Fetch() authentication failed - javascript

Originally we sent the authentication in the URL as
http://root:root#172.19.50.30/mjpg/video.mjpg?resolution=1024x768&compression=70
and that worked fine. As long as the password wasn't using special characters, this worked. But bad practice and Chrome forced me to do it differently.
The Wireshark header for this request:
GET /mjpg/video.mjpg?resolution=1024x768&compression=70 HTTP/1.1
Host: 172.19.50.30
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.19.50.30/local/ipsloitering/index.html?&language=en-US
Connection: keep-alive
Authorization: Digest username="root", realm="AXIS_00408CC561BC", nonce="7kRiObt8BQA=b937e181325fd66b88f1179eb1f5efe649c49e66", uri="/mjpg/video.mjpg?resolution=1024x768&compression=70", algorithm=MD5, response="5f31e9a6fe08992737bacd47bf4131a5", qop=auth, nc=00000001, cnonce="33c8306da3831b3a"
To allow for other characters, and use chrome, I used following JS Code:
fetch(url,
{
method:'GET',
headers: {
'Authorization': 'Basic ' + btoa("root:root")
},
}
)
and the response is
GET /mjpg/video.mjpg?resolution=1920x1080&compression=70 HTTP/1.1
Host: 172.19.50.30
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.19.50.30/local/ipsloitering/index.html?&language=en-US
authorization: Basic cm9vdDpyb290
origin: http://172.19.50.30
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Date: Tue, 11 Dec 2018 08:54:07 GMT
Server: Apache/2.4.27 (Unix) OpenSSL/1.0.2k
WWW-Authenticate: Digest realm="AXIS_00408CC561BC", nonce="LqVkObt8BQA=f5ede433bcdc7b2d1a7b12c0763156e9d45b8972", algorithm=MD5, qop="auth"
Content-Length: 381
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
How do I get the fetch() to use Digest, or what is causing this?

Related

Can't use `Authorization: Token xxx` header as identification to request data

When I login the rest_auth API, I get the data:
{"key":"727ac2daf3f0ad2fa1cd13e0905e9941d721f49b","user":{"username":"111111#gmail.com","first_name":"","last_name":"","email":"111112#gmail.com","last_login":"2021-05-18T16:35:12.982804+08:00"}}
but when I use the key as identification to request data, I get 403 forbidden error:
[General]
Request URL: http://127.0.0.1:8000/api/CNAME/list/
Request Method: GET
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:8000
Referrer Policy: strict-origin-when-cross-origin
[Response Headers]
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://127.0.0.1:8080
Allow: GET, HEAD, OPTIONS
Content-Length: 43
Content-Type: application/json
Date: Tue, 18 May 2021 08:35:13 GMT
Server: WSGIServer/0.2 CPython/3.5.2
Vary: Accept, Origin, Cookie
X-Frame-Options: SAMEORIGIN
[Request Headers]
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Authorization: Token 727ac2daf3f0ad2fa1cd13e0905e9941d721f49b
Connection: keep-alive
Host: 127.0.0.1:8000
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

XMLHttpRequest formatting issue

The following code is used to connect to an API and get data.
function req() {
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://url/api");
xhr.setRequestHeader("Accept", "*");
xhr.setRequestHeader("uid", "1234");
xhr.setRequestHeader("x-api-key", "1234");
xhr.send();
}
The function is called via a button
The API is confirmed working with postman. Firefox displays the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
The interesting problem is that when inspecting with Firefox, the set headers seem to be misaligned
Host: url
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: uid,x-api-key
Origin: null
Connection: keep-alive
I can edit this in Firefox to the correct way:
Host: url
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
uid: 1234
x-api-key: 1234
Origin: null
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
And will get successful state 200
What could be the issue of wrong formatting when using js?

couchdb response with 400 status posting to _user db using aurelia fetch client

This is kind of strange. I make a rest post call to couchdb 2.0 to update the user database and I get back a 401 status message "error=bad_request" and "reason=Referer header must match host."
However if I change the "post" to "put", then it is happy and returns status of 201 as expected. I could continue use puts, but that isn't the standard.
Suggestions?
POST http://localhost:5984/_users/org.couchdb.user:test1 HTTP/1.1
Host: localhost:5984
Connection: keep-alive
Content-Length: 364
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
content-type: application/json
Accept: */*
DNT: 1
Referer: http://localhost:9000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: io=YBMMIY0pejGjeHV9AACO; AuthSession=foo
{
"_id":"org.couchdb.user:test1",
"_rev":"1-8e2136e07f62238327f87d1ae54a29df",
"type":"user","roles": "user"],
"name":"test1",
"email":"test1#foo.bar",
"fullName":"Test1 esq",
"phone":"555-555-5555",
"id":"org.couchdb.user:test1",
"password_scheme":"pbkdf2",
"iterations":10,
"derived_key":"0e076f6f85f1389fd90ff181d433e1438e8e30a4",
"salt":"37f590de042f07956f6cc11b8a9eb012"
}
Response
HTTP/1.1 400 Bad Request
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Connection: close
Content-Length: 67
Content-Type: application/json
Date: Thu, 29 Dec 2016 23:15:25 GMT
Server: CouchDB/2.0.0 (Erlang OTP/17)
X-Couch-Request-ID: b45ec52b5c
X-CouchDB-Body-Time: 0
{"error":"bad_request","reason":"Referer header must match host."}
**This works**
PUT http://localhost:5984/_users/org.couchdb.user:test1 HTTP/1.1
Host: localhost:5984
Connection: keep-alive
Content-Length: 364
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
content-type: application/json
Accept: */*
DNT: 1
Referer: http://localhost:9000/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: io=62j8pWngSUNyLwKjAACX; AuthSession=xyyz
{
"_id":"org.couchdb.user:test1",
"_rev":"1-8e2136e07f62238327f87d1ae54a29df",
"type":"user",
"roles":["user"],
"name":"test1",
"email":"test1#foo.bar",
"fullName":"Test1 esq",
"phone":"555-555-5555",
"id":"org.couchdb.user:test1",
"password_scheme":"pbkdf2",
"iterations":10,
"derived_key":"0e076f6f85f1389fd90ff181d433e1438e8e30a4",
"salt":"37f590de042f07956f6cc11b8a9eb012"
}
So, you have troubles with mismatching referrer and expected host because of different port numbers. According to this https://github.com/couchbase/couchdb/blob/2.5.1.1/src/couchdb/couch_httpd.erl#L344
you can place X-Forwarded-Host header with your value - localhost:9000

Login to site with js/php code

I've caught this packet sent from my browser to X site when I login:
POST http:/page_to_login HTTP/1.1
Host: host_name
Connection: keep-alive
Content-Length: 63
Accept: application/json, text/javascript, /; q=0.01
Origin: http:/host_name.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://name_host.com
Accept-Encoding: gzip, deflate
Accept-Language: en,it-IT;q=0.8,it;q=0.6,en-US;q=0.4
Cookie: __gads=ID=ba4aa3e1f26167ce:T=1420379969:S=ALNI_Max051cucDaIPAjfr_u43Jz3tF-eQ; mlUserID=qoqCnShSTTHg; ebNewBandWidth_.name_host.com=2137%3A1424452854024; ff11_lastvisit=1424960092; ff11_lastactivity=0; __adnt_intro=1; __utma=85431950.643346397.1420379964.1425039982.1425049087.44; __utmb=85431950.10.10.1425049087; __utmc=85431950; __utmz=85431950.1425032713.42.10.utmcsr=dotnethell.it|utmccn=(referral)|utmcmd=referral|utmcct=/forum/messages.aspx; sly_cook_fc=17313 18 0_; comp_drogat-premier-leagueLeghe2015Quad=0=87834; _ga=GA1.2.643346397.1420379964; _gat=1; rta_nxtml=
And this is how the password and username have sent to the server:
{"u":"my_username","p":"my_password","aliaslega":"","check":"u1-L12"}
How can I encapsulate this information and create js/php functions to automatically login to X site?

Ajax CORS iframe, cookie not set

i have an iframe with src set to (let say) domainA.com and parent url is domainB.com, from this iframe i make an ajax call to domainA.com/ajax.asp, this works in chrome and firefox, but not with safari and IE. bellow are complete header request for chrome and safari.
REQUEST HEADER (Chrome)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
Cookie: userid=1025; ASPSESSIONIDAQCQASBD=IDGHMLJDBHOKJFBIKMCNDHDA; ZZZZZ=here
REQUEST HEADER (Safari)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
as you see, there is no Cookie header in safari, based on explanation from this page the problem is that Cookie stuff (if i not mistaken). how to make it work without Cookie, should i do something on response header in Ajax.asp or do something in ajax script (i already add withCredential field to it)?

Categories

Resources