I'm creating an API endpoint for a mobile app and for computer web browsers. Both devices use the same API endpoint with a POST request sent to /users/session for authentication. The mobile phone requires a 200 Status Code response. However, as login forms do, I need to redirect browsers to the home logged in page where the user can see their information. Do I return a 301 subsequently after? What is the best practice to implement this?
In summary: I need to use the same API endpoint for mobile and computer, but am unsure how to redirect while returning a 200 Status Code.
It seems like a 200 OK is the proper code to return upon successful login. This makes the API more generic and doesn't tie it to any particular use (mobile vs desktop). You might try placing the redirect logic in the desktop site itself and use ajax to submit the data. This will give you more flexibility for handling login errors as well. This is a basic example with jquery.
$.ajax({
type: "POST",
url: "/users/session",
data: loginForm,
success: function(){
//Redirect user to home page
window.location.replace("/home");
},
dataType: dataType
});
try this
$.ajax(serverUrl, {
type: "POST",
data: dataToSave,
statusCode: {
200: function (response) {
alert('200');
},
201: function (response) {
alert('201');
}
}, success: function () {
alert('1');
},
});
Related
I have a website that basically makes API calls and displays the data in a table; the API is on a different server from the website.
If the API server is down what is the best way to alert the user client-side (JavaScript) that the server is unavailable?
Could/Should I put the alert in the API call error handling (See code for example)? What is the best practice for this type of situation.
function apiCall(query, product){
var p = product;
var urlr='https://myFakeAPIUrl/api/'+query+'/'+ product;
$.ajax({
contentType: 'application/json',
crossDomain: true,
url: urlr,
type: "GET",
success: function (result){
alert("Yay, the API server is up.");
},
error: function(error){
console.log(error);
alert("Sorry, the server is down.");
}
});
}
var productData = apiCall("Produce", "112233");
I would ask myself what a user would like to see in this situation.
What I always do is putting a timeout on the Ajax request, whenever that timeout of e.g. 9999ms runs out, the user should get notified (with a toast, a heading, etc..) that something went wrong and that they should try it again later.
I'm working a simple mobile app and I'm using HTML, CSS, Javascript, ajax, PHP and Mysql and Phonegap. The mobile app has a login and I'm using ajax to send the data to a php file located on a separate server if the login is successful the app loads a diferent page, only users that are register can see this page.
The problem that I'm facing is that when I'm on the next page I don't know how to verify that the user has the access. I was thinking on using a window variable or localstore but I don't know if this is a good idea or not.
Can some one point me in the right direction on this topic.
Just sit and think. Use localStorage.setItem if user is registered/logged on ajax call. Later control that on easy way. Check this example.
Ajax call:
$.ajax({
type: "POST",
url: "http://exampleUrl.com/php1/insert.php",
data: dataString,
crossDomain: true,
cache: false,
beforeSend: function() {
$("#insert").val('Connecting...');
},
success: function(data) {
if (data == "success") {
alert("You can login now!");
$("#insert").val('Wait...');
localStorage.setItem("logged", logged); // Save if user is successfuly registered and control on other page
//console.log(dataString);
loadiranje_paIndex();
} else if (data == "error") {
alert("Error! Try another username!");
$("#insert").val('Register');
/*location.href = '/register.html'; */
}
}
});
I'm going to use Facebook JS SDK to login users to my site.
function myLogin(){
FB.api('/me',{fields: 'name,email'}, function(response) {
if(response.email){
//Ajax call function
jQuery.ajax({
url: 'inc/social_logins/fb/account_auth.php',
type: "POST",
data: { func: 'nac', name: response.name, email: response.email},
success:function(data) {
if(data == 1){
window.location = "user_dashboard.php";
}
}
});
//Ajax call function ends
}
}
Above ajax request calls account_auth.php and it checks for accounts associated with the email comes with FB authorization. And if FB authorization returns true, it runs the myLogin() in the following logic.
function statusChangeCallback(response) {
if (response.status === 'connected') {
qksellLogin();
}
}
Everything works fine and gets redirected to the private dashboard area after FB login popup window closed.
What I want to do is, to block manual Ajax requests by unauthorized users.
Let's say if I can fake the response object and add someone else's FB name and email, then I call the above Ajax call function in the console, it still runs and logs in. That's terrible huh...
So, what actions may I want to take here ?
I have written a Phonegap application and I would like to know how can I submit a form to Django using Javascript or Jquery. I have already implemented a JSON API using Tastypie.
Can anybody provide me with some ideas, or any guidance on how to implement such a function?
You just have to do ajax call to tastypie api url in the below format.
$.ajax({
type: 'POST',
url: site_url+'api/v2/user/login/',
data: '{"username": "developer", "password":"imagine2"}',
processData: false,
crossDomain: true,
success: function (response, textStatus, xhr) {
console.log('jquery worked');
//results=JSON.stringify(response);
setCookie( "sessionid", response.sessionid);
setCookie( "app_version", response.app_version);
window.location.href = 'home/';
$('#overlay').hide();
},
error: function (res) {
msg = (res.responseText) ? res.responseText : res.statusText;
console.log(msg+",res.status="+res.status);
alert(msg);
},
dataType: "json",
contentType: "application/json; charset=utf-8"
});
Also you need to enable cross domain.
There are multiple ways to do this. Since you are using an API with tastypie I would suggest not submitting the form itself, but extracting the form data before submitting the form with JavaScript. On submit you pass the data you want to submit in the request body to your API endpoint.
As an example you could have an api endpoint for blog entries, lets say its http://example.com/api/v1/entry. Considering your API allows cross-domain requests (e.g. via CORS) you could do something simple as this to "submit" your form (e.g. creating a new entry):
$('#myForm #mySubmitButton').click(function() {
$.post('http://example.com/api/v1/entry', $('#myForm').serialize(), function(data) {
// deal with the response data
}
});
I am not sure tastypie supports this kind of data structure. A little longer version of this could be to do something like this (here I am sure tastypie does support it), which submits the data as a JSON:
$('#myForm #mySubmitButton').click(function() {
var data = {'title': $('#myForm #titleInput').val(), 'description': $('#myForm #descriptionInput').val()};
$.post('http://example.com/api/v1/entry', data, function(data) {
// deal with the response data
}
});
This examples do not deal with form validation, error handling etc.. You could have look into tastypie validation for more details and potentially also add frontend specific validation with HTML5. I would also suggest you to use a more sophisticated JavaScript framework like AngularJS for single page apps like a PhoneGap app. JQuery will bloat your app soon, when it grows.
I have a web site that is trying to call an MVC controller action on another web site. These sites are both setup as relying party trusts in AD FS 2.0. Everything authenticates and works fine when opening pages in the browser window between the two sites. However, when trying to call a controller action from JavaScript using the jQuery AJAX method it always fails. Here is a code snippet of what I'm trying to do...
$.ajax({
url: "relyingPartySite/Controller/Action",
data: { foobar },
dataType: "json",
type: "POST",
async: false,
cache: false,
success: function (data) {
// do something here
},
error: function (data, status) {
alert(status);
}
});
The issue is that AD FS uses JavaScript to post a hidden html form to the relying party.
When tracing with Fiddler I can see it get to the AD FS site and return this html form which should post and redirect to the controller action authenticated. The problem is this form is coming back as the result of the ajax request and obviously going to fail with a parser error since the ajax request expects json from the controller action. It seems like this would be a common scenario, so what is the proper way to communicate with AD FS from AJAX and handle this redirection?
You have two options.
More info here.
The first is to share a session cookie between an entry application (one that is HTML based) and your API solutions. You configure both applications to use the same WIF cookie. This only works if both applications are on the same root domain.
See the above post or this stackoverflow question.
The other option is to disable the passiveRedirect for AJAX requests (as Gutek's answer). This will return a http status code of 401 which you can handle in Javascript.
When you detect the 401, you load a dummy page (or a "Authenticating" dialog which could double as a login dialog if credentials need to be given again) in an iFrame. When the iFrame has completed you then attempt the call again. This time the session cookie will be present on the call and it should succeed.
//Requires Jquery 1.9+
var webAPIHtmlPage = "http://webapi.somedomain/preauth.html"
function authenticate() {
return $.Deferred(function (d) {
//Potentially could make this into a little popup layer
//that shows we are authenticating, and allows for re-authentication if needed
var iFrame = $("<iframe></iframe>");
iFrame.hide();
iFrame.appendTo("body");
iFrame.attr('src', webAPIHtmlPage);
iFrame.load(function () {
iFrame.remove();
d.resolve();
});
});
};
function makeCall() {
return $.getJSON(uri)
.then(function(data) {
return $.Deferred(function(d) { d.resolve(data); });
},
function(error) {
if (error.status == 401) {
//Authenticating,
//TODO:should add a check to prevnet infinite loop
return authenticate().then(function() {
//Making the call again
return makeCall();
});
} else {
return $.Deferred(function(d) {
d.reject(error);
});
}
});
}
If you do not want to receive HTML with the link you can handle AuthorizationFailed on WSFederationAuthenticationModule and set RedirectToIdentityProvider to false on Ajax calls only.
for example:
FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed += (sender, e) =>
{
if (Context.Request.RequestContext.HttpContext.Request.IsAjaxRequest())
{
e.RedirectToIdentityProvider = false;
}
};
This with Authorize attribute will return you status code 401 and if you want to have something different, then you can implement own Authorize attribute and write special code on Ajax Request.
In the project which I currently work with, we had the same issue with SAML token expiration on the clientside and causing issues with ajax calls. In our particular case we needed all requests to be enqueud after the first 401 is encountered and after successful authentication all of them could be resent. The authentication uses the iframe solution suggested by Adam Mills, but also goes a little further in case user credentials need to be entered, which is done by displaying a dialog informing the user to login on an external view (since ADFS does not allow displaying login page in an iframe atleast not default configuration) during which waiting request are waiting to be finished but the user needs to login on from an external page. The waiting requests can also be rejected if user chooses to Cancel and in those cases jquery error will be called for each request.
Here's a link to a gist with the example code:
https://gist.github.com/kavhad/bb0d8e4a446496a6c05a
Note my code is based on usage of jquery for handling all ajax request. If your ajax request are being handled by vanilla javascript, other libraries or frameworks then you can perhaps find some inspiration in this example. The usage of jquery ui is only because of the dialog and stands for a small portion of the code which could easly be swapped out.
Update
Sorry I changed my github account name and that's why link did not work. It should work now.
First of all you say you are trying to make an ajax call to another website, does your call conforms to same origin policy of web browsers? If it does then you are expecting html as a response from your server, changedatatype of the ajax call to dataType: "html", then insert the form into your DOM.
Perhaps the 2 first posts of this serie will help you. They consider ADFS and AJAX requests
What I think I would try to do is to see why the authentication cookies are not transmitted through ajax, and find a mean to send them with my request. Or wrap the ajax call in a function that pre authenticate by retrieving the html form, appending it hidden to the DOM, submitting it (it will hopefully set the good cookies) then send the appropriate request you wanted to send originally
You can do only this type of datatype
"xml": Treat the response as an XML document that can be processed via jQuery.
"html": Treat the response as HTML (plain text); included script tags are evaluated.
"script": Evaluates the response as JavaScript and evaluates it.
"json": Evaluates the response as JSON and sends a JavaScript Object to the success callback.
If you can see in your fiddler that is returning only html then change your data type to html or if that only a script code then you can use script.
You should create a file anyname like json.php and then put the connection to the relayparty website this should works
$.ajax({
url: "json.php",
data: { foobar },
dataType: "json",
type: "POST",
async: false,
cache: false,
success: function (data) {
// do something here
},
error: function (data, status) {
alert(status);
}
});