I'm trying to make a POST API call to an address, including existing cookies, however the request still returns a 403 forbidden error due to authentication requirements.
The request url is as follows.
https://www.imdb.com/list/ls093916945/tt0096697/add
I'm using existing cookies stored within my browser (after manually logging in to IMDb) and copied across for simplicity of testing.
The current python code is as follows
import requests
cookieData = {
'session-id':'146....',
'ubid-main':'132.....',
'adblk':'adblk_yes',
'x-main':'i2qE6E#EK.....',
'at-main':'Atza|IwEB.....',
'sess-at-main':'"ksn3tObY6.....',
'id':'BCYkx.....',
'uu':'BCYvWpz6s5.....',
'sid':'BCYss.....',
'session-id-time':'20827....',
'session-token':'5SB4.....',
'csm-hit':'tb:9A.....1'
}
r = requests.post('https://www.imdb.com/list/ls093916945/tt2724064/add', cookies=cookieData)
print(r)
How do I import the cookie authentication data and authenticate my request?
Related
I have spent the entire day looking for an answer to this, and i have not been able.
I am trying to learn Flutter as a front-end framework. in the past i built my webpages with html, css, and vanilla js, but i was able to interpolate dynamic data from the server with php.
I would like to use httpOnly cookies for authenticating user sessions, as i have in the past with php. I'm open to other secure methods, but i am not interested in JWT.
Obviously i cannot access httpOnly cookies from my Flutter App, but i can access them with Golang, which i use for serving the html build, and on my api endpoints.
What i want to do is either, read the httpOnly cookie in golang, and then pass some information into my flutter build to be parsed at runtime, or somehow return an httpOnly cookie from an api endpoint, and persist that to the client that made the call, but i cannot for the life of me figure out how to do either.
I am open to ANY suggestions.
tl;dr on a server with golang backend and flutter front end, how do i read an httpOnly cookie in golang and based on that value, populate values in the flutter front end at runtime, or pass a variable from golang http.HandleFunc that can be read by Flutter at runtime?
you can access a cookie by its name in Go through the request r *http.Request
var myToken string
cookie, err := r.Cookie("myToken")
if err != nil {
myToken = ""
} else {
myToken = cookie.Value
}
you can then do user lookup or anything with that token inside a middleware and pass it to the next handler
ctxWithUser = context.WithValue(r.Context(), "user", authorizedUser)
rWithUser = r.WithContext(ctxWithUser)
next.ServeHTTP(w, rWithUser)
finally in your handler get the request context value
ctxUser := r.Context().Value("user").(user.User)
I am trying to get the media_id for a media upload. See docs here.
When using postman, my request is processed successfully and I get a response like this:
{
"media_id": 1222234872222222401,
"media_id_string": "1222734822222102201",
"expires_after_secs": 86399
}
Unfortunately, using postman for our app is not an option. However, when I post a tweet with just text, the tweet is posted successfully using our own native code. I have also recreated the request from postman, and can successfully recreated the same oauth_signature needed for the media upload authorization. So I know that the backend is working in that I can create valid credentials, but I think I need some help structuring the POST request itself.
Here is the code (Lucee ColdFusion):
mediaEndpoint = "https://upload.twitter.com/1.1/media/upload.json?command=INIT&total_bytes=10240&media_type=image/jpg&oauth_consumer_key=consumerKeyHere&oauth_token=tokenHere&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1653075352&oauth_nonce=UU5V18WLaPN&oauth_version=1.0&oauth_signature=verifiedSignature";
cfhttp(url=mediaEndpoint, method="POST", result="init") {
cfhttpparam(type="header", name="Content-Type", value="application/x-www-form-urlencoded");
cfhttpparam(type="header", name="Accepts", value="*/*");
cfhttpparam(type="header", name="Accept-Encoding", value="gzip, deflate, br");
cfhttpparam(type="header", name="Connection", value="keep-alive");
cfhttpparam(type="body", value="command=INIT&media_type=#mediaParameters.media_type#&total_bytes=#mediaParameters.total_bytes#");
}
But I keep getting the following 401:
{"errors":[{"code":32,"message":"Could not authenticate you."}]}
I believe you're supposed to send your authorization token in the header. You're sending it in the URL as a query string. Twitter's documentation would indicate you need to include an authorization header as such:
cfhttpparam(type="header", name="Authorization", value="Bearer: #YourAccessToken#");
I am creating a dashboard extension, and would like to call Executionhistory - List.
Currently, the extension manifest specifies only the scope vso.serviceendpoint_manage.
I get my authorization token via
const token = await VSS.getAccessToken();
var authHeader = VSS_Auth_Service.authTokenManager.getAuthorizationHeader(token);
I am able to successfully get a list of all service endpoints by using Endpoints - Get Service Endpoints
However, when I try to get the Execution History for a given Service Endpoint, I get a CORS policy error.
Access to {devops rest api} from origin {marketplace url} has been blocked by CORS policy
I know CORS errors can occur if the PAT does not have the correct scopes see here.
Note: When I try this locally with a PAT with all scopes, this call works. So I am fairly certain I am missing an extension scope.
Which scope am I missing?
To get service endpoint execution history, no need to set anything other, just set PAT token scope as Read & manage to Tokens:
You will see it is work to run this Executionhistory - List api.
I have a use-case where I need to spoof a white-listed Redirect URL locally when performing OAuth 2 authentication.
I'm running a very basic web-server coupled with a hosts file entry for the domain I'm spoofing. I'm able to correctly negotiate my tokens and return them to Paw, but Paw isn't picking up my access_token or refresh_token, it simply displays the raw response:
Here's my server code (with placeholders for sensitive data):
var http = require('http'),
request = require('request');
var PORT = 6109;
var server = http.createServer(function(req, res) {
var code = req.url.split('?')[1].split('=')[2];
request({
url: 'https://<access token URL>/oauth2/token?code=' + code,
method: 'POST',
form: {
'client_id': <client_id>,
'client_secret': <client_secret>,
'grant_type': 'authorization_code',
'redirect_uri': <spoofed redirect URL>
}
}, function(err, response, data) {
data = JSON.parse(data);
res.writeHead(200, {'Content-Type': 'application/json'});
res.write(JSON.stringify(data.result));
// I also tried this with the same end-result
// res.writeHead(200);
// res.write('access_token=' + data.result.access_token + '&token_type=' + data.result.token_type + '&refresh_token=' + data.result.refresh_token);
res.end();
});
});
server.listen(PORT, function() {
console.log('Server listening on port %d', PORT);
});
What am I missing? Why isn't Paw finding my tokens?
Here's my configuration for reference:
Some other noteworthy points:
The OAuth provider is non-standard and flubs quite a few things from the spec (my proxy exists in part to patch up the non-standard bits)
The domain for the Redirect URL is real, but the URL does not resolve (this is a part of the reason for the local hosts entry)
I'm not showing this part of the flow, but I am correctly completing the authorization step prior to being given the code value
I think you're probably confused between the Authorization URL and Access Token URL. When you're in Authorization Code grant type for OAuth 2, you're expected to have a user confirmation step in a web page (the Authorization URL).
Which makes me guess that instead, you're expecting instead to use the Password Grant or Client Credentials? Otherwise, if you want to use Authorization URL, you'll need to specify a webpage at the Authorization URL.
Note: I've tried your Node.js script in Paw using the two last grants I mentioned (Password Grant & Client Credentials), and it works nicely.
Update: Following the comments below, I understand more what you are doing. The Authorization Request should (if successful) return a 302 redirect response to the Redirect URL page, and append a code URL query param to it. It seems like you're returning a JSON response with the code instead, so Paw isn't catching it.
According to the OAuth 2.0 spec (RFC 6749), section *4.1.2. Authorization Response*, if granted, the code should be passed as a URL query param (i.e. a ?key=value param in the URL) to the Redirect URL when doing the redirection.
If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by
adding the following parameters to the query component of the
redirection URI using the "application/x-www-form-urlencoded" format
Quoting the example from the spec, here's how the response of the Authorization Request should look like if it's a success (code is granted):
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
I saw that the Redirect URL contains "my Spoofed Uri".
When we need to use authorization code flow, we provide the authorization code and redirect Uri.
When the URI you are providing does not match the URI saved for the client in Identity server, you will not be able to get the token as the URI does not match with the client authorization code.
For example : Consider client identity in the Identity server be:
Auth Code: "xyx"
Redirect Uri: "www.mylocalhost.com\xyz"
And in your example the combination you are providing is:
Auth Code: "xyx"
Redirect Uri: "<my spoofed uri>"
As these 2 wont match there will be no token received.
I believe if you use the correct URI that is registered with the client in the Identity server, you will be able to receive the token.
I'm using the Python Requests library with the Valence-provided Python SDK to attempt to do a GET request. Something odd is happening with the URL and I'm not sure what. The response I get is 200 (which leads me to believe that the authentication is working), but when I try to print the JSON from the Request object, it instead prints the HTML of the page instead of the JSON.
I'm using modified code that I read from http://docs.valence.desire2learn.com/clients/python/auth.html.
Here's the Python code:
import requests
import auth as d2lauth
from auth import *
app_creds = { 'app_id': '----', 'app_key': '----' }
ac = d2lauth.fashion_app_context(app_id=app_creds['app_id'], app_key=app_creds['app_key'])
auth_url = ac.create_url_for_authentication('ugatest2.view.usg.edu', 'http://localhost:8080')
redirect_url = "https://localhost:8080?x_a=3----&x_b=3dMRgCBAHXJDTA2E6DJIfdWq-gYl-pk77fF_3X5oDUuqc"
uc = ac.create_user_context(auth_url, 'ugatest2.view.usg.edu', True)
route = 'ugatest2.view.usg.edu/d2l/api/versions/'
url = uc.create_authenticated_url(route)
r = requests.get(url)
print(r.text)
The output is the HTML of a page instead of JSON. If I do print(r), I get a status of 200. I think my redirect URL may be the issue, but I'm not sure what exactly is wrong. Thanks for any help!
Two things look off to me:
Using auth_url to create a user context isn't going to work, that's the URL you need to send the user to so they can authenticate. You need to use the URL you were redirected to after authenticating to build the user context. Assuming redirect_url is that URL, you should be passing that to create_user_context and not auth_url.
ugatest2.view.usg.edu/d2l/api/versions/ is not a valid value for passing to create_authenticated_route, /d2l/api/versions is probably what you want. The SDK will prepend the scheme, domain, and port so including those in the value passed is going to result in an incorrect URI.
Once your app is working properly, you'll be able to access a JSON response by using r.json() rather than r.text.