Coinbase API cURL request results in CAPTCHA - api

I'm using cURL to hit the api.coinbase.com API endpoint and the results come back with a CAPTCHA requirement from Cloudflare.
Seems kind of odd to have a CAPTCHA on an endpoint written for scripts/servers to use instead of humans.
How can I hit the API with a script if it keeps requiring me to prove that I'm a human all the time?

... or just download the "official" library (https://developpaper.com/how-to-use-bitcoin-coinbase-wallet-library-to-develop-and-apply-php/)
... and then fix the cert issue that causes it to crash (Argument 1 passed to Coinbase\Wallet\Exception\HttpException::exceptionClass() must be an instance of Psr\Http\Message\ResponseInterface, null given)
That works, too.

Related

What is a __cf_bm cookie?

First off, I apologize if I use any incorrect terminology. I'm familiar with calling internal APIs, but this is a side project and new territory for me.
I've been using the Chrome debugger and PowerShell to write some scripts against the API of a public site. I was able to retrieve the JWT token; however, after a few minutes my calls will start to fail with a 403 error. To get around this I've been exporting all the request headers from Chrome and storing those locally for my script to pass whenever my call to the API fails. I narrowed it down to 4 headers that must be present; the one that is most suspect seems to be "cookie".
I then removed all key-value pairs in the cookie header until I found the one that makes it fail. It's named "__cf_bm". A quick Google search says it's some kind of Cloudflare bot management data. I don't see any of the data present in the __cf_bm cookie being sent in a response during authentication; I only see it in request headers. Is it not possible to construct this value? Does this essentially prevent me from interacting with the site's API?

cURL: which information is needed to get access token to login to a website?

After successfully getting past the login page using curl in Linux (bash) with two sites that use information from the HTML form field to accomplish this, I now also want to log in to another site with my credentials that is a bit more tricky. I'm new to this, and it seems that it works with OAuth, so I need an access token first. With my two successful attempts it was necessary to extract a CSRF token from the HTML code so as to prove I'm not a malicious bot. But now it's completely different and the server thinks I'm a bot (see error messages below).
Can somebody please confirm whether these are the only steps involved for logging in to an OAuth protected site:
1. a POST request to the server that generates the token (https://name_of_site/api/v1/auth/token)
2. a GET request to a password-protected part of the website using the access token from step 1
When I try step 1, I get error messages as shown below*. I inspected the website before logging in and afterwards with a browser and copied everything as cURL (bash). In the header fields of the token request I can find two more fields that look like they provide dynamic information:
- x-trace-request-id
- x-recaptcha-v3
I did some research and found that the request ID stays the same for some interactions that go to and from a server to facilitate identification of the client(?).
And concerning the recaptcha, I know what a recaptcha is, but I did not have to solve any captchas when accessing the site with a browser. So I'm quite unsure about these bits of information.
I strongly assume that I need to send one or both of these headers in the first step to actually get an access token. But how could I get valid values for these parameters with cURL?
Any help is appreciated! Please point me in the right direction. I can provide more information if needed, of course.
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"MissingAdditionalAuthToken"}}
This is the error I get when I do not provide x-trace-request-id and x-recaptcha-v3
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"InvalidCaptchaV3Token"}}
This is the error I get when I simply use the values as copied from the old request when I used the browser

Hitting API endpoint with GET verb and parameter value=40

I need to hit this endpoint as part of an assessment. I have tried having a look online, and I would ideally like to do this just by using the browser console.
This is my task:
Your task is to write some code (eg. console, html form, javascript, python etc.) to hit 2 API endpoints. You can use any language, framework, tool or library. The result of each endpoint will give you instructions on how to proceed. The first endpoint is /api/Step1 and requires a GET verb and a parameter value=40
I am really trying to understand how to do this but all of the things I have read have not worked.
Any help would be greatly appreciated.
[Postman]
http://i.stack.imgur.com/DA5Oq.png
You should make sure you get the idea of what an API is, and you can read this for the queries.
That said, you are looking to send a GET HTTP request to the URL /api/Step1?value=40. You can do this using a tool like Postman on Chrome, but there are other equivalents for other browsers.
If you are using OS X/Linux, you can look up the command curl on Google to see how to do a GET request from the terminal, or check this SO question.
Sending a GET request is quite easy. You can use curl and php for example. If you google it, you can find examples.
Giving a parameter is easy like this: /api/Step1?value=40

REST API Works in Browser, But Not Client

I am developing a REST API, and have found a very interesting problem.
When I access the resources in a web browser (in my case Chrome), everything works fine. However, when I access the resources using a REST client (Google Chrome plugin, web-based client, and a Java applet), NONE of the variables pass to the API. This happens both with GET and POST methods.
I have absolutely no idea why this would be the case, and it's proving very difficult to test the methods before putting them into production (especially with POST methods).
Please help!
At first glance it sounds like it could be 2 things:
1. You are not correctly passing API parameters via your client or applet
2. A problem with authentication or cookie management. Does the API require any type of authorization?
Are you forgetting to set a necessary HTTP header?
Do you have control of the API also or is it a third party API? If so, do the params arrive at all or do they arrive empty? What's the error code? - a 403 not authorized (which would make sense if the key doesn't pass) or something else due to missing params.
Try the intermediate step of doing it with cURL from the command line - that'll give you more detail on what's coming back.

OAuth Invalid signature issue with Digg

So I'm trying to authenticate my app to Digg using OAuth (and I'm totally not an OAuth expert).
I use the Scribe Java library.
I keep on getting the HTTP 401 Authorization Required. Inside the body of the response, it is a 5001 Invalid Signature Error.
I have read this Digg Google Groups thread and I didn't really understand. They say I should remove the method from the URL, but when I do this, I get the no Method provided error (or something like that).
Here is the dump of the communication: on Pastebin
Could you please help me find the solution on how to get the request token?
Thank you for your help.
You might want to stop sending the method in the URL as a querystring parameter and do this instead:
request.addBodyParameter("method","oauth.getRequestToken");
Hope that works for you
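
An added example, not part of the original answer and not Scribe's or Digg's code: the OAuth 1.0 signature base string from RFC 5849, built once with `method` in the query string and once in the form body. A conforming signer produces the same signature in both cases, so one way an Invalid Signature arises is when the two sides collect different parameters. The endpoint, key, secret, nonce and timestamp are constructed placeholders, and the query-blind verifier is a hypothetical, not a statement about Digg's implementation.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unescaped
    return quote(s, safe="-._~")


def base_string(http_method, url, oauth_params, body_params=()):
    """Signature base string per RFC 5849 section 3.4.1."""
    parts = urlsplit(url)
    # Base string URI has no query string (sample URL carries no explicit port)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query, form-encoded body and oauth_* parameters are collected together
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += list(body_params) + list(oauth_params)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([http_method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    # HMAC-SHA1 key is "consumer_secret&token_secret" (token secret empty here)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed values: placeholders, not taken from the original post
ENDPOINT = "http://api.example.test/1.0/endpoint"
SECRET = "constructed-secret"
OAUTH = [
    ("oauth_consumer_key", "constructed-key"),
    ("oauth_nonce", "constructed-nonce"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1300000000"),
    ("oauth_version", "1.0"),
    ("oauth_callback", "oob"),
]
METHOD = ("method", "oauth.getRequestToken")

in_query = base_string("POST", ENDPOINT + "?method=oauth.getRequestToken", OAUTH)
in_body = base_string("POST", ENDPOINT, OAUTH, [METHOD])
# Hypothetical verifier that skips the query string when collecting parameters
server_view = base_string("POST", ENDPOINT, OAUTH)

print("query vs body equal:", sign(in_query, SECRET) == sign(in_body, SECRET))
print("client vs query-blind verifier equal:", sign(in_query, SECRET) == sign(server_view, SECRET))
```

Comparing the client's base string with the one the server expects, byte for byte, is the quickest way to locate a signature mismatch.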