Creating users in dream factory - api

I was using dreamfactory and was trying to create users with different roles and use those to send requests however those users aren't working for me. The admin users are however. I don't understand why that is.
Below are the steps I've taken;
In the admin console, click the Roles tab then click Create in the left sidebar.
Enter a name for the role and check the Active box.
Go to the Access tab.
Add a new entry under Service Access (you can make it more restrictive later).
set Service = All
set Component = *
check all HTTP verbs under Access
set Requester = API
Click Create Role.
Click the Services tab, then edit the user service. Go to Config and enable
Allow Open Registration.
Set the Open Reg Role Id to the name of the role you just created.
Make sure Open Reg Email Service Id is blank, so that new users can register without email confirmation.
Save changes.
Then I registered the user incognito mode
I used a google extension rest client called Postman to make the request
In postman I used Basic Auth entered the username and password and sent the request
{
"error": {
"context": null,
"message": "Access Forbidden.",
"code": 403
}
...
Above is the result I got when I use the user I just registered. However when I use the admin username and password, I get the following response.
Status 200 OK
{"resource": [{"name": "_schema"},{"name": "_table"},{"name": "_proc"},{"name":"_func"}]}
which is the result I want for the other users.
Please let me know what I did wrong so I can fix it. Thanks again for all your help

I have configured my system the same and will walk through the steps. This is done on the 06 Oct 2015 commit of DreamFactory 2.0 beta.
First, to register a user:
POST /api/v2/user/register
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"first_name": "Basic",
"last_name": "User",
"display_name": "Basic User",
"new_password": "password"
}
Response: {"success":true}
Next, to login as that user:
POST /api/v2/user/session
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"password": "password"
}
Response:
{
"session_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"session_id":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"id":3,
"name":"Basic User",
"first_name":"Basic",
"last_name":"User",
"email":"user#domain.com",
"is_sys_admin":false,
"last_login_date":"2015-10-12 18:44:14",
"host":"console",
"role":"basic",
"role_id":1
}
Since you tried using basic auth, I did too:
GET /api/v2/db
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
Authorization: Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk
Response:
{
"resource":
[
{"name":"_schema"},
{"name":"_table"},
{"name":"_proc"},
{"name":"_func"}
]
}
Docs for DreamFactory 2.0: http://wiki.dreamfactory.com/DreamFactory/API
In-depth docs for each possible API call may be found in the API Docs tab of a DreamFactory instance. API Docs are automatically generated and self-documenting, using Swagger UI.

Related

Read extra SAML claims from ID token returned by Auth0Strategy in NodeJS+express

I have literally followed these steps from Auth0 blog to implement SSO in NodeJS with express.
Then, in Auth0 dashboard > Authentication > Enterprise > SAML, I've added a SAML connection to our Active Directory IdP.
The tutorial above requests these scopes:
scope: "openid email profile"
But our AD SAML IdP can (and should) provide us with the groups claim.
I've tried all the steps bellow, but still no "groups" on the id token that i get back from Auth0.
This is all that I'm getting back every time:
(no "groups")
{
"sub": "samlp|My-Company|Myemail#mycompany.com",
"given_name": "John",
"family_name": "Doe",
"nickname": "johndoe",
"name": "Doe, John",
"picture": "https://mycompany.com/avatar.john.doe.png",
"updated_at": "2022-11-23T13:29:49.197Z",
"email": "Myemail#mycompany.com"
}
I've tried a few things:
I've changed the scope above to scope: "openid email profile groups", but got no groups back on the ID token.
I've also tried adding another request parameter called claims, following this spec sheet. But since claims must be a JSON, and Auth0 strategy sends all in the URL, it didn't work. Either claims goes empty, or if I stringify+urlencode, Auth0 calls us back with an error saying it couldn't parse the JSON (and that is a good sign!!). I then tried just stringifying (without urlencoding) the JSON, and it was successfully sent over the URL, but i still got no groups back on the id token.
On Auth0 dashboard > authentication > enterprise > SAML > our connection > Mappings, i've clicked on "Show full mappings example" and used the example as is. It does include "groups"! But it didn't work either. On the id token that I get back, there are no groups.
On Auth Pipeline > Rules > i added a new rule based on the template called "SAML Attributes mapping". This was promising, and I added these lines:
{ ...
"http://schemas.xmlsoap.org/claims/Group": "group" ,
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups"
...}
Again, no "group" or "groups" property on the ID token.
Thank you very much.

Writing to an Excel spreadsheet via Microsoft Graph API - Could not obtain a WAC access token

I'm trying to update an existing spreadsheet that is located in the root of a Business OneDrive.
I can run a GET and retrieve the file details.
I'm authorised as an Application as opposed to Delegated.
Whenever I run the following POST:
https://graph.microsoft.com/v1.0/drives/{drive-id}/root:/demo.xlsx
I get this error:
{
"error": {
"code": "AccessDenied",
"message": "Could not obtain a WAC access token.",
"innerError": {
"request-id": "07422c42-930f-4329-809a-93103bff3ab4",
"date": "2020-05-14T18:32:46"
}
}
}
I also have Files.ReadWrite.All set to the Application.
I have been using the following documentation for help:
https://learn.microsoft.com/en-us/graph/api/resources/excel?view=graph-rest-1.0
Apparently sessions are not mandatory, and by default they are persisted - which is what I want (https://learn.microsoft.com/en-us/graph/api/workbook-createsession?view=graph-rest-1.0&tabs=http)
I have ran the GET and POST requests via Postman
One of the following permission scopes is required to use the Excel resource:
Files.Read (for read actions)
Files.ReadWrite (for read and write actions)
You need to add this permission and give the admin consent:

How to auto login in Odoo's Web-module for res.user, not for res.partner?

I am trying to login using token-based Auth, because we are using Odoo-web module in mobile-app.
currently using GET-method url-passing approach which is "UNSECURE" on websites without SSL certificates and localhost-websites, as
myurl.com?username=foo&password=bar
How can I do that using Token based approach or passing credentials in POST-method, in Odoo-12?
Edit 1:
I found this authenticate() method in core-modules of odoo in http-controllers file and I am calling that only now, as:
request.session(db, username, password)
but I wanted it to be token based without hardcoding password as different passwords for different partners, which I can't hardcode and it's bad approach.
how can I do it by passing token and validating it?
You can use the authenticate endpoint provided by odoo to create a session for your api user.
In the following requests you then use the session id to process operations.
Example call to /web/session/authenticate with body:
{
"jsonrpc": "2.0",
"method": "call",
"id": 1,
"params": {
"db": "<YOUR-DB>",
"login": "<YOUR#LOGIN.COM>",
"password": "<YOUR-PASSWORD>"
}
}
You can find a description of the endpoints in https://github.com/odoo/odoo/blob/12.0/odoo/http.py

Zapier basic auth pass blank data

I have been trying to create an app in Zapier for one of my project. On the very first step, I am doing Authentication where I choose "Basic Auth" method. I have set API URL along with details, however cannot see the expected result and seeing error in my API return value. After debugging, I found that API doesn't get the value I pass thru the Zapier. I have checked the same API in postman and it works, however it only doesn't work thru the Zapier.
Below is even more detail how I proceed, what is expected result and what I am getting:
Process we're following
We have created an App
We went to Authentication step, there we have selected “Basic Auth” option
Under the Basic Auth, we have configure with setting end point and method is “Post”
We have set our field names as Key and as value we have set “{{bundle.authData.password}” and “{{bundle.authData.username}}” in order to field mapping
Then came to Step 2 to test the authentication
Under the “Test Setup”, we have connected the current Zapier account and clicked on “Test Authentication”
This process doesn’t post any value in parameters. Hope I could explain the issue, please help us to find where we’re going wrong.
Expected Result
{
"data": {
"first_name": "Dhaval",
"last_name": "Parekh",
"email_address": "dhaval.php#gmail.com",
"phone_no": "1234567890",
"user_id": "7oiA****",
"token_id": "zNkzT***"
},
"resend_verification_link": false,
"status": true,
"message": "You have successfully Logged in!!"
}
Actual Result
{
"resend_verification_link": false,
"status": false,
"message": "The password must contain a minimum of one lower case character. one upper case character, one digit"
}
What I understand after spending too much time, is it doesn't send the data with post method and hence I'm getting this issue. While it works fine with the Get Method. So, should I consider that Basic Auth will only with work with "Get" method in Zapier? Or I'm missing any piece to include here?
Please let me know what is missing? Or even I'm going thru the wrong root. I want to create an app in Zapier to allow other apps to connect.

slashDB accessing a database via POST request and using APIkey yields 403 error

Question about security for POST method of HTTP:
I made a user called "MyAPP":
{
"userdef": [
"view",
"create"
],
"api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
"user_id": "MyAPP",
"name": "MyAPP",
"creator": "admin",
"edit": [],
"dbdef": [
"view",
"create"
],
"querydef": [
"view",
"create"
],
"databases": {
"Gaming": {
"dbuser": "mydbuser_here",
"dbpass": "mypass_here"
}
},
"password":
"$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
"email": "",
"view": []
}
Then I wanted to issue a POST in order to execute a SQL Pass-thru
such as this:
http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05
Where I built a query and named it "InsertBestScore":
insert into Gaming.Leaderboard
(ScreenName, Score)
values
(:ScreenName, :Score);
If I run this via POSTMAN using the POST method:
... then I get an access, 403 :
<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
<http_code>403</http_code>
<description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
<url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>
Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within a AWS Lambda Function.
Now, I came across this in the documentation:
Two parameters API key
SlashDB also allows a two parameters credentials in this authentication method - app id and api key. This may come handy when integrating with API management systems like 3Scale. By default header and query string argument would be:
• appid - identifies certain application
• apikey - secret for the application
Request with API key in header - Access granted
... however in the example above, I don't see where the appid comes into play.
Can you tell me how one would call the SlashDB endpoint and pass a APIkey and assure that the userid is known as MyAPP.
So, to sum up, the Documentation mentions:
• Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.
So I want to actually, do just what is in that bullet: Identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that was assigned to access that "Gaming" database.
Idea?
Make sure you've given user MyAPP permission to execute the query.
To do so:
login as admin,
go to Configure -> Queries,
open your query definition,
update field Execute. It accepts comma separated user ids.
OK, there are really two questions here:
Why was access denied?
What is the appid and how to use it.
Ad. 1: There are two authorization barriers that the request has to clear.
The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.
The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges to the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.
Ad. 2. To enable the appid the user api key must be composed out of two parts separated by colon ":". The first part will be interpreted as the appid and the second will be the apikey.
To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type in your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.
The reasoning behind this feature is to facilitate API Management platforms, which can help with key management, especially when API will be exposed to third party developers.