How to set environment variable while posting data to API in Postman - api

I have a few APIs which use a variable instance with the values dev, test and prod. These values are used in the variable so that the API remains the same and the data can be posted to different environments like dev, test, prod. These APIs are deployed on the Azure platform.
I am using Postman to publish data to the API. I have created an environment variable and set its value as dev. I want to know where in the API URL I should include this variable in order to successfully send the data.
API Url:
https://ashtechdev.azurewebsites.net/tempdata

I have posted my answer here in this below link. Please use the same.
Hope this helps.

How to make REST API deployed to heroku accessible only through rapidAPI

Salutations!
I have just completed my first REST API, deployed on heroku, and I decided it would be cool to make $0 a month through rapidAPI.
The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.
However when I access the site on a browser or on Postman, there is no need for an API key and therefore no restrictions in get requests.
I have noticed that the test code makes a fetch request to the rapidAPI url for the project but how can I make the heroku url accessible only from rapidAPI?
I know it's extremely unlikely someone will find my heroku app url but it is technically possible.
I appreciate your time and insights.
RapidAPI provides 2 security features to support this:
set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
the list of IP addresses used by RapidAPI is provided: you can check/validate it for every API call.
There might be a Heroku add-on to help with the IP filtering, but those are typically enterprise plugins (with associated cost).
RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.
Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters

How to store and respond with variables for API request

I am attempting to create a dynamic responsive server which is able to:
read a request
store the token in an environment variable
use that environment variable in the response back to the source
I am unsure where to begin with this. I have had a look at some API tools such as Postman and Insomnia, but although I can set up a mock server which would receive the responses, the data I want to save is not being stored in the variable and thus is not being used in the response.
Some guidance would be appreciated.
Thank you
What language and platform are you using?
If you are using any of the major public cloud options (AWS, Google, Azure), there are easy-to-deploy API Gateway services that require minimal code to get started and support environment variables.
If you are using local development only, then you can get started with ASP.NET Core Web API: https://learn.microsoft.com/en-us/aspnet/core/tutorials/first-web-api?view=aspnetcore-3.1&tabs=visual-studio
Then use environment variable:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-3.1
Or instead once you setup your API running locally, you can use Postman variables:
https://learning.postman.com/docs/sending-requests/variables/
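Both the first question on this page (where the environment variable goes in the URL) and this one (capture a token from a response and reuse it) come down to how Postman variables work: `{{name}}` placeholders are substituted anywhere in the URL, headers or body from the active environment, and a Tests script can write a value from one response into the environment for the next request. The following added example (not code from the original posts or from Postman) models that flow in plain Node: the variable name instance, the host pattern ashtech{{instance}}.azurewebsites.net, the /login endpoint and the token field are assumptions chosen for illustration.

```javascript
// Matches a Postman-style placeholder such as {{instance}} or {{token}}.
const PLACEHOLDER = /\{\{([A-Za-z0-9_-]+)\}\}/g;

// Substitute every {{name}} in a template from the environment.
// An unresolved name throws instead of silently sending the literal
// "{{name}}" to the server, which is what a request to
// https://ashtech{{instance}}.azurewebsites.net/tempdata does when the
// environment is not selected, and why it then fails with a 404.
function resolve(template, env) {
  return template.replace(PLACEHOLDER, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(env, name)) {
      throw new Error(`unresolved variable: ${name}`);
    }
    return String(env[name]);
  });
}

// Turn a templated request into a concrete one.
function buildRequest(request, env) {
  const headers = {};
  for (const [k, v] of Object.entries(request.headers || {})) {
    headers[k] = resolve(v, env);
  }
  return { method: request.method, url: resolve(request.url, env), headers };
}

// Equivalent of a Postman Tests script doing
//   pm.environment.set("token", pm.response.json().token)
// Returns a new environment rather than mutating the caller's.
function captureToken(env, responseBody, field = 'token') {
  const body = JSON.parse(responseBody);
  if (typeof body[field] !== 'string' || body[field].length === 0) {
    throw new Error(`response has no usable "${field}" field`);
  }
  return { ...env, token: body[field] };
}

// Two-step flow: call the (assumed) login endpoint, store the token, then
// use it in the Authorization header of the data request.
function runFlow(env) {
  const host = 'https://ashtech{{instance}}.azurewebsites.net'; // assumed host pattern
  const login = buildRequest({ method: 'POST', url: `${host}/login` }, env);
  // Constructed response standing in for what the login endpoint would return.
  const loginResponse = '{"token":"abc123"}';
  const envWithToken = captureToken(env, loginResponse);
  const data = buildRequest(
    { method: 'POST', url: `${host}/tempdata`, headers: { Authorization: 'Bearer {{token}}' } },
    envWithToken
  );
  return { login, data };
}

module.exports = { resolve, buildRequest, captureToken, runFlow };
```

In Postman itself the same thing is the URL `https://ashtech{{instance}}.azurewebsites.net/tempdata` with an environment that defines `instance`, plus a Tests script on the login request that calls `pm.environment.set("token", ...)`; the check for an unresolved placeholder is worth keeping in mind because Postman shows such variables in red but will still send the request.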

Is it good practice or necessary to protect an API with authentication even if the data is not sensitive?

My Vue.js app, which interacts with data via a Node.js backend, accesses both sensitive and non-sensitive data. I have been able to protect the APIs on the Node server, the ones working with sensitive data (such as updating pricing information), using the Google authentication API. This requires a user to log in with a Google account before being able to interact with those APIs.
I'm now trying to protect the APIs which simply retrieve non-sensitive data (such as names, descriptions, prices of products I sell, etc.) so that even those APIs cannot be accessed directly without some form of authentication, i.e. if I used something like Postman to retrieve data from the API directly, without authenticating I would not be able to get any data. However, these APIs are accessed from a part of the Vue app which does not require login, i.e. users on the site may see product, pricing etc. information without having to log in first.
In order to protect these "non-sensitive" APIs I would have to pass some "secret" such as an API key from the Vue front-end to the Node backend. I believe from 2 other posts I've done (here and here) that it isn't possible to pass environment variables into a Vue app at run-time (I'm using Vue CLI 3). This leaves me with having to hardcode the API key into the front-end code, which means it is no longer "secret" or secure.
I'm in essence trying to do "Application Authentication" but without the ability to pass ENV Variables in Vue at run-time I don't know how to do this securely.
Everything I read on the internet points to either:
Passing ENV Variables into Vue at build-time (which isn't secure in this scenario); or
That I'm missing something for wanting to pass ENV Variables into Vue at run-time in the first place.
Question: Am I overthinking or overcomplicating things by trying to protect data which isn't sensitive?
One way of doing so is the following:
Upon successful authentication generate a JSON Web Token
Send token back to the client (Vue app) and store it in the browser's local storage
On the API route you want to secure, add a function that will check whether the request contains the token you provided in Step 2. You can send the token as part of the request body or maybe a header.
This is a simple yet effective way of securing an API.

Azure API Management - Versioning

We currently have all our APIs in the Azure API Management portal. The versioning in the API code is handled using the version header. These APIs were deployed into our production environment in the middle of last year. I guess we did not have the versioning concept in the old API Management portal, and the vendors who are using the APIs which are in production work without passing the version header (if the version header is not passed, it will fall back to the initial version).
We can see that API Management currently does have the ability to create versions. But if I create a new version for the existing API, I can see that the existing version (which currently works with or without the version header) stops working. It is giving a resource not found error. If we go into the API settings page for the existing version, we can see that the Version Header field is mandatory and not filled.
Is there any way we can default the version header to the initial version through API Management?
This is old but probably worth answering for someone asking in the future.
You can set a header on all API operations in the Azure portal.
Select the API version and then ensure All operations is selected in the list of operations.
Then in the Inbound Processing section click + Add policy.
Set headers is one of the options.
Select that and add the details for the header.
Save and repeat for the other versions you have defined, obviously setting the correct version each time.
Hope this helps.
You may also define passing the version as a header parameter when initially adding the API to API Management as an OpenAPI Specification full definition and then set the header definition in the versioning scheme.
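The portal steps in the answer (All operations, Inbound processing, Add policy, Set headers) produce a policy document on the API; as an added example, not taken from the thread or from Microsoft's documentation, this is what that policy looks like in the policy editor for one version, with the header name Api-Version and the value v1 as assumed placeholders for the asker's real version header and initial version:

```xml
<policies>
    <inbound>
        <base />
        <!-- Default the version header to the initial version when the caller
             omitted it. exists-action="skip" leaves a header the vendor did
             send untouched, so callers that already pass a version are not
             overridden; "override" would force every caller onto v1. -->
        <set-header name="Api-Version" exists-action="skip">
            <value>v1</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Repeat this on each version with the matching value, as the answer says; the `exists-action` attribute is what decides whether a header the vendor already sends is kept or replaced, so check it before saving.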

REST API Works in Browser, But Not Client

I am developing a REST API, and have found a very interesting problem.
When I access the resources in a web browser (in my case Chrome), everything works fine. However, when I access the resources using a REST client (Google Chrome plugin, web-based client, and a Java applet), NONE of the variables pass to the API. This happens both with GET and POST methods.
I have absolutely no idea why this would be the case, and it's proving very difficult to test the methods before putting them into production (especially with POST methods).
Please help!
At first glance it sounds like it could be 2 things:
You are not correctly passing API parameters via your client or applet
A problem with authentication or cookie management. Does the API require any type of authorization?
Are you forgetting to set a necessary HTTP header?
Do you have control of the API also or is it a third party API? If so, do the params arrive at all or do they arrive empty? What's the error code? - a 403 not authorized (which would make sense if the key doesn't pass) or something else due to missing params.
Try the intermediate step of doing it with curl from the command line; that'll give you more detail on what's coming back.