Express Session not working with DialogFlow - express

I have deployed an Express app on Heroku, set my webhook to that address and use my DG agent to make POST requests to the endpoint on Heroku.
The webhook passes the parameters' body on to another web service and that's fine. I need to keep track of the cookie the web service passes back in order to send it back and keep the context of the conversation.
At the moment I am saving a file on the server with the Express session id (req.session.id) and the cookie value. Everything works if I make the POST call via Postman or via a form, so let's say the web application is tracking sessions properly.
On the contrary, if I test my webhook with the DialogFlow agent, I receive a new session id for each request to my endpoint on Heroku.
I don't understand why... What am I missing?

I do not believe you can rely on the request from DialogFlow maintaining a cookie for you.
We are using DialogFlow, Google Actions, and Node.js. We retain session information by including data in the response we send back, which we then read when the next request comes in. When writing a response we put our session data (JSON) on the assistant.data attribute. When receiving a request we get session data from the incoming event.body.
We had considered trying to live off a unique ID of the incoming request, such as a user ID or device ID, but did not pursue it.
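An added example (not code from the question or the answer) of the pattern the answer describes: Dialogflow never stores the Set-Cookie your Express endpoint emits, so req.session.id is fresh on every call. The stable identifier is the "session" string Dialogflow puts in the webhook body; here it keys a server-side map holding the upstream service's cookie, so the cookie itself never travels through Dialogflow. The Dialogflow v2 field names ("session", "queryResult.queryText") and the downstream service (fakeUpstream) are assumptions constructed for the example.

```javascript
// Added example: per-conversation state for a Dialogflow webhook without Express
// sessions. Assumes Dialogflow v2 webhook JSON; fakeUpstream is a constructed
// stand-in for the external web service that hands back a context cookie.

const conversations = new Map(); // Dialogflow session -> upstream cookie "name=value"

// Reduce a Set-Cookie header to the pair that must be echoed back in Cookie:.
function cookiePair(setCookie) {
  return setCookie.split(';')[0].trim();
}

// Stand-in for the external service: issues a context cookie on the first call
// and only continues the conversation if that cookie comes back.
const upstreamContexts = new Map();
let upstreamCounter = 0;
function fakeUpstream(cookieHeader, text) {
  let ctxId = null;
  const m = cookieHeader && /(?:^|;\s*)ctx=([A-Za-z0-9]+)/.exec(cookieHeader);
  if (m && upstreamContexts.has(m[1])) ctxId = m[1];
  const setCookie = [];
  if (ctxId === null) {
    ctxId = 'c' + (++upstreamCounter);
    upstreamContexts.set(ctxId, []);
    setCookie.push(`ctx=${ctxId}; Path=/; HttpOnly; Secure`);
  }
  const turns = upstreamContexts.get(ctxId);
  turns.push(text);
  return { body: { turns: turns.length }, setCookie };
}

// Webhook handler body: in Express this is the code inside app.post('/webhook', ...).
// req.session is deliberately not used; body.session is the conversation key.
function handleWebhook(body) {
  const sessionId = body && body.session;
  if (typeof sessionId !== 'string' || sessionId === '') {
    return { status: 400, fulfillmentText: 'missing session' };
  }
  const text = (body.queryResult && body.queryResult.queryText) || '';
  const cookie = conversations.get(sessionId) || null;   // null on the first turn
  const upstream = fakeUpstream(cookie, text);
  for (const sc of upstream.setCookie) conversations.set(sessionId, cookiePair(sc));
  return { status: 200, fulfillmentText: `turn ${upstream.body.turns}` };
}
```

The map is process-local; on Heroku, where dynos restart and may be scaled out, the same keying works against Redis or any shared store.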

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I hit the above in sequence via JMeter I get a 200 response. Just like JMeter, I tried recording in Postman and it worked the same, but instead of JSON it gave the response in XML format.
It doesn't generate an access_token; it works via session cookies.
My question is: do I really have API access or is it just browser record n play? If yes, does this mean I can get access to any API if I am a registered user of that application? For example: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating, say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't necessarily need to record the requests using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API token there. The same things can be specified in JMeter as well. It all depends on how you understand the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in Postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server what client we are using and in what form the data is being sent, and the server then responds accordingly with the information.
What you've recorded is an OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.

ASP.NET Core Identity Server 4 , Loss of Request Data after reauthentication

I have a case with an Order System (ASP.NET Core 2.2 with Identity Server 4 auth)
where I post form-data to an external Api from a Controller for Payment purposes.
The remote Api is configured with a return-url (after Payment is processed)
Problem is when the user is returned to my system they are no longer authenticated, so they are automatically redirected to the identity server and automatically re-authenticated (as the cookie is still valid), but in this process the returned data from the API is lost. I can see the data (and the complete request) in my logs, but the controller method for the return-url is never accessed (as before that point the middleware has detected the user is not authenticated, or this is my assumption.)
If I cannot capture the returned data I cannot save the results from the Payment attempt.
(For testing purposes I have set [AllowAnonymous] attribute on the return-url controller method, but this did not work. It still redirected to the identity-server.)
How does one solve this as I cannot handle this in the controller method as this is never accessed ?
(The remote Api does allow for custom parameters to be passed and then returned as query-strings to the return-url.)
Thanks
//Jonas
[Edit]: The response is posting some user data like address etc. to the web service (it is not a REST API, sorry for mixing words). The user then gets an HTML response from the remote web service with a form to post the credit card info. At this point they are no longer on our site; after the post they are redirected to the return-url on our site. This is where they are no longer authenticated, but I assume they still have the cookie, as they are automatically logged in without needing to input username and password again. (So I guess in a sense they are still authenticated, but the system is not able to get the user info. User info is filled again after the re-route to the identity server and back.)

Is there a way for a SPA to check if there's a proxy and handling it properly?

We have developed a SPA SaaS and went to a soft production launch recently.
Everything was fine until one of our customers told us they had trouble using the app.
Once they open the app, the first request to our backend triggers their proxy credential prompt. Hopefully on the login request.
They have to enter their proxy credentials to let the request go. All subsequent requests are passing properly and they can use the app.
The problem is:
When they stop using the app, close the browser and then come back the day after, the persistent login tries to connect them to our backend, but the proxy credentials prompt is not triggered and the request fails. All subsequent requests fail also.
For it to work again, they have to delete all app data in Chrome (so the service worker is unregistered, the localStorage and cache are cleared). The next API call will trigger their proxy credentials prompt and they will be able to work again.
So is there any way for the app to know if the proxy is set or not ? Any way of triggering the proxy prompt if not set or whatever ?
I don't exactly know how those proxies work and we have zero access to the proxy settings.
It surely is something with the credentials expiration after some time but that's all we can figure out right now. Maybe we could monitor some params in the request headers ?
We are using VueJS with axios for the requests.
My guess is that when the user's session credentials expire, your UI is not handling redirection to the login page. When the user logs in for the first time you should store that the user has logged in successfully in browser localStorage. If your server returns a 401 error code, you can delete the flag and redirect the user to the login page. You can achieve that using meta fields in the router.
Check out this link on how to use meta fields https://router.vuejs.org/guide/advanced/meta.html
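An added example (not code from the answer) of the two pieces the answer describes, written framework-free so it runs in plain Node: onResponseError is what you would register with axios.interceptors.response.use(undefined, err => ...), and guard is the router.beforeEach check on a route's meta.requiresAuth. The storage object stands in for window.localStorage. Treating a request that got no response at all (network failure) the same as a 401 is an assumption added for the asker's symptom, where every call fails until the stored login state is cleared.

```javascript
// Added example: axios-style error interceptor plus vue-router-style meta guard,
// with a constructed localStorage stand-in. Not from the original answer.

const LOGIN_FLAG = 'loggedIn';

function makeStorage() {                        // localStorage-like stand-in
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

function markLoggedIn(storage) { storage.setItem(LOGIN_FLAG, 'true'); }

// Error interceptor: a 401 (or, by assumption, no response at all) wipes the
// persisted login flag and tells the UI to navigate to /login. Other errors bubble up.
function onResponseError(error, storage) {
  const status = error && error.response ? error.response.status : null;
  if (status === 401 || status === null) {
    storage.removeItem(LOGIN_FLAG);
    return { action: 'redirect', to: '/login', reason: status === 401 ? 'unauthorized' : 'no-response' };
  }
  return { action: 'rethrow', status };
}

// Navigation guard: any matched route record with meta.requiresAuth needs the flag;
// on failure return the redirect target (with the original path to come back to).
function guard(to, storage) {
  const requiresAuth = to.matched.some(r => r.meta && r.meta.requiresAuth);
  if (requiresAuth && storage.getItem(LOGIN_FLAG) !== 'true') {
    return { path: '/login', query: { redirect: to.fullPath } };
  }
  return true;
}
```

With the flag cleared, the next thing the user does is the login request itself, so if a proxy needs fresh credentials it is that request, rather than a silent background call, that surfaces the failure.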

X-CSRF-Token issue in ionic. Every time a different token is received

I have a backend with Drupal.
I am using Drupal Services to interact with it, which provides a REST server.
Created an endpoint named 'api'.
The following sequence works in a normal browser or any HTTP client like Postman:
example.com/api/login (works).
The API sends back user data (token, session id, session name etc.).
Further any request I make, I send token as X-CSRF-Token (all requests work).
I can even logout the same session with the token received before.
In the Ionic app:
I can login and I also store user data (token, session data etc.) in local storage after login.
Here's the difference in the app:
When I send the same token back to the server while making a request (say logout),
the server's response is "User is not Logged In."
Why does this happen?
Update:
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.
I faced the same issue. The problem was I never set the cookie and Chrome did this for me automatically.
Luckily I found this great site:
drupalionic.org
There are links to a few demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve session data and set cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?

How to receive webhook signal from 3rd party service

I'm using a SaaS for my AWS instance monitoring and Mandrill for email sending/campaigns.
I had created a simple chart with Zapier but I'd rather host it myself. So my question is:
How can I receive a webhook signal from Mandrill and then send it to Datadog from my server? Then again I guess hosting this script right on the same server I'm monitoring would be a terrible idea...
Basically I don't know how to "receive the webhook" so I can report it back to my Datadog service agent so it gets updated on their website.
I get how to actually report the data to Datadog as explained here http://docs.datadoghq.com/api/ but I just don't have a clue how to host a listener for web hooks?
Programming language isn't important, I don't have a preference for that case.
Here you can find how to add a new webhook to your mandrill account: https://mandrillapp.com/api/docs/webhooks.php.html#method=add
The main thing here is this:
$url = 'http://example/webhook-url';
This is your webhook URL, which will process the data sent by Mandrill and forward the information to Datadog.
And this is a description of what Mandrill will send to your webhook URL: http://help.mandrill.com/entries/21738186-Introduction-to-Webhooks
A listener for webhooks is nothing other than a website/app which triggers an action when a request comes in. Usually you keep it secret or secure it with (HTTP basic) authentication. E.g. create a page called http://yourdomain.com/hooklistener.php. You can then call it with HTTP POST or GET and pass some data like hooklistener.php?event=triggerDataDog, or with POST and send data along in the body. You then run a script or anything you want to process that event.
A "listener" is just any URL that you host where you can receive data that is posted to it. Keep in mind, since you mentioned Zapier, you can set up a trigger that receives the webhook data - in this case the listener URL is provided by Zapier, and you can then send that data into any application (or even post to another webhook). Using Zapier is nice because it doesn't require you to write the listener code that receives the hook data and does something with it.