I am trying to setup a node.js application to use the Elance API using OAuth2.0
I am using passport.js to connect to the elance api and so far am able to get the code properly.
Before using the api methods, I then need to obtain the request token using a post request.
However, I am getting a 'Code Already Used' error.
Here's my callback code
app.get('/callback',
passport.authenticate('elance', { failureRedirect: '/failure' }),
function(req, res) {
console.log('CODE : ' + req.query.code); // this is getting displayed properly
var payload = {
code: req.query.code,
grant_type:'authorization_code',
client_id: auth.CLIENT_ID,
client_secret: auth.CLIENT_SECRET
};
request.post('https://api.elance.com/api2/oauth/token/', payload)
.then(function(response) {
var x = response.getBody();
console.log('resp::::'+x);
res.redirect('/success');
});
});
I am using requestify to perform the post request and am not using/calling to the server with the temporary code.
Here's the generated error:
... [Sat, 29 Mar 2014 05:54:15 GMT] "GET /callback?code=F9t-zztOLJ3IOlbGXlsqous686HstXqkv7etrvEnF11Vg4M HTTP/1.1" - - "-" "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"
InternalOAuthError: Failed to obtain access token (status: 401 data: {"errors":[{"code":null,"description":"Code already used."}]})
Perhaps the proper way of implementing this with Elance is to write a strategy. Just use one of the other ones published like Facebook as a model, or a simpler one like GitHub. It should be fairly straightforward, and better encapsulated. Here's a complete list: http://passportjs.org/ if you want to explore. Better yet, making this module reusable, others can then benefit from it in a more standard way.
Strategies will exchange the code for the token for you. Likely the reason the code is used and you get that error. That is part of the the standard OAuth2 flow.
I had the same problem, and had to work with Elance support to get it figured out. This error occured for me because multiple simultaneous requests were coming in for the same user from multiple threads/servers with the same API key.
In my case, it was a pool of server threads that were doing background work and we needed to synchronize the login so it only happened once. Multiple threads can re-use the same access_token, just not apply for a code and then an access_token/refresh_token in parallel.
This could also happen because you have multiple people / build servers running test cases which are asking for codes and then access_tokens in parallel.
Following are the points which seems to be vital in order to receive the token:
Setting the correct content-type and Content-Length values.
The request should be a HTTPS request.
Method should be POST.
I also installed and used Open SSL, just to avoid any issue caused due to non secure calls made by the server.
Calls made using Requestify were failing each time, even when I set the identical header information mentioned in #1 above. As visible in the attached screenshot, it works fine with normal https request calls.
JSON response from subsequent queries was obtained from the following code:
var request = require("request");
var jobURL = 'https://api.elance.com/api2/jobs/my?access_token=' + _token;
request(jobURL, function (error, response, body) {
res.write(body);
res.end();
});
Related
we are trying to call POST api to generate certificate for renewal of certification. However as per the 3rd party API reqirement, we need to validate Kerberos authentication. We have tried many thhings with no luck.
We are getting 401 unauthorized error when we are trying to run it.
Tech stack: Node.js, Javascript, Kerberos auth, Linux OS.
Code snippet:
const axios = require('axios');
const data = {
Request: "-----BEGIN CERTIFICATE REQUEST-----<csr key>-----END CERTIFICATE REQUEST-----",
CertificateTemplateName: "DBAPI1Y",
PrimaryEmail: "test#test.com"
};
axios.post('http://dummyurl.com/webapi/SubmitRequest', data, "Negotiate")
.then((res) => {
console.log(`Status: ${res.status}`);
console.log('Body: ', res.data);
}).catch((err) => {
console.error(err);
});
Tried this approach with no luck: How do I use Negotiate or Kerberos authentication with axios?
Can someone please help?
I was unable to find any traces of Negotiate support within axios. Your linked post says that in browsers it would work automatically, which is indeed true for any in-browser JavaScript (that uses Fetch or XMLHTTPRequest behind the scenes) – but the node CLI is a different world. When run through Node CLI, axios will use the HTTP client provided by Node, which doesn't do Kerberos.
It seems that you will need to implement this manually, by using the krb5 module to get a token, then telling axios to send it in the Authorization header – similar to Bearer tokens.
The following example seems to kind of work, although not very pretty – it cannot cope with '30x' redirects:
const axios = require("axios");
const krb5 = require("krb5");
// The service is "HTTP" (uppercase), regardless of the URL being http or https.
token = await krb5.spnego({hostbased_service: "HTTP#dummyurl.com"});
resp = await axios.post("https://dummyurl.com/webapi/SubmitRequest",
data,
{
headers: {
"Authorization": `Negotiate ${token}`,
},
// SPNEGO tokens are single-use, so if Axios tries to
// follow redirects, the 2nd request will be rejected
// as a "replay". So tell it to not even try.
maxRedirects: 0,
});
(I have no experience with writing "proper" Node.js code, especially async-based code, and while in theory it should be possible to use axios' transformRequest to dynamically get a new token for each request, I was unable to figure out how to do it within a sync function.)
In general, I would probably do the task in Python instead (which has well-maintained Kerberos integration using requests-gssapi or httpx-gssapi for Requests or httpx respectively).
Note that Kerberos doesn't ensure data integrity for HTTP, so you must still use HTTPS with it, otherwise someone could still simply MitM the requests.
Apart from the above approach suggested by #user1686, I have solved the problem using NTLM authentication. Specifically, I have used the httpntlm module.
By using the httpntlm package, we don't need to deal with kerberos packages as all the kerberos packages have many dependencies on node-gyp.
Thus, it's better to use some other solution apart from the kerberos related packages.
Note: This solution worked for me, but it will vary from use case to use case.
I'm trying to consume a tone analyzer service from a nodejs app. I get unauthorized access problem, but these credentials work fine when I use them in a curl.
Running locally, in my app.js file I've included the data of the tone analyzer as follows:
var ToneAnalyzerV3 = require('watson-developer-cloud/tone-analyzer/v3');
var toneAnalyzer = new ToneAnalyzerV3({
version: '2017-09-21',
iam_apikey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
});
Then I've added this, so my app listens for post requestes in the /tone url:
app.post('/tone', function(req, res, next) {
var params = {'tone_input': req.body}
toneAnalyzer.tone(params, function(err, data) {
if (err) {
return next(err);
}
return res.json(data);
});
});
But when I call it I get "Unauthorized: Access is denied due to invalid credentials".
The thing is that these credentials work fine in curl:
curl -X POST -u "apikey:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" --header "Content-Type: application/json" --data-binary #tone.json "https://gateway-lon.watsonplatform.net/tone-analyzer/api/v3/tone?version=2017-09-21&sentences=false"
{"document_tone":{"tones":[{"score":0.6165,"tone_id":"sadness","tone_name":"Sadness"},{"score":0.829888,"tone_id":"analytical","tone_name":"Analytical"}]}}
The reason you are getting unauthorised errors when running locally is that your service is hosted in https://gateway-lon.watsonplatform.net. If you don't specify an endpoint / url in your ToneAnalyzerV3 constructor then the API / SDK defaults to Dallas. So although your credentials may be correct for London, they are not correct for Dallas.
When you deployed your app to the cloud (which I guess was to the London location), you probably bound the service into your application. This sets environment variables allowing the SDK to determine the endpoint.
You constructor should look like:
var toneAnalyzer = new ToneAnalyzerV3({
version: '2017-09-21',
iam_apikey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
url: 'https://gateway-lon.watsonplatform.net/tone-analyzer/api',
});
I don't see problem with code (also never used watson stuff), but you may check the following point :
How the request you really send is formated : Because I see that you send param that is not present in your curl request.
Is your function using POST aswell (you don't provide much detail on what the call to toneAnalyzer.tone does exactly) ? Maybe it's a conflict of headers or Content-Type.
Do you use a proxy (enterprise settings or stuff like that) ? If you do, you may check that node is correctly using it.
You should also provide a bit more details on what exactly your tone object do, and try to find where the call to the IBM API is done.
I am working on creating a Node.js REST API, using the Express module, that redirects HTTP GET and PUT requests to another server. However, when running test queries in Postman, I always get HTTP 401 Unauthorized responses. Yet, when I try the same on query on the Chrome browser I get a successful response (HTTP 302). I read through some documentation on the HTTP request/response cycle and authorization. The server I am redirecting to uses HTTP Basic authentication. In my code I am redirecting the API call to my application server using the res.redirect(server) method. In my Postman request I am setting the username/password in Authorization tab for my request. I know this is gets encoded using base64, but I am guessing this isn't being passed on the redirect when done through Postman.
The following code snippets show what I've created thus far.
This is the Express route I created for GET requests
app.get('/companyrecords/:name', function(req, res) {
var credentials = Buffer.from("username:password").toString('base64');
console.log(req);
var requestURL = helperFunctions.createURL(req);
res.redirect(requestURL);
});
I define a function called createURL inside a file called helperFunctions. The purpose of this function is set up the URL to which requests will be directed to. Here is the code for that function.
module.exports.createURL = function (requestURL) {
var pathname = requestURL._parsedUrl.pathname;
var tablename = pathname.split("/")[1];
var filter = `?&filter=name=\'${requestURL.params.hostname}\'`;
var fullPath = BASE_URL + tablename.concat('/') + filter;
console.log(fullPath);
return fullPath;
}
Where BASE_URL is a constant defined in the following form:
http://hostname:port/path/to/resource/
Is this something I need to change in my code to support redirects through Postman or is there a setting in Postman that I need to change so that my queries can execute successfully.
Unfortunately you can't tell Postman not to do what was arguably the correct thing.
Effectively clients should be removing authorisation headers on a redirect. This is to prevent a man-in-the-middle from sticking a 302 in and collecting all your usernames and passwords on their own server. However, as you've noticed, a lot of clients do not behave perfectly (and have since maintained this behaviour for legacy reasons).
As discussed here however you do have some options:
Allow a secondary way of authorising using a query string: res.redirect(302, 'http://appServer:5001/?auth=auth') however this is not great because query strings are often logged without redacting
Act as a proxy and pipe the authenticated request yourself: http.request(authedRequest).on('response', (response) => response.pipe(res))
Respond with a 200 and the link for your client to then follow.
I am trying to get data of below url using sync-request module.
https://api.github.com/repos/rethinkdb/rethinkdb/stargazers
I get the data when i call it in browser or through postman.
But i am getting 403 forbidden error when calling it using sync-request in my node api.
My code looks like this.
var request = require("sync-request");
var response = request('GET', 'https://api.github.com/repos/rethinkdb/rethinkdb/stargazers', {
headers: {},
json: true
});
I am able to fetch data of many other api's but not this one. Please help.
Response body already contains the explanation:
Request forbidden by administrative rules. Please make sure your request has a User-Agent header (http://developer.github.com/v3/#user-agent-required). Check https://developer.github.com for other possible causes.
It will work like:
var response = request('GET', 'https://api.github.com/repos/rethinkdb/rethinkdb/stargazers', {
headers: { 'User-Agent': 'Request' },
json: true
});
The use of sync-request is strongly discouraged because synchronousness is achieved via a hack and may block the process for a long time.
For sequential execution request-promise can be used together with async..await.
Try to use an access token along with the GitHub API call
like this
[https://api.github.com/repos/rethinkdb/rethinkdb/stargazers?access_token=f33d1f112b7883456c990028539a22143243aea9]
As you say the API works in the browser it should not be an issue.
When you use too many calls through the GitHub API they they give the following message
{
"message": "API rate limit exceeded for 192.248.24.50. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
"documentation_url": "https://developer.github.com/v3/#rate-limiting"
}
To overcome this issue you can use an access token using an access token you can to access the private repositories in your account as well .
Here is the link for to get an access token [https://github.com/settings/developers]
I'm currently tasked with accessing data from the Department of Transportations QCMobile API, located here.
I've made an account and have obtained my key. I've tried accessing it through Ajax calls, Node's Request and https modules, and now I'm just trying to get a response via Curl.
Every time I try to access it I get the same error: error 403, Forbidden.
My URL appears to be properly formed, as seen here:
https://mobile.fmcsa.dot.gov/qc/services/carriers/44110/basics?webKey=xxxx
When I run it from Node or from an Ajax call, I only get 403, Forbidden.
Here is my relevant Node code:
this.url = 'https://mobile.fmcsa.dot.gov/qc/services/carriers/' + dotNumber + '/basics' + '?webKey=' + this.webkey;
this.options = {
method: 'GET',
uri: this.url,
};
this.getDoTData = function() {
request(this.options)
.then(function (response) {
// Request was successful, use the response object at will
console.log(response);
})
.catch(function (err) {
// Something bad happened, handle the error
console.log(err);
});
}
When I run it via Curl, I get the same 403 with some extra detail:
curl: (56) SSLRead() return error -9806
I was wondering if anyone has any ideas as to if I'm accessing this API incorrectly. There doesn't appear to be much documentation, and the page on their site where you can submit technical questions seems to be broken.
Thanks for any insight.
This web service seems to be down for the time being. These problems started during the maintenance window on weekend of Nov 18th, and it has been in varying degrees of non-operation since then.
This is the response I got from FMCSA customer support today:
I do apologize about the inconvenience however, we have been experiencing technical difficulties with the App for a few weeks now. Our IT department is currently working on it however, at this time I do not have an exact time on when it will be fixed.