Show requests made by ServiceWorker in Firefox DevTools? - service-worker

If a ServiceWorker intercepts a web request and manipulates it (e.g. change the status code), in Chrome DevTools both requests are shown - The service worker request with the original status code, and the modified request returned to the code with the changed status code.
In Firefox DevTools only the modified request is shown, so I can't see what the request looked like before the ServiceWorker modified it. How can I achieve the same behaviour as in Chrome and view the request before it was modified in Firefox DevTools?
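As an added example (not code from the question), here is a service worker fetch handler of the kind the question describes: it passes the real request to the network, then hands the page a copy of the response with a different status code. Logging the upstream status before rewriting it makes the "before" response visible in the browser console whatever the Network panel chooses to show. The `/api/` path filter, the 503 status and the `X-Original-Status` header are placeholders chosen for the example.

```javascript
// Added example, not code from the question: a service worker that rewrites
// the status code of responses it intercepts, logging the upstream status
// first so the "before" response is visible in the console regardless of
// how the browser's Network panel presents it.  The '/api/' path filter, the
// 503 status and the X-Original-Status header are placeholders.

// Pure helper so the rewrite can be exercised outside a worker (Node 18+ has
// global Response/Headers).  Body and status text pass through unchanged; the
// original status is recorded in a response header for later inspection.
function rewriteStatus(upstream, newStatus) {
  const headers = new Headers(upstream.headers);
  headers.set('X-Original-Status', String(upstream.status));
  return new Response(upstream.body, {
    status: newStatus,
    statusText: upstream.statusText,
    headers,
  });
}

// Worker side: registered only when this file actually runs as a service worker
// (e.g. after navigator.serviceWorker.register('/sw.js') from the page).
if (typeof ServiceWorkerGlobalScope !== 'undefined'
    && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    const url = new URL(event.request.url);
    if (!url.pathname.startsWith('/api/')) return; // other requests pass untouched
    event.respondWith(
      fetch(event.request).then((upstream) => {
        // This is the "first request" Chrome shows: the real network status.
        console.log('[sw] upstream', upstream.status, url.pathname);
        // What the page receives is the "second request" with the changed status.
        return rewriteStatus(upstream, 503);
      })
    );
  });
}
```

The page code can read `X-Original-Status` from the response it receives, so the pre-modification status survives even where the tooling only displays the rewritten response.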

Related

ngrok tunnel not returning the control to the caller

I am not sure the title of the posting truly describes my issue, but here is what's happening, in more detail. I have an ASP.Net MVC application that redirects to a page hosted in an external system. This externally hosted page is used to enter the details of a credit card in order to process a payment. Once the payment is processed, the hosted payment page sends an HTTP POST to a webhook URL which was provided by me when the transfer to the HPP was made. I have a Web API controller in my ASP.Net MVC application and this will be used to receive the webhook call. Now, to test it while I am running everything locally, I had to use ngrok to create a private tunnel between the HPP and my local Web API endpoint.
I have a breakpoint in my Web API controller and I am getting the data sent by the HPP, data that contains details about the approved payment. The controller responds with an HTTP 200, which I can see in the ngrok console:
For some reason, this HTTP 200 is not propagated back to the HPP, which should display a back button to yield control back to my web application where we all started in the first place. Instead, the browser is directed to a URL which is the exact URL of the webhook, the one that was provided when the transfer to the HPP was made:
Any idea why this is happening? Is ngrok not returning the HTTP 200 back to the caller, which is the hosted payment page?
Any suggestions would be greatly appreciated.
TIA,
Eddie
Turns out that this is not an issue with ngrok. The remote Hosted Payment Page (HPP) is not sending an HTTP POST to a RESTful endpoint, as I erroneously assumed. Instead it is returning to a specified URL and sends the response as hidden fields.
So if anyone is ever facing the same situation, please make sure you understand exactly the behaviour of the remote server. It could send the response as an HTTP POST to a specified URL, or it could yield control back to your application by means of navigation, where the response is sent as hidden fields (an HTTP POST with content of type "application/x-www-form-urlencoded").

request headers(CSRF) missing in wkwebview

We are trying to open our app URL in WKWebView, which used to work fine in UIWebView.
Our app is based on Angular 2 and Node.js and validates a CSRF header. This flow works with UIWebView, but the same is not working in WKWebView, as x-xsrf-token is missing from the request headers.
Not sure what might be going wrong here.
Below is the difference in request headers:

Desktop application with custom uri schema, "Missing scheme" on token request

I'm writing a desktop application in Delphi and trying to sync it with Google Calendar (Windows only, Win 7 and newer). I've registered a custom URI scheme in my system registry, so eu.myapp:test will run my program or pass a message to an already running instance of the program.
I've managed to get the first step of authentication going: I open the default browser, asking the user for permission to modify their calendars, and I get the authorization code back into my software without a hitch. The OAuth client is registered as an iOS app.
However when I try to request an actual token, the request is denied (400 - Bad request) with the following response body:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: eu.myapp",
"error_uri": ""
}
My request body looks like this:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=XXX&
client_id=YYY&
redirect_uri=eu.myapp&
grant_type=authorization_code
According to the documentation, I am supposed to include the redirect URI obtained from the API Console, but I found no such URI there. Found some older answers, but the developer console has apparently been changed since they were given so they are no longer relevant. What am I missing?
Edit: Added some more information
I built a simple Node.js server and put it up with an SSL certificate and nginx, so I could see what actually gets sent across. I then used both my app and the example C# app to send the token request to it and monitored the request body.
The only discernible difference was that Delphi URL-encoded the code automatically (4%2Fhky... instead of 4/hky..., for example). Other than that they seemed identical.
I also tried rewriting the app to listen to a localhost port but ended up with the same results. There is a delphi demo where they demonstrate the use of google api by using an embedded browser for the user to log in (and it works), but according to the api documentation, it's deprecated and will go away soon. Besides, it seems like I can manage the first redirect just fine, but getting the actual tokens fails.
Found my error. I noticed that the parameters were getting encoded automatically by the delphi component responsible for making the requests. I manually encoded the redirect uri before setting it as a parameter on the token request. Then the component encoded it again, which caused it to be different to the url given on the code request, which caused the uri_mismatch error.
The uris also need to be identical on both requests, as even though the second request does not redirect, it still uses the redirect_uri as a validation parameter.
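The double-encoding described in the answer, as an added example in JavaScript (not the poster's Delphi code): `URLSearchParams` encodes each value exactly once, like the component in the question. Handing it a value that was already percent-encoded turns the `%` into `%25`, so after the server decodes the body once it holds a different string from the one sent on the authorization request. The `eu.myapp:test`, `4/hky` and `YYY` values are placeholders; nothing is sent over the network.

```javascript
// Added example (not from the original post): how pre-encoding redirect_uri
// by hand and then passing it to a component that encodes parameters again
// makes the token request's redirect_uri differ from the authorization
// request's.  All values are placeholders; no network call is made.

// Build the application/x-www-form-urlencoded body for the token request.
// URLSearchParams percent-encodes every value exactly once, which is what the
// Delphi component in the question did automatically.
function buildTokenBody(code, clientId, redirectUri) {
  return new URLSearchParams({
    code,
    client_id: clientId,
    redirect_uri: redirectUri,
    grant_type: 'authorization_code',
  }).toString();
}

// What the authorization server sees after decoding the body once.
function decodedRedirectUri(body) {
  return new URLSearchParams(body).get('redirect_uri');
}

// The server compares the redirect_uri it stored from the authorization
// request with the one decoded from the token request; they must match
// byte for byte or the exchange is rejected.
function redirectUriMatches(registered, body) {
  return decodedRedirectUri(body) === registered;
}

const REGISTERED = 'eu.myapp:test';   // placeholder custom-scheme redirect URI

// Correct: pass the raw value and let the builder encode it once.
const okBody = buildTokenBody('4/hky', 'YYY', REGISTERED);
// Wrong: encode by hand first; the builder then encodes '%' as '%25'.
const doubleBody = buildTokenBody('4/hky', 'YYY', encodeURIComponent(REGISTERED));
```

`okBody` carries `code=4%2Fhky&...&redirect_uri=eu.myapp%3Atest`, which decodes back to the registered value; `doubleBody` carries `redirect_uri=eu.myapp%253Atest`, which decodes to `eu.myapp%3Atest` and fails the comparison. The same check applies to the `code` parameter: encode it once, never by hand and again by the component.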

Add headers to a link in angular

I have an Angular app that I need to redirect outside to a server-side HTML page, so I thought I could just use a standard <a> tag with target='_self' to redirect the Angular app to my server-side page. This actually works fine; however, I have a Rails backend that checks for an auth token before serving up any content.
This requires an auth token to be sent in the header of the HTTP request, which I am setting in a cookie and which Angular grabs automatically with the $http service for AJAX requests, but I can't seem to get the same thing to happen on a standard link.
Can/how do you add an auth token to a normal link before it is sent off?
When the browser is making the HTTP request and not your JavaScript code, you cannot add a custom header with your token value. See Adding http headers to window.location.href in Angular app for a similar question.
However, if this value is already being sourced from a cookie, can your backend just read that cookie value (or use some filter in the http request chain to transfer the cookie to a header)?
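The fallback the answer suggests, as an added Node.js example (not the Rails app's or the answer's code): a request filter that takes the token from the Authorization header when JavaScript set it, and otherwise from the cookie the browser attaches to a plain link navigation. The cookie name `auth_token`, the Bearer scheme and the `{ method, headers }` request shape are assumptions. The check a practitioner should keep: the browser attaches cookies to cross-site requests as well, so a cookie-sourced token must not authorise state-changing methods without a separate CSRF check, whereas a bearer token in a custom header is only ever set by the app's own script.

```javascript
// Added example (not the answer's or the Rails backend's code): accept the auth
// token from the Authorization header (AJAX path) or, failing that, from a
// cookie (plain-link navigation path).  Cookie name, header scheme and the
// request shape { method, headers } with lowercase header names are assumptions.

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Returns { token, source } or null.
// The cookie path is restricted to safe methods: the browser sends cookies on
// cross-site navigations too, so a cookie-only token on POST/PUT/DELETE would
// be usable by a CSRF attacker.  A Bearer header is set only by the app's own
// script, so it needs no such restriction.
function extractToken(req) {
  const auth = req.headers['authorization'];
  if (auth && auth.startsWith('Bearer ')) {
    const token = auth.slice('Bearer '.length).trim();
    if (token) return { token, source: 'header' };
  }
  const fromCookie = parseCookies(req.headers['cookie'])['auth_token'];
  if (!fromCookie) return null;
  if (req.method === 'GET' || req.method === 'HEAD') {
    return { token: fromCookie, source: 'cookie' };
  }
  return null; // cookie-only credential on a state-changing method: refuse
}
```

Set the cookie with `SameSite=Lax` (or `Strict`) and `Secure`; Angular's `$http` needs to read it to copy it into a header, so it cannot be `HttpOnly`, which is one more reason to keep the cookie path limited to navigations.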

Does the Box API OAUTH protocol work from behind a firewall?

I am investigating the possibility of integrating Box API calls from an internal application that sits behind our firewall (it is not exposed to the outside world).
So the question is, if we fire off an authentication request to Box with a callback URI, does Box post back directly to the specified callback URI (so essentially it's initiating a new request from Box to the client), or does it send a request back to the client who made the request (standard HTTP request/response) and expect the client to redirect to the callback URI with the tokens?
This might sound an odd question, but during my investigation it appears this is how the Twitter OAUTH protocol works, and if so would help us a lot as we don't want to open up the firewall to the outside world.
See here for info: https://dev.twitter.com/discussions/5801
EDIT: Just found this which seems to suggest that the client will always initiate the request, never the server: https://stackoverflow.com/a/6116736/811108
Many thanks in advance.
A typical user journey for OAuth on Box would look like this:
User's browser requests www.someboxapp.com and the user clicks a login button
User's browser requests the Box authentication URL which begins with https://www.box.com/api/oauth2/authorize
User authenticates on the Box authorize webpage and then the Box site sends a 302 redirect header back to the user's browser. This header tells the user's browser to request the redirect_uri configured by www.someboxapp.com
User's browser requests the redirect URL on www.someboxapp.com - e.g. http://www.someboxapp.com/oauth/redirect_uri
The Box Application running on www.someboxapp.com makes a POST request to https://www.box.com/api/oauth2/token to complete the authentication and get an access token for using the Box API on behalf of the user.
What this means is that if you are running a Box web app on your internal network - you need to make sure that the webserver running the application and the users' machines can connect to https://www.box.com/api/oauth2/
If www.someboxapp.com only exists on your local network - that is fine - the Box API does not need to connect to this host.
