I have a website where I have a sports API available, every user has a limited number of requests and so when they make a request to the site, my node/express backend checks for an api_key to authenticate the request.
I've recently listed the API on rapidAPI, and when a user makes a request from rapidAPI, they're supposed to use their rapidAPI api key that is given to them by rapidAPI. I know that rapidAPI will check if the api_key is valid before sending the request to my API, but how do I know whether or not to check for the api_key when people are making requests from my website URL.
I would expect the express function to do something like this...
router.get('/v1/:sport/odds', async (req, res) => {
// if the request came from rapidAPI and has been authenticated by rapidAPI, continue...
// if the request didn't come from rapidAPI, check for an api_key in req.query and then continue if api_key is valid
})
Related
I am making a web application. Front side is react, server side is rails api and I use firebase authentication.
Now, I get firebase token and set authorization header whenever calling rails api as below.
client.interceptors.request.use(
async (config) => {
config.headers['Content-type'] = 'application/json'
config.withCredentials = true
var token = await firebaseApp.auth().currentUser?.getIdToken()
config.headers['Authorization'] = `Bearer ${token}`
return config
},
(error: AxiosError) => {
throw new Error(error.message)
}
)
But, I found some ways to store token, unsafe local storage, http only cookie.
Why need front end stores firebase token? Is it bad to get the token every time calling rails api?
Firebase ID Tokens are basically JWT, signed by Firebase.
Now imagine a scenario where you need to identify the user in your server. You will probably pass the user's UID in the HTTP Request, which is not safe as that can be easily bruteforced unless you have some sort of rate limiting in your server.
What I meant by signed?
A JWT looks something like: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The data stored in above JWT is:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
You need to verify those Firebase IDTokens using Firebase Admin SDK. I don't know if that works with Ruby but worth checking the link above.
Verifying those will either return an object with user auth info or an error if that is an invalid JWT.
You must always pass this JWT in you REST requests to your server because these cannot be bruteforced. Anyone can make a JWT (IDToken) with same content but they don't know your signature. They will need your Firebase Service Account credentials to do so.
Also, JWTs expire eventually (I assume after an hour). So it's not bad to get token again and again. That's what they are meant for. Short term access.
I recommend you to watch this JWT Tutorial.
Just be sure to pass the idToken to your REST API to authenticate users and not their UID.
I'm writing a Go application which has to authenticate using auth0. This is done similar to how Google do it, by creating a HTTP server and setting the callback url to localhost
https://developers.google.com/identity/protocols/OAuth2InstalledApp
Instead of sending the access_token in the HTTP body, it stored the token in the URL which could be cached by the browser/proxy.
http://127.0.0.1:36572/auth0/authenticate/#access_token=eyJ0...truncated...SVYsfTThUhssJSh2C9FSvSGFusdw&expires_in=7200&token_type=Bearer&state=QuSsUxSZkYtFi7QPJkpxB9VI23lO3x4W
How do I configure auth0 to make the callback request to http://127.0.0.1:36572/auth0/authenticate, and store the sensitive tokens in the HTTP response body?
Thanks
EDIT: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
I am trying to write the exchange and access endpoints and the docs here (https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system#h2_login) are not clear on a couple of things:
how is the call to exchange a grant code for access token made - is it GET with credentials in QS or is it a POST with credentials in a body?
Is the access token delivered only in the JSON for an intent call or is it set properly as a bearer token?
It's a POST with credentials in the request body. Amazon follows the Oauth2 RFC correctly in this case.
The access token is delivered by Amazon only in the JSON for the intent request and not properly set as a bearer. This is annoying.
In my case, I had to hack around it by first validating if the request was a valid alexa request which contained a session with an access token, then setting the HTTP_AUTHORIZATION header to Bearer <token>, then using existing request auth logic to authenticate (I was using Django with django-oauth-toolkit, so YMMV if you're using something else).
That code looks something like this:
# get the access_token from the POST request
if access_token is not None:
request.META["HTTP_AUTHORIZATION"] = "Bearer " + access_token
if not hasattr(request, 'user') or request.user.is_anonymous():
user = authenticate(request=request)
if user:
request.user = request._cached_user = user
if request.user.is_authenticated():
# Do whatever with the logged in user
In order to make request to the instagram api. I require an access token.
Which is documented here.
http://instagram.com/developer/authentication/
These access token can change so i need to lookup via the api to get the "code" and then the access token. Most of the examples i see online prompt the user to instagram which then calls the callback url and off you go and generate the access_token.
How can i via the api ( and not logging into instragram ) get the inital "code"/
I was hoping for something like this.
var accessUrl = string.Format(
"https://instagram.com/oauth/authorize/?client_id={0}&redirect_uri={1}&response_type=code",
instagramClientId, redirectUrl);
WebRequest request = WebRequest.Create(accessUrl);
WebResponse response = request.GetResponse();
To be clear I'm not asking how to get the access_token but how do I get the "code" than generates the access_token without logging into instagram
code is appended as a url querystring in a GET request that Instagram sends to your callback url.
For example, if your callback url is:
http://www.mycallbackurl.com/callback
Instagram (upon receiving your access_token request) will send a GET call to:
http://mycallbackurl.com/callback?code=20938409823kjl2k3j4o998as0df809s80980234809
(it's base64 encoded).
You then need to capture that url parameter on your callback server and echo it out on the page (nothing else, only the value of the code parameter), resulting in something like:
<html>
<body>20938409823kjl2k3j4o998as0df809s80980234809</body>
</html>
This can be done easily with php:
if (isset($_GET['code']))
echo $_GET['code'];
else
//do all the other stuff your page does
Hopefully if you're not using PHP you can discern how to accomplish the same result. This part of their authentication flow is rather poorly documented, but hopefully this helps.
Also: (Not sure if I understand this part of the question or not, but) the only authentication flow they allow is the in-browser login page. If you're trying to build your own custom login and pass credentials, it won't work.
I'm working with OAuth 2.0 for MVC, found here: http://community.codesmithtools.com/CodeSmith_Community/b/tdupont/archive/2011/03/18/oauth-2-0-for-mvc-two-legged-implementation.aspx
For anyone who's worked with this - I'm confused about the RequestToken. There is a controller implemented that lets you get a request token, which expires in 5 minutes, and you pass that token back in to get an AccessToken. But it never checks the request token for validity - it seems like you can pass in any access token you want to. What is the idea for the RequestToken here - are you supposed to create your own method of storing, referencing, and then deleting that token for those 5 minutes?
Thanks,
Andy
This is all about how OAuth works in conjunction with your application Id, application secret key and valid domains for your application. Here is the process in general
Your application sends a request to the OAuth provider using your application Id and secret along with a callback (return Url).
The OAuth provider gets the request, checks your application Id and secret and validates that the callback url is from a domain that you have specified for your application.
2a. If the callback url is not from a domain that you have specified, then the request is rejected with error.
2b If the callback url is from your domain, it returns a temporary request key to your server.
Given that you received a request key, you send that back to the OAuth provider to get the actual access token for the user.
Now, as to why the request key step is in place, this is to prevent and help protect 'bad people' from attempting to use your application id to falsely authenticate other users. By sending the request token to you (a callback URL that you have approved), the OAuth provider has confidence that the request actually came from your servers.
You most certainly could send any string back instead of the request token, but you would quickly get an error back from the OAuth provider as that request token does not correspond to any existing authentication request from any known application.
Lastly, I am not clear on what you mean by 'validating the request token'? You did not generate the token not probably do not have insight into the algorithm to generate the request token. Given that, I am not sure how you would validate this. If you are concerned about validating the first step, take a look at the Facebook OAuth process. In there, they recommend sending a request key as part of your return Url(as a query string parameter). That request key will come back to your application which you could then use as a validation that, indeed, this is a response to a request that you made. How you store and track that request key is up to you (session, database). In the PHP samples, they use a 'state' variable to track a unique/arbitrary string: Facebook OAuth Server Side Login Example (in PHP)