How to make request to rest session based api from chrome extension - authentication

I have a Django REST framework based app, where I am using session-based authentication. All APIs need session authentication to return results, otherwise it will give 403.
The app has a login flow where the user logs in, the session is set in a cookie, and all APIs are authenticated after that.
Now I am building a Chrome extension for the same app where I need to make one of the REST API calls. Since the user is already logged in in the browser, I am assuming that I can make the API call from the Chrome extension. But when I make the API call from the Chrome extension it returns 403. I am using fetch to perform the request.
I am new to developing Chrome extensions, so I am not able to figure out how to authenticate the API call from the Chrome extension since the user is already logged in in the browser.
I tried an ajax request and a fetch request and also set the permission in manifest.json.
fetch(url, {
  credentials: 'include'
})

Related

Micronaut security with custom authentication with pre-existing cookie

I am trying to create a session using a pre-existing cookie. However, I don't seem to find any way to configure the Micronaut application.
Ideal flow:
1. Browser calls a REST API.
2. Server detects no session (unauthenticated).
3. Request is intercepted and login is performed through a call to an external system using the passed-in cookie.
4. If successful, the request continues to the REST resource and returns the result.
5. If it fails, return 401.
I don't seem to find a way to intercept the request and authenticate on the fly.
I tried to work with Session and idToken but am not sure if those are the right options. I also tried to override SessionSecurityfilterRejectionHandler without any luck.

What is the redirect URL for karate like the one we have in Postman?

Problem:
As per Auth0, below are the prerequisites for Auth0:
Prerequisites
1. Register your app with Auth0. To learn more, read Register Regular Web Applications.
2. Select Regular Web App as the Application Type. (Done)
3. Add an Allowed Callback URL of https://YOUR_APP/callback. (This is the part I am not able to find, and my question is related to this: what is the callback URL in Karate?)
4. Make sure your application's Grant Types include Authorization Code. To learn more, read Update Grant Types. (Done)
Below are the details of how this Auth0 API will be authenticated:
1. The Authorization API is called to generate a code.
2. The Token API is then called with the code generated at step 1 in order to exchange the code for a token.
Both of the above APIs require a redirect URL of the calling application, like we have in Postman as can be seen in the image below. What is the redirect URL that can be provided in Karate so that once the token is generated it gets redirected to Karate and the token is shown there in the response?

How do I automate cookies synchronization between postman and the browser

When using the Postman Chrome App with the Interceptor extension it's easy to reuse the browser's cookies in order to log into an app and then call the services within.
Since moving to the Postman standalone app, this process has become somewhat manual. After logging in from the browser, I have to access the JSESSIONID cookie in the developer tools and copy its value over to Postman.
When my session expires I need to repeat the process.
I would like to automate this synchronization, or at least understand how I could obtain the new authenticated value in Postman. It's important to note that none of the authentication mechanisms available in Postman work with my app, which is why the manual login in the browser is necessary.
You can get the JSESSIONID cookie in Postman Standalone in a similar way to how your browser does it: by sending the proper requests (probably a POST "login" request with user credentials) to the server.

Authorization between nuxtjs and the backend API

I have a Vue.js application created using Nuxt.js. I am also using Django as the backend server, and I made an API for the backend server (Django) and the front-end app (Vue.js/Nuxt.js) to interact. Any API-related fetches are done in the asyncData function of the page to render the data on the server side using axios. Also, I am using JSON Web Token authentication: the API generates a JWT after a successful login, which is stored in a cookie. So on the backend, it will always check the request's Authorization header for the token. If the request is from a logged-in user (authorized token) then it returns authenticated JSON data, or else it returns non-authenticated data.
The problem:
When the user navigates to the app, I would like to check if the user is authenticated. If the user is authenticated, render the authenticated page. If not, then display the non-authenticated page.
My thoughts:
When the fetch is done from the app in the asyncData function, I would check whether there is any value for the cookie. If there is, then send the token in the request's Authorization header. But, since the page will be rendered on the server first, and not on the client side (where the cookie actually is), it will never find the token for the authorization.
How can I check if the user is already logged in or not, so that I can get authenticated and non-authenticated data respectively from the API?
Update
When I successfully log in (POST an authorized email and password), I get a JSON response back with the token, which I set in the cookie like this:
this.$cookie.set('my_auth_token', this.token, {expires: 15})
How can I retrieve the client-side cookie and pass it into the Nuxt server for server-side rendering?
Cookies are exposed in the (Express) Nuxt server through middleware.
Specifically, they can be read from the req.headers.cookie property. You can see an example implementation of this in the Nuxt documentation.
Regarding your implementation: fetching the privileged data from your API using Node would seem to be the ideal way to delegate session handling to that single service (rather than both) and provide SSR for your users.
If you've chosen to instead implement your session handling on the Django service, then you'll need to "forward" your cookies by passing them into your axios request headers.
I did something similar using Firebase authentication. There is an example project on GitHub as well as a blog entry outlining the important files and configuration used in the application.
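As an added example (not code from the question or the answer above), this is the cookie-forwarding pattern the answer describes: read the my_auth_token cookie from req.headers.cookie during SSR (or from document.cookie on the client) and pass it to axios as the Authorization header. The "Bearer" scheme, the /api/profile/ endpoint and the $axios client on the Nuxt context are assumptions.

```javascript
// Assumption: the Django backend expects "Authorization: Bearer <jwt>".
const AUTH_SCHEME = 'Bearer';
const TOKEN_COOKIE = 'my_auth_token'; // cookie name set with this.$cookie.set() in the question

// Parse a raw Cookie header ("a=1; b=2") into an object.
// Pairs without "=" or with an empty name are skipped; values are URL-decoded.
function parseCookies(cookieHeader) {
  const cookies = {};
  if (typeof cookieHeader !== 'string') return cookies;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(value);
    } catch (e) {
      cookies[name] = value; // not valid percent-encoding, keep the raw value
    }
  }
  return cookies;
}

// Build the headers for the API call. On the server the cookie comes from the
// incoming request (req.headers.cookie); on the client from document.cookie.
// Returns {} when there is no token so the API serves the non-authenticated data.
function authHeaders({ req, clientCookie } = {}) {
  const raw = req && req.headers ? req.headers.cookie : clientCookie;
  const token = parseCookies(raw)[TOKEN_COOKIE];
  return token ? { Authorization: `${AUTH_SCHEME} ${token}` } : {};
}

// asyncData as it would appear in a Nuxt page; $axios is assumed to be an
// axios-like client on the context, and /api/profile/ is a hypothetical endpoint.
async function asyncData({ req, $axios }) {
  const headers = authHeaders({
    req,
    clientCookie: typeof document !== 'undefined' ? document.cookie : '',
  });
  const { data } = await $axios.get('/api/profile/', { headers });
  return { profile: data, authenticated: 'Authorization' in headers };
}
```

Note that the forwarded token only travels from the Nuxt server to the API, never into the rendered HTML, so it stays out of the page source.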

Accessing the `student_view_url` via Open Edx API authentication or alternatives?

I'm working on a React Native application where all the Edx course information needs to be displayed offline.
I've authenticated the app using the oauth2 endpoint (client_id=…&grant_type=password&username=user#example.com&password=p455w0rd to {{root}}/oauth2/access_token/) and can access the API endpoints to get the user's enrolled courses ({{root}}/api/enrollment/v1/enrollment) and the blocks within those courses ({{root}}/api/courses/v1/blocks/?course_id={{course_id_url_friendly}}&depth=all&nav_depth=3&return_type=list&username={{username}}). What I'm struggling to get is the contents of the HTML blocks.
I see in the official app (when viewing requests via a proxy) that it requests the actual webpage of the course, presumably the student_view_url.
Is this the only way to get that content, or is there an API endpoint I can use to return the content?
If the only way is to request the rendered student_view_url, how do I access that page? As far as I can tell, the official app passes cookies to authenticate with the student_view_url, which it must get when it authorises the user via the oauth2 endpoint. The cookies I get don't work though, which I've tested in Postman (if I use cookies that I got from browsing my Edx site in Chrome, they do work). This begs the question: is my authentication correct, as I don't get any scope returned, whereas the official app gets a scope filled in with read, write and two others.
A sample of what my authentication returns:
{
  "access_token": "a12345...",
  "token_type": "Bearer",
  "expires_in": 2591999,
  "scope": ""
}
To reiterate:
1. Is there a way to request the HTML content via the API (so it is returned in a JSON response) rather than the student_view_url?
2. If not, then how do I authenticate to access the student_view_url?
So I worked out how to do point 2.
Before requesting any HTML content you need to hit the endpoint {{root}}/oauth2/login/ with the auth token that you provide to the other endpoints. This will pass back a usable sessionid cookie that will let you access content that's not public (so long as the user has access).
As an aside, to pass the cookie through fetch() requests, I had to pass the option credentials: 'include'.