Get body of response in Superoak - integration-testing

I'm doing integration testing on Deno with Superoak. My application has a one-time password; to test a feature I need to know the one-time password, but for that I need its secret, which is returned in the body of the response to a POST.
I want to know how to get the response of this POST in Superoak.

I solved it by mocking the class that creates the one-time password and giving it a fixed secret, so I won't need to get the body of the response in Superoak.

Related

Meaning of ETag in firebase response

Could you please explain what the ETag header means in a Firebase response to a Firebase function call?
Rephrasing the question.
In my case I don't need the ETag, and I want to change the behaviour.
How can I implement this?
For example, I have a simple function on the cloud side that returns JSON:
const getObject = functions.https.onCall((data, context) => ({x: 1, y: 2}));
In the browser I see the ETag presented in the HTTP response; as you can see, I don't get any data from the cloud store in my handler.
Next question: a call to callable functions (for example, in AngularFire) translates to an HTTP POST request. What is the best way to modify the response in the onCall handler to force caching of arbitrary JSON data on the client and reverse-proxy side?
The ETag header has the following purpose:
The ETag HTTP response header is an identifier for a specific version of a resource. It allows caches to be more efficient, and saves bandwidth, as a web server does not need to send a full response if the content has not changed. On the other side, if the content has changed, etags are useful to help prevent simultaneous updates of a resource from overwriting each other ("mid-air collisions").
You use the ETag for conditional updates. Typically when you don't want to overwrite another user's changes to a document.
Another use case is when you're making a partial update to a document and the change assumes that the rest of the document has not changed in the meantime; there are invariants to protect.
Don't confuse this with the concurrency model for transactions. Server-side SDKs just keep retrying on failures caused by write contention. This just brute forces your changes in.
This is more for when a user has been editing a customer's order for 10 minutes, then saves it, but some other user, like a customer services person, has already made changes, so you can't overwrite them else their changes will be lost.
So you need to inform the user that someone else has changed stuff and they need to reload and potentially lose their edits.

How do I set the X-CSRF-Token correctly in an Alexa POST Request to SAP HANA? (403 error)

I have a problem with the x-csrf-token validation with regard to an HTTPS POST request. The request comes from a Lambda function triggered by an Amazon Alexa skill and is sent to an XSOData file running on the SAP Cloud Platform in an SAP HANA database. I use JavaScript/Node.js.
A valid token is set in the request header (see the code in the first picture below), but the response header shows "required" for the x-csrf-token (see the code in the second picture below). So there is an error with the validation. The same POST request works correctly with POSTMAN, but when I try it via a JS file as a Lambda function (in the first picture), this error occurs with HTTP status code 403 (see the code in the second picture below). The POST request itself does work, but the token validation does not. GET requests work fine.
Does anybody know a possible solution?
Thank you very much!
1.picture: request
2.picture: response
Please try to get the csrf token first before setting it to the request body. CSRF token changes from device to device as well as the timeframe. I also had a similar issue, and upon implementing the above solution, it started working perfectly.
I am writing this as a separate answer as I had an issue in Spring Boot RestTemplate call. I could arrive at a solution after going through this article.
SAP CSRF Issue
Basically the "set-cookie" header is instructing the browser to set the "Cookie" header. All one has to do (apart from x-csrf-token) is to replace the comma in the string of the cookie with a semicolon. Then set the header "Cookie" to this replaced value.

Withings API No Response on request_token

I have set up everything as described in the steps in the answer to the post withings api authentication.
However, when I copy and paste the final URL generated in Step 2 (Send request to the URL:), I get no response in my browser and the screen remains empty.
Is there any reason why this might be happening?
OAUTH TOKEN and OAUTH SECRET: will I get both of them appended to the callback URL?
Each parameter string was supposed to be URL encoded in the signature, i.e. URLEncoder.encode("key=value","UTF-8").
I have used the Temboo API to get the user tokens.
They have two steps: initial OAuth and final OAuth.

Is there a default http request header to identify the user making a request?

In the data model behind my RESTful API there are several entities with the CreatedBy/ModifiedBy fields. The only access to this data is through my API, and as such, the fields should be populated with the user id of the user making the request to my API.
I have considered either adding these fields to the models exposed by my API or expecting a request header containing the user id on all PUT/POST/DELETE requests. I would be interested in any opinions as to which approach is best, or any other approach.
I like the idea of providing it in the header since it is necessary for every request and I am wondering if there is a standard request header to contain the information, or a common x-header.
I have seen the From request header; however, it seems to be defined as the email address of the user making the request, and I need to pass the user id.
In our current implementation, we use the authorization header to authenticate the calling application with the API, and not for a specific user.
Which header would you use to pass information to identify the user making a request?
You can extend the Authorization header to add your own parameters. Both the Digest and OAuth authorization schemes support parameters. The Basic scheme already has the user credentials readable. Something like:
Authorization: OAuth realm="Photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131200",
    oauth_nonce="wIjqoS",
    oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
    oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D",
    xoauth_user_guid="alganet"
Yahoo! does something similar with their OAuth implementation, but in another context.
http://developer.yahoo.com/oauth/guide/oauth-accesstoken.html.
However, if these fields are shown or exposed somehow in your public API, they belong to RESTful resources and should be represented always in the body, not the headers. If you GET the username in the message body, you should POST the username using the message body as well.
Assuming you can use HttpClient
// Imports for the Apache Commons HttpClient 3.x API used below
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.methods.GetMethod;

// HttpClientManager.getNewClient() is the answerer's own factory (not part of the library); new HttpClient() works as well
HttpClient client = HttpClientManager.getNewClient();
HttpMethod get = new GetMethod(...);
// add the custom request header carrying the user id
get.addRequestHeader("x-newHeader", "value");
more here
OR using URLConnection using setRequestParameter

Which HTTP response code is most suitable for this situation?

I'm writing an API so that users can subscribe to things. A user can subscribe to anything by submitting a POST something like this:
{
  "item_id": "c13",
  "requested_status": "subscriber",
  "sure": true
}
Here you can see a sure parameter. I'm using this to avoid making subscriptions accidentally. If the client sends that info without the sure parameter, the API rejects that request to make the GUI ask "are you sure you want to subscribe to this?". If the user confirms, the same POST happens again with the sure parameter, and the subscription (or unsubscription) happens.
So, when I am rejecting that request because there is no sure parameter, which response code should I use? I thought 400 (bad request) could be used, but I'm not sure.
Thanks for your response.
HTTP codes are codes with a pure technical meaning. What you want is not a technical problem and shouldn't be handled with technical means.
Since the response was received and contained technically correct values (not the same as functionally valid values!), you should send a 200 - OK status. The content of your response should be the action to perform next. In this case, ask the user if he/she is sure.
If you work with Post-Redirect-Get, a 303 - See Other status is your best option.
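The distinction this answer draws, as an added example that is not part of the original thread: a handler for the question's request body that answers 400 only for technically broken input (non-JSON, wrong types), 200 with the next action when the well-formed request merely lacks sure, 201 once it is confirmed, and 303 in the Post-Redirect-Get variant. The path names, the allowed requested_status values and the response shape are constructed for the example.

```javascript
// Added example (not from the thread): separating "technically malformed"
// (400) from "functionally incomplete" (200 with the next action), plus the
// Post-Redirect-Get variant (303). Responses are plain {status, headers, body}
// objects; paths and status vocabulary are constructed for the example.
const ALLOWED_STATUS = new Set(["subscriber", "unsubscribed"]);

function handleSubscribe(rawBody, { basePath = "/subscriptions", prg = false } = {}) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    // Technically broken request (a trailing comma, for instance): this is what 400 is for.
    return { status: 400, headers: {}, body: { error: "request body is not valid JSON" } };
  }
  if (body === null || typeof body !== "object" || typeof body.item_id !== "string" || !ALLOWED_STATUS.has(body.requested_status)) {
    return {
      status: 400,
      headers: {},
      body: { error: "item_id (string) and requested_status (subscriber|unsubscribed) are required" },
    };
  }
  if (body.sure !== true) {
    // Well-formed but not yet confirmed: not an error, so tell the client what to do next.
    if (prg) {
      // Post-Redirect-Get: send the browser to a confirmation page instead.
      const q = new URLSearchParams({ item_id: body.item_id, requested_status: body.requested_status });
      return { status: 303, headers: { location: `${basePath}/confirm?${q}` }, body: null };
    }
    return {
      status: 200,
      headers: {},
      body: {
        action: "confirm",
        prompt: `Are you sure you want to become ${body.requested_status} of ${body.item_id}?`,
        resubmit: { ...body, sure: true },
      },
    };
  }
  // Confirmed: the subscription (or unsubscription) is applied.
  return {
    status: 201,
    headers: { location: `${basePath}/${encodeURIComponent(body.item_id)}` },
    body: { item_id: body.item_id, status: body.requested_status },
  };
}
```

Returning the exact body to resubmit (resubmit) keeps the confirmation step stateless on the server; whether the client sent sure: true is still checked on the second request, so the API never relies on the GUI having shown the prompt.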
