the client (Vue.js)?
Please note that I've read lots of articles on this and the steps 1 to 4 is fine, the code to authenticate etc. works well. But it seems I am missing something fundamental here since none of the articles explain how to actually use the Bearer Access Token once authenticated.
As per the Asana API documentation, the access_token shall be passed into the Authorization header, like the following:
curl https://app.asana.com/api/1.0/users/me \
-H "Authorization: Bearer ACCESS_TOKEN"
It's the standard way of passing an access token for OAuth2 based API. If you still struggle to get it through, you can use an API-tool (like Pizzly) that takes care of the OAuth dance for you.

OAuth access Jira with google token?

I am using this npm to authenticate through Google to the system.
I have Jira atlassian, that uses Google to authenticate.
Question
Is it possible to use the token that I received from Google, and use it to authenticate into Jira's API of that user to gather information from Jira such as grabbing all tasks assigned to me, and such?
Or do I have to make OAuth specify for Jira ?
Of course you can do this, that is the point of delegated authentication.
Google will send you an authentication token when user will logs in.
I never work with google. I always used keyclock (3 part OAuth provider). But that is a beauty of a spec it should work everywhere the same.
It will be save in the cookie.
It will have o form of JWT.
You have to attache is token to the request that you send to the jira API.
You can try this with curl first
curl -i http://dev.myapp.com/api/jira ... \
-H "Authorization: Bearer Ym9zY236Ym9zY28=afsfdsf...."
You can find the token when looking at the network traffic in your browser.
Let me know how it went. And if I can help further. I have a pretty good understanding of the OpenIDconnect and OAuth 2.0 standards.

Using Passport module in Nodejs for OAuth

I am new to Node.js, OAuth.
I am developing a web app using Nodejs. My application is interacting with the third party API to get data. Per documentation of API "All methods in this third party API take OAUTH authentication parameters in request header"(that's it no more details)
I decided to use Passport module of Node.JS to achieve this(http://passportjs.org/guide/oauth/).
My Problem is I am unable to understand how to proceed with this. Let say we have an API method "http://api.travel/getAllLocation" which returns all locations where user can travel.
Can someone pls help here by providing example how to use NodeJS, Passport to get required data from webservice .
[Update]
Have found this answer which is trying to achieve the same thing. But how to achieve the same using Passport
How to send the OAuth request in Node
It sounds to me as if you're trying to use Oauth to access someone else's API correct? If that's the case, you need to interact with the API by doing this:
Requesting an Oauth token given an API key.
Putting that token into your HTTP Authorization header so that the third-party API can identify and authenticate you.
The way you can request an API token (typically) via the command line using cURL is as follows:
$ curl -v --user api_key_id:api_key_secret -X POST https://api.something.com/v1/auth?grant_type=client_credentials
This will typically return some sort of token (hopefully a JSON web token!) that you can then use to identify yourself. Here's an example cURL request that properly specifies a token:
$ curl -v -H "Authorization: Bearer tokenhere" https://api.something.com/v1/blah
Using Node, you can craft these HTTP requests with the https://github.com/request/request library. Again, if you link us to the exact docs, I can help ya further =)

Resources