How do browsers treat 'Authorization: Bearer'? - http-headers

Will this header persist for future requests for the duration of the browser session? Just the tab/window? Do I need to do something special in order to cause this?

I am in the process of working out Athorization for a web app and as I currently understand it bearer tokens need to be sent with each request.

Related

Adding JWT to cookie at login using flask security

Description: I'm trying to set the jwt token at login using
flask_jwt_extended.set_access_cookies and flask_jwt_extended.set_refresh_cookies but the issue is that I cannot set this at the /login endpoint because that is auto created by flask-security. What would be the best way to do this? Would the best way to do this be overriding the /login endpoint and set them there? Or can this be done in the validate method of ExtendedLoginForm even though I would need to add it to a request and not the True or False value that validate requires be returned?
End Result: Use regular cookies (to authenticate) to interact with flask related endpoints. Use JWT tokens (encoded in a cookie) to interact with a react-native compiled code.
My first thought would be to step back - cookies (session) are an easy and secure way to manage all this - why have a JWT that is part of a cookie?
If you really want an Authentication-Token sent with every request - Flask-Security already offers that.
Now - to actually answer your question - You can attach to the "user-authenticated" signal and create your token and cookie there.

fetch httponly cookie persistence through app closures

I am currently using httponly cookie based authentication to authenticate users through a website. On top of this I am creating a react native app which also has to authenticate users, ideally through the same endpoint. At this point users are able to log in through the app and the cookie is correctly send on each subsequent request using credentials: 'include' (fetch). However, if the app is restarted, the cookie does not persist.
So far my searching has led me to the following possible workarounds:
Manage cookies manually by extracting the cookie through something like webview or react-native-cookies, saving the cookie to storage and manually adding it to each subsequent request.
Implement a new endpoint that returns a token and have two authentication flows, one for the website and one for the app.
Have anyone been in a similar situation? Can you point me in the right direction, so not to over complicate my code base and ensure that I am not vulnerable to XSS or other token/cookie theft.
Thanks in advance.
To be honest I never implemented cookie based authentication in react native. How do you handle cookies now ? Basically the flow should be like this:
You authenticate with username and password.
Server will respond with a header "Set-Cookie: sessionIdExample=1234"
Next time when you make a request you should also send that cookie, meaning you have to set a header "Cookie: sessionIdExample=1234"
From your question I guess you don't manually set that cookie, so most probably the http client is doing this for you. Now when you close the app that cookie value is lost as you said. Notice that switching to a token based authentication won't help with this. So what should you do:
Login with username and password.
When you receive that session cookie persist it. You can check async-storage or the more secure react-native-keychain for persisting data.
For the following requests set the session cookie manually.
When you close the app and then open it again, check in your async-storage or keychain if you already have a cookie saved there. If so, set that cookie and everything should work fine.

Reset gcloud auth identity token?

I'm working on a gcloud service which is not publicly available, i.e. you need to connect to it with your Authorization Header set with your gcloud identity token.
The docs used curl to show how to use it from the command line, however as my case concerns a web application I used a browser extension to inject this header when connecting to pages.
Silly me, I forgot to turn if off after I was done, which resulted in accessing a few websites with that token set in the request header. This means some third parties may now have that code.
2 questions concerning this:
How bad is this? What can this token be used for by the ill-willed?
How can I reset/revoke/renew this token?
Identity Tokens are JWTs and are bearer tokens (as you are undoubtedly aware) and generally include a short-ish (60 minute) expiry.
As you suggest, you should be very careful with them as they could be used unscrupulously (while valid).
You may query your JWT using a (trustworthy!) tool to check the expiry:
E.g https://jwt.io/
I'm unsure (doesn't mean that there isn't) whether there's a way to forcibly expire Google-issued JWTs
Update:
Spoke with a Googler who's very well informed on auth and he confirmed that you must await expiry.
Update:
Independently, I reminded myself that Google has a( very trustworthy) endpoint to verify tokens too (I can just never remember the URL, but) it's:
TOKEN=$(gcloud auth print-identity-token)
curl \
--request GET \
https://oauth2.googleapis.com/tokeninfo?id_token=${TOKEN}
And, for completeness, for access tokens:
TOKEN=$(gcloud auth print-access-token)
curl \
--request GET \
https://oauth2.googleapis.com/tokeninfo?access_token=${TOKEN}

How to make Twitter API call through curl in unix

I would like to pull the data from Twitter REST API. I have created the consumer key, secret and Access token, secret. I have tried with "Test OAuth", it generates a CURL command but if I change any one parameter then it is giving the below error.
Message: {"errors":[{"code":32,"message":"Could not authenticate you."}]}
Now I would like to call the twitter API using CURL in shell script for different screenNames.
I want a sample command some thing like mentioned below
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' --data 'count=2&screen_name=aswin' APIKEY:"xxxxxx",Acesstoken:"yyyyyyyy"
Thanks in advance.
Regards,
Aswin
I found the answer.
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' \
--data 'count=2&screen_name=twitterapi' \
--header 'Authorization: OAuth oauth_consumer_key="AAAAAAAAAAAAAAAAAAAA", oauth_nonce="BBBBBBBBBBBBBBBBBBBBBBB", oauth_signature="CCCCCCCCCCCCCCCCCCCCCCCCCCC", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1471672391", oauth_token="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD", oauth_version="1.0"'
Since your specific query doesn't require a user context you can use Application only authentication to make this request. The bearer token won't change per request so it should allow you to keep using curl.
https://dev.twitter.com/oauth/application-only
n.b. it won't work for all endpoints, but should for the case you listed.
Because most twitter requests require calculating the oauth signature, you should either write a client yourself or reuse an existing command line client.
https://github.com/twitter/twurl
https://github.com/sferik/t
https://github.com/yschimke/oksocial/wiki (Mac focused/cross service)
As you saw any change to the request will generally invalidate the query, and even time is one of the inputs.

How much secure is the token when it is appended to the url as a query string?

I currently work on the Authentication with Oauth2, and successfully issue the token to test client. In order to secure the endpoints, however, what options I should choose?
Now, it is appended to the end of url like, {domain}/my_end_point?token={my_token_goes_here} by GET method. But I realized that what if someone hijacks the token and abuse it?
Should I think of passing it on TSL/SSL? or making ever-changing token on each access? Is there any other option?