How to send cookies using Hasura - authentication

I am using Hasura to interface with a GraphQL endpoint on my Django project using Graphene. I need to ensure that the user has authenticated for all calls to the GraphQL endpoint. In a typical REST API all you'd need to do is pass a session cookie back and forth, and I would assume it's the same process with GraphQL.
I can interface with the GraphQL endpoint just fine using Postman, first authenticating with a REST endpoint and then passing the cookies I received when making calls to the GraphQL endpoint. When I copy the cookie to Hasura's headers I am not receiving any cookies on the backend. This is effectively what I am setting the header to on Hasura:
Set-Cookie : session=iLCJhbGciOiJIUzeyJ0eXAiOiJKV1QI1NiJ9.eyJzZXNzaW9uX2lkIjoiMzUzYWI5M2EtZmVmMi00ZjkyLTllYmItYjlmMDM3ODFkNzMwIiwiZXhwaXJlc19pbiI6IjIwMjAtMDUtMTJUMTk6MTM6MDkuOTc5MjA3WiIsImZpbmdlcnByaW50IjoiT3RoZXIgLyBPdGhlciAvIE90aGVyIiwiY3JlYXRlZF9hdCI6IjIwMjAtMDUtMTJUMTg6NTg6MDkuOTg1NzQ0WiIsImlwIjoiMTI3LjAuMC4xIiwidXNlciI6IjYwNjYwMjgyLTI1ZGEtMTFlYS04YjAzLTRhN2I0YjZmMmYyYSJ9.WCm3GbbLXk-2kbhvKSUpNS-8ggHbEHrDi7YPuLtpvik; path=/; domain=localhost; HttpOnly; Expires=Wed, 13 May 2020 02:58:09 GMT;
I am trying to confirm I have cookies by inserting this code into a resolver but all that is printed is an empty dict.
print(info.context.COOKIES)

I am using Hasura on Heroku and running a Vue.js + Node.js application. I'm creating a cookie (HttpOnly, Secure) with a JWT as the value, and had set up the Hasura HASURA_GRAPHQL_JWT_SECRET to:
{"type":"HS256", "key": "secret","header":{"type": "Cookie", "name": "namecookie" } }
It always returns 'no cookie name in the header JWT'. I'm sending a fetch from Vue directly to Hasura; I want to, even if it is unsafe, but it does not work.

Related

JWT Authentication in StepZen

I have two headless backend services, Saleor and Strapi, which provide a GraphQL API for e-commerce development. The problem was to find a service which can stitch two (or more) GraphQL schemas so that I can access them through one endpoint. Such a service is StepZen. Normally when trying to fetch requests on StepZen you would have to do it with
{
"Authorization": "apikey <apikey>"
}
as a header. And it would also work. But when some fields in the schemas you are stitching require JWT authentication, you need somehow to pass a Bearer token in the Authorization header. In StepZen there is an option to forward headers, so theoretically I could use that to forward the Authorization header to those fields, because StepZen also provides JWT authentication when making your request instead of using an API key. And THAT is the main problem (failing to access StepZen with only a Bearer token).
As stated in the documentation, I changed my config.yaml file accordingly:
deployment:
  identity:
    jwksendpoint: https://<MY-DOMAIN>/.well-known/jwks.json
access:
  policies:
    - type: Query
      policyDefault:
        condition: '?$jwt'
Unfortunately, after this, trying to access the endpoint with the Bearer token as the value of the Authorization header like this:
{"Authorization" : "Bearer <token>"}
always got me the same 401 error from StepZen, NOT Saleor (Unauthorized: missing or not allowed), which means that none of my requests reach its endpoint. I am totally lost, because I have already tried all combinations of the config.yaml file from the StepZen docs and none of them worked. I would be very happy if someone could explain to me what the problem is.

Setting variables from the response in IntelliJ IDEA's HTTP request generator

I am enjoying IntelliJ IDEA's HTTP request generator as an alternative to Postman etc.
Currently, my application uses an ephemeral key for JWTs. You know what kind of pain it is... Every time you restart the application you MUST authenticate again, even if the old token is still (temporarily) valid.
Currently I have to run my OAuth authentication request with my credentials, copy and paste the JWT from the output JSON, and then paste it into the next request's Authorization header
GET http://localhost:8080/api/auth/v1/token
Authorization: CCB [... static token...]
{
"id_token": "eyJhbGciOiJIUzI1NiJ9....", <== copy that!
"refresh_token": "eyJhbGciOiJIUzI1NiJ9....",
"expires_in": 1634292409144,
"user_details": {
And
PATCH http://localhost:8080/api/v1/example/runImportJob
Authorization: Bearer <== paste!
Question
I know that IntelliJ IDEA supports {{variables}}. I'd like to ask if it is possible to set the output of the token invocation into a variable which I'll then reference in the Authorization header
Desiderata
PATCH http://localhost:8080/api/v1/example/runImportJob
Authorization: Authorization {{jwt}}
And to run the authentication request (GET .../token) which ultimately sets the jwt variable, after jsonpath-ing the response of course
You can try using client.global.set and client.global.get to save/load variables. See the example at https://www.jetbrains.com/help/idea/http-response-handling-examples.html#script-var-example .
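An added example of the answer's suggestion (not from the question or the answer): one .http file for the IntelliJ HTTP client in which the token request's response handler stores id_token in a global variable and the next request reads it back. The static token is assumed to live in the HTTP client environment file as {{static_token}}; the URLs and the CCB scheme are the question's own.

```http
### 1. Authenticate and capture the id_token from the JSON response
GET http://localhost:8080/api/auth/v1/token
Authorization: CCB {{static_token}}

> {%
    // response.body is already parsed when the response is application/json
    client.test("token captured", function () {
        client.assert(response.status === 200, "auth call failed");
        client.assert(typeof response.body.id_token === "string", "no id_token in response");
    });
    client.global.set("jwt", response.body.id_token);
%}

### 2. Reuse it; values set with client.global survive until cleared or overwritten
PATCH http://localhost:8080/api/v1/example/runImportJob
Authorization: Bearer {{jwt}}
```

Run request 1 once after each application restart and request 2 as often as needed. Because client.global values are persisted by the IDE between sessions, the stored jwt is a live credential on disk; clear it with client.global.clear("jwt") in a handler, or simply re-run request 1, when you no longer need it.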

Authorizing API Requests to 3rd Party Services in Mongodb Realm

I'm building a React app that allows users to login with Google and then connects to a webhook/3rd Party service in Realm. The service should only return data that the users own.
I've set up the OAuth 2 with Google and can get back access_token for a user and I then pass it in the header (I've also tried the URL params) to the webhook. But I get an error back saying:
400 "no authentication methods were specified" - "Invalid Parameter".
After much testing, I've identified that it must be a Realm issue - but I can't figure out what.
I've tried authenticating with Google in Postman and sending a request from there like this:
GET <incoming_webhook URL>
Request Headers
Authorization: Bearer <access_token>
User-Agent: PostmanRuntime/7.26.10
Accept: */*
Host: us-east-1.aws.webhooks.mongodb-realm.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
But I get the same error.
In Realm I have "Google" enabled as an authentication provider (and the authentication works, just not the authorization through the webhook).
Per https://docs.mongodb.com/realm/services/configure/service-webhooks/#configure-user-authentication, you can choose email/password, an API key, or a custom JWT token. I don't know whether you can use google login directly to a webhook, but you're probably better off making a realm function instead.
Regarding the error no authentication methods were specified, you can specify the type of authentication method (using a custom JWT as an example) by either:
putting it in the header:
Header: jwtTokenString, Value: eyJhbGci.....
OR
by including it as part of the webhook body:
{
"jwtTokenString":"eyJhbGci...",
"mydata": "my data value"
}
If you try to use both methods, you get a multiple authentication methods used error. HTTP Bearer tokens in the header, etc., are useless here.
For an API key, instead of jwtTokenString, use api-key; or the email and password fields for email/password authentication.
I found these methods of providing authenticating information really unintuitive and the documentation very unclear.

Understanding bearer tokens when using Postman and not using Postman?

I am trying to integrate a third party API. I was provided with a username and password.
When I use Postman to send a post request to the login webpage; the request header contains a postman token:
Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value
If I supply the postman token to every request after the login request (as shown below) then everything still works as expected:
If I access the api through my webpage, then everything also works as expected. My questions are:
What is the Postman token? I have looked already here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman
What is the alternative to the Postman token when accessing the API through a webpage? I can see no token in the request when looking at it using Fiddler. Where is the bearer token in Fiddler?
Postman Token:
So it is just a custom header to track and debug Postman requests in the receiving server.
It doesn't do any authorization.
Why no token in Fiddler:
Because you haven't added it. You can add any custom header to the request you are sending.
Why it works when used as bearer token:
Because in your login call your session is cached. So for subsequent requests it is using the cached session.
To close the session, update the Connection header from keep-alive to close.
Try setting second request to no auth:
and see if the request is still successful to confirm you are using cached session

Authorization between nuxtjs and the backend API

I have a Vue.js application created using Nuxt.js. I am also using Django as the backend server, and I made an API to interact between the backend server (Django) and the front-end app (Vue.js/Nuxt.js). Any API-related fetches are done in the asyncData function of the page to render the data on the server side using axios. Also, I am using JSON web token authentication, and the API generates a JWT token after successful login which is stored in the cookie. So on the backend, it will always check the request's Authorization header for the token. If the request is from a logged-in user (authorized token) then it returns authenticated JSON data, or else it returns non-authenticated data.
The problem:
When the user navigates to the app, I would like to check if the user is authenticated. If the user is authenticated, render the authenticated page. If not then display non authenticated page.
My thoughts:
When the fetch is done from the App on the AsyncData function, I would check whether there is any value for the cookie. If there is then send the token with the request's authorization header. But, since the page will be rendered on the server first, and not on the client side (where the cookie actually is) it will never find the token for the authorization.
How can I check if the user is already logged in or not so that I can get authenticated and non authenticated data respectively from the API?
Update
When I successfully log in (post authorized email and password), I get a json response back with the token, which I set in the cookie like this:
this.$cookie.set('my_auth_token', this.token, {expires: 15})
How can I retrieve the client-side cookie into the Nuxt server for server-side rendering?
Cookies are exposed in the (Express) Nuxt server through middleware.
Specifically, they can be read from the req.headers.cookie property. You can see an example implementation of this in the Nuxt documentation.
Regarding your implementation: fetching the privileged data from your API using Node would seem to be the ideal way to delegate session handling to that single service (rather than both) and provide SSR for your users.
If you've chosen to instead implement your session handling on the Django service then you'll need to "forward" your cookies by passing them into your axios request headers.
I did something similar using Firebase authentication. There is an example project on Github as well as a blog entry outlining the important files and configuration used in the application.
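An added example of the forwarding the answer describes (not code from the question, the answer, or the linked projects): a Nuxt 2 page whose asyncData reads the token from req.headers.cookie on the server and from document.cookie in the browser, then passes it to axios explicitly. It assumes the @nuxtjs/axios module ($axios), the cookie name my_auth_token from the question, a Bearer scheme on the Django side, and a made-up API path /api/profile/.

```javascript
// Added example, not code from the question or answer. Assumes Nuxt 2 with the
// @nuxtjs/axios module; cookie name from the question, API path and Bearer scheme assumed.

// Extract one cookie from a raw Cookie header string such as "a=1; my_auth_token=xyz".
function cookieValue(cookieString, name) {
  const m = (cookieString || "").match(new RegExp("(?:^|;\\s*)" + name + "=([^;]*)"));
  return m ? m[1].trim() : null;
}

// Turn the cookie into the Authorization header the Django API expects.
// Returns {} when no token is present so the unauthenticated fetch still works.
function authHeadersFrom(cookieString, cookieName = "my_auth_token") {
  const token = cookieValue(cookieString, cookieName);
  return token ? { Authorization: `Bearer ${token}` } : {};
}

// Nuxt puts `req` in the asyncData context only on the server. There the browser's
// cookies arrive on the page request as req.headers.cookie; in the browser they are in
// document.cookie. Either way the token is forwarded to axios explicitly, because the
// Node process calling the API is not the browser and has no cookie jar of its own.
const profilePage = {
  async asyncData({ req, $axios }) {
    const cookieString = req ? req.headers.cookie : document.cookie;
    const headers = authHeadersFrom(cookieString);
    const { data } = await $axios.get("/api/profile/", { headers });
    return { profile: data, authenticated: "Authorization" in headers };
  },
};
// In a .vue page file, profilePage is the object you `export default`.
```

Treating an absent cookie as "not logged in" is only a rendering decision: the API still decides from the header whether the token is valid, so an expired or forged cookie yields the non-authenticated response, not a leak.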