So I've made a test to see what happens when I'm making a request from postman to my api with two authorization headers (schemes basic and bearer). I've created an authorization filter attribute:
public class RestrictAccessToAssignedManagers : System.Web.Http.Filters.AuthorizationFilterAttribute
{
public override bool AllowMultiple
{
get { return false; }
}
public override void OnAuthorization(HttpActionContext actionContext)
{
//Perform your logic here
base.OnAuthorization(actionContext);
}
}
and assigned this attribute to my controller.
The problem is that when I'm using both authorizations, in my authorization filter, the authorization header from the request is null.
Here is the request that I'm making from postman:
And here is the request from fiddler:
GET http://localhost:2328/api/values HTTP/1.1
Host: localhost:2328
Connection: keep-alive
Authorization: Basic aaa, Bearer bbb
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
Postman-Token: 0f557417-d0b7-4ca9-7df7-1df1ea0049ad
Accept: */*
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
My question is why using both authorization headers ends up with none to my authorization filter attribute?
The issue is most likely how you are retrieving the header value. Using your Fiddler raw request, I was able to see the following:
public override void OnAuthorization(HttpActionContext actionContext)
{
var authHeaders = actionContext.Request.Headers.GetValues("Authorization");
// authHeaders = ["Basic aaa, Bearer bbb"]
var authHeader = actionContext.Request.Headers.Authorization;
// authHeader = null
base.OnAuthorization(actionContext);
}
Related
Could you help to solve the problem in API testing by Cypress. When I set the request headers in options section Cypress ignores them and replaces with default ones.
The example of my request:
cy.request({
method: 'POST',
url: 'https://orion.koto.com/api/inn',
Headers: {'sid':'21102xiXXdvsfykg5pj'},
body:'["3211455115"]' ,
})
the request sent by Cypress:
Method: POST URL: https://orion.koto.com/api/inn Headers: {
"Connection": "keep-alive", "user-agent": "Mozilla/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36", "accept": "/",
"accept-encoding": "gzip, deflate", "content-length": 14 } Body:
["3211455115"]
const green_value = "TOTO"
describe('As I have set a green header',()=>{
it('should use this header',()=>{
cy.visit({
method: 'GET',
url: 'https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending',
headers: {
'green': green_value
}
})
})
})
On my side, it work with visit() function. The url used will show you header sent.
Hope this code sample can help you to implement request() function.
I'm using React for the front-end, an Express API for our back-end, and I'm experiencing an issue with accessing our cookie with Axios' PUT or POST requests.
On Postman, i need to declare the cookie i need to make my front-end authorized on connecting to my API.
I'm doing it like this on Postman's interface :
Example of passing cookie in Postman
And when i'm calling my API's requests, on Postman, with the cookie set it works and looks like this in the Postman's code snippet :
var data = JSON.stringify({
"attributes": {
"test": test
}
});
var config = {
method: 'put',
url: 'APIurl/test',
headers: {
'Authorization': 'Bearer myPersonnalToken',
'Content-Type': 'application/json',
'Cookie': 'key=theCookieINeedToGetInMyAxiosRequest'
},
data: data
};
axios(config)
.then(function (response) {
console.log(JSON.stringify(response.data));
})
.catch(function (error) {
console.log(error);
});
Ok so here it is working on Postman, time to make it real on my app with Axios, like this in my front-end :
var url = 'APIurl/test'
var data = {
test: test
}
var config = {
headers: {
'Authorization': "Bearer " + myPersonnalToken,
'Content-Type': 'application/json',
},
withCredentials: true,
}
axios.put(url, JSON.stringify(data), config)
.then(res => {
console.log(res)
...
})
.catch(err => {
console.log(err)
...
})
And knowing it's cross-domain, like this in my back-end :
const corsOptions = {
// I tried with * to see if I mispelled the origin, but no
origin: theOriginIWant,
credentials: true
}
app.use(cors(corsOptions))
As I read a hundred times, {withCredentials: true} should be enough to pass my cookie in my request, and my CORS options look great to me.
But when I launch my app and click the button which calls the request, this is what my devtools Network looks like :
General
Request URL: APIurl/test
Referrer Policy: strict-origin-when-cross-origin
Request Headers
Accept: application/json
Authorization: Bearer myPersonnelToken
Content-Type: application/json
Referer: myAppUrl
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Request Payload
test=test
As you can see, my cookie is missing...
A 401 error is thrown because I cannot access the API without the cookie, with the informations below :
Access to XMLHttpRequest at 'APIurl/test' from origin 'myAppUrl' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I tried everything i saw on the web, but nothing worked for me, i just can't pass the cookie i want to my PUT or POST requests, which throws an error.
I really don't understand why GET requests work, but not POST or PUT ones...
Any idea of how to fix this ?
Thanks in advance,
Hugo GB
From within an app, I need to change a proxy to use the GET method to read data and not the OPTIONS method. I have attempted to set the 'method' for the proxy but it does not appear to be taking effect.
var operation = new Ext.data.Operation({
action: 'read',
});
var proxy = new Ext.data.proxy.Ajax({
type: 'ajax',
url: testURL,
method: 'GET',
withCredentials: true
});
proxy.read( operation );
Request Headers from debugger (notice OPTIONS)
OPTIONS /web/datasource?_dc=1476803593106&page=1&start=0&limit=25 HTTP/1.1
Host: <removed>
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: https://rally1.rallydev.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Access-Control-Request-Headers: x-requested-with
Accept: */*
Referer: <hidden>
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
The following code works but is not independent of a data store:
var createCORSRequest = function(method, url) {
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
// Most browsers.
xhr.open(method, url, true);
} else if (typeof XDomainRequest != "undefined") {
// IE8 & IE9
xhr = new XDomainRequest();
xhr.open(method, url);
} else {
// CORS not supported.
xhr = null;
}
return xhr;
};
var url = testURL;
var method = 'GET';
var xhr = createCORSRequest(method, url);
xhr.onload = function() {
// Success code goes here.
alert( xhr.response );
};
xhr.onerror = function() {
// Error code goes here.
};
xhr.withCredentials = true;
xhr.send();
I'm trying to use JsonPatch in ASP.NET Core to handle partial updates for a model but am having binding issues when the PATCH is sent through to the Web API controller action:
I'm using a small library to make the PATCH request:
axios
.patch('http://localhost:8090/api/characters/1', { bookId: 1, name: 'Bob'})
.then(function () { /*...*/ })
.catch(function() { /*...*/ });
Here's the raw request:
PATCH http://localhost:8090/api/characters/6 HTTP/1.1
Host: localhost:8090
Connection: keep-alive
Content-Length: 30
Accept: application/json, text/plain, */*
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://localhost:3000/library/book/2/character/6
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8,ru;q=0.6
{"bookId":1,"name":"Bob"}
My ViewModel:
public class UpdateCharacterViewModel
{
public string Name { get; set; }
}
And finally, the Web API action:
[Route("~/api/[controller]/{characterId}")]
[HttpPatch]
public IActionResult Update(int characterId, [FromBody]UpdateCharacterViewModel viewModel, [FromBody]JsonPatchDocument<UpdateCharacterViewModel> patch)
{
// viewModel is bound correctly but patch is NULL
// ...
}
I'm finding that patch comes through as NULL, indicating there's an issue with binding. To check there wasn't issues with the request, I added the viewModel and find that it binds correctly - a populated UpdateCharacterViewModel is available to the action.
What am I doing wrong here?
Ahh, oops. It looks like the request data needs to be in a certain format, whereas I mistakenly thought that the patch was implicit based on the properties that were or were not included in the request's data.
Here's an example of what the request should look like to work properly with JsonPatchDocument:
PATCH /api/characters/1
[
{
"op": "replace",
"path": "/name",
"value": "Bob"
}
]
Thankfully there are a few libraries out there that make creating this patch data easy. JSON-patch seems to be a good one. You can either generate the patch data by observing changes to an object:
var myobj = { firstName:"Joachim", lastName:"Wester", contactDetails: { phoneNumbers: [ { number:"555-123" }] } };
observer = jsonpatch.observe( myobj );
myobj.firstName = "Albert";
myobj.contactDetails.phoneNumbers[0].number = "123";
myobj.contactDetails.phoneNumbers.push({number:"456"});
var patches = jsonpatch.generate(observer);
// patches == [
// { op:"replace", path="/firstName", value:"Albert"},
// { op:"replace", path="/contactDetails/phoneNumbers/0/number", value:"123"},
// { op:"add", path="/contactDetails/phoneNumbers/1", value:{number:"456"}}];
Or alteratively you can run a diff between two objects:
var objA = {user: {firstName: "Albert", lastName: "Einstein"}};
var objB = {user: {firstName: "Albert", lastName: "Collins"}};
var diff = jsonpatch.compare(objA, objB));
//diff == [{op: "replace", path: "/user/lastName", value: "Collins"}]
Lastly, be wary of my attempts at debugging the API controller action. According to the answer to this question, you can only decorate one parameter with the [FromBody] attribute. All subsequent parameters may not be bound!
I have an Angular2/TypeScript application running i Visual Studio Code.
An API running in VS 2015. This is the API project: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I can use the API and create new users, but when I try to login(Use the Token function), then I get the following error:
XMLHttpRequest cannot load https://localhost:44305/Token. Response for preflight has invalid HTTP status code 400
The header looks like this:
Request URL:https://localhost:44305/Token
Request Method:OPTIONS
Status Code:400
Remote Address:[::1]:44305
Response Headers
cache-control:no-cache
content-length:34
content-type:application/json;charset=UTF-8
date:Wed, 10 Aug 2016 19:12:57 GMT
expires:-1
pragma:no-cache
server:Microsoft-IIS/10.0
status:400
x-powered-by:ASP.NET
x-sourcefiles:=?UTF-8?B?QzpcQ2hlY2tvdXRcQVBJXzJ2czJcQVBJXEFQSVxUb2tlbg==?=
Request Headers
:authority:localhost:44305
:method:OPTIONS
:path:/Token
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8,da;q=0.6,nb;q=0.4
access-control-request-headers:authorization
access-control-request-method:POST
cache-control:no-cache
origin:http://evil.com/
pragma:no-cache
referer:http://localhost:3000/signin
user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
My angular service looks like this:
loginAccount(account: Account): Observable<string> {
var obj = { Email: account.Email, Password: account.Password, grant_type: 'password' };
let headers = new Headers({ 'Content-Type': 'application/json' });
let options = new RequestOptions( {method: RequestMethod.Post, headers: headers });
let body = JSON.stringify(obj);
console.log('loginAccount with:' + body);
return this._http.post('https://localhost:44305/Token', body, options)
.map(this.extractData)
.catch(this.handleError);
}
When I use the AJAX funtions that a in the API project: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api then it works fine ?? What am I doing wrong in the Angular POST request ?
I found the solution. Thanks to the comments on the API site: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I had to set the correct header for application/x-www-form-urlencoded; charset=UTF-8 and serialize the object i posted. I canĀ“t find an Angular serializer method, so I made my own(copy from another stackoverflow site) in JavaScript.
Here is the final call when the user login on the API and request a token, when using Angular2 & TypeScript:
loginAccount(account: Account): Observable<string> {
var obj = { UserName: account.Email, Password: account.Password, grant_type: 'password' };
let headers = new Headers({ 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' });
let options = new RequestOptions( {method: RequestMethod.Post, headers: headers });
let body = this.serializeObj(obj);
return this._http.post('https://localhost:44305/Token', body, options)
.map(this.extractData)
.catch(this.handleError);
}
private serializeObj(obj) {
var result = [];
for (var property in obj)
result.push(encodeURIComponent(property) + "=" + encodeURIComponent(obj[property]));
return result.join("&");
}
I was also facing same issue from last week and searched on google and stack overflow but all solutions in vein. but after lot of reading and investigation we have found below solution, we were facing issue in only POST method,GET called successfully.
Instead of directly passing Options we need to first stringify option object like JSON.stringify(options)
CreateUser(user:IUser): Observable<void> {
let headers = new Headers();
headers.append('Content-Type', 'application/json');
headers.append('Accept', 'application/json');
let options = new RequestOptions({ headers: headers });
return this._http.post('http://localhost:22736/api/Employee/Create', **JSON.stringify(options)**)
.map((res: Response) => {
return res.json();
})
.catch(this.handleError);
}
It worked for me, Hope it will help others too.
I found that in angular 4 you have to make it like this.
public addQuestion(data: any): Observable<Response> {
let headersObj = new Headers();
headersObj.set('Content-Type', 'application/x-www-form-urlencoded');
let requestArg: RequestOptionsArgs = { headers: headersObj, method: "POST" };
var params = new URLSearchParams();
for(let key of Object.keys(data)){
params.set(key,data[key]);
};
return this.http.post(BaseApi.endpoint + 'Question', params.toString(), requestArg)
.map((res: Response) => res.json().data);
}
Another native solution is by using HttpParams class and it's toString() method:
let headers = new Headers({ 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' });
let options = { headers, observe: 'response' };
const body = new HttpParams()
.set('grant_type', 'password')
.set('username', accountInfo.username)
.set('password', accountInfo.password);
return this._http.post('https://localhost:44305/Token', body.toString(), options)
toString() - Serialize the body to an encoded string, where
key-value pairs (separated by =) are separated by &s.
Note. Also it works without setting the headers