I'm trying to do a cross-domain request. Looks like all the headers are ok. However the cookie is not set and I don't know why. Can it be because the 401 server status (no access to change server) or because the request is from http to a https server?
these are the headers:
Request URL:https://domain/current-user
Request Method:GET
Status Code:401 Unauthorized
**Request Headers**
Accept:application/json, text/plain, */*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:app.domain.com
Origin:http://domain.com
Pragma:no-cache
Referer:http://domain.com/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
**Response Headers**
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:accept, origin, content-type, cookie
Access-Control-Allow-Methods:GET,POST
Access-Control-Allow-Origin:http://domain.com
Access-Control-Max-Age:1728000
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/html; charset=utf-8
Date:Sun, 02 Jun 2013 16:52:58 GMT
P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Server:nginx/1.1.19
Set-Cookie:domain.ssid=s%3A7GcUvlVmeOgVF5sgyIHCjNn8.S%2FFDoCTOU5q4bT4zNQAECCGg%2FQmKkb9bT7Ee2KaLP2o; Path=/; Expires=Mon, 30 Sep 2013 16:52:58 GMT
Transfer-Encoding:chunked
Vary:Accept-Encoding
X-Cache:MISS
X-Powered-By:Express
Try setting withCredentials on the request, e.g.
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
Related
I try to set a auth cookie. The ui and the data server are under different subdomains. So I need to activate CORS.
services.AddCors(options => options.AddPolicy("SubdomainDefault", builder => builder
.WithOrigins("https://ui.domain.de")
.AllowCredentials()
.AllowAnyHeader()
.Build()
));
On the same subdomain the cookie is set, but with different subdomains it is visible in the headers, but not set.
Request URL: https://server2.domain.de/...
Request Method: POST
Status Code: 200 OK
Remote Address: X.X.X.X:443
Referrer Policy: strict-origin-when-cross-origin
Response Header
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ui.domain.de
Content-Length: 1017
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Oct 2021 10:27:11 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: auth=XXX; domain=.domain.de; path=/; secure; samesite=strict; httponly
Vary: Origin
X-Powered-By: ARR/3.0
Request Headers
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en;q=0.8,en-US;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Host: server2.domain.de
Origin: https://ui.domain.de
Pragma: no-cache
Referer: https://ui.domain.de/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Has anyone a idea?
Assuming your second request is actually a XMLHttpRequest you need to set the withCredentials flag, otherwise the cookies are not sent.
Here's an excerpt from https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials:
const invocation = new XMLHttpRequest();
const url = 'https://bar.other/resources/credentialed-content/';
function callOtherDomain() {
if (invocation) {
invocation.open('GET', url, true);
invocation.withCredentials = true;
invocation.onreadystatechange = handler;
invocation.send();
}
}
I am trying to log in to the pge.com website using Google Apps Scripts, with my username and password, so that I can retrieve my electricity consumption details. The need is similar to this thread
I have inspected network calls during login but I cannot figure out how my username and password are passed.
I can see two subsequent calls to the login service.
First request (doesn't seem to carry a payload):
**General**
Request URL: https://apigprd.cloud.pge.com/myaccount/v1/login?ts=1614544850626
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 130.19.47.120:443
Referrer Policy: strict-origin-when-cross-origin Response Headers
** Response Headers **
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: https://www.pge.com
Content-Encoding: gzip
Content-Length: 59
Content-Type: text/plain;charset=UTF-8
Date: Sun, 28 Feb 2021 20:40:50 GMT
Set-Cookie: TS01ef76cb=015399e11<...>dc1f; Path=/; Domain=.apigprd.cloud.pge.com
X-Tracking-ID
X-Transaction-ID: 00000177b2ec4203-10baebc
** Request Headers **
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Connection: keep-alive
Host: apigprd.cloud.pge.com
Origin: https://www.pge.com
Referer: https://www.pge.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
A subsequent request is then made:
** General **
Request URL: https://apigprd.cloud.pge.com/myaccount/v1/login?ts=1614544850626
Request Method: GET
Status Code: 200 OK
Remote Address: 130.19.47.120:443
Referrer Policy: strict-origin-when-cross-origin
** Response Headers **
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers
Access-Control-Allow-Origin: https://www.pge.com
Content-Encoding: gzip
Content-Length: 101
Content-Type: application/json;charset=UTF-8
Date: Sun, 28 Feb 2021 20:40:50 GMT
set-cookie: PF=cuLZ7Vh4y6keKdWEzXVaxD4kzuePT0wcOOyvxZ6V3u0K; Path=/; Domain=.cloud.pge.com; Secure; HttpOnly
set-cookie: PA.ToI.CustomerWeb=eyJhb<...>MifQ..8p6<...>iqw.1BewS--tpmP<...>3fo-rbtoh-<...>Egz-acEIN58H-dO<...>rWR-Q<...>w; Path=/; Domain=pge.com; Secure; HttpOnly
Set-Cookie: TS01ef76cb=015399e11<...>ec2d9; Path=/; Domain=.apigprd.cloud.pge.com
Set-Cookie: TS01d056a5=015399e11<...>2fc17; path=/; domain=pge.com
X-Tracking-ID
X-Transaction-ID: 0000017602681258-9359011
** Request Headers **
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Basic bWFy<...>wc2U=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: optimizelyEndUserId=oeu1<...>2r0.2464<....>336; oo_inv_percent=0; _gcl_au=1.1.1250622131.1614535637; AMCVS_DF70BB6B55BA62677F000101%40AdobeOrg=1; s_cc=true; _ga=GA1.2.676<...>72.1614535638; _gid=GA1.2.127<...>54.1614535638; _fbp=fb.1.1614535638419.135544411; userLanguageSelected=English; com.silverpop.iMAWebCookie=654ee074-<...>-<...>-0784-4940b13c1dc8; CARE_LANG=English; BIGipServer~Prod~P-itiampingaccess.cloud.pge.com-pool=1796742666.54795.0000; com.silverpop.iMA.session=2764a7b2-1c77-<...>-<...>-b56816c03631; com.silverpop.iMA.page_visit=2144181430:; s_sq=%5B%5BB%5D%5D; PF=dyxdIf<...>wnCDfDTC4EeNVNzFtF3; care_hashed_acct_id=811067339<...>E559C253; PGE_EN=4nx9s6<...>NigxfgqMgNTc/Hs7mt6oL<...>M3oG2lGBv+FNpQhj4U1N8YVv<...>TEUP1x9NU5QJQPcImd/s3FVCFgLy<...>qhrhuv+HQ1J/OANiGah+0exaD2ScPRBd3MQ/+4EqtzOEbpsjjKDKN<...>qe+mOMjkjZ0otbEknx5I7Z1p8w/KxI0fvwT32RBc5U+92j6CxxIDoYwm3KlmCQ==; TS01d056a5=015399e11<...>e65810; TS01ef76cb=015399e11<...>73b336; ADRUM=s=1614544835448&r=https%3A%2F%2Fm.pge.com%2Findex.html%3F35; oo_OODynamicRewrite_weight=0; oo_inv_hit=3; AMCV_DF70BB6B55BA62677F000101%40AdobeOrg=-1303530583%7C<...>Bpb2zX5dvJdYQJzPXImdj0y%7CMCOPTOUT-1614552037s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-18694%7CvVersion%7C3.3.0; OptanonConsent=isIABGlobal=false&datestamp=Sun+Feb+28+2021+12%3A40%3A37+GMT-0800+(Pacific+Standard+Time)&version=6.1.0&consentId=749474e8-c692-470b-be09-77aa32646232&interactionCount=0&landingPath=NotLandingPage&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A1%2CC0004%3A1%2CC0005%3A1&hosts=&legInt=&AwaitingReconsent=false; _dc_gtm_UA-64722139-1=1; _gat_UA-77056718-1=1; s_tp=2617; s_ppv=PG%2526E%252C%2520Pacific%2520Gas%2520and%2520Electric%2520-%2520Gas%2520and%2520power%2520company%2520for%2520California%2C35%2C35%2C914; s_plt=3.13; utag_main=v_id:0177e9d2<...>78001407000ac8$_sn:2$_ss:1$_st:1614546650462$vapi_domain:pge.com$dc_visit:8$_pn:1%3Bexp-session$ses_id:1614544836893%3Bexp-session$dc_event:2%3Bexp-session$dc_region:us-east-1%3Bexp-session
Host: apigprd.cloud.pge.com
Origin: https://www.pge.com
Referer: https://www.pge.com/
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
How can I use the Google Apps Script to login?
PS I have tried the following:
function loginPge() {
var baseUrl = "https://apigprd.cloud.pge.com/myaccount/v1/login";
var now = Date.now();
var url = baseUrl + '?ts=' + now;
var payload =
{
"username" : "xxx",
"password" : "xxx",
};
var headers =
{
"Accept":"*/*",
"Accept-Encoding": "gzip, deflate, br",
"Accept-Language": "en-US,en;q=0.9",
"Access-Control-Request-Headers": "authorization",
"Access-Control-Request-Method": "GET",
"Connection": "keep-alive",
"Origin": "https://www.pge.com",
"Referer": "https://www.pge.com/",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-site",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
};
var options =
{
"headers":headers,
"method" : "get",
"payload" : payload,
"followRedirects" : false
};
var login = UrlFetchApp.fetch(url, options);
return;
}
But I am getting an error message
Exception: Request failed for https://apigprd.cloud.pge.com returned
code 400. Truncated server response: {"user": "unknown",
"errorCode":"33"}
I am a little late, but maybe it helps someone else.
The username and password are sent in 'Authorization' header. I figured out the value for this header by inspecting the login page source where it appears as:
<set-header value="Basic base64($username:$password)" name="Authorization"></set-header>
Below is Python code to login and get user details:
import requests
import base64
username = 'test'
password = 'test'
session = requests.Session()
auth = ':'.join([username, password]).encode('utf8')
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic {}'.format(
base64.b64encode(auth).decode('utf8')
),
'Origin': 'https://www.pge.com',
'Connection': 'keep-alive',
'Referer': 'https://www.pge.com/',
}
resp = session.get(
'https://apigprd.cloud.pge.com/myaccount/v1/login',
headers=headers
)
print(resp.json()) # get the json response
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/json',
'X-RAS-API-USERKEY': 'pgecocmobile',
'cocGUID': 'null',
'Origin': 'https://m.pge.com',
'Connection': 'keep-alive',
'Referer': 'https://m.pge.com/',
}
params = (
('userId', username),
)
resp = session.get(
'https://apigprd.cloud.pge.com/myaccount/v1/cocaccount/secure/account/retrieveMyEnergyAccounts',
params=params, headers=headers
)
print(resp.json()) # get the json response with acc details
I want process a POST request with axios in a vuejs project, but axios never send correct csrf cookie. My vuejs project run in dev mode on port 8080, my server (Spring Boot) on port 9090. I set correct CORS filter for localhost:8080 and 127.0.0.1:8080, OPTIONS is accepted, but I get a 403 error on my POST.
Here my code :
axios.post("http://127.0.0.1:9090/api/security/authenticate",
this.form,
{
withCredentials: true,
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN'
}
).then((response) => {
console.log("Data: " + response.data);
}).catch((error) => {
console.log("post error: " + error);
});
And here the result of my OPTIONS request on chromium :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: OPTIONS
Status Code: 200
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: http://127.0.0.1:8080
Content-Length: 0
Date: Wed, 11 Dec 2019 21:44:07 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
REQUEST HEADERS :
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
And my POST :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: POST
Status Code: 403
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://127.0.0.1:8080
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Wed, 11 Dec 2019 21:44:07 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS :
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 56
Content-Type: application/json;charset=UTF-8
Cookie: XSRF-TOKEN=428229a0-b2b1-4473-ab3a-557e4dbac1b1
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
REQUEST PAYLOAD :
{login: "xxx", password: "xxx", rememberme: false}
login: "xxx"
password: "xxx"
rememberme: false
The CSRF cookie sent (428229a0...) is not correct. Previously in a GET request, I obtained an other CSRF token (70705d00...). Why wrong csrf cookie was sent ?
To be sure that is not the result of dev mode from vuejs, I build my project and deploy it on nginx server, but I got same result. I try also on firefox, get same error.
In package.json, axios is in version "^0.19.0", vuejs "^2.6.10".
What is wrong in my code ? Or is about configuration of my server ?
Thanks for your help!
After hours of digging and testing i got my local frontent (angular2) to speak with a dev backend.
Using withCredentials: true on https request and htaccess:
Header add Access-Control-Allow-Origin "https://127.0.0.1:3000"
Header add Access-Control-Allow-Credentials "true"
Header add Access-Control-Allow-Methods "GET, POST"
It's all fine until i reload the page - and i have to login again.
This is sent with requests, but cookie PHPSESSID is not actually saved on disk:
Cookie:PHPSESSID=jp65lr9tviq6n5q9s1i0fupuq7
If i build the code and upload to the same server where backend is, not using CORS - it all works fine, but i cannot do that when i develop frontend locally.
Response Headers:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST
Access-Control-Allow-Origin:https://127.0.0.1:3000
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:105
Content-Type:text/html
Date:Tue, 04 Apr 2017 14:15:56 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive:timeout=5, max=100
Pragma:no-cache
Server:Apache/2.4.7 (Ubuntu)
Vary:Accept-Encoding
X-Powered-By:PHP/5.5.9-1ubuntu4.20
Request Headers:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-GB,en;q=0.8
Connection:keep-alive
Content-Length:62
Content-Type:application/x-www-form-urlencoded
Cookie:PHPSESSID=cjoe07094u4139i7c0pb4cd3e7
Host:dev.server.com
Origin:https://127.0.0.1:3000
Referer:https://127.0.0.1:3000/login
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
What am i missing here?
UPDATE:
It seems like it does save it - under wrong domain. The cookie is set under the api server domain and localhost cannot find it anymore.
Setting up a proxy in webpack settings:
proxy: {
'/authenticate': {
target: 'https://dev.server.com',
secure: false,
changeOrigin: true
},
'/Api': {
target: 'https://dev.server.com',
secure: false,
changeOrigin: true
}
}
Together with withCredentials: true got around the issue.
I want to make google api calls to send mail via gmail.
To do that, I first make the following request to oauth server:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=SOMECLIENTID&access_type=offline&redirect_uri=http://localhost:63878/Default.aspx&scope=https://www.googleapis.com/auth/gmail.send
Note that in my request, I have included access_type=offline
It redirects me to POST https://accounts.google.com/AccountChooser and I login using my account, give consent, and get redirected back to this page:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jun 2016 06:30:37 GMT
Location: http://localhost:63878/Default.aspx?code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#
Content-Language: en
Content-Encoding: gzip
as seen on fiddler.
Now using this code, I make a second call:
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Connection: keep-alive
Content-Length: 266
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Postman-Token: e9716588-2f62-d761-1c07-41c6dc057f0f
Accept: */*
X-Client-Data: CIm2yQEIorbJAQjEtskBCLKVygEI/ZXKAQjgmMoBCO2cygE=
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#&client_id=SOMECLIENTID&client_secret=SOMESECRET&redirect_uri=http%3A%2F%2Flocalhost%3A63878%2FDefault.aspx&grant_type=authorization_code
The response I get is:
{
"access_token":"ya29.CjLzAuW07My8BHnaMaLWjhKsD2FvzI6SpUHqdqQwkugTW4lMnQl0rXt6cQdm0ir4RObYEg",
"token_type": "Bearer",
"expires_in": 3557
}
Why does this not include the refresh token in the response?