I'm using plupload in my Breeze/Durandal application to upload photos.
As part of configuring plupload in a given viewmodel, I set its url configuration property to point to an action on a Web API controller that is decorated with BreezeController and Authorize.
Examining the network trace in the browser developer tools, I see that the user's authorization info doesn't make it into the request. This actually makes sense, because the ajax isn't happening within breeze.
Any thoughts on how to properly secure this call to upload the image? I'd like access to the authenticated user id, otherwise I would have just let it be anonymous.
Thank you!
UPDATE: There's a headers option which allows you to set the request headers. Missed this when I was going through the documentation initially.
Are you just trying to tunnel an AJAX request through Breeze? This can be done using the Breeze.AjaxPost.js adapter.
http://www.breezejs.com/documentation/breezeajaxpostjs
This would be used similar to a query except that you would attach a payload somehow -
var payload = JSON.stringify(payload);
// Query to post your payload
var query = breeze.EntityQuery
.from('api/postsomething')
.withParameters({
$method: 'POST',
$encoding: 'JSON',
$data: payload
});
return manager.executeQuery(query).then(saveSucceeded).fail(saveFailed);
}
Now, this example is stringifying some JSON to post to the server, how you would do this with an image is beyond me but this should hopefully get you started.
In fact, I forgot about this answer which should provide some extra resources if you need them - breeze 1.4.8 & angular ajax adapter: how to customize ajax settings?
There's a headers option which allows you to set the request headers. Missed this when I was going through the documentation initially.
Related
I'm using Ruby on Rails. Here is the requirement: the client (a native mobile app developed by me) will send a http post request to my Ruby code, my code will add some extra http headers (based on some business logic), then I need to "forward" or "redirect" this post request to another backend server (which has a REST service) and return its response back to the client.
I have been able to write a rack middleware to intercept the post request and add the extra headers. Originally I thought I could just use http redirect (status code: 307 for post request). But the problem is that the extra headers could NOT be submitted, which is the whole point of my code. So this isn't http redirect or forwarding per se, it's more like transforming a request.
I'm able to make a separate post request from my code using net http. This works. But I have to COPY data from the incoming request to my outgoing request (eg form data, http headers). This copying seems a bit tedious.
I would prefer some kind of simple "repackaging" (which is akin to http redirect or forwarding), that is I copy the whole incoming request to the outgoing request, slap on the extra headers and send it to the destination URL and be done with. I am not sure how to do this, and if doing it this way is even a good idea. For example, HTTP_USER_AGENT shows the OS, browser type of the client, when I'm making a new request, I probably don't need to send this on.
Alternatively, I can copy only the application specific data, because they're all the backend server (the destination of this "redirect") cares about. But I'm averse to hardcoding attributes in my code, causing close-coupling with the client (our native mobile app). Ideally I only copy application-specific data without hardcoding their attribute names. Is this possible? If so, how?
Any advice would be appreciated.
Thank you.
HTTP does not allow redirects for anything other than GET request.
(This is not technically correct but using HTTP 307 is kind of sketchy - see https://softwareengineering.stackexchange.com/questions/99894/why-doesnt-http-have-post-redirect)
If you need too send a POST request to another server for processing then using a proxy as you already seem to be doing is the correct solution.
Recreating the request in the proxy may seem tedious but it actually serves as a guarantee that you are calling the other servers "API" correctly.
While you can simply loop through the request headers:
uri = URI('http://www.example.com/todo.cgi')
req = Net::HTTP::Post.new(uri)
request.headers.each do |key, value|
req[key] = value
end
And pass the request form data:
req.set_form_data = request.request_parameters
You should ask yourself if it really is prudent to proxy everything.
See http://api.rubyonrails.org/classes/ActionDispatch/Request.html
We have existed API like
/api/activiation_code
each time, the activiation_code will be different, then server will create a token for this call and return it, usually each call will have different activiation_code which return different token.
Since this API need server to create something so it is designed as POST.
Can we design this API as HTTP GET ?
What is the pro and cons ?
You could design the API to support GET requests, but I would not recommend this. If your API is accessible via a website, a user could accidentally activate an account multiple times since the URL will be stored in the browser's history. Additionally, web crawlers could potentially supply values to your API through the URL if you support GET requests.
POST requests are much better because the information is included in the body of the request, not the URL. Thus, it is much less likely that something will go wrong accidentally.
Summary: I haven't found any option of sending POST requests via Ember Data, and would really appreciate your sophisticated help. The documentation says one should use the Create function, but there are no examples for it anywhere. You don't have to read the entire details here, this is my major question.
Background: I want that as soon as the user logs in with a Facebook login, his signedRequest would be sent to the RESTful server and it will send back a JSON that would provide more information about him from my database.
My architecture: By my research I've discovered that signedRequest is the prefered way (compare to accessToken) to make this secure and quick, because it does not rely on any further Facebook Server check and therefore decreases the 'IO'. It only depands on AppId And AppSecret for decoding. Security and agility are important to me due to the RESTful architecture in which authentication should be done per each communication (am I wrong?).
What I'v succeeded: I've managed to make the facebook login and the decoding logic of the signedRequest.
(If this is the first login, the logic on the server will insert him to the database).
The problem: At first I made a GET request to the Web API I've prepared with the signedRequest, it worked well untill I had concated a long-string and then
got "NetworkError: 400 Bad Request".
App.UserController = Ember.ObjectController.extend({
FBSignedRequest: "non",
actions: {
login: function(){
this.set("FBSignedRequest", FBApp.FBUser.signedRequest);
this.store.find('user', this.get("FBSignedRequest")); //want to make it POST
}
}
});
The GET request was something like:
http://localhost:54441/api/users/iAMveRyLongStrINgWHichRepreSEnTsASignEDReQueSt
Then I thought to myself that this is because of the complexity of the signedRequest,
so the second way is to make it POST request. But, surprisingly, there is nothing about making POST requests on the internet. Am I missing something here? I have found only payloads and serialization, but am not sure those are necessary.
Could you help me please?
We create web project with RestFull+OAuth.
Its looks good - client sent token for each request in header Authorize.
But for some request we can`t add header.
For example when we print some image or document.
Because we use window.open - at our disposal only GET params.
At now i see one way - for that request add token to UPL as get params(?token=xxxxxxx) and not show url line in child browser window.
But i think its not good way.
Maybe somebody have other idea or practicals of implement it.
putting token in URL is not good way as it will be public in network and any one sniffing on your network will get the token, I think you have to make revers proxy on your server to get the file you want by after checking session attribute to be sure you are authorized for that.
So I'm writing a post on my wall and type a URL into the main body of the post. As soon as I finish the URL, Facebook creates a little section underneath which has the title, description, and an image from the url I typed.
Without getting too indepth, how is this done and what is the best way of make something similar myself?
jQuery (or some other framework that lets you do Ajax easily) to communicate between browser client and webserver
PHP/ASP.NET/Python (or some other scripting framework on the backend) to fetch the url
Facebook also has a meta data specification you might be interested in, to let developers further define what gets shown in a Facebook page.
I believe Facebook is written in PHP. And PHP does this easily.
FOpen can be used to access files on other sites. There are other functions but this will get you started. Then it's a matter of parsing the html you get from the url to get what you want.
http://php.net/manual/en/function.fopen.php
You have a couple choices. You can fetch it using Ajax from the client; or you can fetch it from your server.
If doing it from your server in asp.net then you need to use HttpWebRequest.
FB does an asynchronous JavaScript call to fetch that data without reloading the window you're on. Lookup ajax and libraries like jquery do this: http://api.jquery.com/category/ajax/