Pre signed url PUT does a GET request in the background? - amazon-s3

uploading a image/jpeg to s3 bucket with PUT works fine, but just before the put the javascript throws an error saying it tried to do a GET using that signed key anT request in the first place. When i check the network in the browser it shows an OPTIONS method call with 200 status OK and then a PUT call using the signed url with 200 OK and no GET calls. Still the console throws the GET error.
Any insights would be appreciated.

Got the answer in the following post: Why am I getting an OPTIONS request instead of a GET request?
Before every PUT request there is an OPTIONS ajax request which does a GET for that key. Apparently these PUT cross origin request are preflighted with OPTIONS call

Related

POSTMAN - unable to fetch all the RESPONSE HEADERS including TOKEN

I am trying to access the token from the Response Header of the POST request. However, when I POST the request in POSTMAN it doesn’t show all the Response headers which I see on the chrome dev tool.
The KEY in the response header I am after is :
location: https://app.rm.dev/auth/callback/?token=
Also, I can see when I POST the request I receive a GET request in the chain in the Console window [image attached]. I tried but was unable to get all the Response Headers, therefore is there a way I can copy the GET request Token value from the Console window shown in the Image?
Found the solution, just needed to toggle off Auto redirect option in Postman Settings.

What is the difference between a postman request and a request from heroku or localhost

I can make a request from postman but when I make the same exact request (I'm talking about even copying the code from postman) I get an error.
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://glacial-stream-35306.herokuapp.com' is therefore not allowed access.
Even with the cors-eveywhere chrome extension and attempting to use jsonp I cannot get it to work. Even though the request goes through every time on postman.
What makes a postman req different from a request from a Heroku app?

How to look at http headers sent by safari?

I been trying to debug an issue that ONLY happens on safai, I get:
Bad Request - Invalid Header
http Error 400 The request has an invalid header name
However no matter where I look for in the error console, resources, or timeline I cant look at the headers from said request.
Is there a way to get this information?
You can install http-log and point the Safari URL to localhost:7777 and it will print out what headers Safari is sending.
If you can not change the URL or just want more debugging power you should install a debugging proxy e.g. WebScarab and configure Safari to use that. You get a nice GUI where you can see all the request data: WebScarab GUI
Http-log only prints it to command line.

Postman Resolving "Invalid CORS request" for a POST Request

I've just started using Postman to test an API I am integrating to.
I have the following error that keeps showing up
Invalid CORS request
Note the following:
The API uses Bearer token authentication(OAuth2). I have this
working without a problem.
I do get the bearer token successfully, assign it to an Environment variable and then attempt to use it for the RESTful operations.
The problem is in the subsequent RESTful operation that uses the token.
When I use an old token (through a POST operation), it rightfully
tells me that it is expired and not authorized.
When I then generate a new one and try to run the restful call, it gives me that Invalid CORS request error.
Using cURL, I have no issues. But I am frustrated by Postman.
What I have found so far:
Using postman with Http POST requests - I don't get the part in bold
Just in case anybody else has this same problem, here is how to solve
it. Go to https://www.getpostman.com/docs/capture in your chrome
browser. Click on interceptor extension and then choose add to
chrome. Once it is added there is a new icon top right of both the
browser and postman that looks like a traffic light. In postman click
this and it turns green. Then add a header to every request going to
third light. Every header consists of the header name and a value.
Start typing over the header name and a list of allowed http headers
comes up. Choose "Origin". In the cell for value simply type the
full URL of your server. (Do not forget the 'http://' or 'https://').
What is the expected response to an invalid CORS request? - Best explanation I have seen so far on CORS errors.
The other material speaks about Access-Control-Allow-Method header, preflight requests
... and there is an illustrative Apache Tomcat flowchart of the CORS flow.
Here's the answer you found again:
Just in case anybody else has this same problem, here is how to solve it. Go to https://www.getpostman.com/docs/capture in your chrome browser. Click on interceptor extension and then choose add to chrome. Once it is added there is a new icon top right of both the browser and postman that looks like a traffic light. In postman click this and it turns green.
... With the bit in bold translated:
Then add a header to your request. The header Key should be "Origin" and the header Value should be the full URL of your server (Do not forget the http:// or https://).
Note that Chrome/Postman won't allow you to add a Header with a Key of Origin without the Interceptor plugin.
Also note that at least on my system the Interceptor icon no longer looks like a traffic light.
If your back-end service side code checks for origin of the request (just to avoid CORS attack) you may face this issues when testing your Rest API through postman.
How to Resolve this .?
You need to install a Chrome plugin called Postman Interceptor (https://chrome.google.com/webstore/detail/postman-interceptor/aicmkgpgakddgnaphhhpliifpcfhicfo?hl=en).
After successfully installing this plugin , in you Postman client you can see small icon called Postman Interceptor , you need to toggle it to turn it on.
Now you can add a Request header as below
RequestHeader Key "Origin"
RequestHeader Value "your application base URL"
Check this image
Now you should be able to over come CORS issues you are facing
Cheers !!
Just avoid using browser/chrome postman plugin. Use the desktop application instead!
Seems our server is seeing from a Postman manual HTTP POST that the orgin is invalid b/c its coming from Postman as "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop"
Not sure why or how to resolve on client/Postman side. Seems our server is correclty rejecting it as is though and issuing a 403.
Value of "Origin" header set in Postman request should be allowed in API backend. For example, using Spring Boot for API should have next:
#Configuration
public class WebConfig implements WebMvcConfigurer {
#Value("${cors.allowedOrigins}")
private String allowedOrigins;
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*")
.allowedHeaders("*");
}
}
where allowedOrigins is set using application.properties property cors.allowedOrigins having comma separated list of allowed origins, eg:
cors.allowedOrings=http://localhost:8080,http://example.com
and set 'Origin' value in Postman to any url from cors.allowedOrigins
I was getting this error when testing my APIs on the postman. Even after meticulously configuring my cors. So I used Insomnia instead of Postman and it works fine. I guess sometimes postman is the problem as it needs some extra effort.
You can try new version of PostMan. To me it works after upgraded postman version from 5.5.5 to 7.36.5

How to send a HEAD HTTP request in Python to Amazon S3?

I'm trying to retrieve HTTP HEAD information from a S3 resource using Python. Unfortunately the response always returns a 403 error. I am using code that was suggested
here but unfortunately this does not work for S3 requests. Here is the code (host and key details omitted):
>>> import httplib
>>> conn = httplib.HTTPConnection("www.mybucket.us")
>>> conn.request("HEAD", "/mykey?myparamterers")
>>> res = conn.getresponse()
>>> res.status
>>> 403
The request also sends a signed expiration as part of the query string.
I have also tried using httplib2 but the HEAD REQUEST simply hangs.
If you are using a signed URL, the URL is signed by method (e.g. HEAD or GET). So you will need a different URL for each method.
403 tells you that the request sent was valid (whether it was correct is another story), but that you don't have permission to access the requested page for some reason. At least you know that a valid HTTP request is being sent.
Can you check the server log at all? That might help shed some light on the problem...
I'm not sure about the "HEAD" request either. Can you not use "GET" or "POST" and extract the header yourself? It might be that "HEAD" is not implemented by the library... I am not sure - the documentation I've been able to find by quick googling is woefully inadequate.
403 HTTP code means forbidden. Probably, site administrator disabled this method.
try telnet
telnet www.mybucket.us 80
HEAD http://www.mybucket.us/mykey?myparamterers
Host: www.mybucket.us
<ENTER>
<ENTER>
and watch for server response.
Alternatively, you could use conn.set_debuglevel(1) in python code.
A HEAD request on an AWS S3 pre-signed URL generated for GET will result in a 403 Forbidden response. You can, however, achieve the equivalent of a HEAD request on a pre-signed AWS S3 URL by doing a GET request with the Range header set as follows:
Range: bytes=0-0
here is a code snippet
import requests
response = requests.get(download_url, headers={"Range": "bytes=0-0"})
As shown in the Screen shot, response will have enpty body but will have Hearder info.
https://i.stack.imgur.com/9J99G.png