In network tab I saw this on the request
Then I try to use https://www.hurl.it to try to post to the request. It failed. What is that authorization about? is that a security layer?
It's a JWT token used for authentication purposes
You can read about it here
Related
I am working with React.js framework on my project, all is well only when I try to update data, always seen Forbidden (403).
I don't think its a problem with react.
According to MDN web docs :-
403 Forbidden
The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.
This status is similar to 401, but for the 403 Forbidden status code re-authenticating makes no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
It means you don't have permission to that endpoint, maybe because of you are not added the credentials (password, jwt, token or something like that which authorize the request) to the request header in react front-end.
In my application I have got laravel as backend, jwt-auth as authentication, socialite as oauth2 provider and vue as my frontend.
Now I use axios to authorize the user by github for example (https://github.com/login/oauth/authorize) inside the client and then get the access token by the backend api.
If I do the authorize request with POSTMAN everything works, but if I do the request with my frontend axio request I get always errors. I think I get them because some Header values which are not correct. Can someone explain me which variables an axion request needs to perform an authorization request.
Kind Regards.
you can either disable cors in your browser which is very bad or you have to enable cors in your backend and to check if cors is enabled in your backend look for Access-Control-Allow-Origin header in browser network tab or you have to use proxy so that the requests are made to the same origin as seen by the browser but are redirected to some other url.
In create-react-app this works by adding
"proxy":"http://youUrl:portNo."
I am fetching some data from a website by hitting the HTTP API via postman.
It was working fine for me but from last few days it's giving me an error i.e
invalid csrf token 403
So as I inspect by developer tools in chrome.I go to the network tab of the website and check the API.
So now the site also sending the CSRF-Token in the header field.
So I know the API by which I can generate the csrf token.
I also get the token from API and sending the token with the header as they doing in the original site.
But I am wondering to know why every time the API returned with invalid csrf token
Is it possible to send CSRF token via postman. Becuase as I know about csrf token is used to stop the forgery request.
And the site has a form with the hidden field of csrf token and as the form is submitted the browser get the token from that hidden field and works like this.
I want to know a few things:-
1)Is it possible to send the csrf token in a header field via postman.
Or we must log in to the site via browser then only we can get the
data.
2)How can I get the data from the site using Postman?
3)Should I need to use some headless browser to achieve this?
4)As I go through with a post they are saying we need to set the
csrf-token in the cookie and then we can fetch the token from the
cookie and send the request.
Any help is much appreciated.
Thanks
Normally CSRF Token implementation are tied with the session so make sure you are using the same session. Session will be created when you give a call to return a CSRF token.
If you are backend is using cookie for session implementation you can make a use of cookie interceptor in Post man to pass the same session cookie.
Is it possible to send the csrf token in a header field via postman? Or we must log in to the site via browser then only we can get the data.
You can get CSRF token from visiting website but send it via Postman. CSRF token, in many cases, does not depend on a website logging-in, only on the site visit.
How can I get the data from the site using Postman?
If a website returns CSRF in response headers, then you probably might use it within Postman.
If you need some other data - it depends on the website responses... I think you'll be able to get data provided your CSRF or/and other form data are correct.
Should I need to use some headless browser to achieve this?
Using browser automation is best since a browser manages all the session data, including cookies, headers, etc.
As I go through with a post they are saying we need to set the csrf-token in
the cookie and then we can fetch the token from the cookie and send the request.
Yes, the CSRF might be set or required by a server both in cookie and as a separate request header. So CSRF might be required (depending on website) in any the following:
cookie header
separate header
form field
I'd recommend you to use a scripting language to work with CSRF (or analogs) for data fetching. An example shows how to do it in Python.
Note
That example will not work if the site changes CSRF with each request/response.
I have a client side app (written in Angularjs) and an api this client uses. The api uses session cookies for authentication (don't ask why, I can't change it).
I am trying implement a per request csrf token generation. Normally if I had server side html rendering I would generate a csrf token for each form as a hidden input.
What is the best way to do this with a client-side Javascript app? I thought of creating an api end point that generates a csrf token if user is authenticated, fetch that token and submit it with post request. But I am not sure if that would actually be secure. Any thoughts ?
I know there are plenty of arguments about csrf token per request or per session. I am trying to figure out what is the best approach to implement this particular mechanism without causing more vulnerabilities; which is csrf token per request with a client-api setup .
I have a solution in mind and I am going to answer my own question. Please post your answer if you have a better solution or comment if you think this approach has any potential dangers or flaws.
So, what I think I can do is to create a response filter on api and send a new csrf token as a custom response header for every response for current session.
On the client side I can create a http response interceptor to store this csrf token and a request interceptor to add this token as a custom csrf header to send back to the api.
It is also possible to set it as a cookie on every request (SET-COOKIE headers) and let browser handle this (in Angular if cookie XSRF-TOKEN is set $http service will automatically send it as X-XSRF-TOKEN http header).But this will cause invalid csrf issues if multiple tabs are open.
I try to access a resource at http://**/rest that is protected by Shibboleth SAML Serviceprovider. For that I make an XMLHttpRequest call to that address. On the resource server CORS headers are set and if there is no SAML Authentication everything works fine.
But if SAML Authentication is activated I get the following error in Chrome:
XMLHttpRequest cannot load *****/rest. The request was redirected to 'https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=********', which is disallowed for cross-origin requests that require preflight.
If I have a look at the network console I can see the following requests:
1.
Request URL:http://<resource_server>/rest
Request Method:OPTIONS
Status Code:200 OK
2.
Request URL:http://<resource_server>/rest
Request Method:GET
Status Code:302 Found
Response-Header: Location:https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=*****
So it seems that redirect will be initialized but then stops because of the error above.
Does anyone have any ideas how I can get this working?
Regards
Philipp
The 302 response is not an error. That is how a SAML protected resource requests authentication: by redirecting the user to the identity provider. Since you are making an AJAX call, however, the browser cannot follow the redirect to be authenticated.
Assuming the common Web Browser SSO Profile: The browser client needs to establish an authentication session in the same application that supports http://**/rest before you make the AJAX call. Most authentication session states are managed with cookies, so i would expect that once you have a session cookie for the application, the request to http://**/rest + the session cookie will result in a success.
There is also the Enhanced Client or Proxy (ECP) Profile. This would require passing on the authentication SAML payload from the IDP to the resource - see the spec https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf .