How to use the AddAuthParameter procedure? - api

I have to add an authorization to a REST request in Delphi.
Can someone give me an example of how I should call the AddAuthParameter procedure?
I am doing this in the OnClick event of a button:
var
  authjo, auth1, auth2, auth3, auth4, auth5, auth6, auth7, auth8, auth9, auth10: string;
begin
  // the token is assembled from ten string fragments
  authjo := auth1 + auth2 + auth3 + auth4 + auth5 + auth6 + auth7 + auth8 + auth9 + auth10;
  // the assembled token is sent as an HTTP header named Authorization
  Restrequest4.AddAuthParameter('Authorization', authjo, TRESTRequestParameterKind.pkHTTPHEADER);
  Restrequest4.Execute;
end;
But this does not use the Authorization token 'authjo' and I don't know why.
I must have an Authorization like this: "Authorization Bearer :token". Am I not constructing it well in the code?

If the authentication expects a Bearer token, you must add that to your call:
Restrequest4.AddAuthParameter('Authorization','Bearer ' + authjo,TRESTRequestParameterKind.pkHTTPHEADER);

Having messed around with Delphi to access an API (in my case Trakt), I managed to authenticate with OAuth2. But I ran into the very same problem as you did.
I have just asked my question here:
Accessing TRAKT API from Delphi - issues with Bearer authentication [SOLVED]
As I understand it, the root cause is that adding headers like we do creates a parameter entry that is "Authorize=Bearer [token]" whereas it should be "Authorize:Bearer [token]".
See here:
How to add a "Authorization=Bearer" header with Indy in Delphi?
I have managed to mitigate the issue and would like to refer to that thread.
Also, the tool Fiddler was most helpful to see what my app actually sent and what it got back.

Related

intermittent error from rally 'Not authorized to perform action: Invalid key' for POST request in chrome extension

I developed a Chrome extension using Rally's WSAPI v2.0, and it basically does the following things:
get the user and project, and store them
get the current iteration every time
send a POST request to create a work item
For the THIRD step, I sometimes get the error ["Not authorized to perform action: Invalid key"] since the end of last month.
[updated] The error can be reproduced every time if I log in to the Rally website via SSO before using the extension to send requests via API key.
What's the best practice for sending subsequent requests via API key in my extension, since I can't control end users' habits?
I did see some similar posts but none of them was helpful... and in case it helps:
I'm adding ZSESSIONID:apikey in my request header, instead of user/password, to authenticate, so I believe no security token is needed (https://comm.support.ca.com/kb/api-key-and-oauth-client-faq/kb000011568)
the URL starts with https://rally1.rallydev.com/slm/webservice/v2.0/
the issue is fixed after clearing cookies for https://rally1.rallydev.com/, but somehow it appears again some time later
I checked the cookies when the issue was reproduced and found one named ZSESSIONID whose value had become something other than the API key. Not sure if that matters though...
code for request:
function initXHR(method, url, apikey, cbFunc) {
  let httpRequest = new XMLHttpRequest();
  // ... (setup elided in the original)
  httpRequest.open(method, url);
  httpRequest.setRequestHeader('Content-Type', 'application/json');
  httpRequest.setRequestHeader('Accept', 'application/json');
  // the API key is sent as the ZSESSIONID header instead of user/password
  httpRequest.setRequestHeader('ZSESSIONID', apikey);
  httpRequest.onreadystatechange = function() {
    // ... (response handling that calls cbFunc elided in the original)
  };
  return httpRequest;
}
// ...
usReq = initXHR('POST', baseURL + 'hierarchicalrequirement/create', apikey, function() { /* ... */ });
Anyone has any idea / suggestion? Thanks a million!
I've seen this error when the API key had both read-only and full-access grants configured. I would start by making sure your key only has the full-access grant.

Can't get Token based authentication working with NancyFX

I am trying token-based authentication with NancyFX. The token is generated perfectly, but when I pass the header in a GET request, I can't get past this.RequiresAuthentication() and get an unauthorized error.
Here is my token format
Token:{ token: "ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=" }
Am I passing it the wrong way?
I have also tried
Token:{ ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=}
and also
"Token:{ ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY=:QerS8B701zoC1xqlvSxuz0EbrBDtfgEzkDWzlEj9ChA=}"
But nothing works.
Please let me know if any more details are required.
The value of the authorization header must simply read "Token ZGVtb1VzZXINCmFkbWlufG5vbmFkbWluDQo2MzU1MDU5NjU4NzExNTE5MzkNCk1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMzsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8zOC4wLjIxMjUuMTExIFNhZmFyaS81MzcuMzY" (no quotes).
The brackets in the documentation threw me off as well.
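Both the Delphi thread above and this NancyFX question fail on the same point: the Authorization header value must be a scheme ("Bearer", "Token"), a single space, then the bare credentials, and the header must be sent as "Name: value" rather than "Name=value" or with braces and quotes around the token. The following is an added example, not code from either question or answer, that builds such a value and checks a raw header line, reporting the reason each malformed form seen above is rejected. All function and variable names are the example's own.

```javascript
// Added example: build and check an HTTP Authorization header line.
// Not taken from the posts above; names and sample lines are constructed.
const SCHEME_RE = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;   // RFC 7230 "token" characters
const CREDENTIALS_RE = /^[^\s"{}]+$/;                // no whitespace, quotes or braces

// Build the value the way the Delphi answer does ("Bearer " + token),
// refusing tokens that would produce an unparsable header.
function buildAuthorizationValue(scheme, token) {
  const t = String(token).trim();
  if (!SCHEME_RE.test(scheme)) throw new Error('invalid auth scheme: ' + scheme);
  if (!CREDENTIALS_RE.test(t)) throw new Error('token contains whitespace, quotes or braces');
  return scheme + ' ' + t;
}

// Parse one raw header line ("Name: value") and report the outcome with a
// reason that a server-side log could record when authentication fails.
function parseAuthorizationLine(line) {
  const colon = line.indexOf(':');
  if (colon < 0) {
    return { ok: false, reason: 'no ":" between header name and value (sent as "Name=value"?)' };
  }
  const name = line.slice(0, colon).trim();
  const value = line.slice(colon + 1).trim();
  if (name.toLowerCase() !== 'authorization') {
    return { ok: false, reason: 'header name is "' + name + '", expected "Authorization"' };
  }
  const sp = value.indexOf(' ');
  if (sp < 0) {
    return { ok: false, reason: 'no scheme before the credentials (missing "Bearer " or "Token ")' };
  }
  const scheme = value.slice(0, sp);
  const credentials = value.slice(sp + 1).trim();
  if (!SCHEME_RE.test(scheme)) {
    return { ok: false, reason: 'invalid scheme "' + scheme + '"' };
  }
  if (!CREDENTIALS_RE.test(credentials)) {
    return { ok: false, reason: 'credentials contain whitespace, quotes or braces' };
  }
  return { ok: true, scheme: scheme, credentials: credentials };
}

// Constructed sample lines mirroring the shapes seen in the two questions.
const SAMPLE_LINES = [
  'Authorization: ' + buildAuthorizationValue('Bearer', 'abc.def'), // correct
  'Authorization=Bearer abc.def',                                    // "=" instead of ":"
  'Authorization: abc.def',                                          // token without scheme
  'Token:{ token: "YWJj=:ZGVm=" }',                                  // wrong header, braces, quotes
  'Authorization: Token YWJj=:ZGVm=',                                // correct "Token" form
];
for (const line of SAMPLE_LINES) {
  console.log(JSON.stringify(line), '->', JSON.stringify(parseAuthorizationLine(line)));
}
```

The credential check is deliberately looser than the RFC 7235 token68 grammar so that a value containing ":" (as the NancyFX token does) still passes; the point is to catch the structural mistakes, not to validate the token itself.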

Mediafire api call Signature(session token 2)

I don't see any post related to generating a call signature (session token 2) using the MediaFire API, so here is my question.
I am trying to use the get_info API to get the user information, but I am having a problem generating a call signature (session token 2).
I am reading the documentation given here, where it says that to generate the call signature we need the formula:
The signature = the Message-Digest (MD5) of the 'secret_key' modulo 256 + 'time' + the URI of the API call.
I have the secret_key and time, which I got from calling the get_session_token API. The problem lies (I guess) in the URI of the API call.
In my case, I wanted to call the get_info API, so I replaced the URI with "/api/user/get_info.php". But I got an error saying I have an invalid signature. What am I doing wrong here?
signature = sha1(email + password + application_id + API_Key)
I see that here: https://github.com/MediaFire/mediafire-php-open-sdk/blob/master/mflib.php

Try to get an access_token with google oauth api but redirect to `o/oauth2/approval`

I'm now trying to use the Google OAuth API to allow Google users to log in to my app, and I've followed Google's OAuth2Login documentation all along.
I used this to get a code and it worked just fine.
var u = 'https://accounts.google.com/o/oauth2/auth?'
  + '&response_type=code'
  + '&client_id=' + opts.googleClient
  + '&redirect_uri=' + redirectURI
  + '&scope=' + opts.scope
  + '&approval_prompt=force&access_type=offline';
But when I try to get the access_token with the /o/oauth2/token API like below:
var u = 'https://accounts.google.com/o/oauth2/token?'
  + 'code=' + code
  + '&client_id=' + opts.googleClient
  + '&client_secret=' + opts.googleSecret
  + '&scope='
  + '&redirect_uri=' + redirectURI
  + '&grant_type=' + 'authorization_code';
request.post({url: u, json: true}, fn);
It returned:
{
error: "invalid_request"
}
I've checked that with Chrome developer tools in the Network bar which indicate that the request URL is https://accounts.google.com/o/oauth2/approval?as=-5013c18c497345fc&hl=en&pageId=none&xsrfsign=APsBz4gAAAAAUcwS1TxlojrAPVNCj7ntTlz1H4xQgysC instead of what I'm posting to.
I can make sure my POST URL and data look exactly like those in the Google OAuth Playground. But the result is totally different.
Did I do anything wrong? Please help.
The data you are sending looks correct, but it looks like there are two errors in how the request is formed.
First, when you construct the form data part of the message make sure that you URL encode all of the values, e.g. if the redirect_uri value contains an &, that will cause you problems unless it is URL encoded.
Second, while you are correctly doing a POST instead of a GET, you are still sending the parameters in the query string instead of in the body of the request. Move them to the body, set the content-type to 'application/x-www-form-urlencoded' and you should be set.
(it looks like JavaScript, but I'm not sure which libraries you are using so I didn't provide sample code)
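Since the answer stops short of sample code, here is an added example, not from the question or the answer, showing how the token request looks once its two corrections are applied: parameters moved out of the query string into a form-encoded body, each value percent-encoded, and the Content-Type set. It only builds the request (URL, headers, body) rather than sending it, so the pieces can be inspected, and it includes a checker that flags the two mistakes in the question's version. The names opts, code and redirectURI mirror the question; the values used are constructed placeholders, and scope is left out because it carried no value in the question.

```javascript
// Added example: shape of the authorization_code token request after the
// corrections in the answer above. Not code from the question or the answer.
const TOKEN_ENDPOINT = 'https://accounts.google.com/o/oauth2/token';

// Build the request without sending it. URLSearchParams percent-encodes every
// value, so a redirect_uri containing "?" or "&" cannot break the body apart.
function buildTokenRequest(opts, code, redirectURI) {
  const params = new URLSearchParams({
    code: code,
    client_id: opts.googleClient,
    client_secret: opts.googleSecret,
    redirect_uri: redirectURI,
    grant_type: 'authorization_code',
  });
  return {
    method: 'POST',
    url: TOKEN_ENDPOINT,                     // no query string on the URL
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),                 // parameters live in the body
  };
}

// Report what is wrong with a request object of the shape above. Returns an
// empty array when the request matches the answer's two requirements.
function diagnoseTokenRequest(req) {
  const problems = [];
  if (req.method !== 'POST') problems.push('method must be POST');
  if (new URL(req.url).search !== '') {
    problems.push('parameters must be in the body, not the query string');
  }
  const headers = req.headers || {};
  const ct = String(headers['Content-Type'] || headers['content-type'] || '').toLowerCase();
  if (!ct.startsWith('application/x-www-form-urlencoded')) {
    problems.push('Content-Type must be application/x-www-form-urlencoded');
  }
  const body = new URLSearchParams(req.body || '');
  for (const k of ['code', 'client_id', 'client_secret', 'redirect_uri', 'grant_type']) {
    if (!body.get(k)) problems.push('missing ' + k + ' in body');
  }
  return problems;
}

// Constructed placeholders, not real credentials.
const demoOpts = { googleClient: 'client-id-placeholder', googleSecret: 'client-secret-placeholder' };
const demoRequest = buildTokenRequest(demoOpts, '4/code-placeholder', 'https://app.example/cb?x=1&y=2');
console.log(demoRequest.body);
console.log('problems:', diagnoseTokenRequest(demoRequest));
```

With the question's own request shape (everything after "?" in the URL, empty body, no Content-Type) diagnoseTokenRequest lists the query-string and Content-Type problems first, which is the same conclusion the answer reaches by inspection.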

FB error: Expected 1 '.' in the input between the postcard and the payload

I have finished my app and tried it on 3 FB accounts and it was OK,
but the 4th has a permanent error (it cannot get an access token):
com.restfb.exception.FacebookOAuthException: Received Facebook error response of type OAuthException: Expected 1 '.' In the input between the postcard and the payload.
I tried to remove the app and install it again on this account a few times, and nothing changed.
I use Java and the restFB client.
This is the code where I get the access token:
if (request.getParameter("code") != null) {
    String code = request.getParameter("code");
    String url = "https://graph.facebook.com/oauth/access_token?"
            + "client_id=" + clientId + "&" + "client_secret="
            + clientSecret + "&" + "code=" + code + "&" + "redirect_uri="
            + redirectURL + "&type=web_server";
    // takes the first "&"-separated field and strips the "access_token=" prefix
    String accessToken = readUrl(url).split("&")[0].replaceFirst("access_token=", "");
    //....
}
I saw here someone with the same error; he said that the solution was:
replacing "|" with "%257C" which made my access token invalid"
I couldn't really understand what he means.
Embarrassing as it is -- I'll be honest in case it helps someone else:
When I got this error message, I had accidentally copy/pasted a Google access_token (e.g. ya29.A0A...) into a Facebook graph API route. :)
It's probably worth logging the response to the /oauth/access_token request and the value you extract for use as the access token.
For the account that doesn't work, check whether the /oauth/access_token response includes other parameters before access_token. IIRC I've seen responses like
expiry=86400&access_token=AAAxxxx
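The extraction in the question (first "&"-separated field, prefix stripped) silently returns the wrong thing when the response carries another parameter before access_token, as in the shape quoted just above. The following added example, not code from the question or any of the answers, parses the response as form-encoded key/value pairs so the token is found regardless of position, fails loudly when no access_token is present, and flags the Google-style "ya29." token mentioned in one of the answers. The sample responses are constructed.

```javascript
// Added example: parse the /oauth/access_token response by key instead of
// by position. Not from the question or the answers; samples are constructed.

// Robust extraction: look the key up wherever it sits in the response.
function extractAccessToken(body) {
  const params = new URLSearchParams(body);
  const token = params.get('access_token');
  if (!token) {
    // Log the head of the body (never the full secret) so the failing
    // account's response can be compared with a working one.
    throw new Error('response does not contain access_token: ' + body.slice(0, 80));
  }
  return token;
}

// The question's approach, for comparison: first field, prefix stripped.
function extractAccessTokenNaive(body) {
  return body.split('&')[0].replace(/^access_token=/, '');
}

// Sanity check before using a value as a Facebook token: a "ya29." prefix is
// the Google access_token shape one answer mentions pasting by mistake.
function tokenLooksLikeGoogleToken(token) {
  return typeof token === 'string' && token.startsWith('ya29.');
}

// Constructed responses: token first, token second, and an error body.
const SAMPLE_RESPONSES = [
  'access_token=AAAxxxx&expires=5183944',
  'expiry=86400&access_token=AAAxxxx',
  'error=invalid_code',
];
for (const body of SAMPLE_RESPONSES) {
  let robust;
  try { robust = extractAccessToken(body); } catch (e) { robust = 'ERROR: ' + e.message; }
  console.log(JSON.stringify(body));
  console.log('  naive :', JSON.stringify(extractAccessTokenNaive(body)));
  console.log('  robust:', JSON.stringify(robust));
}
```

On the second sample the naive version returns "expiry=86400" and would then be sent as the access token, which is exactly the kind of malformed input a Graph API error about unexpected token structure would describe.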
Check to ensure you are verifying the "code" parameter returned by Facebook before signing the request, not the "access token". That was the mistake I made.
I experienced the same issue, and after debugging my only conclusion was that when this message is thrown it might just be that the token is expired or invalid. Checking with a freshly generated token should not throw this error.