Rest API for Authentication with nHost - authentication

So I know there are several SDK packages for many languages available for nHost; however, I need to create my own interface to the system since the language I'll be using isn't typical.
I basically just need to know how to interact with the authentication endpoints: send a user's un/pw and receive a JWT token. I've been able to do this successfully with AWS Cognito, but I'd like to explore this instead.
I'm also not sure if I'm using the right base URL; here's my thought so far:
https://kbvlufgpikkxbfkzkbeg.nhost.run/auth/login
So I would POST to there with some json in the body with the un/pw stuff, and the response should be the jwt token right?
I get a "resource does not exist" response from the above, however, so obviously I'm not forming the URL correctly in the first place.
Thanks for the help!

Nhost supports multiple sign-on methods.
For example, using the email+password method, you would send:
POST https://xxxxxxxxxxxxx.nhost.run/v1/auth/signin/email-password
{"email":"foo@example.com","password":"bar"}
and the response:
{
  "session": {
    "accessToken": "somejwt....",
    "accessTokenExpiresIn": 900,
    "refreshToken": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "user": {
      "id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "createdAt": "2022-09-17T19:13:15.440221+00:00",
      "displayName": "foo@example.com",
      "avatarUrl": "",
      "locale": "en",
      "email": "foo@example.com",
      "isAnonymous": false,
      "defaultRole": "user",
      "metadata": {},
      "emailVerified": true,
      "phoneNumber": null,
      "phoneNumberVerified": false,
      "activeMfaType": null,
      "roles": [
        "user",
        "me"
      ]
    }
  },
  "mfa": null
}
The JWT is short-lived; when it expires, the refresh token is used to get a new one.
The Nhost JavaScript SDK handles this automatically for you, which is a big benefit of the platform (in addition to being integrated with Hasura). If you are trying to port it to another unsupported language, you'd have to reimplement it, probably by reading the library and/or running one of their sample client applications and reverse-engineering the HTTP on the wire.
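An added example, not part of the answer and not Nhost's SDK: a small Python client that performs the sign-in above, tracks accessTokenExpiresIn, and uses the refresh token before the JWT runs out. The subdomain is a placeholder, the HTTP transport is injectable so the logic can be exercised without a server, and the refresh endpoint (POST /v1/auth/token with {"refreshToken": ...}) is an assumption taken from Nhost's docs rather than from this page.

```python
import json
import time
import urllib.request


def http_post(url, body):
    """Default transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class NhostAuth:
    """Holds one Nhost session and hands out a usable access token on demand."""

    def __init__(self, subdomain, post=http_post, clock=time.time, leeway=30):
        self.base = f"https://{subdomain}.nhost.run/v1/auth"  # base path from the answer
        self.post, self.clock, self.leeway = post, clock, leeway
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, session):
        # accessTokenExpiresIn is a lifetime in seconds; keep an absolute deadline instead
        self.access_token = session["accessToken"]
        self.refresh_token = session["refreshToken"]
        self.expires_at = self.clock() + session["accessTokenExpiresIn"]

    def sign_in(self, email, password):
        resp = self.post(f"{self.base}/signin/email-password",
                         {"email": email, "password": password})
        if resp.get("session") is None:
            # no session means sign-in did not complete (e.g. an MFA challenge in "mfa")
            raise RuntimeError(f"sign-in incomplete: mfa={resp.get('mfa')}")
        self._store(resp["session"])
        return resp["session"]["user"]

    def refresh(self):
        # ASSUMPTION: POST /v1/auth/token exchanges the refresh token for a new session
        # (not shown on the page); accept either a bare session or {"session": ...}
        resp = self.post(f"{self.base}/token", {"refreshToken": self.refresh_token})
        self._store(resp.get("session", resp))

    def bearer(self):
        """Return an access token, refreshing when fewer than `leeway` seconds remain."""
        if self.clock() >= self.expires_at - self.leeway:
            self.refresh()
        return self.access_token
```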

Related

Parse: no sessionToken retrieved after initial sign up using Google oAuth

For my React Native app I am using Parse JS SDK and hosted Parse Server on Back4app.
When I try to register a new user, the user is not authenticated because the response does not return a sessionToken.
However, once the user is in the db and signs in a sessionToken is returned and the user is authenticated successfully.
Request
The request is the same for sign in/up.
await Parse.User.logInWith('google', {
  // auth data received from @react-native-community/google-signin
  authData: {
    id,
    id_token: token
  }
})
Response on initial Sign Up
The response is supposed to return a sessionToken which is missing. So the user is not authenticated and modifications on the user object are not possible.
{
  "authData": {...},
  "createdAt": "...",
  "objectId": "...",
  "updatedAt": "...",
  "username": "..."
}
Response on sign in after user was created
{
  "ACL": {...},
  "authData": {...},
  "createdAt": "...",
  "objectId": "...",
  "sessionToken": "...",
  "updatedAt": "...",
  "username": "..."
}
I don't use any cloud code. Just a simple auth flow with Google oAuth.
Any help is highly appreciated.
Edit: same issue for 'sign in with Apple'
As far as I know, according to the official documentation, Parse will respond 200 (HTTP OK) and include the session token only when it verifies the user is already associated with the OAuth authentication data.
So, again, as far as I know, the very first request, when you create the user, will not contain the sessionToken.
Take a look at this tutorial: https://www.thinkertwin.com/how-to-setup-google-oauth2-login-with-parse-server-in-react/
There is an explanation there on how to set up your Cloud Code. It's for React, but with small adjustments it will work for React Native.
You also need Cloud Code as you need to store your Client ID and Secret. You don't want to have those in your public application.

How to manage tokens in Hashicorp's Vault

I am implementing Vault for my team to use and store secrets, and we wanted to keep it simple so we decided to go with the default token authentication.
The thing is I can't find a way to manage tokens that were created, so that if I want to revoke a certain person's token, I know exactly which one to revoke.
Does anyone know how to manage tokens in Vault?
You cannot list the tokens because tokens are sensitive information.
You can list token accessors (API docs),
which will give you a value like 476ea048-ded5-4d07-eeea-938c6b4e43ec that is safe to share; think of it as a pointer to the token.
Then you can look up the token accessor (API docs) and get a response like this:
{
  "data": {
    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
    "creation_time": 1523979354,
    "creation_ttl": 2764800,
    "display_name": "ldap2-tesla",
    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
    "explicit_max_ttl": 0,
    "id": "",
    "identity_policies": ["dev-group-policy"],
    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
    "meta": {
      "username": "tesla"
    },
    "num_uses": 0,
    "orphan": true,
    "path": "auth/ldap2/login/tesla",
    "policies": ["default", "testgroup2-policy"],
    "renewable": true,
    "ttl": 2763902
  }
}
which will probably help you figure out whether the token requires revoking or not.
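As an added example (not the answer's own code), this Python helper turns the accessor workflow above into a revoke-by-person routine: it lists accessors, looks each one up, matches meta.username, and revokes by accessor so the raw token is never handled. It assumes Vault's documented auth/token/accessors, lookup-accessor and revoke-accessor API paths and that the caller's own token carries a policy permitting them (listing accessors needs sudo capability); the transport is injectable so the logic can be checked offline.

```python
import json
import urllib.request


def vault_request(addr, token, method, path, body=None):
    """Default transport: one call to Vault's HTTP API under /v1, decoded JSON or {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class TokenManager:
    def __init__(self, addr, token, request=vault_request):
        # bind the address and the caller's own token once; `request` is swappable for tests
        self.req = lambda method, path, body=None: request(addr, token, method, path, body)

    def accessors(self):
        # Accessors are safe to enumerate; the tokens themselves are never returned.
        # This endpoint requires sudo capability on auth/token/accessors.
        return self.req("LIST", "auth/token/accessors")["data"]["keys"]

    def lookup(self, accessor):
        # Returns the metadata shown above (display_name, meta.username, policies, ttl, ...)
        return self.req("POST", "auth/token/lookup-accessor", {"accessor": accessor})["data"]

    def find(self, username):
        """Accessors of every live token whose meta.username is the given person."""
        hits = []
        for acc in self.accessors():
            info = self.lookup(acc)
            meta = info.get("meta") or {}   # root and some service tokens carry meta: null
            if meta.get("username") == username:
                hits.append(acc)
        return hits

    def revoke_user(self, username):
        """Revoke all of one person's tokens by accessor; returns what was revoked."""
        revoked = []
        for acc in self.find(username):
            self.req("POST", "auth/token/revoke-accessor", {"accessor": acc})
            revoked.append(acc)
        return revoked
```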

Storing branch attributes offline from Branch.io to track user attribution in my own database

I am trying to store a campaign attribution identifier offline so that we can do some very custom analytics on the response. Our business team has very specific criteria for determining repeat user activities in our system that can't be tracked with normal analytics, at least not in a very simple way. They need to know how individual users were referred to our system via campaigns, links, etc.
I believe this is as simple as using branch.io to generate a link with specific data in that link. Then, assuming that user ever clicked that link, we should be able to, from our app, use the branch.io SDK to call out to branch.io, retrieve the attribution information, and then pass it to our own servers.
Is this use case possible with branch.io, and am I thinking of it correctly?
Create a branch.io link with a unique referral source
User clicks on that link which may or may not take them to an install
Eventually the user installs our app
On registration within our app we query branch.io using the SDK and ask it for existing attribution information associated to that user.
We make an API call to our own services and pass down whatever we got from branch.io and the user's ID to persist in our own analytics database.
Please let me know if this is possible and if we're thinking of it correctly. I believe this is fundamentally the same use case as custom on-boarding but need to verify for our management team before we bother to implement.
The client-to-server technique that you have described in your response will absolutely work with Branch! If you are interested in a server-to-server approach, your best bet would be to create a webhook from your Dashboard account for the Install event. When installs are referred you'll notice that the JSON data included in the response will have:
{
  "metadata": {
    "ip": "<purposely stripped out>",
    "referred": true
  },
  "os": "iOS",
  "session_referring_click_timestamp": "2016-02-09T15:57:23.411Z",
  "session_referring_click_query": {},
  "os_version": "9.2.1",
  "first_referring_click_timestamp": "2016-02-09T15:57:23.411Z",
  "first_referring_link_data": {
    "date_ms": 1455033416690,
    "date_sec": 1455033416,
    "date": "2016-02-09T15:56:56.690Z",
    "data": {
      "$og_title": "Jingles Bingleheimer",
      "$publicly_indexable": 1,
      "face_index": "2",
      "~creation_source": 3,
      "$identity_id": "225633246304569572",
      "monster": "true",
      "+url": "https://bnc.lt/ALMc/pkZbNmazPq",
      "$one_time_use": false,
      "~id": "225633381004658863",
      "~channel": "sms",
      "body_index": "1",
      "monster_name": "Matts Monster",
      "$exp_date": 0,
      "color_index": "4"
    },
    "branch_id": "225633381004658863",
    "app_short_identifier": "625048",
    "domain": "bnc.lt",
    "channel": "sms",
    "state": 1,
    "href": "/ALMc/pkZbNmazPq"
  },
  "first_referring_click_query": {},
  "event": "install",
  "event_timestamp": "2016-02-09T15:57:51.019Z",
  "session_referring_link_data": {
    "date_ms": 1455033416690,
    "date_sec": 1455033416,
    "date": "2016-02-09T15:56:56.690Z",
    "data": {
      "$og_title": "Jingles Bingleheimer",
      "$publicly_indexable": 1,
      "face_index": "2",
      "~creation_source": 3,
      "$identity_id": "225633246304569572",
      "monster": "true",
      "+url": "https://bnc.lt/ALMc/pkZbNmazPq",
      "$one_time_use": false,
      "~id": "225633381004658863",
      "~channel": "sms",
      "body_index": "1",
      "monster_name": "Matts Monster",
      "$exp_date": 0,
      "color_index": "4"
    },
    "branch_id": "225633381004658863",
    "app_short_identifier": "625048",
    "domain": "bnc.lt",
    "channel": "sms",
    "state": 1,
    "href": "/ALMc/pkZbNmazPq"
  },
  "hardware_id": "<purposely stripped out>"
}
As you can see, it will include the referring link information in the response.
In general, installs will be referred if:
The user clicks on a Branch link and there is an identity associated to the link.
The user installing the app has not installed the app in the past.
Also, webhook documentation can be found here and the SDK will need to be integrated with your app so that Branch can understand that an Install event has occurred.
Note: You can also create webhooks on custom events such as "sign_up_complete" as well.

Accessing a cloud hub API

https://anypoint.mulesoft.com/apiplatform/anypoint-platform/#/portals/organizations/68ef9520-24e9-4cf2-b2f5-620025690913/apis/8617/versions/40329/pages/35412
/applications/{domain}/logs Traits: environment_based
Retrieve log messages for the application, ordered newest to oldest.
I am trying to access this API but am unable to work out what client id it asks for. I am also unable to understand the OAuth authentication this needs.
I am new to mule.
I am sharing step-by-step instructions to access the details of apps from the API.
Step 1: Get the access token from the API
https://anypoint.mulesoft.com/accounts/login?username=YOUR_USERNAME&password=YOUR_PASSWORD
NOTE : Use POST method and add Header Content-Type=application/json
You will get a response in JSON format like below:
{
  "access_token": "44126898-7ed8-4453-8d28-skajnbf",
  "token_type": "bearer",
  "redirectUrl": "/home/"
}
Step 2: Get your organization id
https://anypoint.mulesoft.com/accounts/api/me
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKEN_YOU_GOT_ABOVE
Example : Authorization = Bearer 44126898-7ed8-4453-8d28-skajnbf
In the response you will have a section with your organization-related details, like below:
"organization": {
  "name": "Sample",
  "id": "c1e68d1e-797d-47a5-b",
  "createdAt": "2016-11-29T09:45:27.903Z",
  "updatedAt": "2016-11-29T09:45:27.932Z",
  "ownerId": "68df9a5",
  "clientId": "7200350999564690",
  "domain": "******",
  "idprovider_id": "mulesoft",
  "isFederated": false,
  "parentOrganizationIds": [],
  "subOrganizationIds": [],
  "tenantOrganizationIds": [],
  "isMaster": true,
  "subscription": {
    "type": "Trial",
    "expiration": "2016-12-29T09:45:27.906Z"
  },
Step 3: Get the environment Details
https://anypoint.mulesoft.com/accounts/api/organizations/YOUR_ORGANIZATION_ID_FROM_ABOVE/environments
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKEN_YOU_GOT_ABOVE
Example : https://anypoint.mulesoft.com/accounts/api/organizations/c1e68d1e-797d-47a5-b/environments
You will get all available environments in the response in JSON format as below
{
  "data": [
    {
      "id": "042c933d-82ec-453c-99b2-asmbd",
      "name": "Production",
      "organizationId": "c1e68d1e-797d-47a5-b726-77asd",
      "isProduction": true
    }
  ],
  "total": 1
}
Step 4: Now specify the domain name and fetch the logs
https://anypoint.mulesoft.com/cloudhub/api/v2/applications/YOUR_CLOUDHUB_APP_NAME/logs
Example : https://anypoint.mulesoft.com/cloudhub/api/v2/applications/first-test-api-application/logs
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKEN_YOU_GOT_ABOVE
X-ANYPNT-ENV-ID = ENVIRONMENT_ID_YOU_GOT_ABOVE
Example : X-ANYPNT-ENV-ID = 042c933d-82ec-453c-99b2-asmbd
You will get the logs in JSON format as below
{
  "data": [
    {
      "loggerName": "Platform",
      "threadName": "system",
      "timestamp": 1480503796819,
      "message": "Deploying application to 1 workers.",
      "priority": "SYSTEM",
      "instanceId": "583eb1f1c4b27"
    },
    {
      "loggerName": "Platform",
      "threadName": "system",
      "timestamp": 1480503797404,
      "message": "Provisioning CloudHub worker...",
      "priority": "SYSTEM",
      "instanceId": "583eb1f1e4b27"
    }
  ],
  "total": 2
}
NOTE : FOR ENHANCED LOGGING YOU SHOULD SELECT APPROPRIATE DEPLOYMENT AND INSTANCE IDs TO GET LOGS IN SIMILAR MANNER
Hope this helps for beginners.
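The four steps above, chained as one Python function (an added example, not MuleSoft's code). It assumes the login endpoint accepts the username and password as a JSON body, which keeps them out of URL access logs, and it searches the /accounts/api/me response for the organization block since the answer only shows that section; the transport is injectable so the sequence can be checked with canned responses.

```python
import json
import urllib.request

BASE = "https://anypoint.mulesoft.com"


def call(method, url, headers, body=None):
    """Default transport: JSON request to the platform, decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_key(obj, key):
    # depth-first search for `key`: the page shows "organization" without its nesting
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for v in obj.values():
            hit = find_key(v, key)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for v in obj:
            hit = find_key(v, key)
            if hit is not None:
                return hit
    return None


def fetch_cloudhub_logs(username, password, app_name, env_name="Production", call=call):
    # Step 1: bearer token; credentials go in the JSON body, not the URL, so they do
    # not end up in proxy or server access logs (ASSUMED request form of the endpoint)
    login = call("POST", f"{BASE}/accounts/login", {},
                 {"username": username, "password": password})
    auth = {"Authorization": f"Bearer {login['access_token']}"}
    # Step 2: organization id from the profile
    org_id = find_key(call("GET", f"{BASE}/accounts/api/me", auth), "organization")["id"]
    # Step 3: environment id, chosen by name from the organization's environments
    envs = call("GET", f"{BASE}/accounts/api/organizations/{org_id}/environments", auth)
    env_id = next(e["id"] for e in envs["data"] if e["name"] == env_name)
    # Step 4: application logs, scoped to the environment via X-ANYPNT-ENV-ID
    logs = call("GET", f"{BASE}/cloudhub/api/v2/applications/{app_name}/logs",
                {**auth, "X-ANYPNT-ENV-ID": env_id})
    return [(e["timestamp"], e["priority"], e["message"]) for e in logs["data"]]
```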
To see the clientID, log into your CloudHub account. Click on the "gear" icon in the upper right corner. Click on the name of your organisation. You should now see your "clientID" and the "ClientSecret" ID.
Before you use the CloudHub APIs or the Anypoint platform APIs you have to create an account on the Anypoint Platform - check the architecture of the Anypoint API platform -
https://docs.mulesoft.com/anypoint-platform-for-apis/anypoint-platform-for-apis-system-architecture
Once you are done with the registration with the Anypoint API platform you need to set up users, roles & privileges as an admin -
https://docs.mulesoft.com/anypoint-platform-administration/managing-accounts-roles-and-permissions
As admin you need to control access to APIs by creating & supplying client Id and client Secret - https://docs.mulesoft.com/anypoint-platform-administration/manage-your-organization-and-business-groups
I guess that's the client you're referring to. It needs to be present in the request for all the APIs.
As far as OAuth is concerned, it is not completely functional on Cloudhub API. You will have to raise a ticket for support. Check this out -
https://docs.mulesoft.com/mule-user-guide/v/3.7/mule-secure-token-service
If you are new to Mule, run through the Mule Intro videos and try out the Anypoint Studio to get feel of Mulesoft Applications.
Hope this helps.

How to specify team/organization permissions for Trello API token?

I can request a token for a user by visiting the following url:
https://trello.com/1/connect?key=<key>&name=appName&response_type=token&scope=read,write&expiration=never
However, when I request the token's info through the API, I get a response that looks like this:
{
  "id": "...",
  "identifier": "appName",
  "idMember": "...",
  "dateCreated": "2015-10-15T05:21:19.886Z",
  "dateExpires": null,
  "permissions": [
    {
      "idModel": "*",
      "modelType": "Board",
      "read": true,
      "write": true
    },
    {
      "idModel": "*",
      "modelType": "Organization",
      "read": true,
      "write": true
    }
  ]
}
I'd like to be able to request a token that only grants privileges to a specific organization. But I can't seem to find clear documentation on what kinds of options the /1/connect endpoint accepts, or what other method I can use to obtain a token for a specific organization that does not expire.
I could make a machine user with access only to the organization, but it would be a shame to pay for another user account when I only want a subset of the permissions I already have.
I don't think that would be possible as you just authenticate against the API as that user and therefore have the ability to see everything that user can. The only way I'm aware of would be (as you suggested) to create a new user and limit what they can see.