I used Luminus, along with reitit and swagger-ui to generate a page that lets me try out my Luminus API. I can just enter my API request body and submit to test my API.
Now I have added authentication using buddy and my API requires a token to be passed in the header of the request, or else it rejects the request as forbidden.
I'm trying to get an "Authorization" headers field to magically appear in my UI so that I can enter a JWT token string and test my API. This must be a very common requirement for anyone creating an API using reitit, but I can't figure out how to do it.
I went searching around and found this reitit issues page, which includes the text...
Header params are declared as lower-case strings {:headers {"authorization" string?}} which would match exactly what Ring provides us. (Could still HTTP-Header-Case them for documentation.)
...and suggests the setup below...
:get {:summary "list offers"
:parameters
{:headers
{"authorization" string?}}
... etc
Doing that didn't get me any way to authenticate. So, I found this discussion and edited my routes by adding the following after :summary and :parameters in the above route...
:middleware [authenticated?]
:swagger {:security [:apiKey]}
After adding that, I get this...
...which looks like I'm on the right track, but I still have no way of entering my token in the auth header.
As I said, everything is working with curl... Just that swagger isn't showing any way to add auth header. Anybody know how to get Swagger UI to play along in this scenario?
If reitit doesn't support this, then how are people using Swagger UI for authenticated requests?
Any help would be appreciated!
OK. Solved it.
At the root of my API routes (encapsulating all of the routes where I might end up using this authentication), I add :securityDefinitions.
["/api"
{:swagger {:id ::api
:securityDefinitions {:apiAuth
{:type "apiKey"
:name "Authorization"
:in "header"
}}}
Inside the specific route:
:middleware [authenticated?]
:swagger {:security [{:apiAuth []}]}
Related
A am just beginning to familiarize myself with the eBay RESTFUL API, forgive me this basic question, but I found no answer yet.
I have an eBay account since many years ago. I registered a developer account (same eMail address) recently, and I got the Tokens for Sandbox and Production. I have successfully used public APIs like list items, search items, and such, to verify the tokens, by querying some items in eBay.
How do I preceed from here to access data specific to my eBay account, like, for instance, the list of purchases and sales? Somehow I need to connect my app to my live eBay account, I guess, and give my app permissions to read data, but I could not find any matching setting in my eBay account settings nor in the API calls.
Please guide me through the next step: how do I give my app the required permissions, and how do I build a simple read-only query to query, for instance, the items I have purchased.
I think this question does not depend on any programming language, feel free to use any programming language you like.
Many Thanx!
Ok so if we are talking only about Authorization token and calling seller api like orders (in ebay it's called fullfilments i believe).
We need to start with creating User Token.
You can create one here:
Then you need to add ebay redirect URL:
I don't know much about Auth'n'Auth so I will talk only about OAuth
After adding new redirect URL you should add url address for authorization success and failure.
You will be redirected there after authorization.
Now we can test if generation of token works.
For this example i did set my redirect url like that:
We need to click "Test Sign-in" (set radio button to OAuth before)
You should be redirected to website:
You need to sign in with account which have access to sandbox.ebay.com or ebay.com (depends if you are on sandbox or production environment)
After logging in I don't remember if there will be another window with confirmation of App scopes to confirm (I already done it before).
But if that is the case just click confirm button.
Now you should be redirected to https://localhost.com which we did set up as our success redirect url
Url should look like that
https://localhost.com/?code=v%5E1.1%0VeMTI%3D%3D&expires_in=299
That code parameter is much longer btw. And you can see that it's url encoded so you need to decode it before using
And now you are almost at home :D
You have 300 seconds to call a POST request to authorize with that code parameter.
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Header required
Remember first screen shot?
You need to go there and get your App ID, Cert ID then concatenate it with ":" then encode it to Base64 and add before that value "Basic " keyword.
In pseudo code it should looks like that:
Authorization:Basic Base64.encode(AppID + ":" + CertID)
Body required
format of Body needs to be "x-www-form-urlencoded" (key:value format basically)
here you need
grant_type:authorization_code
code:{code}
redirect_uri:{redirect_name}
{code} - is value from success authorization url
{redirect_name} - you can find it on screen below marked with red circle
If you did everything right you should get response from ebay
{
"access_token": "v^1.1#i^1#r^0VbbxW1wjv4HZGAAA",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#f^0#r^FDQ=",
"refresh_token_expires_in": 47304000,
"token_type": "User Access Token"
}
You should save that data, access_token is used for accessing data, refresh_token is used to refresh access_token.
Example request with authToken
GET https://api.sandbox.ebay.com/sell/fulfillment/v1/order?filter=creationdate:[2022-03-31T08:25:43.511Z..]
You need Authroization header:
Authorization:Bearer v^1.1#i^1#r^0VbbxW1wjv4HZGAAA
That's it I guess. To implement that into your app you need to be able to generate the first url which you are redirected to after clicking "Test Sign-in" and that's basically it.
Btw you refresh token like that
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Body x-www-form-urlencoded
grant_type:refresh_token
refresh_token:v^1.1#i^1#f^0#r^FDQ=
Header
Authorization:Basic Base64.encode(AppID + ":" + CertID)
I hope that will help someone. :)
I am hoping some of you can give me the best practice on how to verify my reCaptcha token on the server.
I have a Symfony 6 app with API Platform. I have defined some entities as API Resources, so I can POST data. On the front end I am using Vue with axios to POST to the specific end points.
I would like to verify the reCaptcha token, before the data from my form is posted, and came up with the below 3 options (Not really sure if any of these are the correct way to go about this)
Create a separate end point for reCaptcha, that I post data to and depending on the response run axios post request for form or not.
Create an up mapped property on the entities I want to use reCaptcha with and set a custom validator on this that validates if the response on token is success. I can then send the reCaptcha token as part of the post request.
Create an event listener for PRE_POST and somehow validate there???
I'm not sure if I'm on the right track with any of the above, the documentation I have been able to find is pretty non existent.
I would really appreciate being pointed in the right direction, or perhaps an example of best practice on this with my current set up?
For those of you coming across this with the same issue I solved it with the following steps: (I would still like to know from someone with more knowledge, if this would be considered best practice or if there is a better way).
Added an unmapped field (No #[ORM\Column annotation) to the Symfony entity I was posting data to, called reCaptchaToken. Added the set method to my denormalizationContext group.
Created ReCaptchaConstraint (class extending Constraint) and set validatedBy method to ReCaptchaConstraintValidator::class
Created ReCaptchaConstraintValidator (class extending ConstraintValidator), added HttpClientInterface to constructor and in validate method posted to recaptcha API (details of this end point can be found in reCaptcha documentation) to validate token and score. If validation failed or score too low, added violation.
Back in Symfony entity, added #[ReCaptchaConstraint] annotation to reCaptchaToken field.
Then from front end, created Vue method:
validateCaptcha() {
return new Promise((res) => {
grecaptcha.ready(() => {
grecaptcha.execute('YOUR_SITE_KEY', {action:
'addContact'}).then((token) => {
return res(token);
})
})
})
}
In .then() method of validateCaptcha() add token to my JSON object and posted to API end point normally.
Now if there is an issue with my token or score, I will get a validation violation returned from POST.
Hope this helps someone else struggling.
I try to use Invidious API with authenticated route. For this, i've generated new token with this URL : https://invidio.us/authorize_token?scopes=GET:preferences.
The response is like this : {"session":"v1:XXXXX","scopes":["GET:preferences"],"signature":"XXXX"}
But, the token generated (session) don't work. I try with simple GET on preferences route, and i've an error Request must be authenticated :(
Anyone have already use their API and work with auth route ?
Thank you !
I've actually been struggling with this the past week, and I even deployed a self hosted instance because I thought that would fix it... I was wrong of course.
Here's how the Authentication header should look like:
Authentication: {"session":"v1:XXXXX","scopes":["GET:preferences/*"],"signature":"XXXX"}
The full token is the json that is provided.
The scope needs to include a * or a specific identifier for example in the case of playlists as mentioned in the examples here . So your authorize_token request should look like:
https://invidio.us/authorize_token?scopes=GET:preferences*
or
https://invidio.us/authorize_token?scopes=GET:preferences/*.
If you want all scopes that would be :*. Make sure not to forget the colon.
I installed the Google Opauth Strategy and it's working brilliantly. The LinkedIn one acts a little differently; in the directions for this strategy it specifies that no OAuth Redirect URL is needed (on the LinkedIn Developer website). I tried leaving this out, and kept getting this error:
'Invalid redirect_uri. This value must match a URL registered with the API Key.'
This error is also on the demo for the plugin here: http://opauth.org/#demo
So I changed it up a bit and placed my redirect URL there just in case, like my Google one has, and it seemed to have worked! It took me to the LinkedIn login screen, I put in my credentials, and it redirected me back to my application. The trouble is, no data was returned this time.
My defaults in LinkedInStrategy.php looks like this:
public $defaults = array(
'redirect_uri' => 'http://example.com/users/login',
'response_type' => 'code',
'scope' => 'r_fullprofile r_emailaddress r_contactinfo'
);
In my controller I have this:
$_SESSION['log'] = $this->data;
And in my view I have this:
debug($_SESSION['log']);
This is just to see if the data is setting. When I log in with GoogleStrategy.php settings, this line displays all of the data and I use it to log me in. Perfect. But with the LinkedIn strategy, I just get an empty array. Anybody have any ideas?
Edit:
According to the LinkedIn API documentation here, my code returned is the correct code returned upon successful authentication (redirect uri, code, and state in the response URL). So I know everything's correct thus far to connect, just obtaining the data must be different than the $this->data return method stated in the regular Opauth documentation.
I solved it! I changed the redirect_uri back to default:
'redirect_uri' => '{complete_url_to_strategy}oauth2callback',
In the LinkedIn Developer API area, I placed this URL in the OAuth 2.0 Redirect URLs:
http://example.com/auth/linkedin/oauth2callback
So the OAuth Redirect URL DOES need to be set, unlike their instructions here.
2. Create LinkedIn application at https://www.linkedin.com/secure/developer
Enter your domain at JavaScript API Domain
There is no need to enter OAuth Redirect URL
Furthermore, it specifically has to be http://www.example.com/auth/linkedin/oauth2callback. If it is not that URL exactly, it will not work, unless you change some of the config files yourself and the name of functions. My error was that I set a custom page for it to go to, rather than going through its oath2callback function THEN heading to the redirect page.
When doing any filters or any other option allowed in the request body per documents like this: https://developer.intuit.com/docs/0025_quickbooksapi/0050_data_services/v2/0400_quickbooks_online/in... (the quickbooks online API document) I always get the error "Unauthorized OAuth Token: signature_invalid" in my own application as well as the API tool located here: https://developer.intuit.com/apiexplorer
Example of what I put in request body:
PageNum=1&ResultsPerPage=20
or simply ResultsPerPage=20
I am not sure why this would also happen in the API Explorer even per instruction but it does. Without the ability to move the page marker and show more results as well as being able to filter, I will simply not be able to use the API as you can see.
Any ideas?
It could be a bug in ApiExplorer. I tried with RestClient plugin of Mozilla browser. It worked fine.
Method - post
Content-Type - application/x-www-form-urlencoded
Paging filter - PageNum=1&ResultsPerPage=1
Snapshot
Thanks