what does router.get and router.post do? - express

I'm developing a node application with express.
In my users.js file in the routes folder, I have 3 routes: /register, /authenticate, and /profile. What does router.post do? And what does router.get do?

router.post() refers to POST requests and router.get() refers to GET requests.
The difference between the two is that a GET request is requesting data from a specified source and a POST request submits data to a specified resource to be processed.
For example, when you load a sign-up page, that is a GET request as you are requesting data from the server, and when you submit that form it's a POST request as your inputted data will be processed and assorted into a database, etc.

router.post() and router.get() refer to POST and GET requests respectively. When your app is sent an HTTP POST request at the specified address, the post method is what will fire. The same for GET.
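To make the two answers above concrete, here is an added illustration (not Express's own source and not the asker's users.js): a tiny stand-in for express.Router() that only mimics what router.get() and router.post() register, so the method-plus-path dispatch is visible without running a server. The /register, /authenticate and /profile paths are the ones from the question; the in-memory user store, the request objects and the handler bodies are constructed for the demo.

```javascript
// Added illustration, not Express's own code: a minimal router that records
// (method, path, handler) triples the way router.get()/router.post() do and
// dispatches an incoming request to the first matching one.

function createRouter() {
  const routes = [];                                   // one entry per (method, path, handler)
  const router = {
    // router.get(path, handler): handler runs only for GET requests to `path`
    get(path, handler) { routes.push({ method: 'GET', path, handler }); return router; },
    // router.post(path, handler): handler runs only for POST requests to `path`
    post(path, handler) { routes.push({ method: 'POST', path, handler }); return router; },
    // handle(req): first route whose method AND path both match, in registration order
    handle(req) {
      const match = routes.find((r) => r.method === req.method && r.path === req.path);
      if (!match) return { status: 404, body: 'Not found' };   // Express would fall through to its 404
      return match.handler(req);
    },
  };
  return router;
}

const users = new Map();                               // constructed in-memory user store
const router = createRouter();

// POST /register: the client SUBMITS data and server state changes, so this is a POST route.
router.post('/register', (req) => {
  const { username, password } = req.body || {};
  if (!username || !password) return { status: 400, body: 'username and password required' };
  if (users.has(username)) return { status: 409, body: 'user already exists' };
  users.set(username, { password });                   // plaintext only for the demo; hash in real code
  return { status: 201, body: `registered ${username}` };
});

// POST /authenticate: credentials travel in the request body, not the URL,
// so they stay out of browser history and server access logs.
router.post('/authenticate', (req) => {
  const { username, password } = req.body || {};
  const user = users.get(username);
  if (!user || user.password !== password) return { status: 401, body: 'bad credentials' };
  return { status: 200, body: `welcome ${username}` };
});

// GET /profile: the client only READS data; a GET handler should never change state.
router.get('/profile', (req) => {
  const username = (req.query || {}).user;
  if (!users.has(username)) return { status: 404, body: 'no such user' };
  return { status: 200, body: { username } };
});

// Drive the three routes in order and return the status codes seen.
function demo() {
  users.clear();
  const r1 = router.handle({ method: 'POST', path: '/register', body: { username: 'alice', password: 'pw1' } });
  const r2 = router.handle({ method: 'POST', path: '/authenticate', body: { username: 'alice', password: 'pw1' } });
  const r3 = router.handle({ method: 'GET', path: '/profile', query: { user: 'alice' } });
  // The method is part of the route key: a GET to the POST-only /authenticate does not match.
  const r4 = router.handle({ method: 'GET', path: '/authenticate', query: { username: 'alice', password: 'pw1' } });
  return [r1.status, r2.status, r3.status, r4.status];   // [201, 200, 200, 404]
}

console.log(demo());
```

The last request in demo() is the point of the question: router.post('/authenticate', ...) does not answer a GET to the same path, because the HTTP method is half of the key Express matches on. In real Express the handler signature is (req, res, next) and you would call res.status(...).json(...) instead of returning an object; the return values here only make the dispatch easy to inspect.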

Related

In a vue3 vite project, use axios post method to server, but the browser console network shows that it is a get method

I use this axios request to post to my server
From the picture, you can see that I have set the router to respond to POST requests.
When I send a request, the server responds well, so we can be sure it is a POST request.
However, when I use the browser console's network tab to check this request, it shows that it is a GET request.
BTW, I configured a proxy server in vite.config.js to solve the CORS problem; the request is sent by the proxy server to my express server. I don't know whether it matters for the problem.
Thanks for any response to this post.
As a supplement, this is my request function, which was encapsulated to create axios.

Login user via GET (basic auth header) or POST

I've been doing some research on HTTP methods and headers recently: should we use GET with basic authorization instead of POST when submitting?
HTTP Methods
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
As we see here, the POST method normally changes the state of the server. If sending out JWTs/HTTP cookies, we are not modifying the state of the server. Nor are we creating a new resource in the server.
I understand that we should not send the username and password as a GET parameter, but should we use the authorization header instead?
Basic authentication
For "Basic" authentication the credentials are constructed by first combining the username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
The only advantage I see to using POST over GET is that we need no extra code in the HTML/JS on the client side to send headers via the fetch API. To send headers, we would need an onsubmit and then check if status code is 200. If 200, we will need to redirect to the page after the login screen. Then again, if using the fetch API, this means the server does not need to send a new HTML page to the client all the time either.
Should we use GET with basic auth or POST when logging in since we don't create a resource/modify the server state?
Would this change if say we enable 2FA since we would need to generate a code for that user?
Doing basic authentication in the browser and using GET is not that recommended.
To do your own login form it is better to always do it using HTTPS and POST. Do post the username/password in the body of the request and secure it with proper CSRF protection.
If you want to level up, you can always look at the OpenIDConnect approach, but that is more advanced depending on your needs.
Also, a good approach is to explore how existing sites implement a login form and look at the HTTP(S) traffic in a tool like Fiddler.

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting the above in sequence via JMeter I am getting a 200 response. Just like JMeter, I tried recording in Postman and it worked the same, but instead of JSON it gave the response in XML format.
It doesn't generate an access_token; it works via session cookies.
My question is: do I really have API access, or is it just browser record n play? If yes, does this mean I can get access to any API if I am a registered user of that application? For example: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating, say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server what client we are using and in what form the data is being sent, and then the server responds accordingly with the information.
What you've recorded is an OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to the Google API or Facebook Graph API given you have a proper access_token, but I don't think you should be testing them directly; you should focus solely on your application.

X-CSRF-Token issue in ionic. Every time a different token is received

I have a backend with Drupal.
Using Drupal Services to interact with it, which provides a REST server.
Created an endpoint named 'api'.
The following sequence works in a normal browser or any HTTP client like Postman:
example.com/api/login (works).
The api sends back user data (token, session id, session name etc.).
For any further request I make, I send the token as X-CSRF-Token (all requests work).
I can even log out the same session with the token received before.
IN IONIC APP:
I can log in and I also store user data (token, session data etc.) in local storage after login.
Here's the difference in the app:
When I send the same token back to the server while making a request (say logout),
the server's response is "User is not Logged In."
Why does this happen?
Update:
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.
I faced the same issue. The problem was I never set the cookie, and Chrome did this for me automatically.
Luckily I found this great site:
drupalionic.org
There are links to a few demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve session data and set cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?

Instagram API Returning Invalid Format for Callback_Url Error

I'm using the Instagram API.
I'm trying a simple post for a subscription request, and I keep getting
"Invalid format for 'callback_url'. URL must start with http:// or https://".
It clearly starts with that.
I can't find anyone online that's running into this same problem.
Tried the post with a clear callback url:
http://api.instagram.com/v1/subscriptions/?client_id={client_id}&client_secret={secret}&object=tag&aspect=media&object_id=skateboarding&callback_url=http://skateparkoftampa.com/spot/instagram_callback.aspx
And with an HTML encoded callback URL:
http://api.instagram.com/v1/subscriptions/?client_id={client_id}&client_secret={secret}&object=tag&aspect=media&object_id=skateboarding&callback_url=http%3A%2F%2Fskateparkoftampa.com%2Fspot%2Finstagram_callback.aspx
Also tried it with both GET and POST, also by letting the API console create the request by simply filling in the parameters fields, etc. I feel like I'm missing something really obvious or something, but I'm stuck. Any ideas?
As said on the Endpoints page:
All endpoints are only accessible via https
You should use your own CLIENT-ID and SECRET-ID and callback url (so don't use the API console).
Your callback url may be without https.
Just use the link with https:
https://api.instagram.com/v1/subscriptions/
Try the examples from this page.
You should use a POST request to subscribe and unsubscribe, and GET to get the list of subscriptions. Please read the documentation carefully.