Sending delete over Curl to a Rails backend with CSRF - ruby-on-rails

I have a Rails 5.2.x app and I want to delete an item using curl but how do I get and pass the CSRF correctly?
I've put the CSRF into the header when getting the listing
def index
#asset_items = AssetItem.all
response.headers["CSRF"]=form_authenticity_token
end
Get listing header
$ curl -I http://localhost:9000/asset_items.json
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
CSRF: tp6PqomUZtuUSvWAcWfmQcEoIboWphJucSBXo5fYmvspyzYHTK0HTa02slqNmtaxKoTtzOxGVkKqOMxqU7RE0Q==
Content-Type: application/json; charset=utf-8
ETag: W/"fb7920f0ce6940c518d3e35d2fa342a8"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: XSRF-TOKEN=6Eg0FcruMqGNWZDhXtlxT9%2FnFmCwC675smJnCj3pn4J3HY24D9dTN7Ql1zuiJEG%2FNEvaFkrr6tVpevzD%2BYVBqA%3D%3D; path=/
Set-Cookie: _personal_property_rails_prototype_session=UApETeV6aMxb8XyoxOaM4Z3vnAHkM37bfMWTalFxkU4PDSEhL19mFzZAdEIotkBks8IE7aCsHhJsJRTJjQPHlyKyhFFtm%2Bi%2BOuLr8s0Sp%2B3fJHPWh3OCXovKxLjw8AOxQ%2FPjrAvWSlSWgITybq4%3D--jQVJGziJDd2FKGr%2B--FLu9WqvAWsCKzEr%2BfDXrsg%3D%3D; path=/; HttpOnly
X-Request-Id: db737c7e-7ae1-4698-bada-6585edaf4933
X-Runtime: 0.016735
Vary: Origin
Record the CSRF
| CSRF | tp6PqomUZtuUSvWAcWfmQcEoIboWphJucSBXo5fYmvspyzYHTK0HTa02slqNmtaxKoTtzOxGVkKqOMxqU7RE0Q== |
Delete id 99 (fails)
curl -X "DELETE" http://localhost:9000/asset_items/99
Delete id 99 but pass the CSRF from the listing header (fails)
curl -X "DELETE" http://localhost:9000/asset_items/99?authenticity_token="tp6PqomUZtuUSvWAcWfmQcEoIboWphJucSBXo5fYmvspyzYHTK0HTa02slqNmtaxKoTtzOxGVkKqOMxqU7RE0Q=="
Where %2B equals +
Tried with sending the token as data (fails)
curl -X "DELETE" http://localhost:9000/asset_items/99 --data "authenticity_token=kRZw5QYfH4BzhsYpuXkO1v/W6luRJXIO87DwDa0jKjHGy0Pnrf6Z1UaVrLo/oJTSTd%2Bf6XFPww8p3opQ0jQ0tA=="
On the Rails side I get the error
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
When posting a delete am I supposed to use the CSRF from the listing which in this case is the last request I made?

I think you need to send that as part of the headers, with curl use the -H option.
I used that for example to create users with the api of gitlab to send the authenticity token.

Related

Cannot make get request after acquiring Bearer token - 401 error "insufficient scope"

I have the following requests to get a bearer token from the Docker Hub API and then use that token for a GET request to the given endpoint:
#!/usr/bin/env bash
raw_token="$(curl https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/ubuntu:list)";
token="$(node -pe "JSON.parse('$raw_token').token")"
curl -i -H "Authorization: Bearer $token" https://registry-1.docker.io/v2/library/ubuntu/tags/list
If I run that, I get this error:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/ubuntu:pull",error="insufficient_scope"
Date: Wed, 20 Jun 2018 08:02:24 GMT
Content-Length: 157
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/ubuntu","Action":"pull"}]}]}
Does anyone know how I can make the right request, and get the right token?
When you get token, you specify scope=repository:library/ubuntu:list. When you use token, it says you need scope="repository:library/ubuntu:pull".

ODK collect can't GET forms from a rails API

I have a custom rails application to store and aggregate forms from ODK Collect. I can submit a form but when I try getting a form from the server I get no forms yet there are forms.
When I test my API endpoint from curl everything is okay since I am rendering an xml with an array of forms and content-type: text/xml. Here is the output of
curl --head -X GET localhost:3000/formList
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/xml; charset=utf-8
Etag: W/"950d3122ec123f00905885e0e57d8f1a"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: d2b51a32-2a72-4735-b60a-efd7e0419b93
X-Runtime: 0.012544
Server: WEBrick/1.3.1 (Ruby/2.2.1/2015-02-26)
Date: Tue, 01 Sep 2015 16:57:34 GMT
Content-Length: 380
Connection: Keep-Alive
curl -X GET localhost:3000/formList --- returns:
<?xml version="1.0" encoding="UTF-8"?>
<survey-xmls type="array">
<survey-xml>
<id type="integer">2</id>
<survey-xml>
<url>/uploads/survey_xml/survey_xml/2/CMS_1_.xml</url>
</survey-xml>
<created-at type="dateTime">2015-09-01T16:35:48+03:00</created-at>
<updated-at type="dateTime">2015-09-01T16:35:48+03:00</updated-at>
</survey-xml>
</survey-xmls>
Here is the server output when I run GET FORMS from ODK Collect.
Started GET "/formList" for ::1 at 2015-09-01 19:57:45 +0300
Processing by SurveyXmlsController#getforms as */*
SurveyXml Load (0.4ms) SELECT "survey_xmls".* FROM "survey_xmls"
Completed 200 OK in 3ms (Views: 2.3ms | ActiveRecord: 0.4ms)
Not sure if you ever figured it out but I recently had problems with getting a custom form list to pull into ODK Collect. The one piece of information I was missing was including the OpenRosa version in the response headers.
X-OpenRosa-Version: 1
Without this ODK Collect wouldn't pull in the list but it also wouldn't get an error, which made it difficult for me. This may be obvious solution to people familiar with OpenRosa but for me I was just starting to learn all this.

HTTP/1.1 401 Unauthorized Error on curl request - heroku

i'm trying to send a request via curl to my heroku based api but i keep getting this error:
* Hostname was NOT found in DNS cache
* Trying 23.21.169.234...
* Connected to helphy-api.herokuapp.com (23.21.169.234) port 80 (#0)
> POST /users/sign_in HTTP/1.1
> User-Agent: curl/7.35.0
> Host: helphy-api.herokuapp.com
> Accept: */*
> Authorization: Bearer d5bd07e4-a1c9-46d2-8d8e-d2a7cbc8501f, Accept: application/json
> Content-Length: 68
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 68 out of 68 bytes
< HTTP/1.1 401 Unauthorized
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Type: */*; charset=utf-8
< Cache-Control: no-cache
< X-Request-Id: 5b615fce-0674-4302-a9b9-f12cb00db754
< X-Runtime: 0.005328
* Server WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) is not blacklisted
< Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13)
< Date: Fri, 16 Jan 2015 21:10:12 GMT
< Content-Length: 49
< Via: 1.1 vegur
This is my curl request:
curl -v -H "Authorization: Bearer $TUTORIAL_KEY, Accept: application/json" -X POST http://helphy-api.herokuapp.com/users/sign_in -d '{"user": {"email": "xxxxxxx#gmail.com", "password": "xxxxxxx"}}'
UPDATE
this is the log:
2015-01-16T21:43:04.342815+00:00 app[web.1]: Processing by SessionsController#create as */*
2015-01-16T21:43:04.342822+00:00 app[web.1]: Parameters: {"{\"user\": {\"email\": \"xxxxxx#gmail.com\", \"password\": \"xxxxxxx\"}}"=>nil}
2015-01-16T21:43:04.347678+00:00 app[web.1]: Completed 401 Unauthorized in 5ms
updating...done. Updated to 3.23.2
Email and password are correct and chequed, btw.
Your -d parameter should be x-www-form-urlencoded like a query string:
user[email]=email&user[password]=password
If you want to continue using JSON the way you are you have to add the Content-type header to your -H:
Content-type: application/json
This let's the server know to interpret your POST data as JSON rather than a x-www-form-urlencoded string. This is why in the server log the Parameters are coming out like:
Parameters: {"{\"user\": {\"email\": \"xxxxxx#gmail.com\", \"password\": \"xxxxxxx\"}}"=>nil}
That's just a string, not JSON because the server doesn't know you're sending it JSON because you didn't include the Content-type header and by default servers assume POST data is a x-www-form-urlencoded string.

D2L Dropbox - Posting issue

I'm getting an error trying to post a file to the dropbox in D2L. I'm using HttpRequest in PHP. The Org ID and Folder ID are both valid - I am retrieving the folder ID from the API (using the OrgID).
Here is the HttpRequest output:
POST /d2l/api/le/1.1/61381/dropbox/folders/677320/submissions/mysubmissions/?x_a=d0RNh1RjRGSMJu-dyj_wmw&x_b=_098IyP4bzkow_G-7Ke4Dv&x_c=3_L5VOX5RarK7mztTyX67sL_TyceBOK5r18GnRu9VbE&x_d=jVPR_DXuVf1JIl-YLe3Ad_OM2Ph8xG8UiMYriJVRc2w&x_t=1350769323 HTTP/1.1
User-Agent: PECL::HTTP/1.6.1-dev (PHP/5.2.6)
Host: <hostname>
Accept: */*
Content-Type: multipart/mixed; boundary=65ace1fa6e1f
Content-Length: 251
--65ace1fa6e1f
Content-type: application/json
{"Text":"test","HTML":null}
--65ace1fa6e1f
Content-Disposition: form-data; name=""; filename="file.txt"
Content-Type: application/octet-stream
eyAiVGVztCI6IlRsaXMgfXMgdGVzdYBkYXRhLiIgfQ==
--65ace1fa6e1f--
And the response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 131
Content-Type: text/html; charset=utf-8
Location: /d2l/error/404
Server: Microsoft-IIS/6.0
X-XSS-Protection: 0
X-Powered-By: ASP.NET
Date: Sat, 20 Oct 2012 21:42:26 GMT
It appears to be a 404 (No such dropbox folder, or no such org unit), but I know both values to be valid.
I've logged into D2L and the OrgID and DropboxID are both correct in the URL when I'm editing the dropbox settings. The user in question has permission to access the dropbox, and can do so in D2L.
Any help would be appreciated!

OAuth works with Authorization data in the header but not in the URL

I'm trying to use Google's OAuth in my system. I've successfully integrated Twitter and LinkedIn but i'm having hard times with Google.
I already have the consumer key, consumer secret and a valid access token. Using the G's OAuth playground I make a call to a protected resource (https://mail.google.com/mail/feed/atom). I've generated the token using this scope.
Using the authorization data in the HTTP header:
GET /mail/feed/atom HTTP/1.1
Host: mail.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="nounce", oauth_timestamp="1314727855", oauth_consumer_key="myconsumerkey", oauth_token="myvalidtoken", oauth_signature_method="HMAC-SHA1", oauth_signature="signature"
Content-Type: application/atom+xml
GData-Version: 2.0
The response I get from this is a valid HTTP call:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=UTF-8
Set-Cookie: S=gmail=yp_A23KtGOD9:gmproxy=PxCjSERnJWBbe; Path=/mail; Secure
Date: Tue, 30 Aug 2011 18:10:55 GMT
Expires: Tue, 30 Aug 2011 18:10:55 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 353
Server: GSE
<XML response here>
But, (and here comes the error), using the same access token but sending it in the URL as param (https://mail.google.com/mail/feed/atom?oauth_token=myvalidtoken):
GET /mail/feed/atom?oauth_version=1.0&oauth_nonce=nonce&oauth_timestamp=1314729533&oauth_consumer_key=myconsumerkey&access_token=myvalidtoken&oauth_token=oauthtoken&oauth_signature_method=HMAC-SHA1&oauth_signature=signature HTTP/1.1
Host: mail.google.com
Accept: */*
Content-Type: application/atom+xml
GData-Version: 2.0
I get an 401 error:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
WWW-Authenticate: BASIC realm="New mail feed"
Content-Length: 147
Date: Tue, 30 Aug 2011 18:38:53 GMT
Expires: Tue, 30 Aug 2011 18:38:53 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
<HTML about my 401>
EDIT
I saw this example and I tried to use anonymous as consumer key and consumer secret. Now it works... but I need to show to the user the project's name declared in the Google's app registration page. I think i'm not using the correct consumer key and consumer secret.
Any clues on this will be appreciated. :)
Thanks in advance
https://www.rfc-editor.org/rfc/rfc5849#section-3.5.3
In OAuth 1.0, the parameter name is oauth_token not access_token...

Resources