I'm trying to use Google Federated Login REST API. I can succesfully reach out to the google server and validate a user but I cannot pull parameters from the return url
for example:
http://mysite.com/login/return?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud...
All the variables in that return string are not accessible in the params array. I have no idea how to get them out. requst.url, request.query_parameter, and all similar calls do not return the query string.
I think i found the issue. I was using the open-uri library to make the call to google's endpoint url so it may have been stepping outside of the normal rails response/request cycle. I've since used Net::HTTP requests and parse the information from the response.
So I have a very similar issue, where I'm actually building a Rails-based openid provider but being consumed by another Rails app. I basically adapted the code from
The whole URL was:
http://localhost:3000/openid?openid.assoc_handle=%7BHMAC-SHA1%7D%7B5193d33f%7D%7BdBrUwQ%3D%3D%7D&openid.claimed_id=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.identity=http%3A%2F%2Flocalhost%3A3000%2Fopenid%2Fwarren&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.realm=http%3A%2F%2Flocalhost&openid.return_to=http%3A%2F%2Flocalhost%2Fsession%3F_method%3Dpost%26return_to%3D&openid.sreg.required=nickname%2Cemail
I had a similar problem where the only parameters being reported were:
{"action"=>"index", "controller"=>"openid"}
So, suspecting that some parameter (maybe a period?) was causing it to hiccup, I went through and deleted them one by one until I found that deleting the following parameter enables the entire thing to go through correctly:
openid.mode=checkid_setup
That left all the remaining parameters correctly being parsed:
{"openid.assoc_handle"=>"{HMAC-SHA1}{5193d33f}{dBrUwQ==}",
"openid.claimed_id"=>"http://localhost:3000/openid/warren",
"openid.identity"=>"http://localhost:3000/openid/warren",
"openid.ns"=>"http://specs.openid.net/auth/2.0",
"openid.ns.sreg"=>"http://openid.net/extensions/sreg/1.1",
"openid.realm"=>"http://localhost",
"openid.return_to"=>"http://localhost/session?_method=post&return_to=",
"openid.sreg.required"=>"nickname,email",
"action"=>"index",
"controller"=>"openid"}
I'm now trying to find why openid.mode causes this issue. It fails even if I change it to openid.mode=5, so it's the key, not the value, causing the problem.
Suspecting the ".mode" part of the string for the trouble (maybe ".mode" is a filetype or something being parsed by the routing?) I am looking towards this post on allowing periods, but it only applies to the value, not the key: rails routing and params with a '.' in them
Will report back if I find more.
Update: I tried, in another Rails app, adding ?openid.mode=0 to the end of a URL -- ".mode" does not result in a parameter being read, but ".modes=" does and so does ".mod=". This confirms that ".mode" is causing a params parsing error.
Update 2: yikes... actually "?a.mode=0" does work. So far, only the complete string "openid.mode" does not work, and this is across various Rails apps. "?openid.mode" with nothing else results in: Parameters: {"openid.mode"=>nil}, but "?openid.mode=" with nothing after the "=" fails to pass any parameters besides action & controller. Very odd.
Update 3: OK, figured it out, I believe -- the params were getting sanitized i.e. deleted by the rack-openid gem, in that gem's path: /lib/openid.rb:168, "sanitize_query_string". This seems to be incompatible with the example I was working with: https://github.com/openid/ruby-openid/tree/master/examples/rails_openid. Going to override that method.
Final update: I replaced this line:
oidreq = server.decode_request(params)
with this line, since we could no longer use the now-empty params hash:
oidreq = server.decode_request(Rack::Utils.parse_query(request.env['ORIGINAL_FULLPATH']))
Related
I have a search page where I update the URL params on the page as filters are added or removed by the user. This allows me to deep link into the page (ie. going to /search?location=new+york&time=afternoon will set the location and afternoon filters).
I also have a filter named format. I noticed that passing in ?format=whatevervalue to the URL and then reloading the page with that param causes Rails to return a Completed 406 Not Acceptable error. It seems that format is a reserved Rails URL parameter.
Is there anyway to unreserve this parameter name for a particular endpoint?
In the context of an URL in Ruby on Rails there are at least four reserved parameter names: controller, method, id, format.
You cannot use these keys for anything else than for their intended purpose.
If you try to you will override the value internally set by Rails. In your example by setting ?format=whatevervalue you override the default format (html) and your application will try to find and render a whatevervalue template instead of the html formatted template. This will obviously not work.
Fun fact: Instead of using the default Rails path format like /users/123/edit you could use query parameters instead like this: /?controller=users&id=123&method=edit&format&html.
My suggestion is: Do not try to fight Rails conventions. Whenever you try to work around basic Rails conventions it will hurt you later on because it makes updates more difficult, common gems might break, unexpected side-effects will happen. Just use another name for that parameter.
First you must know I'm a total beginner, I'm trying to learn so I almost don't know anything.
On the basic page of the API, there is a curl command used as an example to show us how to make requests.
I'm using Ruby on Rails so I used "curl-to-ruby" website to translate it, but it did not work as expected.
I wanted it to show me this :
uri = URI.parse("REQUEST_URL")
response = JSON.parse(Net::HTTP.get(uri))
Instead I got this :
uri = URI.parse("REQUEST_URL")
response = Net:HTTP.get_response(uri)
I don't understand any of this, I thought I wouldn't need to and just use "curl-to-ruby", but apparently I really need to get this.
Would you please try to explain me ?
Or give me links ?
Or matters to read (curl, API, http) ?
Thank you very much, have a nice day.
It's because that command doesn't return just the content, it returns the whole HTTP response object including headers and body. You need to extract the response body and parse that using JSON.parse(), e.g.
JSON.parse(response.body)
See documentation here: https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html#method-c-get_response
(Also, there is nothing in the cURL command which would hint to the converter that the content-type of the response was expected to be JSON (e.g. perhaps an "accepts" header or something), so even if it were able to produce extra code adding the JSON.parse part, it has no way of knowing that it would be appropriate to do so in this case.)
I have developed a ASP.NET MVC application. I have a conroller with the name EmployeeController and it got a method called GetEmployeeByName. GetEmployeeByName() takes a name of type string as parameter.
So When I send a request like this, i get the data back :
someDomain:9999/Employee/GetEmployeeByName/Roger Federer
But if the name contains an '&' (you & me), I get a '400 Bad Request' as response from server.
someDomain:9999/Employee/GetEmployeeByName/you%20&%20me
Even if i encode it dont get a reposne back
someDomain:9999/Employee/GetEmployeeByName/you%20&%20me
What is the right way to encode such (data with special character) data?
What is the right way to encode such (data with special character) data?
The right way is to use a query string parameter and not be putting those things as part of the uri portion. Read the following blog post from Scott Hansleman. I will only quote hos conclusion:
After ALL this effort to get crazy stuff in the Request Path, it's
worth mentioning that simply keeping the values as a part of the Query
String (remember WAY back at the beginning of this post?) is easier,
cleaner, more flexible, and more secure.
As you can see in the blog post there are some hacky ways to make it work and circumvent IIS handling but it simply is not something that I would recommend you venturing into. Just put this name in the query string.
I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...
I'm unsure what the proper way is to access parts of the requested URL.
In this case, I want to get the requested path without the query variables. This is the only way I found to do it:
String path = getRequest().getResourceRef().getHostIdentifier() +
getRequest().getResourceRef().getPath();
The result would be the bold part of this url: https://stackoverflow.com/questions/ask?query=value
I also found about 6 different ways to get the server name (http://stackoverflow.com) but I'm worried that some of them would fail in certain cases that I am unaware of (why would there be 6 different ways to do one thing):
getRequest().getHostRef().getHostIdentifier();
getRequest().getHostRef().getIdentifier();
getRequest().getRootRef().getHostIdentifier();
getRequest().getRootRef().getIdentifier();
getRequest().getResourceRef().getHostIdentifier();
And this seems to get the complete URL with query parameters:
getRequest().getResourceRef().getIdentifier();
Any further explanation would be much appreciated.
If you're in a UniformResource (or subclass) I think you might be looking for the method getReference(), which returns the URI reference. There are a number of other convenience methods in that class you might be interested in so you don't have to go through the request. See UniformResource (Restlet 2.0).