I am working on a web app which requires a user to login to their reddit account and according to https://github.com/reddit/reddit/wiki/OAuth2#retrieving-the-access-token I need to send a POST request to https://www.reddit.com/api/v1/access_token with some parameters. I am currently running the server from localhost and I keep getting the error:
XMLHttpRequest cannot load https://www.reddit.com/api/v1/access_token. Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers.
I was struggling with this same issue and figured out that I need to register my app as "Installed" instead of "Web". This will make the authorization redirect with the bearer token instead of the code.
http://wattydev.com/authenticating_a_js-based_reddit_application_with_user_login_%28implicit_grant_flow%29
Related
I'm making a Google Chat bot with NestJS. It accepts slash commands and allows for interaction with an already existing system. The messages returned on the POST endpoint sometimes include private info or JWTs, so I need to improve security.
I need a way to authenticate and reliably identify the user that triggered the bot command. Currently I'm using the user email provided in the POST body and validating the Bearer token from the header.
Is there a good way to authenticate the user and make sure someone didn't just change the email in the request body?
A solution that could work:
Instead of returning the reply message contents in the POST response, send the message directly to the user it was requested for.
So even if someone changes the email in the request body to someone elses, they do not get the reply, only the requested email gets it.
You can verify the authenticity of the app by checking the bearer token send it to the server
POST
Host: yourappurl.com
Authorization: Bearer AbCdEf123456
Content-Type: application/json
User-Agent: Google-Dynamite
Google Chat includes a bearer token in the Authorization header of every HTTPS Request to an app.
You can verify your bearer token using an open source Google API client library, in your case Node.js
You can review the full guide here
In my application I have got laravel as backend, jwt-auth as authentication, socialite as oauth2 provider and vue as my frontend.
Now I use axios to authorize the user by github for example (https://github.com/login/oauth/authorize) inside the client and then get the access token by the backend api.
If I do the authorize request with POSTMAN everything works, but if I do the request with my frontend axio request I get always errors. I think I get them because some Header values which are not correct. Can someone explain me which variables an axion request needs to perform an authorization request.
Kind Regards.
you can either disable cors in your browser which is very bad or you have to enable cors in your backend and to check if cors is enabled in your backend look for Access-Control-Allow-Origin header in browser network tab or you have to use proxy so that the requests are made to the same origin as seen by the browser but are redirected to some other url.
In create-react-app this works by adding
"proxy":"http://youUrl:portNo."
My application is based on LeafletJS API so it's limited to javascript and Webview(because I am compiling application for mobile phones).
So Index.html file will always be located locally on device and it will work as an application.
I would like to add option for users to be able to login to my application and when they are logged in they can add markers on map and some additional data.
So I wrote php files to add login/register function and queries to mysql server as a backend.
This files must be on the server, so to access them I need to send request to login or run query in one of this files.
I created Ajax request but the issue is that sessionID is not being cached.
So I am able to create request to login but when I am trying to send another request to query I am not able to do that because user is not logged(no sessionID).
I would like to keep settings like that for security reason, if there is any better way to do login/register and queries suggestions are more than welcome.
I tried to use xhr.getResponseHeader('Set-Cookie'); to get sessionid.
But then I am receiving:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'null' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I cannot change wildcard '*' to any ip address as mobile users will send requests from different ip address.
Can someone please suggest me some changes to get everything work together?
Thank you
Goal
I am trying to implement a server-side authentication.
I want to request authentication code using javascript on my website, and then pass the auth code back to my server. Then my server can use this code to exchange for refresh token, and access token.
What I have tried
I followed these instructions, and registered my Web application for client ID. It's working perfectly fine, but this is only for client-side authentication, and it returns a access token directly. Then I registered server account for another client ID, and replace the old one with the new one. I was expecting it returned authentication code, but it returned error in the Web console.
Error message
Load denied by X-Frame-Options does not permit cross-origin framing.
Question
Did I use the code in a wrong way, or my registration process might cause the problem?
In this website,
there's no mention of any build-in function for getting the authentication code. Do I have to implement it from a very basic level?
I would like to call /search api from javascript client side. To do so, I have read that I need a oauth2 access token.
Following the Google guide, I must go to Google cloud Console but there is no Google Cloud Print service to subscribe to.
What service should I use to obtain an API key?
I recently started getting familiarized with both Google Cloud Print and OAuth, so I don't know much. I started in the same way that you seem to be starting. That is, by trying to make a successful request to /search. I will describe what worked for me.
After creating the project in the Cloud Console, I went to APIs & auth > Credentials menu item and created a new client ID for a 'Web Application' application type.
For the created client ID, I modified the Javascript Origins and the Redirect URIs appropriately.
Then, I added an anchor to the following URL in my web application so that the user gets directed to the authentication page.
https://accounts.google.com/o/oauth2/auth?
response_type=token&
client_id=<application-client-id>&
scope=https://www.googleapis.com/auth/cloudprint&
redirect_uri=<application-redirect-uri>
client_id - should be the client_id value of the Client ID that you registered in the Google Cloud Console.
response_type - This value would depend on what kind of application are you planning to develop. For client side applications (JavaScript apps), token should be the value. See https://developers.google.com/accounts/docs/OAuth2 for more info on this topic.
redirect_uri - should be the redirect URI value that you specified in the Client ID that you registered in the Google Cloud console. This is where the user will get redirected when it gets authenticated.
scope - I set it to https://www.googleapis.com/auth/cloudprint. This value will request that your app be given access to manage the cloud printers associated with the user account that is being authenticated.
Now, the part where I got stuck is when trying to make the HTTP request using JavaScript (AJAX) to https://www.google.com/cloudprint/search. I get the follow response when I attempt to make the HTTP request to /search.
OPTIONS https://www.google.com/cloudprint/search No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
It seems like the entity (server(s)) that is handling the request to the /search interface is not configured to use CORS? Correct me if I am mistaken.
Now, the way that I verified that I was able to successfully authenticate was by attempting the request to /search in a Java program instead. I used the OAuth token that I got when authenticating using my web app in a java program and made the request with the Authorization: OAuth <token> header set) and the request was successful.