Error when checking for custom claims property on rules auth token - firebase-authentication

I receive an error in the emulator when I try to check for a custom claim field that does not exist on the request.auth.token object when checking storage.rules. The request fails, which is correct if the property is missing, but I am concerned about the error.
function isPlatformVerified() {
  return request.auth.token.platformVerified == 'ok';
}
and this is the error shown in the emulator:
com.google.firebase.rules.runtime.common.EvaluationException: Error: /Users/marcel/git/dev/storage.rules line [68], column [14]. Property platformVerified is undefined on object.
I wish to check whether the custom claims have this property and, if they do, whether it contains the correct value. How do I do this without getting an error (or can I ignore this?)
Many thanks

Most likely the custom claim hasn't propagated to the client and rules yet.
Custom claims are part of the token that the client sends with its requests, and that token is only auto-refreshed once per hour. So it may take up to an hour before a new claim shows up in the client, and thus in the security rules.
You can force a refresh of the ID token on the client by calling user.reload(), to ensure that the new claims will be present before the auto-refresh.
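Added example (not code from the question or the answer): client-side JavaScript that inspects the claims in a Firebase ID token and retries until a freshly set custom claim has propagated, which is the delay the answer describes. The token is only decoded, not verified: a client looking at its own token gains nothing by forging it, and the rules engine verifies the signature on the server. The rules-side counterpart, which avoids the "Property ... is undefined" error, is to test presence before value: `'platformVerified' in request.auth.token && request.auth.token.platformVerified == 'ok'`. The `getToken` callback stands in for `user.getIdToken(true)` from the Firebase SDK (forceRefresh bypasses the hourly cache); the sample tokens and uid are constructed, and the "alg: none" header is a placeholder, not something a real Firebase token carries.

```javascript
// Added example, not from the original post. Decodes a JWT payload without
// verifying it: safe only because the client is inspecting its own token to
// decide whether to retry, never to grant access.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // JWT segments are base64url without padding; Node's Buffer accepts 'base64url'.
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Mirrors the safe rules pattern ('platformVerified' in request.auth.token &&
// request.auth.token.platformVerified == 'ok'): check presence, then value, so
// a missing claim yields false instead of an error. hasOwnProperty keeps a
// claim name like "toString" from matching Object.prototype.
function hasClaim(idToken, name, expected) {
  const claims = decodeIdTokenPayload(idToken);
  return Object.prototype.hasOwnProperty.call(claims, name) && claims[name] === expected;
}

// getToken: async () => string, e.g. () => user.getIdToken(true) in the
// Firebase SDK. Returns the token that finally carries the claim, or null if
// it never shows up within `attempts` refreshes.
async function waitForClaim(getToken, name, expected, { attempts = 5, delayMs = 0 } = {}) {
  for (let i = 0; i < attempts; i++) {
    const token = await getToken();
    if (hasClaim(token, name, expected)) return token;
    if (delayMs) await new Promise(resolve => setTimeout(resolve, delayMs));
  }
  return null; // caller should not attempt the Storage request yet
}

// --- constructed sample data (not real Firebase tokens) ---
function fakeToken(claims) {
  const b64 = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.sig`;
}
const TOKEN_WITHOUT_CLAIM = fakeToken({ sub: 'uid123', iat: 1700000000 });
const TOKEN_WITH_CLAIM = fakeToken({ sub: 'uid123', iat: 1700000600, platformVerified: 'ok' });

// Simulated client: the first refresh still returns the stale token, every
// refresh after that carries the new claim.
function staleThenFreshGetter() {
  const queue = [TOKEN_WITHOUT_CLAIM, TOKEN_WITH_CLAIM];
  return async () => (queue.length > 1 ? queue.shift() : queue[0]);
}
```

In a real client you would call `waitForClaim(() => user.getIdToken(true), 'platformVerified', 'ok', { delayMs: 1000 })` right after your backend sets the claim, and only then start the upload that the rule guards.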

Related

intermittent error from rally 'Not authorized to perform action: Invalid key' for POST request in chrome extension

I developed a chrome extension using Rally's WSAPI v2.0, and it basically does the following things:
get user and project, and store them
get current iteration everytime
send a post request to create a workitem
For the THIRD step, I have sometimes been getting the error ["Not authorized to perform action: Invalid key"] since the end of last month.
[updated] The error can be reproduced every time if I log in to the Rally website via SSO before using the extension to send requests via apikey.
What's the best practice to send subsequent requests via apikey in my extension since I can't control end users' habits?
I did see some similar posts but none of them is helpful... and in case it helps:
I'm adding ZSESSIONID:apikey to my request header, instead of user / password, to authenticate, so I believe no security token is needed (https://comm.support.ca.com/kb/api-key-and-oauth-client-faq/kb000011568)
the url starts with https://rally1.rallydev.com/slm/webservice/v2.0/
the issue is fixed after clearing cookies for https://rally1.rallydev.com/, but somehow it appears again some time later
I checked the cookies when the issue was reproduced, and found one with the name ZSESSIONID whose value had become something other than the apikey. Not sure if that matters though...
code for request:
function initXHR(method, url, apikey, cbFunc) {
  let httpRequest = new XMLHttpRequest();
  ...
  httpRequest.open(method, url);
  httpRequest.setRequestHeader('Content-Type', 'application/json');
  httpRequest.setRequestHeader('Accept', 'application/json');
  // API-key authentication: Rally reads the key from the ZSESSIONID header
  httpRequest.setRequestHeader('ZSESSIONID', apikey);
  httpRequest.onreadystatechange = function() {
    ...
  };
  return httpRequest;
}
...
usReq = initXHR('POST', baseURL + 'hierarchicalrequirement/create', apikey, function() {...});
Does anyone have any idea / suggestion? Thanks a million!
I've seen this error when the API key had both read-only and full-access grants configured. I would start by making sure your key only has the full-access grant.
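Added example (not code from the question, the answer, or Rally): two pieces a practitioner would want next to the XHR above. First, a request builder that tells the browser not to attach cookies, so an SSO-issued ZSESSIONID cookie cannot travel alongside the ZSESSIONID API-key header. Second, the diagnostic the asker did by hand, as code: find a ZSESSIONID cookie whose value is not the API key. That omitting cookies removes the conflict is an assumption drawn from the observation that clearing them fixes it; how Rally's server resolves a header/cookie mismatch is not documented on this page. The API key and cookie values are constructed.

```javascript
// Added example, not from the original post or from Rally.
// Builds the (url, init) pair for fetch(). credentials: 'omit' is the Fetch
// API's way of saying "never send or store cookies for this request", which
// keeps a browser session cookie from competing with the API-key header.
function buildRallyRequest(baseURL, path, apikey, body) {
  if (!baseURL.startsWith('https://')) {
    throw new Error('API key must only travel over HTTPS');
  }
  return {
    url: new URL(path, baseURL).toString(),
    init: {
      method: body === undefined ? 'GET' : 'POST',
      credentials: 'omit',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'ZSESSIONID': apikey,
      },
      body: body === undefined ? undefined : JSON.stringify(body),
    },
  };
}

// Parses a Cookie header / document.cookie string ("a=1; b=2") into a map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the conflicting cookie value when a ZSESSIONID cookie exists whose
// value differs from the API key we send in the header, otherwise null.
function findSessionCookieConflict(cookieString, apikey) {
  const cookies = parseCookies(cookieString);
  if (!Object.prototype.hasOwnProperty.call(cookies, 'ZSESSIONID')) return null;
  return cookies.ZSESSIONID === apikey ? null : cookies.ZSESSIONID;
}

// Constructed sample data (not real credentials or real Rally cookies).
const API_KEY = '_abc123apikey';
const COOKIES_AFTER_SSO = 'JSESSIONID=node01; ZSESSIONID=ssoSession987; SUBSCRIPTION=1';
const COOKIES_CLEAN = 'JSESSIONID=node01; SUBSCRIPTION=1';
```

Usage from an extension would be `const { url, init } = buildRallyRequest(baseURL, 'hierarchicalrequirement/create', apikey, payload); const res = await fetch(url, init);`, and `findSessionCookieConflict(document.cookie, apikey)` (or the value returned by `chrome.cookies.getAll`, joined into the same "name=value; ..." shape) is a cheap check to log before sending.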

View model with the authorization example

I want to restrict access to view models according to the authorization or JWT. I found examples for the read models, but how to implement it for the view models in the right way?
In the resolve framework every view-model can have its own serializer and deserializer. These functions are used for view-models that have a non-trivial state object which cannot be automatically serialized by JSON.stringify and restored with JSON.parse; for example, this is useful for Immutable.JS or seamless-immutable.
In fact the serializer has two arguments: the first is the state object to serialize, and the second is the JWT token from the invoker. Since a view-model is always invoked from the current client, either via an HTTP request or an API handler, the JWT token is always present and can be used for access restriction.
const serializeState = (state, jwtToken) => {
  // isGoodToken is your own validation of the token (signature, expiry, claims)
  if (jwtToken != null && !isGoodToken(jwtToken)) { // JWT token is present and custom validation failed
    throw new Error('Access denied')
  }
  return JSON.stringify(state) // Or custom serialize procedure
}
export default serializeState
Important notice: do not restrict access to the serialized state when jwtToken is absent, since it is used for internal purposes in snapshot adapters. Always return the serialized state if the second argument is undefined. If jwtToken is present but invalid, an error can be thrown to restrict access.

aurelia-authentication OAuth2 response state value differs

I'm attempting an implementation of aurelia-authentication with an OIDC provider (IdentityServer4) and seem to be running into an issue with logging a user out.
The short of it is I'm not able to logout users successfully using the authService.logout function mentioned in the OIDC configuration section (https://aurelia-authentication.spoonx.org/oidc.html).
In looking into it a bit further I've tracked it down to a promise rejection in the logout function which provides the message: "OAuth2 response state value differs"
if (logoutResponse.state !== stateValue) {
return Promise.reject('OAuth2 response state value differs');
}
logoutResponse seems to be the culprit as it's coming through as an object with the state property named incorrectly {/login?state: "qAIxYwKqLHYJtyar2PfdvaROWT1O56P7"}.
I can actually change the if statement to:
if (logoutResponse['/login?state'] !== stateValue) {
return Promise.reject('OAuth2 response state value differs');
}
which seems to be working fine, but requires us to modify the aurelia-authentication source directly.
Any thoughts from anyone as to why the "state" property is coming through as a relative path instead of just "state"?
So after spending more time on this I was able to track the issue down and find a solution.
The solution was to change the aurelia-authentication authConfig postLogoutRedirectUri value to just the root page (http://localhost:8080). Additionally, I needed to define that URI under the PostLogoutRedirectUris within my IdentityServer4 Client definition.
logoutResponse was then coming through correctly with a property named state that holds the correct value and permits the redirect successfully.

Can't get Token based authentication working with NancyFX

I am trying Token based authentication with NancyFX. The token is generated perfectly, but when I pass the header in a Get request I can't get past this.RequiresAuthentication() and get an unauthorized error.
Here is my token format
Token:{ token: "ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=" }
Am I passing it the wrong way?
I have also tried
Token:{ ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=}
and also
"Token:{ ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=}"
But nothing works.
Please let me know if any more details are required.
The value of the authorization header must simply read "Token ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY" (no quotes).
The brackets in the documentation threw me off as well.
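Added example (not NancyFX's code; written in JavaScript rather than C# to keep one language on this page): the server-side parse of the Authorization header that a "Token <value>" scheme implies, which shows why the three bracketed and quoted forms from the question are rejected, plus a decoder for the token itself. The token in the question is plain base64 before the colon, so its contents (user name, claims, a timestamp, the user agent) are readable by anyone who sees the header; that is a reason to send it over HTTPS only. The split into "scheme, single opaque value" follows the accepted answer; the exact grammar Nancy.Authentication.Token applies, and the meaning of the four decoded fields, are inferred from the sample and are assumptions. The sample token is the one posted in the question.

```javascript
// Added example, not from the original post or from NancyFX.

// Returns the raw token, or null unless the header is exactly "Token <value>"
// with one opaque value: no braces, quotes or JSON around it.
function parseTokenAuthorization(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Token[ \t]+(\S+)[ \t]*$/.exec(headerValue);
  if (!m) return null;
  const token = m[1];
  if (/[{}"']/.test(token)) return null; // the shapes the asker tried
  return token;
}

// Splits "base64payload:base64signature" at the last colon (base64 alphabets
// contain no colon, so this is unambiguous).
function splitToken(token) {
  const idx = token.lastIndexOf(':');
  if (idx < 0) return null;
  return { payloadB64: token.slice(0, idx), signatureB64: token.slice(idx + 1) };
}

// Decodes the payload half. The CRLF-separated field order (user name, claims
// joined by "|", ticks, user agent) is read off the sample token, not from a
// NancyFX specification. No key is available here, so the signature is not
// checked: this is a diagnostic, not an authentication decision.
function decodeTokenPayload(token) {
  const parts = splitToken(token);
  if (!parts) return null;
  const text = Buffer.from(parts.payloadB64, 'base64').toString('utf8');
  const [userName, claims = '', ticks = '', userAgent = ''] = text.split('\r\n');
  return {
    userName,
    claims: claims ? claims.split('|') : [],
    ticks,
    userAgent,
    signatureB64: parts.signatureB64,
  };
}

// Sample: the token from the question.
const SAMPLE_TOKEN =
  'ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=' +
  ':QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=';
```

The client side is simply `xhr.setRequestHeader('Authorization', 'Token ' + token)`; the server then recomputes the signature over the payload with its key and compares it before trusting any decoded field.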

Astrid request returning empty

I'm trying to use the http://Astrid.com API, specifically to get data using the method under the "Request Format" section on this page - http://astrid.com/apidoc/file.README.html
The URL I built is:
https://astrid.com/api/7/task_list?app_id=[MY APP ID]&time=1&user_id=[MY USER ID]&sig=[MY REQUEST SIGNATURE]
And it returns this:
{"list":[],"time":1363131562,"status":"success"}
Seems like it worked, but does anyone know why the "list" array might be returning empty? I've created a bunch of tasks in my profile so it should be showing those.
Thanks!
You need to sign in first with the method user_signin. If successful you get a token.
Then you need to call the task_list method providing the token.
You do not need to provide a user id with the task_list method. It is only used to select tasks that you share with this user.
Example for signing in:
https://astrid.com/api/7/user_signin?provider=password&app_id=YOUR_APP_ID&secret=YOUR_ASTRID_PASSWORD&sig=SIGNATURE&time=1365715302.36&email=YOUR_EMAIL
Example for getting your tasks:
https://astrid.com/api/7/task_list?active=true&token=THE_TOKEN&sig=SIGNATURE&app_id=YOUR_APP_ID&time=1365715304.41