I created a Ruby on Rails API with a group of people via Github. For some reason, my authorization fails repeatedly and says the following in my server.
Started GET "/boards" for ::1 at 2020-08-24 21:38:38 -0400
Processing by BoardsController#index as */*
Filter chain halted as :authorized rendered or redirected
Completed 401 Unauthorized in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 150)
Any ideas on what may be happening here? Boards is a controller I created and I am trying to index it. It additionally doesn't work with a post method either.
You're almost certainly either not sending any credentials in your requests from Postman, or the credentials you are sending are incorrect.
You can see information about making Postman send credentials as part of your request in the Postman docs at https://learning.postman.com/docs/sending-requests/authorization/
In order to know what you need to send, you would need to know what authentication mechanism you're using. With an API, this is most likely a JWT and you are most likely using the Devise gem, but something else may have been configured in your app.
In the case of it being JWT, you would need to generate a valid JWT in your application, then configure Postman's authorization to use "Bearer Token", providing the token you generated as the value there
Related
Does shopify have a method of authenticating requests to my postgresql db. I was given code to a shopify embedded app done using ruby on rails (backend) and react.js with Polaris (front end) and I see that the front end makes requests to the backend without any headers or authorization.
Example:
axios.get('/api/main/vendor’)
.then(response=> {
console.log(response)
})
.catch(error=> {
console.log(error)
});
This seems to work and print outs the response from the backend.
However, when I run the server and make the GET request through Postman, passing in this URL:
https://<NGROK_URL>/api/main/vendor
I can see in my terminal that I get status 302 (redirected to login).
Processing by Api::MainController#vendor as JSON
Redirected to https://<NGROK_URL>/login
Completed 302 Found in 19ms (ActiveRecord: 0.0ms)
I’m wondering if there’s some sort of authentication that shopify does when developing an embedded app that I’m unaware of. For example does it implicitly pass in some token? If so, where can i find this. Sorry for this question if it sounds newby, I’m pretty new to shopify dev.
Shopify usually passes a hmac argument that needs to be validated in the backend.
This hmac includes mostly static information like your store name, timestamp, language etc... but the important part is that is salted with the APP password.
You can read more about this here: https://help.shopify.com/en/api/getting-started/authentication/oauth#verification
This means that you can't make requests outside of Shopify.
I am attempting to use the Paw app to test out a REST API build in Rails 4.2.4. I have a create method which expects JSON as input. The request appears to pass the correct information from Paws as structure, but the Rails API is failing with the following error:
422 Unprocessable Entity
Can't verify CSRF token authenticity
When writing the JavaScript front end, the request must have a header appended to the request, of the form:
webix.ajax().headers({'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')}).post("geo_wells.json", parms), function(text){webix.message("posted");});
That all works fine for getting the CSRF satisfied consistently, although it's the parms I am trying to use Paws to help sort out. But I can't get that meta token in Paws. No idea how to actually add that to the header of the request. Tried creating a cookie and all response cookies, but that didn't do it either.
Any ideas? I'd like to purchase the tool, but if it can't do this, it's not of that much use to me. I would prefer not to up and disable the CSRF as is so often suggested. I'm hoping for a robust answer that would still extend to testing of the fully CSRF enabled API.
This Paw.app article had the answer.
First, install the RegExMatch extension.
See: https://paw.cloud/extensions/RegExMatch
With the Ruby on Rails getting started set up, the regex required to get the csrf token was below:
I am trying to call a authentication URL using apache HttpPost, passing all the request parameters like userid, pwd hardcoded for proof of concept purpose. I found it is not working with a response code of 302.
However if I submit the same request from chrome PostMan or Advanced RestClient it is found to be working with 200 response code. I am able to get the correct response of the Post call.
Want to understand If I am doing anything wrong or my understanding about RestClient (POSTMAN/Advanced RestClient) is wrong.
Please suggest
Thanks,
A HTTP 302 response is a request to redirect.
When Postman receives this response, it will automagically redirect to the URL provided in the HTTP 302 response - you'll see this if you install Postman Interceptor.
Apache HTTPClient doesn't do this automatic redirection - so you see the raw HTTP 302 redirect. Use the location in the HTTP 302 response to perform the redirect.
So I have two Rails applications. The old one is using devise (2.2.1) for authentication and the new one has devise (3.2.4). There is a huge amount of users (nearly 10k) in database.
Rails version of the old app is (3.2.11), the new one is (4.0.2).
What I need is to 'copy' every user from the old app to the new one.
And so I did. But now when I'm trying to log in it fails. Here's some logs:
Started POST "/users/sign_in" for 185.16.106.233 at 2014-05-09 06:45:24 +0400
Processing by Devise::SessionsController#create as HTML
Parameters: {"utf8"=>"?^?^?", "authenticity_token"=>"8d8yWlLPNcaITv5WqT5fgooAQCUOY6DIC1HiZPgslXM=", "user"=>{"email"=>"test.for.stats#gmail.com", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
Completed 401 Unauthorized in 16ms
I think there's a problem with password encryption. I tried to copy secret_token and pepper from the old app devise, but it didn't help.
Any ideas how to resolve this without mass password reset?
Thanks.
We have a new web app constructed by another developer. My job was to implement a backend API for other programs to use to exchange XML data with the database. It was going pretty well, until the main app implemented devise to authenticate users. I figured I'd be able to tweak the curl command to log in then submit/request data, but it isn't going very well. I'm trying things like
curl --cookie-jar ~/Desktop/cjar --data "user[login]=<username>" --data "user[password]=<pwd>" --data "commit=Sign in" localhost:3000/users/sign_in
followed by
curl --cookie ~/Desktop/cjar --data "<root_node></root_node>" localhost:3000/my_update_method
my latest error message is
WARNING: Can't verify CSRF token authenticity
Completed 401 Unauthorized in 1ms
I guess that's better than the redirection messages I was getting, but I'm still not close to knowing what's going on.
I've found a few related posts that make me think this is partly related to devise, and partly related to automatic authentication done by Rails. When I look at the info being passed by the web page, I see authenticity_token and utf8 params that I don't know how to construct for my curl command.
I can keep trying stuff, but I'm new to both curl and authentication, so I'm sort of shooting in the dark, and hoping that someone can save me some time. I guess my questions are:
Can this be done?
Should this be done? If not, what other options do I have?
One post suggested a way around the authentication, but is is possible for only the curl commands to require a login/pwd, but bypass any other validation, without affecting the main web app?
UPDATE 1:
Thanks for all the help, I appreciate it. The response to the first curl command (listed above) is now just a redirection to the login page, so logging in doesn't seem to take. Does anyone have any suggestions about where to start debugging that? Nothing is ever getting into the application, so there's no logging there to look at. Here's the content of the cookie, if it means anything to anyone:
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_localhost FALSE / FALSE 0 _glow_session BAh7B0kiCmZsYXNoBjoGRUZvOiVBY3Rpb25EaXNwxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewY6C25vdGljZUkiHFNpZ25lZCBpbiBzdWNjZXNzZnVsbHkuBjsAVDoJQG5vdzBJIg9zZXNzaW9uX2lkBjsARkkiJTIwODc1Y2VjM2ViNzlmZDE3ZjA4ZjVmMDAxNWMxMDU4BjsAVA%3D%3D--d90722b6da386630b33f57902447b440f30d0b2a
I've added skip_before_filter :verify_authenticity_token to the controller that handles the api requests, and that eliminated the error I was seeing before.
UPDATE 2:
After some troubleshooting and debugging, I think I may actually be getting logged in okay, but when I execute the second curl, the development.log file shows
Started POST "/upsert_experiment" for 127.0.0.1 at 2013-10-16 12:14:12 -0500
Processing by WebServiceController#upsert_experiment as */*
Parameters: {"experiment_xml"=>"<experiment></experiment>"}
Completed 401 Unauthorized in 1ms
which leads me to think that the authorization is still the problem.
UPDATE 3:
I think the problem is just that skip_before_filter :verify_authenticity_token isn't working.
I have
class ApplicationController < ActionController::Base
rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
render :text => exception, :status => 500
end
protect_from_forgery
before_filter :authenticate_user!
end
and
class WebServiceController < ApplicationController
skip_before_filter :verify_authenticity_token
...
end
With this setup, I get "Completed 401 Unauthorized in 1ms". If I comment out the protect_from_forgery line in the superclass, it just works, so the forgery protection is definitely the problem. I just don't know how to solve it.
Rails CSRF protection is preventing you from making this request.
From rails documentation
CSRF protection automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won't need the secret, if you use CookieStorage as session storage. If the security token doesn't match what was expected, the session will be reset. Note: In Rails versions prior to 3.0.4, this raised an ActionController::InvalidAuthenticityToken error.
If you want to skip it, add this line to your controller
skip_before_action :verify_authenticity_token, :only => ["your_update_action"]
CSRF stands for Cross Site Request Forgery and is a security protection you can read more about here. Essentially rails generates a random token included in the form rendered on the page and it expects to get that token back on form submit. You don't need this protection for an api, but it is important for the web app side. See this question for methods to disable the CSRF token.
One approach you might take is to use the token_authenticable Devise module and authenticate your requests with auth_token=#{token}, then skip CSRF protection if an auth token is present.
You're missing a CSRF token. This is to prevent cross site request forgery.