We are developing a REST API and giving it to many customers. For testing purposes, for each customer we create a new workspace in Postman and add some collections of requests to it. Each customer has its own domain name, obviously, so each workspace contains requests with a unique domain address and also a unique x-api-key header.
When we release our API for a new customer, we must add a new workspace with all requests. Using export/import collection we can add requests from old workspaces very fast, but changing the domain name and x-api-key header one by one for each request in the new workspace is exhausting!
Is there any way in Postman to do such work automatically?
Related
Salutations!
I have just completed my first REST API, deployed on Heroku, and I decided it would be cool to make $0 a month through RapidAPI.
The RapidAPI testing dashboard passes the tests successfully, with one of their keys being a requirement for an API call.
However, when I access the site in a browser or in Postman, there is no need for an API key and therefore no restrictions on GET requests.
I have noticed that the test code makes a fetch request to the RapidAPI URL for the project, but how can I make the Heroku URL accessible only from RapidAPI?
I know it's extremely unlikely someone will find my Heroku app URL, but it is technically possible.
I appreciate your time and insights.
RapidAPI provides 2 security features to support this:
- set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
- the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.

There might be a Heroku add-on to help with the IP filtering, but those are typically enterprise plugins (with associated cost).
RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.
Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters
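The header validation described in the answers above, as an added example that is not part of the original posts or RapidAPI's own code: a Node.js check that rejects any request lacking the expected X-RapidAPI-Proxy-Secret value. The environment variable name `RAPIDAPI_PROXY_SECRET` and the function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constant-time comparison. Hashing both values first yields equal-length
// buffers (required by timingSafeEqual) and avoids leaking the secret's length.
function secretMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns the HTTP status for a request: 200 if it carries the proxy secret,
// 403 otherwise. RAPIDAPI_PROXY_SECRET is a hypothetical variable name that
// holds the value configured in the RapidAPI dashboard.
function authorize(headers, expected = process.env.RAPIDAPI_PROXY_SECRET) {
  // Fail closed: an unset or empty secret must never authorize anything.
  if (typeof expected !== 'string' || expected.length === 0) return 403;
  // Node lower-cases incoming header names.
  const presented = headers['x-rapidapi-proxy-secret'];
  if (typeof presented !== 'string' || presented.length === 0) return 403;
  return secretMatches(presented, expected) ? 200 : 403;
}

// Request handler for Node's http module: run the check before any route
// logic so direct hits on the origin URL are refused.
function handler(req, res) {
  const status = authorize(req.headers);
  res.writeHead(status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(status === 200 ? { ok: true } : { error: 'forbidden' }));
}
```

To serve it, pass `handler` to `http.createServer` and listen on the port the platform provides in `PORT`.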
My company has a strict compliance policy with respect to protecting the client secrets and passwords of Azure Active Directory client apps (client secret for AAD app) and service accounts (passwords).
However, during bug fixing in production, replicating issues on production code, or active debugging, we need to debug the production code by passing these credentials from Postman or Fiddler.
Is it safe to save these keys in Postman and share them by generating a public URL? Is there any way of sharing them from Postman with a specific set of users? Or is there any better way of sharing the API requests with a set of users?
You can invite someone to a Postman workspace using their email ID. Sharing a public collection URL is not safe; anyone with the URL can access it.
Another way is to download the collection and environment as JSON and send that JSON file instead.
There is no way to mask secrets, as even if you store one in a variable, the secret will be exposed in the Postman console.
https://learning.postman.com/docs/collaborating-in-postman/sharing/
To invite to a workspace:
Create a workspace:
Invite someone to the workspace:
Select team, type the email ID of the user you want to invite, click add, then click create workspace. A mail will be sent to the user's email through which the user can join the workspace.
Now share that collection or environment to that workspace.
I'm working on an app feature that is going to be used by different users. I structure the test in a Collection in Postman:
- Messaging
  - Thor
    - Get contacts
  - Loki
    - Get contacts
  - Baldr
    - Get contacts
In this case, Messaging, Thor, Loki and Baldr are collections (folders) while Get contacts is the actual request (3 identical requests).
How can one set an authentication cookie for each user in order to get the correct response: contacts available for that particular user?
NOTE: Tried setting a cookie in 'Manage Cookies' but it's shared among all requests and hence, once I change it for one user, all the users get the same changed cookie.
As of now, you cannot achieve that in the Postman app. A feature request for the same has been raised here: https://github.com/postmanlabs/postman-app-support/issues/3312
However, as a workaround, you can set a new cookie before every request and achieve the results that you want using the collection runner.
- Messaging
  - Thor
    - Authentication Request (Sets new cookie)
    - Get contacts (Thor)
  - Loki
    - Authentication Request (Sets new cookie)
    - Get contacts (Loki)
  - Baldr
    - Authentication Request (Sets new cookie)
    - Get contacts (Baldr)

Now, just run this collection using the collection runner and write your tests or check the responses that were needed.
Refer to the Collection Runner documentation.
The only things I need:
- Get order id and customer id.
- Create redirect url (this must be done on backend, url is signed with private hash)
- Redirect user to this user
- Upon success verify signature of redirect data and set order status
- Upon failure verify signature of redirect data and set order status

Is there some simple module which does these things, so I can modify it for my needs?
This module should not use the deprecated AbstractMethod, if possible.
I'm new to Magento and the documentation about payment gateways is too bloated. Plus it is hard to understand all these config pools and commands in the configuration.
P.S. Magento 2 only, with the new payment gateway API.
I refer to an answer given by Mike20132013 on
This IP, site or mobile application is not authorized to use this API key.
Mike in point 5 you say:
Once you are done, click create and your new Server Key will be generated and you can then add that server key to your URL.
Sorry, I am lost here. I have created a server key but to which URL are you referring to? Where exactly do I enter this URL please? I have bought the Google Reviews Plugin and I get the error message
"REQUEST_DENIED: This IP, site or mobile application is not authorized to use this API key. Request received from IP address 46.249.199.28, with empty referer" on my website.
My host has referred me to your answer.
Then you say
"Last thing is that, instead of putting the sensor=true in the middle of the URL, you can add it in the end like this:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=yourlatitude,yourlongitude&radius=5000&key=SERVERKEY&sensor=true"
I have no idea where to input this.
Easy part first: just omit the sensor parameter entirely. As the documentation says:
The Google Places API previously required that you include the sensor parameter to indicate whether your application used a sensor to determine the user's location. This parameter is no longer required.
For the REQUEST_DENIED error, please go to the Google Developers Console and ensure that:
- you are using a Server key, not a Browser key or similar.
- you have the Google Places API Web Service enabled (rather than e.g. Google Places API for Android).
- your Server key either has a blank field for the IP addresses that may use it, or that the IP addresses field matches your IP (46.249.199.28).
The Get a Key part of the Google Places API Web Service documentation walks you through creating an appropriately configured API key.