I'm using Ember.js in conjunction with Ember-Auth. While uploading files via Jquery-File-Upload, I need to send the authenticity token through the headers. I'm approaching this like so:
didInsertElement: ->
  $('#image_upload').fileupload
    headers:
      'X-CSRF-Token': Whistlr.Auth.authToken
Unfortunately, Whistlr.Auth.authToken is undefined. I'm not even sure this is where Ember-Auth stores the auth token, though it seems like a likely candidate. Similarly, other attributes are undefined, such as user and userId. Aside from this, Ember-Auth seems to work fine, and it sends the auth token with every request. It's only when trying to manually retrieve it that I have this problem. Any advice as to what's happening?
I don't know Ember-Auth, but to access properties in objects, you have to use the get method:
Whistlr.Auth.get('authToken')
I hope it helps.
So I am creating some APIs on Laravel using Passport (JWT).
I am having issues deciding what is the preferred method for the following:
PUT: api/users/{user_id}
PUT: api/users/me
I need the API so that the user can change his own information, but I would also like the API to be accessible to the Admin to change said information.
At the moment I am only using the first API and checking if the ID is the same as the one in the JWT auth or if the one requesting the API is the Admin.
But I was also thinking that maybe it was better to have them separate. The first API should only be accessible to the Admin, and I should be taking the ID from the JWT auth for the second API.
What would be the correct choice? Or is there a better choice?
I would say using this approach is better:
PUT: api/users/{user_id}
That allows anyone to consistently link to your own profile or to some other user profile in the same way. Then depending on your authentication and authorization, you can be allowed to do different operations on that resource.
There is no correct or better choice. You seem to understand the implications of using either of them, so it's really up to you to choose. With the /{user_id} version you have to be extra careful not to remove proper validation rules from your code. If you used /users/me for a GET operation you would have to be careful with setting cache headers. If a browser cached a response to users/me and another user then requested this endpoint, you could get some other user's data. For PUT operations, though, this is not a concern.
I am trying to use the Invidious API with an authenticated route. For this, I've generated a new token with this URL: https://invidio.us/authorize_token?scopes=GET:preferences.
The response is like this: {"session":"v1:XXXXX","scopes":["GET:preferences"],"signature":"XXXX"}
But the token generated (session) doesn't work. I tried with a simple GET on the preferences route, and I get an error: Request must be authenticated :(
Has anyone already used their API and worked with an auth route?
Thank you!
I've actually been struggling with this the past week, and I even deployed a self-hosted instance because I thought that would fix it... I was wrong of course.
Here's how the Authentication header should look:
Authentication: {"session":"v1:XXXXX","scopes":["GET:preferences/*"],"signature":"XXXX"}
The full token is the json that is provided.
The scope needs to include a * or a specific identifier, for example in the case of playlists as mentioned in the examples here. So your authorize_token request should look like:
https://invidio.us/authorize_token?scopes=GET:preferences*
or
https://invidio.us/authorize_token?scopes=GET:preferences/*.
If you want all scopes that would be :*. Make sure not to forget the colon.
First of all, the project is amazing; I had GraphQL working with MongoDB very quickly, even GraphiQL with the ModHeader extension. However, I am trying to add policies to the GraphQL endpoints and I am finding that ctx.session is always empty, even though I am making authorized requests (via the Bearer token).
How does session work in this example? Do I need to query for the user every single time I create a request?
The user info is available through the ctx.state.user object and not the ctx.session. Also, feel free to take a look at the GraphQL example https://github.com/strapi/strapi-examples/tree/master/react-apollo
Maybe I am not understanding the OAuth flow correctly, but this is what I want to be able to do: I have a service that will issue requests to Trello's API, so, in order to perform some of the requests, I need to have an access token.
Is this even possible? I know that you can do this with other services, like Twitter, but I don't know if I can do this against Trello.
I am using NodeJS with a library called oauth to do this, and my flow looks like this: I create a new OAuth object, call getOAuthRequestToken and then call getOAuthAccessToken in the callback, and that is where I get a 500 error saying that the oauth_verifier is missing.
Here is the piece of code I am talking about:
var OAuth = require('oauth').OAuth,
    // config.key / config.secret are the app's Trello API key and secret
    oauth = new OAuth('https://trello.com/1/OAuthGetRequestToken?key=' + config.key,
                      'https://trello.com/1/OAuthGetAccessToken',
                      config.key,
                      config.secret,
                      '1.0',
                      null,          // no callback URL
                      'PLAINTEXT');  // signature method

oauth.getOAuthRequestToken(function(error, oauth_token, oauth_secret, results){
    // Here I have some error handling code

    // Note: the verifier argument is not passed here, because it is unknown
    // at this point; this is the call that fails with "oauth_verifier missing".
    oauth.getOAuthAccessToken(oauth_token, oauth_secret,
        function(error, oauth_access_token, oauth_access_token_secret, access_results){
            // Here I would be storing the access token for later, etc.
        });
});
So, obviously, I am not passing the oauth_verifier parameter to the getOAuthAccessToken method (I checked in the code and that function is expecting the verifier as third parameter), but I am not doing it because I do not have it: the results object is empty and I do not know how to get it programmatically.
Another thing to notice is that I am passing the key parameter in the request token URL and using plaintext as the signature because I just thought that would be the right thing to do (I haven't seen any reference in the documentation about what kind of signature to use or whether I need to pass the key as a parameter).
Am I doing things really wrong? Am I on the correct track? What am I missing?
As always, thanks in advance! =)
Trello docs don't say much about oAuth.
I'd speculate that the issue would be that Trello is oAuth 2.0 (used by Facebook, Google) and you're using the oAuth 1.0 scheme (used by Twitter, Tumblr).
For what it's worth, the node-oauth library has an oAuth2 implementation in its lib directory you can include via require in node.js.
The logic looks circular to me (although I know I'm missing something).
I want to use this:
https://dev.twitter.com/docs/auth/pin-based-authorization
But in order to make the url to send the user to get the pin you need an "oauth_token" :
https://dev.twitter.com/docs/api/1/get/oauth/authorize
But to get the "oauth_token" you need a:
https://dev.twitter.com/docs/api/1/post/oauth/request_token
But that, at the bottom, shows it needs an "oauth_signature".
Well, an "oauth_signature" requires an "oauth_token"
( https://dev.twitter.com/docs/auth/creating-signature ) which you don't have, making it impossible to get an "oauth_token" because you need one to get one.
What am I missing here? I mainly just want to find out how to get that initial url for the PIN-based authorization, so I need that first "oauth_token" somehow.
There are two different types of oauth tokens - let's call them request tokens and normal tokens. Request tokens are used for the authentication, then once the authentication is done you get normal oauth tokens.
Calling oauth/request_token will generate a request token for you, which is a temporary token used for the actual authentication. Once that's done you have the normal tokens.
Set the callback URL both at https://apps.twitter.com/ and in your code. It is working for me.
oauthCallback:#"myapp://twitter_access_tokens/"