We Keep Coding

How to send a XMLHttpRequest

I want to send a request look like this:
POST /accounts/211242/followers HTTP/1.1
Host: website.com
User-Agent: <user-agent>
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://website.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close
Cookie: <user-cookie>
But I don't know much about Javascript. I have tried a lot but everything I got just an error. Can anyone create a code for me?
Here what I have tried:
<html>
<head>
<title>CSRF Demo</title>
</head>
<body>
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "https://website.com/accounts/211242/followers");
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xmlhttp.withCredentials = true;
xmlhttp.send(null);
</script>
</body>
</html>
And after run that code, the browser sends a request:
POST /accounts/211242/followers HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: null
Connection: close
Cache-Control: max-age=0
Content-Length: 0
Cookie: <user-cookie>
Which don't have 'X-Requested-With: XMLHttpRequest' so the server sends back 400 Bad Request

According to the docs, you should add xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
after opening and before sending the request, to append the desired header.

axios send wrong csrf cookie

I want process a POST request with axios in a vuejs project, but axios never send correct csrf cookie. My vuejs project run in dev mode on port 8080, my server (Spring Boot) on port 9090. I set correct CORS filter for localhost:8080 and 127.0.0.1:8080, OPTIONS is accepted, but I get a 403 error on my POST.
Here my code :
axios.post("http://127.0.0.1:9090/api/security/authenticate",
this.form,
{
withCredentials: true,
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN'
}
).then((response) => {
console.log("Data: " + response.data);
}).catch((error) => {
console.log("post error: " + error);
});
And here the result of my OPTIONS request on chromium :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: OPTIONS
Status Code: 200
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: http://127.0.0.1:8080
Content-Length: 0
Date: Wed, 11 Dec 2019 21:44:07 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
REQUEST HEADERS :
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
And my POST :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: POST
Status Code: 403
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://127.0.0.1:8080
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Wed, 11 Dec 2019 21:44:07 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS :
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 56
Content-Type: application/json;charset=UTF-8
Cookie: XSRF-TOKEN=428229a0-b2b1-4473-ab3a-557e4dbac1b1
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
REQUEST PAYLOAD :
{login: "xxx", password: "xxx", rememberme: false}
login: "xxx"
password: "xxx"
rememberme: false
The CSRF cookie sent (428229a0...) is not correct. Previously in a GET request, I obtained an other CSRF token (70705d00...). Why wrong csrf cookie was sent ?
To be sure that is not the result of dev mode from vuejs, I build my project and deploy it on nginx server, but I got same result. I try also on firefox, get same error.
In package.json, axios is in version "^0.19.0", vuejs "^2.6.10".
What is wrong in my code ? Or is about configuration of my server ?
Thanks for your help!

Google OAuth Code does not include refresh token

I want to make google api calls to send mail via gmail.
To do that, I first make the following request to oauth server:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=SOMECLIENTID&access_type=offline&redirect_uri=http://localhost:63878/Default.aspx&scope=https://www.googleapis.com/auth/gmail.send
Note that in my request, I have included access_type=offline
It redirects me to POST https://accounts.google.com/AccountChooser and I login using my account, give consent, and get redirected back to this page:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jun 2016 06:30:37 GMT
Location: http://localhost:63878/Default.aspx?code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#
Content-Language: en
Content-Encoding: gzip
as seen on fiddler.
Now using this code, I make a second call:
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Connection: keep-alive
Content-Length: 266
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Postman-Token: e9716588-2f62-d761-1c07-41c6dc057f0f
Accept: */*
X-Client-Data: CIm2yQEIorbJAQjEtskBCLKVygEI/ZXKAQjgmMoBCO2cygE=
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#&client_id=SOMECLIENTID&client_secret=SOMESECRET&redirect_uri=http%3A%2F%2Flocalhost%3A63878%2FDefault.aspx&grant_type=authorization_code
The response I get is:
{
"access_token":"ya29.CjLzAuW07My8BHnaMaLWjhKsD2FvzI6SpUHqdqQwkugTW4lMnQl0rXt6cQdm0ir4RObYEg",
"token_type": "Bearer",
"expires_in": 3557
}
Why does this not include the refresh token in the response?

The request entity body has an incorrect value in the 'Content-Disposition' header. The expected format for this value is 'Content-Disposition:

I have tried multiple HTTP APIs to post a file to OneDrive using the POST method, and I am getting always the same error.
I went to the extreme case of creating my own SSL TCP socket and send the following bytes:
POST /v5.0/folder.a4fb14adbccd1917.A4FB14ADBCCD1917!32089/files HTTP/1.1
Accept-Encoding:
Authorization: Bearer eWciaQ1DBAAUGCCXc8wU/zFu9QnLdZXy%2bYnElFkAAXA4AJqTmiPoOUADOkV98mAdpBZp8SeF0zjYzU4%2bVa0fVR/aWr4X0cHWAzEF7s7HBEABBptxlWcKHEyrgKfbH2YbADpxEjU0gRrOz37WInvPSgFVD8BZ9GtCQwdHh3GUXunbM/Nlqh1TIzELMJYuPEgaEBBWT25f8SoKziZi2kPVlZDPokjJBq2bxrYcAWydDK74ivuiuDGkX4hMpmWZmWtergEybpN2EgObHQa8O3GT2a9ta2hps0ElCv0GkhWG/u1t19/xjokW2dNbbsJ01A9iJkMYXhaMTYg71sGjqzHdXjAJf0hXNg8NiIOTy82MlHqEwCwEyzfXOSGddt0cLkIDZgAACEDf3skftS5%2bWAHGkGlcwFj4DRlrn3/F2DvOZWgyeITjkWfzdx%2b4B8m5olyO5oYKWf77zjVxnUkJ50cIOVCJq/OgnV1kMGB45EExY3%2b3T9JjN0rm91doGnuFGj1m/vuzVN3eP5f3Jr0hMvXbMpzFBImV/c/5SU5esBzA1zas9xt%2bKEi0rriVSqHS4QI4Bps3RN5KpQd4yrNxcTDi%2b9b9AkUVQB%2bxeW5lWGuR5YvaAOHhcePRqNqT2MY7c1zQMoa/C7E63FuOoSdr0KPJbsDKl8aXEt9vT/6A8BK0MnY%2b7MJ1cZaFL%2bhvK0lfI4Z6LJa/3Ayy%2bPt8%2bOc8gNP1Mu/1RCdOT8K1PxwhnvUIE8cnRyI28LUm%2bWUCnurRCNMNBorhZu64JxqOC1EGOja6wNcyI%2bw3TQ1dorDJWN91qENQAxxBMpl1LWdp548kDJcEPwxI4SkXQKnvWcxW1vCZY90SHzruvNmb
Content-Length: 197
Content-Type: multipart/form-data; boundary=8381f8b9-b470-43ce-b23b-f13cf5840014
Host: apis.live.net
Connection: Keep-Alive
Cache-Control: no-cache
--8381f8b9-b470-43ce-b23b-f13cf5840014
Content-Length: 9
Content-Type: application/octet-stream; charset=UTF-8
Content-Disposition: form-data; name="file"; filename="hello.txt"
xxxxxxxxx
--8381f8b9-b470-43ce-b23b-f13cf5840014--
And I always get the following bytes back:
HTTP/1.1 400 Bad Request
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 276
Content-Type: application/json; charset=UTF-8
Server: Live-API/18.105.8117.3007 Microsoft-HTTPAPI/2.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: BY3301____PAP073
X-Content-Type-Options: nosniff
X-HTTP-Live-Request-Id: API.f06af310-9b49-4cbf-bf71-8c9d79570ec9
X-AsmVersion: UNKNOWN; 18.105.0.0
Date: Mon, 06 Oct 2014 21:37:15 GMT
{
"error": {
"code": "request_body_invalid",
"message": "The request entity body has an incorrect value in the 'Content-Disposition' header. The expected format for this value is 'Content-Disposition: form-data; name=\"file\"; filename=\"[FileName]\"'."
}
}
All of this happened after I tried to answer this SO question.
Any idea?
UPDATE: I used the onedrive-api tag as recommended in the MSDN forums.

Try putting the Content-Disposition header as the first header after the boundary, followed by the Content-Type:
--8381f8b9-b470-43ce-b23b-f13cf5840014
Content-Disposition: form-data; name="file"; filename="hello.txt"
Content-Type: application/octet-stream; charset=UTF-8
You may need to omit the Content-Length as well to make it work. Pretty fragile really.

Fineuploader: large files to Amazon S3

For small files (smaller than about 5MB) Fineuploader sends a complete policy objet for signing, and upload succeeds including the posprocessing which is sending a temporary link to the client, and some server-side administrative stuff. I use the official FineUploader S3 demo PHP code for server. https://github.com/Widen/fine-uploader-server/blob/master/php/s3/s3demo-thumbnails.php
Example of signing request (formatted, anonimized):
{
"expiration": "2013-12-28T12:57:42.354Z",
"conditions": [
{"acl": "private"},
{"bucket": "TOP-SECRET-BUCKET-NAME"},
{"Content-Type": "application/pdf"},
{"success_action_status": "200"},
{"key": "bfccb67e-5343-4e01-97ff-2dcffe681da0.pdf"},
{"x-amz-meta-qqfilename": "plakat_a3.pdf"},
["content-length-range","0","1000111000111"]
]
}
Response contains policy and signature (formatted):
{
"policy":"eyJleHBpcmF0aW9uIjoiMjAxMy0xMi0yOFQxMzoxODoyNy4yODhaIiwiY29uZGl0aW9ucyI6W3siYWNsIjoicHJpdmF0ZSJ9LHsiYnVja2V0IjoiZGVtb2Nza2EifSx7IkNvbnRlbnQtVHlwZSI6ImFwcGxpY2F0aW9uXC9wZGYifSx7InN1Y2Nlc3NfYWN0aW9uX3N0YXR1cyI6IjIwMCJ9LHsia2V5IjoiMWZiMjZmMjAtNjg2Ni00YjU1LTg3YTctZWZlMjNiOWMwZmY1LnBkZiJ9LHsieC1hbXotbWV0YS1xcWZpbGVuYW1lIjoicGxha2F0X2EzLnBkZiJ9LFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCIwIiwiMTAwMDExMTAwMDExMSJdXX0=",
"signature":"Wlw1QJjwmsASyQemUWrYuktiQwE="
}
... but for larger files Fineupload sends a different signing request, which only contains headers (formatted, anonimized):
{
"headers": "POST\n\nvideo/quicktime\n\nx-amz-acl:private\nx-amz-date:Sat, 28 Dec 2013 12:53:13 GMT\nx-amz-meta-qqfilename:20MB_stopmot-minta.mov\n/TOP_SECRET-BUCKET-NAME/d2033a4c-1e55-49a0-8589-9b1725dcd013.mov?uploads"
}
Response contains only signature (formatted):
{
"signature":"jYtFC91wIPkZj31W\/vwuK9ClawU="
}
In that case the OPTIONS request to amazon S3 fails:
Request Headers 14:09:09.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Pragma: no-cache
Origin: http://top-secret.example.com
Host: TOP-SECRET-BUCKET-NAME.s3.amazonaws.com
Connection: keep-alive
Cache-Control: no-cache
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type,x-amz-acl,x-amz-date,x-amz-meta-qqfilename
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Response:
Status: 403
Body: empty
Response headers:
x-amz-request-id: 625913F399C626A2
x-amz-id-2: +enheIuZT0RJ+11THF1TuNsA6bCqE4a2ppsklK84k4KXdNX4UsuGhxPf00Eb137G
Transfer-Encoding: chunked
Server: AmazonS3
Date: Sat, 28 Dec 2013 13:18:01 GMT
Content-Type: application/xml
Test cases:
Tested with smaller .mov, .mp3, .pdf, .log files: course #1 (success)
Tested with larger files (same types): course #2 (fail)
What can cause the difference? How can / should I fix it?

I needed to add <ExposeHeader>ETag</ExposeHeader> to my CORS configuration at Amazon S3 bucket permissions. So finally it looks similar to:
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<ExposeHeader>ETag</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
Reference:
http://docs.fineuploader.com/endpoint_handlers/amazon-s3.html