Will CSRF token warning prevent devise from having a current user? - ruby-on-rails-3

I use a jQuery AJAX call to update a TimeSlot model from a page showing a campaign. The Campaign is a signup sheet with columns of days and rows of time_slots. The user can join a timeslot by clicking the correct checkbox.
When I implemented this feature several months ago I wasn't getting any errors. Now, I'm getting a 500 error saying there is an internal server error. I did some digging and it appears the error is caused by devise's current_user method not returning a value. There is a CSRF warning in the log. This causes a NilClass to be returned and a mismatched type exception to be thrown. This causes the 500 error.
Do I need to supply CSRF token information in my AJAX call? If I do, what is the best way to do it?

You can always skip the csrf check for the controller action that your ajax is calling with:
skip_before_filter :verify_authenticity_token, :only => :some_action
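Rather than skipping the check, the AJAX call can carry the token. This is an added example, not the asker's code and not Rails, Devise or jQuery internals: it reads the token that `csrf_meta_tags` renders and puts it in the X-CSRF-Token header; the `$.ajax` settings shape and the sample `<head>` fragment are assumptions.

```javascript
// Added example (not the asker's code, nor Rails/Devise/jQuery internals).
// Why current_user vanished: protect_from_forgery's handle_unverified_request
// resets the session on a failed check (Rails >= 3.0.4), so Devise finds no
// logged-in user and the controller dereferences nil.
// Fix on the client: send the token Rails renders via csrf_meta_tags.

// Pull the token out of <meta name="csrf-token" content="...">.
// In the browser read it directly:
//   document.querySelector('meta[name="csrf-token"]').getAttribute('content')
// The `html` argument here is a constructed sample so this runs under Node.
function csrfTokenFrom(html) {
  const match = /<meta\s+name="csrf-token"\s+content="([^"]*)"/i.exec(html);
  return match && match[1] ? match[1] : null;
}

// Settings for $.ajax: the token rides in the X-CSRF-Token header, which
// Rails checks alongside the authenticity_token form field.
function ajaxSettings(url, payload, token) {
  if (!token) throw new Error('no CSRF token: is csrf_meta_tags in the layout?');
  return {
    url,
    type: 'PUT',
    dataType: 'json',
    headers: { 'X-CSRF-Token': token },
    data: payload,
  };
}

// Constructed sample of what the layout's <head> contains.
const SAMPLE_HEAD =
  '<meta name="csrf-param" content="authenticity_token" />\n' +
  '<meta name="csrf-token" content="c0nstructedT0ken==" />';

// Typical wiring in the page (jQuery present in the browser, not here):
//   $.ajax(ajaxSettings('/time_slots/42', { time_slot: { user_id: 7 } },
//                       csrfTokenFrom(document.head.innerHTML)));
// Or once per page with $.ajaxSetup({ headers: { 'X-CSRF-Token': token } }).
```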

Avoid multiple error notifications when API responds with 401 on expired session

My custom react-admin page has a component that makes several API calls. When the session has expired and all calls respond with a 401 status, I'm redirected to login, but the notification appears multiple times (once for each failed call).
The calls are made using specialised hooks.
Is there a way to silence those notifications? Looking through react-admin code, I don't think it's possible. It seems that the only option is to resolve the promise in authProvider.checkError and handle the errors elsewhere (not sure how, yet).
Thanks for any input!

Invalid Scope for BigCommerce Oauth for my app - store_v2_transactions_read_only

My app is an approved hidden app in BigCommerce that has all of the scopes selected in the MyApp Technical page. Unfortunately, when I try to oAuth into a user, the following scope 'store_v2_transactions_read_only' returns an 'invalid scope' message. If I take that scope out, the other scopes (for read_only orders, customers, etc.) work fine and I can successfully connect an account using Oauth with my app.
The scope 'store_v2_transactions_read_only' is found in the documentation in the list of scopes here: https://developer.bigcommerce.com/api/#oauth-scopes96. But making the request to connect an account using that scope returns 'invalid_scope' and I can't access user transaction data. Again, all other scopes work, and I have them all selected in the app technical page in the developer portal.
Working in node and using axios to get the token with the oauth code. This list of scopes works:
scope: 'store_v2_customers_read_only store_v2_information_read_only store_v2_orders_read_only store_v2_products_read_only'
The moment I add store_v2_transactions_read_only it returns 'invalid scope', even though that is the string stated in the docs. It is the same error that shows if I misspell any of the scopes.
Make sure that you're passing in the context in your query string. At the time of writing the API will send back an Invalid scope(s). error seemingly only when you request store_v2_transactions_read_only without this query param. Other scopes seem to work fine, as you've noticed, if this param is not sent.
Can't comment, because I don't have 50 karma, but adding the context to the POST call in postman from the correct answer fixed this issue for me. I had been dealing with it for some time and there isn't a lot of documentation on the BigCommerce side in other forum posts.
I am using the x-www-form-urlencoded params with:
KEY: context
VALUE: stores/abcdefg
The abcdefg is the actual store number/id in the exact format it came in from the callback.
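Putting the answer and the comment together: the token request must carry `context` exactly as it arrived on the callback. This is an added example, not the asker's code nor BigCommerce's SDK; it assumes the documented token endpoint URL, and every sample value is constructed.

```javascript
// Added example, not the asker's code nor BigCommerce's SDK: assemble the
// token request the thread discusses and refuse to send it without `context`,
// the query value ("stores/<hash>") BigCommerce passes to the auth callback.
// Assumed: the documented token endpoint below; all sample values are constructed.

const TOKEN_URL = 'https://login.bigcommerce.com/oauth2/token';

// Scopes named in this thread; extend with whatever is enabled on the app's
// Technical page. Anything else gets the same invalid_scope reply as a typo.
const KNOWN_SCOPES = new Set([
  'store_v2_customers_read_only',
  'store_v2_information_read_only',
  'store_v2_orders_read_only',
  'store_v2_products_read_only',
  'store_v2_transactions_read_only',
]);

function buildTokenRequest({ clientId, clientSecret, code, scope, context, redirectUri }) {
  // Forward context exactly as received on the callback: "stores/abcdefg",
  // not the bare hash. Omitting it is what triggers "Invalid scope(s)."
  // once store_v2_transactions_read_only is in the list.
  if (!/^stores\/[A-Za-z0-9]+$/.test(context || '')) {
    throw new Error(`context must be "stores/<hash>", got ${JSON.stringify(context)}`);
  }
  const scopes = scope.trim().split(/\s+/);
  const unknown = scopes.filter((s) => !KNOWN_SCOPES.has(s));
  if (unknown.length) {
    throw new Error(`scope(s) not enabled/known, check spelling: ${unknown.join(', ')}`);
  }
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    code,
    scope: scopes.join(' '),
    grant_type: 'authorization_code',
    redirect_uri: redirectUri,
    context,
  });
  return {
    url: TOKEN_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// With axios (not run here): const req = buildTokenRequest({ ... });
//   axios.post(req.url, req.body, { headers: req.headers })
```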

JwtBearerAuthentication doesn't return 403 Forbidden, always returns 401 Unauthorized

If the ClaimsIdentity set through the JwtBearerAuthentication middleware doesn't have enough of the roles required through
[Authorize(Roles="whateverrole")]
it returns 401 instead of 403.
I am struggling with this in ASP.NET Core Web API the whole night. I have also seen this question on Stack Overflow but I haven't seen any solution I could make work. Neither the order of registering middleware nor the AutomaticChallenge setting did the job.
I don't know if I am missing something, but it seems shocking that this hasn't been solved properly for years. It is so annoying.
Is there any normal, usual, non-workaround, non-hack way of solving this?
UPDATE (in response to comment from #juunas)
I have tried that and roles are mapped correctly from Claims.
So, if I remove the Roles requirement from the attribute, for all roles that the user is assigned to (in the JWT token) User.IsInRole(x) returns true. So mapping works just fine.
About moving from role-based authorization to policies... can you provide some link with some best practices, recommendations or something that you base that statement on?
I am not saying it's not something to be done but would just like to understand it.
It's important to understand the difference in these two errors to understand why you will get one and not the other.
401 is for authentication. If you are getting this error then you have to ask yourself is the user logged in, or does the user have a current token provided by a valid token provider? If the token has expired or the provider is not valid then you can get a 401. If this is what you are getting then you need to check User.Identity.IsAuthenticated does this return true? Most likely it returns false.
403 is for authorization. This would mean the user has a valid token, but the token they have does not give them access to the resource they are requesting. This is where you would want to check User.IsInRole() and it would return false.
If you're getting 401 it means that the user hasn't been authenticated i.e. they have not logged in, their login was invalid, the token has expired... etc. As far as your application is concerned the user hasn't proved they are who they say they are yet.
Edit: Apologies for assuming the user wasn't authenticated, I didn't see where you stated that they were in your first post. It's hard to help without seeing code but my next guess is that the Claims check hasn't been added to the services pipeline.
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("whateverrole", policy => policy.RequireClaim("whateverrole"));
    });
}
This is in your Startup.cs. MS doc is here https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims
Last update: Simply put, using the default Authorize attribute tag you can't change it. MS designs it this way due to the number of layers in the pipeline that could impact authentication. I was unaware of this because I use a custom Authorize attribute and forgot that I overwrote the way it handled status codes.
However I found a nice solution that might suit your needs https://github.com/aspnet/Security/issues/872#issuecomment-232624106
It adds an error page to the pipeline prior to the app.UseMvc() that redirects authentication errors to an error page that returns the correct status code.

addSiteAccount Returns siteAccountId even if credentials are incorrect

I would like to differentiate between two scenarios: addSiteAccount API with incorrect credentials and addSiteAccount API with right set of credentials. What I am noticing is that both cases return a siteAccountId with RefreshStatus=Triggered. But when I invoke the same API again or any other API then I get a Login error message.
How can I distinguish between the two cases in a single execution of addSiteAccount, so that I can report the incorrect credentials to end users? Thanks.
addSiteAccount1 is the API which will create a siteAccountID, i.e. an identifier for that particular linked account.
It will not return any error unless you are trying to add the same credentials, i.e. in that case it will check if you have already added those credentials and will return the response for those credentials.
For understanding how it works:
After calling addSiteAccount1 a siteAccountId will be created and a refresh would be initiated for it. This will go ahead and validate the credentials passed with the bank web site and will return the response (success or failure depending upon the credentials passed).
For checking the status you need to call getSiteRefreshInfo in a loop; I am mentioning the flow for your reference.
(Applicable only for NON-MFA sites)
1. CobLogin
2. Register3
3. Login
4. AddSiteAccount1 (this will trigger a refresh request, no need to call startSiteRefresh)
5. Check the siteRefreshStatus field's value returned from #4 and if it says "REFRESH_TRIGGERED", then you can go to #6.
6. Call getSiteRefreshInfo in a loop until you get SiteRefreshStatus as one of the following:
   PARTIAL_COMPLETE – This means that the account level data has been aggregated.
   REFRESH_COMPLETED – The refresh has been completed.
   LOGIN_FAILURE – Login credentials provided were wrong.
   REFRESH_CANCELLED – Refresh cancelled by user.
   REFRESH_TIMED_OUT – Refresh is taking more time.
7. From #6 you also get a "code": if the code is 402 that means the credentials were wrong, and if it's 0 (zero) that means the credentials were correct and the gathering of data was successful. Then you can go to #8 and grab transactions.
   Also, to know more about error_code see the ErrorCode document.
8. ExecuteUserSearchRequest or call any other API depending upon your implementation.
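The polling loop from steps 6 and 7 of the answer above, as an added example that is neither the asker's nor Yodlee's code. It assumes getSiteRefreshInfo is wrapped by a caller-supplied async function returning a flat `{ siteRefreshStatus, code }` object; the response sequence is constructed.

```javascript
// Added example, not Yodlee's own code: the getSiteRefreshInfo polling loop the
// answer above describes (steps 6 and 7), run against a constructed sequence
// of responses. Assumed response shape: { siteRefreshStatus, code }; adapt the
// field access to the real payload.

const TERMINAL_STATUSES = new Set([
  'PARTIAL_COMPLETE',   // account-level data aggregated
  'REFRESH_COMPLETED',  // refresh finished
  'LOGIN_FAILURE',      // credentials were wrong
  'REFRESH_CANCELLED',  // cancelled by the user
  'REFRESH_TIMED_OUT',  // refresh took too long
]);

// Map one response to a result the UI can act on; null means "keep polling".
function classifyRefresh(info) {
  if (!TERMINAL_STATUSES.has(info.siteRefreshStatus)) return null;
  return {
    status: info.siteRefreshStatus,
    code: info.code,
    credentialsOk: info.code === 0,                     // step 7: 0 = success
    badCredentials: info.code === 402 || info.siteRefreshStatus === 'LOGIN_FAILURE',
  };
}

// getSiteRefreshInfo: caller-supplied async function hitting the real API.
// sleep is injectable so tests can skip the wait between polls.
async function pollRefresh(getSiteRefreshInfo, {
  maxAttempts = 30,
  intervalMs = 2000,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
} = {}) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const result = classifyRefresh(await getSiteRefreshInfo());
    if (result) return { ...result, attempts: attempt };
    await sleep(intervalMs);
  }
  throw new Error(`no terminal siteRefreshStatus after ${maxAttempts} polls`);
}

// Constructed stand-in for the API: replays a fixed list of responses.
function scriptedRefreshInfo(responses) {
  let i = 0;
  return async () => responses[Math.min(i++, responses.length - 1)];
}

// Constructed sequence: two in-flight polls, then a login failure with code 402.
const SAMPLE_LOGIN_FAILURE = [
  { siteRefreshStatus: 'REFRESH_TRIGGERED', code: 0 },
  { siteRefreshStatus: 'REFRESH_TRIGGERED', code: 0 },
  { siteRefreshStatus: 'LOGIN_FAILURE', code: 402 },
];
```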

Problems with fe_login

I have a problem with TYPO3's front end user login extension. It correctly detects correct logins and logouts, but if I enter an incorrect user/password combination then it doesn't show any error or warning message (which are defined).
I've tried to trace the extension code and print all states and request values and discovered that once an incorrect login attempt is detected it "erases" any session or request variable, as if it were the first time a user enters the page.
I am using TYPO3 4.5.2; if anyone has a clue about what's going on it would be really helpful.
Some ideas:
Try to test this behaviour without being logged into the backend (e.g. in another browser).
Update TYPO3 (or the felogin extension).
Cookie handling might be an issue, too:
Delete all cookies from your domain.
Check if setting $TYPO3_CONF_VARS['SYS']['cookieDomain'] in localconf.php resolves the issue [Howto]