We Keep Coding

HLS Stream OneTimePassword (GetHLSToken from 511nj.org)

For research purposes, we analyzed and extracted large-scale traffic data from 511nj cameras. Starting from 2020, it adds an OTP(one-time password) to the video link, which is requested by the website API: https://511nj.org/api/client/camera/getHlsToken?Id=2&rnd=202205281151, as observed from the network traffic. However, the website itself gets a response of 200 with a valid token, while accessing it by myself gets a response of 401, which indicates an unauthorized request. What makes me confused is why I can get the camera feed with the OTP through the website, but can't access the api. Is there a solution?
Failed attempt:
requests.get('https://511nj.org/api/client/camera/getHlsToken?Id=2&rnd='+datetime.datetime.now().strftime('%Y%m%d%H%M')).json()
20220601 Update: Modification has been made based on #Brad 's comment. However, the error message now turns into "An error has occurred". Please help!
def GetOTP():
import requests
import json
import datetime
Now = datetime.datetime.now()
DT = Now.strftime('%Y%m%d%I%M%S')
DT24 = Now.strftime('%Y%m%d%H%M')
Enigma = dict(zip(map(str,range(0,10)),('2','1','*','3','4','5','6','7','8','9')))
cookies = {
'ReloadVersion': '112',
'_ga': 'GA1.2.335422978.1653768841',
'_gid': 'GA1.2.721252567.1653768841',
}
headers = {
'authority': '511nj.org',
'accept': 'application/json, text/plain, */*',
'accept-language': 'en-US,en;q=0.9',
'referer': 'https://511nj.org/Scripts/Directives/HLSPlayer.html?v=V223',
'responsetype': "".join([Enigma[key] for key in DT[4:6]])+'$'.join([Enigma[key] for key in DT[6:8]])+'$'.join([Enigma[key] for key in DT[:4]])+'#'+Enigma[DT[9]]+"!".join([Enigma[key] for key in DT[10:12]])+"!"+DT[-2:]+"#PK",
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"',
'sec-ch-ua-mobile': '?0',
'sec-ch-ua-platform': '"macOS"',
'sec-fetch-dest': 'empty',
'sec-fetch-mode': 'cors',
'sec-fetch-site': 'same-origin',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36',
}
params = {
'Id': '2',
'rnd': DT24,
}
Response = requests.get('https://511nj.org/api/client/camera/getHlsToken?Id=2&rnd='+DT24, headers=headers,cookies=cookies,params=params).json()
print("".join([Enigma[key] for key in DT[4:6]])+'$'+''.join([Enigma[key] for key in DT[6:8]])+'$'+''.join([Enigma[key] for key in DT[:4]])+'#'+Enigma[DT[9]]+"!"+''.join([Enigma[key] for key in DT[10:12]])+"!"+DT[-2:]+"#PK")
print(params['rnd'])
print(Response)
return Response['Data']

Vue, Axios and Google Maps Place API CORS error [duplicate]

This question already has an answer here:
Google Maps API: No 'Access-Control-Allow-Origin' header is present on the requested resource
(1 answer)
Closed 2 years ago.
I've looked at the other answers, but unless I'm not getting the answer, they don't answer my question.
Environment
NodeJS 12.19.0
VueJS 2.6.10
Axios 0.15.3
Current config for Axios:
axios.defaults.headers.common['Authorization'] = store.apiKey
axios.defaults.headers.common['Content-Type'] = 'application/x-www-form-urlencoded, application/json'
axios.defaults.headers.common.crossDomain = true
axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'
axios.defaults.headers.common['Access-Control-Allow-Origin'] = '*'
axios.defaults.headers.common['Access-Control-Allow-Origin'] = 'https://maps.googleapis.com/maps/api/*'
axios.defaults.headers.common['Accept'] = 'application/json, text/plain, text/html, application/xhtml+xml, application/xml, */*'
I've tried this as well:
axios.defaults.headers.common['Access-Control-Allow-Origin'] = '*, https://maps.googleapis.com/'
My Axios call (from method section in a mixin):
...
loadPoi (lat, lng, radius = null, type = null) {
if (!lat || !lng) {
this.$message({message: 'Unable to load Places of Interest: invalid lat or lng values',
type: 'warning'
})
return
}
let url = 'https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=' + lat + ',' + lng + (radius ? '&radius=' + radius : '') + (type ? '&type=' + type : '') + '&key=' + GOOGLE_API_KEY
console.log('loadPoi', url)
/*
var xmlHttp = new XMLHttpRequest()
xmlHttp.open('GET', url, false) // false for synchronous request
xmlHttp.send(null)
console.log(xmlHttp.responseText)
*/
axios.get(url).then(response => {
this.places = response.results
})
.catch(e => {
this.$message({message: 'Unable to load Places of Interest [' + e + ']',
type: 'error'
})
})
},
...
As you can see, even tried raw JavaScript call, same result.
The same URL works perfectly fine in the browser.
However when I access it from Axios, I get this error:
The raw header response:
GET /maps/api/place/nearbysearch/json?location=2.0978,103.6063&radius=5000&key=[KEY] undefined
Host: maps.googleapis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: application/json, text/plain, text/html, application/xhtml+xml, application/xml, */*
Accept-Language: en-GB,en;q=0.7,es-MX;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: undefined
crossDomain: true
X-Requested-With: XMLHttpRequest
Access-Control-Allow-Origin: https://maps.googleapis.com/maps/api/*
Origin: http://localhost:8080
DNT: 1
Connection: keep-alive
Referer: http://localhost:8080/

Axios use for sent HTTP request, set 'Access-Control-Allow-Origin' header on a request is meaningless.
In response, the server sends back an Access-Control-Allow-Origin
header with Access-Control-Allow-Origin: *, which means that the
resource can be accessed by any origin.
enter link description here
So, to allow CORS, the server-side need to add Access-Control-Allow-Origin: * within its HTTP response.
But, it seems the response is from google API in your case, I think such service should already allow cross-origin access, could you please produce detailed error output?

ASP.NET Core JWT with Custom Authentication Type

Is there a way to configure the authentication type for the HTTP Authorization header? For example: "Token" instead of "Bearer"?
Consider the following extension method which activates authentication and configures JWT with a custom scheme called "Token":
let jwtScheme = "Token"
type IServiceCollection with
member this.AddJwtAuthentication (JwtSecret jwtSecret : JwtSecret) =
this.AddAuthentication(jwtScheme)
.AddJwtBearer(jwtScheme, jwtScheme, fun jwt ->
jwt.RequireHttpsMetadata <- false
jwt.SaveToken <- true
let key = Encoding.ASCII.GetBytes jwtSecret
let validationParams = TokenValidationParameters()
validationParams.IssuerSigningKey <- SymmetricSecurityKey(key)
validationParams.ValidateIssuerSigningKey <- true
validationParams.ValidateIssuer <- false
validationParams.ValidateAudience <- false
jwt.TokenValidationParameters <- validationParams)
|> ignore
this
This request (with Bearer auth type) is processed successfully:
GET /user HTTP/1.1
Host: https://localhost:5001/api
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zaWQiOiIxIiwibmFtZWlkIjoicGltIiwibmJmIjoxNTk0NzUxMTA1LCJleHAiOjE1OTUzNTU5MDUsImlhdCI6MTU5NDc1MTEwNX0.G3P7JR97rKG9ckX9UD0kHtZ8sNWOKYsJDrFY5bz3RqE
This request (with Token auth type) is NOT processed successfully:
GET /user HTTP/1.1
Host: https://localhost:5001/api
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zaWQiOiIxIiwibmFtZWlkIjoicGltIiwibmJmIjoxNTk0NzUxMTA1LCJleHAiOjE1OTUzNTU5MDUsImlhdCI6MTU5NDc1MTEwNX0.G3P7JR97rKG9ckX9UD0kHtZ8sNWOKYsJDrFY5bz3RqE

The solution was to plug in to the JwtBearerEvents and strip the Token prefix if it was present:
this.AddAuthentication(jwtScheme)
.AddJwtBearer(jwtScheme, fun jwt ->
let events = JwtBearerEvents()
events.OnMessageReceived <- (fun ctx ->
let authHeader = ctx.HttpContext.Request.Headers.["Authorization"].ToArray()
match Array.tryHead authHeader with
| None -> ()
| Some header ->
match header.StartsWith("Token ", StringComparison.OrdinalIgnoreCase) with
| false -> ()
| true ->
ctx.Token <- header.Substring("Token ".Length).Trim()
Task.CompletedTask)
jwt.Events <- events
// Rest of options ...)
|> ignore

Axios post request failing due to CORS but the same request using ajax is getting no issues

I am getting following error wile doing axios post request.
But when I use ajax request there is no issue:
request has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Ajax Request:
Axios request:
let payload = {
type: ["a", "b"],
category: ["a", "b"],
category: ["a", "b"],
accountNumber: "123"
};
var apiURL = this.$apiBaseURL + "/Product/ProductDetails";
$.ajax({
url: apiURL,
type: "POST",
data: { payload },
xhrFields: {
withCredentials: true
},
success: function (result) {
console.log(JSON.stringify(result));
}
});
this.$http.post(apiURL,payload,{withCredentials: true})
**UPDATE 1 **
I am still facing the same issue. Here I will share the request header in both ajax and axios request
AJAX Working code and request header :
{
var apiURL = this.$apiBaseURL + "/Request/MediaUpload";
$.ajax({
method: 'post',
processData: false,
contentType: false,
cache: false,
data: fileformData,
enctype: 'multipart/form-data',
url: apiURL,
xhrFields: {
withCredentials: true
}
});
}
Request header:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 7610
Content-Type: multipart/form-data; boundary=----
WebKitFormBoundaryAjc8HwVPaRtQ5Iby
Host: localhost:62148
Origin: http://localhost:8989
Referer: http://localhost:8989/
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
AXIOS failing code and header
var apiURL = this.$apiBaseURL + "/Request/MediaUpload";
var self=this;
let config={
headers:{
'Content-Type': 'multipart/form-data'
}
}
this.$http.post(apiURL, { withCredentials: true },fileformData,
config)
Request Headers:
Provisional headers are shown
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Referer: http://localhost:8989/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Here is my web api config where I have enabled cors
string origin = "http://localhost:8989";
EnableCorsAttribute cors = new EnableCorsAttribute(origin, "*", "*", "*");
cors.SupportsCredentials = true;
config.EnableCors(cors);
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
**UPDATE 2 **
The CORS configuration at server side is done correctly thats why I am able to make the call successfully via AJAX.
Is this a known AXIOS issue which occurs only when we enable the windows authentication?

This issue arises because jQuery sends the request as application/x-www-form-urlencoded by default and does not send preflight request whereas axios sends as application/json and sends a preflight request i.e. OPTIONS before sending actual request.
One way it could work is by setting Content-type header to 'Content-Type': 'application/x-www-form-urlencoded' in axios.
You will have to change the settings on server side to get around this issue.

Add this in your web.config file:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Using default ajax won't send any OPTIONS request, but using axios does. This will enable accepting OPTIONS requests.

Gatling script throws an error "type mismatch"

I have a problem with my script, I converted it from HAR file and divide it to two separate execs as below. I believe I did it properly (but I'm not 100% sure)
import scala.concurrent.duration._
import io.gatling.core.Predef._
import io.gatling.http.Predef._
import io.gatling.core.structure.{ChainBuilder, ScenarioBuilder}
import io.gatling.commons.validation._
class logingood extends Simulation {
val httpProtocol = http
.baseUrl("https://webapi.wage.iteodev.com")
.inferHtmlResources()
.userAgentHeader("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36")
.proxy(Proxy("localhost", 8888).httpsPort(8888))
val headers_0 = Map(
"Accept" -> "application/json, text/plain, */*",
"Origin" -> "https://frontend.iteodev.com",
"Sec-Fetch-Mode" -> "cors")
val headers_1 = Map(
"Access-Control-Request-Headers" -> "authorization",
"Access-Control-Request-Method" -> "GET",
"Origin" -> "https://frontend.iteodev.com",
"Sec-Fetch-Mode" -> "cors")
val headers_2 = Map(
"Accept" -> "application/json, text/plain, */*",
"Origin" -> "https://frontend.iteodev.com",
"Sec-Fetch-Mode" -> "cors",
"authorization" -> "Bearer ${authToken}")
val headers_3 = Map("Sec-Fetch-Mode" -> "no-cors")
val headers_7 = Map(
"Origin" -> "https://frontend.iteodev.com",
"Sec-Fetch-Mode" -> "cors",
"content-type" -> "application/x-www-form-urlencoded; charset=UTF-8")
val uri1 = "https://api.wage.iteodev.com/signalr"
val uri2 = "https://frontend.iteodev.com/static/media/download-app-headline.a2c2b312.svg"
val scn = scenario("logingood")
.exec(http("request_0")
.post("/api/oauth/token")
.headers(headers_0)
.formParam("username", "test#evxmail.net")
.formParam("password", "Zaq1#wsx")
.formParam("grant_type", "password")
.check(jsonPath("$..access_token").exists.saveAs("authToken"))
.resources(http("request_1")
.options("/api/account")
.headers(headers_1),
http("request_2")
.get("/api/account")
.headers(headers_2),
http("request_3")
.get(uri2)
.headers(headers_3),
http("request_4")
.options("/api/conversations/")
.headers(headers_1),
http("request_5")
.get("/api/conversations/")
.headers(headers_2),
http("request_6")
.options("/api/notifications")
.headers(headers_1)))
.exec(http("request_7")
.get(uri1 + "/negotiate?clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7),
http("request_8")
.get("/api/notifications")
.headers(headers_2),
http("request_9")
.get(uri1 + "/start?transport=serverSentEvents&clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionToken=${MyConnectionToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7))
setUp(scn.inject(atOnceUsers(1))).protocols(httpProtocol)
}
But Gatling throws error
GATLING_HOME is set to "C:\Gatling"
JAVA = ""C:\Program Files\Java\jdk-12\\bin\java.exe""
10:28:27.322 [ERROR] i.g.c.ZincCompiler$ - C:\Gatling\user-files\simulations\logingood.scala:74:21: type mismatch;
found : io.gatling.http.request.builder.HttpRequestBuilder
required: io.gatling.core.structure.Execs[_]
.headers(headers_7),
^
10:28:27.325 [ERROR] i.g.c.ZincCompiler$ - C:\Gatling\user-files\simulations\logingood.scala:77:21: type mismatch;
found : io.gatling.http.request.builder.HttpRequestBuilder
required: io.gatling.core.structure.Execs[_]
.headers(headers_2),
^
10:28:27.326 [ERROR] i.g.c.ZincCompiler$ - C:\Gatling\user-files\simulations\logingood.scala:80:21: type mismatch;
found : io.gatling.http.request.builder.HttpRequestBuilder
required: io.gatling.core.structure.Execs[_]
.headers(headers_7))
^
10:28:27.371 [ERROR] i.g.c.ZincCompiler$ - three errors found
10:28:27.378 [ERROR] i.g.c.ZincCompiler$ - Compilation crashed
sbt.internal.inc.CompileFailed: null
at sbt.internal.inc.AnalyzingCompiler.call(AnalyzingCompiler.scala:253)
at sbt.internal.inc.AnalyzingCompiler.compile(AnalyzingCompiler.scala:122)
at sbt.internal.inc.AnalyzingCompiler.compile(AnalyzingCompiler.scala:95)
at sbt.internal.inc.MixedAnalyzingCompiler.$anonfun$compile$4(MixedAnalyzingCompiler.scala:91)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
at sbt.internal.inc.MixedAnalyzingCompiler.timed(MixedAnalyzingCompiler.scala:186)
at sbt.internal.inc.MixedAnalyzingCompiler.$anonfun$compile$3(MixedAnalyzingCompiler.scala:82)
at sbt.internal.inc.MixedAnalyzingCompiler.$anonfun$compile$3$adapted(MixedAnalyzingCompiler.scala:77)
at sbt.internal.inc.JarUtils$.withPreviousJar(JarUtils.scala:215)
at sbt.internal.inc.MixedAnalyzingCompiler.compileScala$1(MixedAnalyzingCompiler.scala:77)
at sbt.internal.inc.MixedAnalyzingCompiler.compile(MixedAnalyzingCompiler.scala:146)
at sbt.internal.inc.IncrementalCompilerImpl.$anonfun$compileInternal$1(IncrementalCompilerImpl.scala:343)
at sbt.internal.inc.IncrementalCompilerImpl.$anonfun$compileInternal$1$adapted(IncrementalCompilerImpl.scala:343)
at sbt.internal.inc.Incremental$.doCompile(Incremental.scala:120)
at sbt.internal.inc.Incremental$.$anonfun$compile$4(Incremental.scala:100)
at sbt.internal.inc.IncrementalCommon.recompileClasses(IncrementalCommon.scala:180)
at sbt.internal.inc.IncrementalCommon.cycle(IncrementalCommon.scala:98)
at sbt.internal.inc.Incremental$.$anonfun$compile$3(Incremental.scala:102)
at sbt.internal.inc.Incremental$.manageClassfiles(Incremental.scala:155)
at sbt.internal.inc.Incremental$.compile(Incremental.scala:92)
at sbt.internal.inc.IncrementalCompile$.apply(Compile.scala:75)
at sbt.internal.inc.IncrementalCompilerImpl.compileInternal(IncrementalCompilerImpl.scala:348)
at sbt.internal.inc.IncrementalCompilerImpl.$anonfun$compileIncrementally$1(IncrementalCompilerImpl.scala:301)
at sbt.internal.inc.IncrementalCompilerImpl.handleCompilationError(IncrementalCompilerImpl.scala:168)
at sbt.internal.inc.IncrementalCompilerImpl.compileIncrementally(IncrementalCompilerImpl.scala:248
at sbt.internal.inc.IncrementalCompilerImpl.compile(IncrementalCompilerImpl.scala:74)
at io.gatling.compiler.ZincCompiler$.doCompile(ZincCompiler.scala:210)
at io.gatling.compiler.ZincCompiler$.delayedEndpoint$io$gatling$compiler$ZincCompiler$1(ZincCompiler.scala:215)
at io.gatling.compiler.ZincCompiler$delayedInit$body.apply(ZincCompiler.scala:39)
at scala.Function0.apply$mcV$sp(Function0.scala:39)
at scala.Function0.apply$mcV$sp$(Function0.scala:39)
at scala.runtime.AbstractFunction0.apply$mcV$sp(AbstractFunction0.scala:17)
at scala.App.$anonfun$main$1$adapted(App.scala:80)
at scala.collection.immutable.List.foreach(List.scala:392)
at scala.App.main(App.scala:80)
at scala.App.main$(App.scala:78)
at io.gatling.compiler.ZincCompiler$.main(ZincCompiler.scala:39)
at io.gatling.compiler.ZincCompiler.main(ZincCompiler.scala)
Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option AggressiveOpts; support was removed in 12.0
Choose a simulation number:
What I did wrong? On many examples it looks similar and it works properly. I searched whole internet and didn't find any solution.

exec takes either an action, a chain, or a vararg of Execs.
in the block containing request7, you've got an exec where you're trying to pass what looks like a vararg of httpRequrestBuilders.
so instead of
.exec(http("request_7")
.get(uri1 + "/negotiate?clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7),
http("request_8")
.get("/api/notifications")
.headers(headers_2),
http("request_9")
.get(uri1 + "/start?transport=serverSentEvents&clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionToken=${MyConnectionToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7))
you need to either make them all Execs, or chain them
.exec(
exec(http("request_7")
.get(uri1 + "/negotiate?clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7)),
exec(http("request_8")
.get("/api/notifications")
.headers(headers_2)),
exec(http("request_9")
.get(uri1 + "/start?transport=serverSentEvents&clientProtocol=1.5&Authorization=Bearer%20${authToken}&connectionToken=${MyConnectionToken}&connectionData=%5B%7B%22name%22%3A%22livechat%22%7D%5D")
.headers(headers_7)))
I'm guessing the first exec in your snippet works as all the requests other than the first are done as resources