Confused connecting to API in Postman - ruby-on-rails

I am doing a Backend rails thinkster tutorial that involves creating a clone of medium. I am at a step that requires testing the routes in Postman. Thinkster provides an API that has built in requests and pre-made connections.
But the tutorial goes from step "download Postman" to step "send request." There's no explanation about how to initially start using Postman.
So the first test is to test if you can create a new user with a Register request. I am guessing this is in the Auth folder of the API as there is a Post request called "Register".
I am not seeing an area though that suggests I can make a user. All of the items in my collection are have a request Url that starts with {{apiUrl}}. Example: login's POST request is {{apiUrl}}/login. And if I hover over {{apiUrl}}, it says "unresolved variable: variable is not defined in current environment."
Could anyone help me get going with these tests? Below is a gif of my Postman setup as well as the list of tests the tutorial wants run. I am sure I am not providing something that I may need to in order to get help on this. Please let me know if you are not being presented with all info needed! Thanks.
Test out Postman authentication functionality using Postman
You should be able to:
Create an account using the Register request in Postman
Test the Login endpoint using Postman
Try registering another user with the same email or username, you
should get an error back from the backend
Test the Current User endpoint using Postman
Try logging in to the user you created with an invalid password, you
should get an error back from the backend
Try updating the email, username, bio, or image for the user

My friend I will try to answer at least the question about {{apiUrl}}
This are variables that can be global or environment, obviously global apply to all projects and environment, you will need to select the environment in which they apply.
Now to make it work, do the following.
Copy the url to your API server.
Replace it with the magic variable between {{}}
Go to the gear where you manage this global or environment variables «lest make a local one»
Click on add
first name your environment however you like, the go to the grid and make a variable placing the name inside the key and your servir url on the value side. Then save.
Don't forget to select the environment where you are working.
Thats it now your {{variable}} should work. Now you can use this variables all over postman, they are very helpful. If you are using a JWT token, you will be able to assign it to a variable and the use it on your postman api.

Related

Cannot repeat steps on how to get OAuth2.0 Access Token on Postman

On Postman, I can get new access token for OAuth2.0 by providing callback URL, auth URL and client ID.
I want to break this task down on JMeter because I cannot find this function there. From my understanding, it is divided into authenticate -> authorise -> call back.
Authenticate
URL = https://xxxxx/login
Result = Authorising URL
Authorise
URL = https://xxxxx/oauth/authorize?client_id=mmm&redirect_uri=https://yyyyy/auth/callback&response_type=code
Result = code (e.g. zzz)
Call back
URL = https://yyyyy/auth/callback?code=zzz
Result = token
As I used HTTP(S) Test Script Recorder on JMeter, I got the three actions mentioned above. When I reran them, it told me this error on Authenticate part: <oauth><error_description>Full authentication is required to access this resource</error_description><error>unauthorized</error></oauth>.
To make sure that it was not about the program I use, I did it on Postman and found this error as well.
I wonder how I can break OAuth2.0 Get New Access Token feature into basic API settings in order to get access token on Postman or JMeter.
Dont' compare these tools:
Postman is an Electron application, it's basically a heavily customised Chromium web browser + NodeJS
According to JMeter main page
JMeter is not a browser, it works at protocol level. As far as web-services and remote services are concerned, JMeter looks like a browser (or rather, multiple browsers); however JMeter does not perform all the actions supported by browsers. In particular, JMeter does not execute the Javascript found in HTML pages. Nor does it render the HTML pages as a browser does (it's possible to view the response as HTML etc., but the timings are not included in any samples, and only one sample in one thread is ever displayed at a time).
If you can obtain the token using Postman you can just add HTTP Header Manager to your JMeter Test plan and configure it to send Authorization header with the value of Bearer YOUR_TOKEN_FROM_POSTMAN and JMeter should let you in.
After testing, I found that Postman's OAuth 2.0 Get New Access Token popped up a login page of targeted URL where I needed to fill in the username and the password so that the token could be obtained.
As I tried breaking down APIs required for this login, it required GET of that https://yyyyy and POST of that https://xxxxx/login. Click Send for POST, with username and password contained in form-data, then click Send for GET. The GET response would contain such the token.
However, just putting the aforementioned GET and POST APIs into one thread group did not work on JMeter. As I used HTTP(S) Test Script Recorder to no avail, I went with BlazeMeter and realised that it was using Transaction Controller containing 1) GET of https://yyyyy 2) POST of https://xxxxx/login. With these two arranged top-down, the job would be successful. The token was contained in the response of 2).
For now, this has been my discovery which answers my question.
Try BlazeMeter.

Using default ASP.Net MVC setup, how do I Sign in using a Microsoft Account?

Why do I continuously receive "The provided value for the input parameter 'redirect_uri' is not valid."?
My site is hosted in Azure. I'm trying to Login via the Microsoft sign-in button. I haven't really made many changes from the default ASP.Net MVC out-of-the-box template. All I've really changed was to uncomment the app.UseMicrosoftAccountAuthentication line and add the clientId and clientSecret.
Do I have the Redirect URL set up incorrectly?
Site: http://mysite.azurewebsites.net
Redirect URL: http://mysite.azurewebsites.net/
I read somewhere that you need to specify a Redirect URL in the form of http://www.mysite.azurewebsites.net. Can anyone confirm or deny that? I do not need the www in my current set up.
The error I consistently receive is:
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The provided value for the input parameter 'redirect_uri' is not valid. The expected value is 'https://login.live.com/oauth20_desktop.srf' or a URL which matches the redirect URI registered for this client application.&state=SomeLongPossiblyEncryptedString
This message is displayed on the page returned after an attempt to login:
Microsoft Account
We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later.
3/26/2014 Update: No luck so far, here's some screen shots of my settings in case it helps.
Basic Information
API Settings
Is this a problem on Microsoft's side or am I doing something wrong?
From the default MVC what works for me (just tested about 5 minutes ago) for the redirect URL is
http://testcrap.azurewebsites.net/signin-microsoft
All the documentation I've found says to use
http://testcrap.azurewebsites.net/login/microsoftaccount
But that doesn't work for me...
signin-microsoft does
OR if that doesn't work then use something like firebug to see what the request to the oauth provider looks like and then whatever the redirecturi is inside of that request is what you need to use..
For web application you need to set the redirect url in the Live Connect Developer Center.
In API Settings->Redirect URLs you must set:
http://www.yourdomain.com/signin-microsoft
Hope it's helpful :)
You need to provide the redirect url in the Live Connect Developer Center. I've attached a screenshot. This is part of the application validation to prevent malicious applications.
It seems Microsoft change the url again. This what works for me
.auth/login/microsoftaccount/callback
My redirect url is
https://yyyyyyyy.azurewebsites.net/.auth/login/microsoftaccount/callback
To get this url, use Fiddler or any http debug tool and look for request to login.live.com. The redirect_url is in the query string.
https://login.live.com/oauth20_authorize.srf?client_id=00000000551716B9&redirect_uri=https%3A%2F%2Fyyyyyyyyyy.azurewebsites.net%2F.auth%2Flogin%2Fmicrosoftaccount%2Fcallback&response_type=code&scope=wl.basic+wl.offline_access+wl.signin+wl.birthday+wl.calendars+wl.calendars_update+wl.contacts_birthday+wl.contacts_create+wl.contacts_calendars+wl.contacts_photos+wl.contacts_skydrive+wl.emails+wl.events_create&state=nonce%3Dfe7e6b678b8844f48f079cceadf1f426_20151206145117%26redir%3D%2F
Since I need 3 more reputation points to write a comment to your post I have to ask it here. Sorry about that.
Are you getting this error while trying it out on the real domain or while testing it from your localhost?
If the second is the case you need to setup a DNS entry for a dummy hostname in your local host file that points to 127.0.0.1 and use that dummy name when registering with live. Furthermore it needs IIS, not IIS Express.
Not sure if it is a clean way nor if it is complete, but it is the furthest I got when trying out the new ASP.NET Identitiy Provider. Sadly there is only a example in the official documentation which shows how to use it with google...
I, too, would appreciate a clean answer to this.
Redirect URIs are "SSL sensitive" and you probably always want the SSL version.

Cronjob to sync comments with disqus with oauth

I'm trying to set up a cronjob that syncs comments between Disqus and my database.
Everything is ok with the basic API, but I also need to store Ip addresses and emails in my local db. Reading the documentation, I found out that I need to use oauth and to declare a specific scope in order to get those "confidential" data.
So I set up a script that does everything and it actually works: everything is ok if I access the test page on my browser, trigger the authentication and ALLOW disqus to access my account stuff.
The problem is that I can't do this manually every 10 minutes. I need this to work on a cronjob set up on my linux webserver, but it doesn't work: of course my cronjob can't click on the ALLOW button etc.
Am I missing something? Is this a dumb question? :-)
Thanks in advance
Your API application includes an administrator's access token (it doesn't expire, so keep this secret!) to perform functions like this, so you don't need to authenticate constantly. So there's two things you need to do:
Get your admin access token from your application here (details page): http://disqus.com/api/applications/ - then use this to authenticate in your server-side script.
On the same page, go to the settings page and change the default permissions scope from "Read & Write" to "Read, Write & Manage Forums"
This will make sure you get all the sensitive data you need synced up.

Github API access to private repos using OAuth

Trying to access files in the private repositories of a Github organization of which I am a member, using the API. Tried a couple different ways so far:
1. If I use the username/password method --
curl -u "sashafklein:mypassword" https://api.github.com/repos/:org/:repo/git/trees/:file_sha
it works fine, but I'm trying to access the repos from a collaborative Rails app, so I don't want to publicize my github login credentials. I suppose creating a dummy GH account with access and using those credentials is possible, but it's definitely not ideal..
2. So I looked at the OAuth2 Secret/Key method in the API docs. But it doesn't work. If I curl the org repo url with my credentials as params in the url:
curl -i "https://api.github.com/orgs/:org/repos?private&client_id=<ID>&client_secret=<SECRET>"
Only the public repos show up. This may be a problem with how I'm passing params (passing "?private=true" should theoretically then return an empty list, but the list is identical and all public repos), but I'm following the docs.
3. So I got frustrated and took a look at these docs for getting a OAuth token, but I'm confused about how to alter it so that there's no user interface -- ie, so that my app has automatic access to the Github Orgs of which I am a member, without users of it having to do anything in particular.
Any ideas what I'm doing wrong with attempt 2, or how to get attempt 3 working automatically? I'm pretty stumped.
EDIT I think my client_id/secret are wrong, cause even when I use Octokit, it can't access the protected repos. Am I understanding this wrong? As me, I created an "Application" on Github for my Rails app, and I'm trying to use those credentials to access the org's private repos (to which I am a contributor) using the API.
In case anyone runs into this problem, here's the solution I found.
Apparently the client credentials I had weren't working. I think I didn't quite understand what they're for. The easiest way I could get this to work (ie, get permission for my rails app to access a private repo of which I was a member) was to use the username:password method (1, above).
So that my personal github credentials wouldn't be available to everyone using the app, I created a new dummy github account with access that serves exclusively as an api credentializer.
I am using Octokit with C# and encountered the same issue. After some investigation I found out it was a problem with my token permissions.
Token have scopes (https://developer.github.com/v3/oauth/#scopes) so to access private repositories you need 'repo' instead of 'public_repo' which I think was default.
This can be easily changed from Settings > Personal Access tokens > edit

XPages Social Business Toolkit

I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic

Resources