Servicestack UnAuthorized - asp.net-core

I am getting "The remote server returned an error: (401) Unauthorized." when using the servicestack utils to call a remote API. It requires auth basic or JWT. Calling the same API from PostMan works fine.
var json = $"http://localhost:5000/API/Proxy/IsValidGuidForSetupDevice?Guid=82870f2ca21148739bff0854b306415c".GetJsonFromUrl(requestFilter: webReq => { webReq.AddBasicAuth("DevAdmin", "test1"); });
if i call below with the same user pass in a browser window. i get a valid connect and a bearer token back. The user\pass is good.
http://localhost:5000/auth/credentials?username=DevAdmin&password=test1&format=json
AM I missing something in request filter of the Util? Maybe I should be calling it differently and using a bearer token?
Update after tracing with fiddler
I moved the code into a unit test in the same project as the servicestack service. Just to remove any variables.
Fiddler shows me that : No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Basic realm="/auth/apikey" GET http://localhost:5000/auth
Raw View
HTTP/1.1
Host: localhost:5000
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://localhost:5000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ss-opt=perm; loginLevel=none; X-UAId=2; ss-id=XPc7ivcCrXuN5tEWwARG; ss-pid=TDeEjUiKck82foJGLGtX
Playing around with it. I can get it to login by calling the URL directly with user and pass. The i get the bearer token back and I am able to pass it.
var json = $"http://localhost:5000//auth/credentials?username=DevAdmin&password=test1".GetJsonFromUrl();
var o = JsonObject.Parse(json);
var token = o.Get<string>("bearerToken");
var jsonr = $"http://localhost:5000/API/Proxy/IsValidGuidForSetupDevice?Guid=bc464658d6a640febbd53ba17c351919".GetJsonFromUrl(
requestFilter: webReq => { webReq.AddBearerToken(token); });
I still can't call this in one call with auth headers and I still don't know why.

Whenever diagnosing different behavior between HTTP Requests of different clients you should inspect the raw HTTP Traffic between the different clients using a HTTP Packet sniffer like Fiddler or WireShark, or if the request is made from a browser you can use their built-in Web Network Inspector tools.
Seeing and comparing raw HTTP Request/Responses are the best way to identify how the requests differ.
The AddBasicAuth() extension method lets you add HTTP Basic Auth to the Web Request, if you want to send the JWT Token instead you would use the AddBearerToken() method instead.

Related

How to store a JWT refreshToken cookie response

I'm trying to authenticate a user with JWT using GraphQL. Once I login the user I receive the token as a JSON response and a httponly cookie storing the refresh token. (Server-side is using Saleor-core)
From the documentation of Saleor and some other blog-posts I assume that this response cookie should now be stored in the browser and whenever I need to refresh a token the cookie-refreshToken is used to authenticate my request. However, when I switch tabs to "Application" in my dev tools it's just empty.
What is the normal behaviour of the browser after receiving a cookie response? Do I need some extra code to somehow "save" that response cookie?
Did not really find anyone else having this problem so I think the mistake must be somewhere else.
UPDATE
I read somewhere the issue might be that there is no "secure" flag, which resulted from the server debug mode. I turned it off, but the cookie is still not being set.
Response Headers:
HTTP/1.1 200 OK
Connection: keep-alive
Date: Thu, 23 Sep 2021 13:32:33 GMT
Server: uvicorn
Content-Type: application/json
Access-Control-Allow-Origin: https://rewhite-86006--beta-duoa0dwg.web.app
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, Authorization-Bearer
Access-Control-Allow-Credentials: true
Content-Length: 912
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: refreshToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzI0MDM5NTQsIm93bmVyIjoic2FsZW9yIiwiZXhwIjoxNjM0OTk1OTU0LCJ0b2tlbiI6Ijd2b0VmMm1DNlZZSyIsImVtYWlsIjoiSnVsaWFuLkZpbmtlQGdtYWlsLmNvbSIsInR5cGUiOiJyZWZyZXNoIiwidXNlcl9pZCI6IlZYTmxjam8zTmc9PSIsImlzX3N0YWZmIjpmYWxzZSwiY3NyZlRva2VuIjoiWm55ek9xVG9rOU9GYXlDZXY0cjFxMUxnaktnTXRRR0VNUVJEalR1eTJDZ1IyOW1GSVBxQ1B1T1hZcTFQNk92cyJ9.Cl6PmoLkO9Hlh36tDOuyNLQCib4FVBwn32hhnmd7Q4E; expires=Sat, 23 Oct 2021 13:32:34 GMT; HttpOnly; Max-Age=2592000; Path=/; Secure
Via: 1.1 vegur
Request Headers:
POST /graphql/ HTTP/1.1
Host: rewhite-saleor-engine.herokuapp.com
Connection: keep-alive
Content-Length: 318
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "macOS"
content-type: application/json
Accept: */*
Origin: https://rewhite-86006--beta-duoa0dwg.web.app
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://rewhite-86006--beta-duoa0dwg.web.app/
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Thanks for your help!
The Domain attribute on you cookie seems to be different from the origin of your request. You're making a cross-site request and receiving a Set Cookie response from the server (of a different domain).
Normally we run into this issue when running backend and frontend on different domains (for e.g. localhost:3000 and localhost:8080).
Solution:
Recent Chrome browser versions (from 2020) will only set cookies received from cross-site requests if cookie has SameSite=None and Secure attributes set. With Secure set, a cookie will only be sent to server over HTTPS protocol (you need to implement SSL).
As of now, you don't have set either. SameSite defaults to Lax not None. You need to explicitly set it.
OR
You need implement a proxy such that you will request your webapp on https://rewhite-86006--beta-duoa0dwg.web.app and your webapp will proxy this to your Saleor engine domain rewhite-saleor-engine.herokuapp.com. How you do that depends on what frameworks you're using for serving your webapp. You haven't mentioned your it in your question, but I notice you've tagged it under vue.js, so I'll assume that you're using Vue CLI for serving a Vue app.
Its very simple to set up a proxy with Vue CLI. Just look for vue.config.js file in your root directory. If its not there, create it and paste the code below:
module.exports = {
devServer: {
proxy: {
'^/graphql': {
target: 'https://rewhite-saleor-engine.herokuapp.com',
changeOrigin: true,
logLevel: 'debug',
},
},
},
}
Now instead of fetching the refreshToken from rewhite-saleor-engine.herokuapp.com/graphql, you should send the request to your webapp at https://rewhite-86006--beta-duoa0dwg.web.app/graphql, and your web app local server will forward the request to your Saleor backend on Heroku. To your browser it will appear as though the request's response came form the webapp itself, so it won't be a cross-site request anymore.

Vue Firebase Verify ID Token CORS issue

I am trying to verify an ID Token using the Firebase Admin SDK as per instructions. My current auth code looks like this (in Vue):
// Auth.vue, inside the firebaseui config callback
signInSuccessWithAuthResult: function(authResult, redirectUrl) {
authResult.user
.getIdToken(/* forceRefresh */ true)
.then(function(idToken) {
// Send token to your backend via HTTPS
// ...
console.log(idToken);
})
.catch(function(error) {
// Handle error
console.log(error);
});
The login works fine and I can get authResult perfectly. However, it seems the function getIdToken is the problem, as I get the following error on my console:
Cross-Origin Request Blocked:
The Same Origin Policy disallows reading the remote resource at
https://securetoken.googleapis.com/v1/token?key=AIzaSyApp5yu051vMJlNLoQ1ngVSd-f2k7Pdavc.
(Reason: CORS request did not succeed).
In my request list, the one hanging is an OPTIONS method, with the following headers:
OPTIONS /v1/token?key=AIzaSyApp5yu051vMJlNLoQ1ngVSd-f2k7Pdavc HTTP/1.1
Host: securetoken.googleapis.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: x-client-version
Origin: http://localhost:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
I am not even sure where the problem lies. Is it coming from the Vue side? I am running it in a dev server (by simple yarn serve, vue cli 3). Would the solution be when I run Vue on a production server where I can actually configure cors?
Any light on the matter is extremely welcome...
Thanks!!
Figured it out.
I was calling it in the wrong place. What helped was this thread, which pointed me out to Preflighted Requests which is what the OPTIONS request is:
"preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
So I realized I should not be sending this request within my Post request where I got the authorization in the first place. Moving it to another method made it work.

recreate this web request in vb net

i?m trying to make automatic image set in pinterest account with WebClient.
I'd like to recreate this http request:
(Request-Line) POST /upload-image/?img=Desert.jpg HTTP/1.1
Host www.pinterest.com
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding gzip, deflate
X-Requested-With XMLHttpRequest
X-File-Name Desert.jpg
Cache-Control no-cache
X-CSRFToken RqwJCawJyAGYIZfzob51qxrEGj4GJcSA
Referer https://www.pinterest.com
Content-Length 846128
Content-Type multipart/form-data; boundary=---------------------------5431268530037
Cookie _pinterest_cm=TWc9PSY1YlkwcmtVRGlNRzRQZXpiZXJseVl6TnFHYnEvZlhpNDZPcExCQnhKN3UvdUUveWI0c3p4bWJKUmhoZy9YRG9sS3dNZTZFSFNhN2V3VWhJM1JkbUlxbC92VjhHUGFldlRTVVJTNlA1L1M0SDE5QXhLcHVWS2ZrSUh3NTN2ODA0WSZ5dnpJQkVRUmx5TVJGTEdmQm5EVmRGQXNqbDQ9; csrftoken=RqwJCawJyAGYIZfzob51qxrEGj4GJcSA; _pinterest_sess="TWc9PSYvRm93OFNxbGkxWTJ5bzVoZUFudHJVVDI4bndmL2I5SFVIQjZkVk1KWFJ3WDBmNndOWFR0QnBPazltZFRmcnJpcGU5akhQZS8vcEZWTzM5ODJWNVdKS2syekwwc1p1TVVNeEt3Z3NYa1lsMVFXcFpXYUdkRlE1RElQYTBYeXhyQkFkYVFmSHZnVkRyYWhYcURDYzhhWEpuR2dvekE1SlB6cXp4akNNdzJ6QysrR2MzRGNyRXJKczRuRHZDTm1uQkdLMUJrUnF6UjdZakhDUGNVRnQ4T1ZoQUFIQWJSU1VNUHNjUHV5VjlZbk1INU1FMFNhdGJiVFZRdUNDWFNlMGJvcDBFeXk4a3cxT25ROHpSOXFzcTZ6NFBHekFjNkFNQUtnaktQNGQ1VkhnNDdlSXNQTGhmTzhDWm5UaDNoZzdqbEFHQWQ1RjJXWVo5bjNXVkVUWnVUWXNiL1JLTFdqNDBvMWllT0VyRDRNN1lXN0diQmlWRjdGdWF5UGUzYkNLYlMvamJUSVFwcFZoVVVUL2ROVkFIQUNYODQxR3R5eDFrQ0VpTGhmaGZ1Y2VOdGt6aUdLQmtCTkRYdkpkVGhmLzMvMnVOWHAwQVdZWEs2alE4eTUwd3E1SlJPRWFDc3VKTXByb2tISm8rcldRQT0mejAwN0hvdlRhbU8zYmNJT0lsSm9PSldheGpJPQ=="; sessionFunnelEventLogged=1; __utma=229774877.448600758.1436737610.1436739423.1436745191.3; __utmz=229774877.1436737610.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); c_dpr=1; __utmc=229774877; _b="ARLbRMvYKUdKiaBWDA2Oxko87z7iIN4MuGnJALvZK8vehgzT11AKeoa13PH4l9VjVMU="; _pinterest_pfob=disabled; __utmb=229774877.3.9.1436745219732; __utmt=1
Connection keep-alive
Pragma no-cache
I have try this code, but i can't obtain Content-Length and Content-Type.
Dim wc As New WebClient
wc.UseDefaultCredentials = True
wc.Credentials = New NetworkCredential("pippomio#yahoo.com", "88Y71nR3764")
wc.Headers.Add("Host", "www.pinterest.com")
wc.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5")
wc.Headers.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
wc.Headers.Add("Accept-Language", "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3")
wc.Headers.Add("Accept-Encoding", "gzip, deflate")
wc.Headers.Add("X-Requested-With", "XMLHttpRequest")
wc.Headers.Add("X-Requested-With", "XMLHttpRequest")
wc.Headers.Add("X-File-Name", "Hydrangeas.jpg")
wc.Headers.Add("Cache-Control", "no-cache")
wc.Headers.Add("X-CSRFToken", token)
wc.Headers.Add("Referer", "https://www.pinterest.com")
wc.Headers.Add("Connection", "keep-alive")
wc.Headers.Add("Pragma", "no - cache")
Dim Response As Byte() = wc.UploadFile("https://www.pinterest.com/upload-image/?img=Hydrangeas.jpg", "POST", "Hydrangeas.jpg")
In wich way can I do this request in vb net?
Thanks
First, I recommend you to check this and this tutorial to learn how to send/receive HTTP requests on correct way.
Second, you should not re-do any web browser actions in your program since it is usually not a good practice as the frontend architecture should be subject an unexpected change any time. Instead of this, you should check Pinterest API, especially the Users API which can help you to achieve your plans. Usually API interfaces are not a subject of random changes, they are more reliable than replaying front-end operations and more stable, has more capabilities to the load.
(Pinterest API seems working only from Firefox, if you get an empty area at right side with a big "None" text, then browse the link from Firefox - it seems can handle the page)

ASANA API and Access-Control-* headers

I am writing some code to call the Asana API from the browser. XDR requests emitted from the browsers all begin with a call to OPTIONS to get the Access-Control-* headers, but Asana server does not seem to response to them:
Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:origin, authorization, accept
Access-Control-Request-Method:GET
Connection:keep-alive
Host:app.asana.com
Origin:null
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11
Query String Parameters:
opt_pretty:true
opt_fields:name,email
Response Headers:
Content-Length:82
Content-Type:application/json
Date:Sat, 12 May 2012 22:23:19 GMT
Server:nginx/0.7.67
...
Response headers should contain something like:
Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Or is there anything that I am missing when requesting the API?
(I work at Asana)
The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.

NSURLConnection and Authenticating to webservices behind ssl?

I'm currently trying to connect to a webservice placed on https://xxx.xxx.xx/myapp
It has anonymous access and SSL enabled for testing purposes atm.
While trying to connect from the 3G network, i get Status 403: Access denied. You do not have permission to view this directory or page using the credentials that you supplied.
I get these headers while trying to connect to the webservice locally:
Headers
Request URL:https://xxx.xxx.xx/myapp
Request Method:GET
Status Code:200 OK
Request Headers
GET /myapp/ HTTP/1.1
Host: xxx.xxx.xxx
Connection: keep-alive
Authorization: Basic amViZTAyOlE3ZSVNNHNB
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response Headers
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2012 12:26:13 GMT
Content-Length: 622
But when accessing outside the local area, we get the big ol 403. Which in turn wants credentials to grant the user access to the webservice.
However, i've tried using the ASIHTTPRequest library without success, and that project has been abandoned. And they suggest going back to NSURLConnection.
And i have no clue where to start, not even which direction to take.
-connection:(connection *)connection didRecieveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
The above delegate method of NSURLConnection doesnt even trigger. So i have no idea what so ever how to authenticate myself.
All i get is the parsed results of the xml elements of the 403-page.
I needs dem seriouz helps! plx.
This was all just a major f-up.
The site had ssl required and enabled, and setting ssl required for the virtual directories does some kind of superduper meta-blocking.
So, by disabling ssl required for the virtual directories, it runs over ssl and is not blocking 3G access..