I want Bosun to make an API call to JIRA, which requires a basic authentication in a form of BASE64 encoded string username:password. What keyword I can use in the notification definition to pass the authentication token to JIRA? My basic notification looks like this:
notification jira_alert {
post = https://example.com:8081/rest/api/2/issue/createmeta
contentType = application/json
Reading the documentation on bosun.org I can't find any specific keyword I could use. Any hints?
Can you put put the key in URL or in JSON data?
For example:
notifaction chat {
next = email
timeout = 10m
post - http://chat.example.com/room/1?key=KEY&message=whatever
}
Related
#linkedin
I am trying in python to get the metrics (likes, shares, comments, etc) of my company page.
We registered the API which includes Marketing Developer Platform.
I understand, I need Members authentication and I set up Oauth 2.0 settings.
I've created the access_token for the permissions (among them is r_organization_social - which I need to collect data).
What is confusing for me, how to use this token.
Is it enough to use it together with header in my request?
response = requests.get('https://api.linkedin.com/v2/posts', headers = headers)
I've created the header like this:
headers = {
'Authorization': f'Bearer {access_token}',
'cache-control': 'no-cache',
'X-Restli-Protocol-Version': '2.0.0'
}
I tried that and I am getting an error that token is Invalid, even though it is live and active for the next 11 months.
I also tried many things where I would first send request for authenticate my request and then manually copy the response to get the new access token.
That access token never worked - was invalid.
Even if it works, looks like that wouldn't be acceptable solution...
Can you please help with this?
Thanks
The following is working for me.
I used this format of the header:
headers = {
'X-Restli-Protocol-Version': '2.0.0',
'Authorization': 'Bearer '+ access_token }
payload ={}
And the request looks like this (instead of posts I use ugcPosts):
requests.request("GET",'https://api.linkedin.com/v2/ugcPosts?q=authors&authors=List('+urnLiOrganizationEncode + ')&count=100', headers=headers,data=payload)
I'm using Twilio API for getting the Twilio call logs. I want the recording for the corresponding call in .mp3 format. We are accessing recording URLs, but that is the .json format, so we replaced .json with .mp3 and added https://api.twilio.com at the beginning using the following codes
var recordings = RecordingResource.Read(
callSid: sid,
limit: 1
);,
foreach (var item in recordings)
{
recordUrl = "https://api.twilio.com" + item.Uri.Replace(".json", ".mp3");
}
But we can't play the recorded call.
We doubt in Enforce HTTP Auth on Media URLs currently its status is Enabled. If we disable it, is there any security issue? Are we able to play the audio after disabling it? What should Enforce HTTP Auth status on Media URLs if we access Twilio from the mobile app?
Disable the "Enforce HTTP Auth on Media URLs" option so you can use the URL to access the file without authentication.
When the "Enforce HTTP Auth on Media URLs" option is disabled, any person who has the Account SID and the Recording SID will be able to access the .mp3 file. On the other hand, when the option is enabled, you might have to use your Account SID and Auth Token to get access to the recording file.
If you need to keep your recordings secure with the HTTP basic auth, I suggest enable the "Enforce HTTP Auth on Media URLs" option and download the .mp3 file making an HTTP request; here is a code example of how to make the request.
using RestSharp;
using RestSharp.Authenticators;
using RestSharp.Extensions;
var client = new RestClient("https://api.twilio.com/2010-04-01/Accounts/ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Recordings/RExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.mp3");
var request = new RestRequest(Method.GET);
client.Authenticator = new HttpBasicAuthenticator("Account_SID", "Token_Auth");
IRestResponse response = client.Execute(request);
client.DownloadData(request).SaveAs("/your_path/recording_file.mp3");
What I'm doing now:
Using the JavaScript API to render the button on my web page.
When the Sign in with Google flow is complete, my client-side JavaScript callback is called.
That callback sends the given .credentials string to my server.
The backend server (Node.js) calls the google-auth-library library's OAuth2Client.verifyIdtoken method on the .credentials string, which returns the user's email address (among other things), which my server uses to verify the user and create a session.
Everything works, but I'm wondering if there are any security concerns I'm missing. In particular there's a nonce field. The docs (link) don't explain how to use it.
Note: I'm using "Sign in with Google" and not the deprecated "Google Sign-In".
Edit: I'm familiar with the concept of nonces and have used them when doing the OAuth 2 server-side flow myself. What I can't figure out is how the Sign in with Google SDK expects me to use its nonce parameter with the flow above, where I'm using both their client-side and server-side SDKs.
Nonces are used as a CSRF-prevention method. When you make a request to Google, you include a nonce, and when authentication is complete, Google will send the same nonce back. The magic in this method is that if the nonce does not match what you sent then you can ignore the response, because it was probably spoofed.
Read more about CSRF here: https://owasp.org/www-community/attacks/csrf
Nonces are usually crytographically secure random strings/bytes.
I use crypto-random-string as a base to generate nonces, but any package with this functionality should suffice.
Sometimes I store nonces with a TTL in Redis, but other times I store nonces with an ID attached to the request so I can later verify it.
I'm telling you this since it took a bit long for me to figure out this nonce stuff :P
Using the example from Google's website (https://developers.google.com/identity/one-tap/android/idtoken-auth), I added the code for the nonce:
const nonce = '...'; // Supplied by client in addition to token
const {OAuth2Client} = require('google-auth-library');
const client = new OAuth2Client(CLIENT_ID);
async function verify() {
const ticket = await client.verifyIdToken({
idToken: token,
audience: CLIENT_ID, // Specify the CLIENT_ID of the app that accesses the backend
// Or, if multiple clients access the backend:
//[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
});
const payload = ticket.getPayload();
const serverNonce = payload['nonce'];
if (nonce != serverNonce) {
// Return an error
}
const userid = payload['sub'];
// If request specified a G Suite domain:
// const domain = payload['hd'];
}
verify().catch(console.error);
I'm trying to query a Firebase database from a Service Worker using the Fetch API. However it doesn't work as expected as I can't get authenticated correctly.
Basically what I'm trying to do is from origin https://myproject.firebaseapp.com inside a Service Worker I do a call like this :
var fetchOptions = {};
fetchOptions.credentials = 'include';
var url = options.messageUrl;
var request = new Request('https://myproject.firebaseio.com/user/foobar.json', fetchOptions);
messagePromise = fetch(request).then(function(response) {
return response.json();
});
I'm getting this error :
Fetch API cannot load https://myproject.firebaseio.com/user/foobar.json. Response to preflight request doesn't pass access control check: Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin 'https://myproject.firebaseapp.com' is therefore not allowed access.
Any idea of a way to fix it? How one should do to query/update the Firebase database from a SW?
I've read https://jakearchibald.com/2014/using-serviceworker-today/ and one of the gotcha was exactly that problem, the fact that Fetch request do not send authentification.
Ideally it would be great to be able to use the Firebase JS API inside a SW but this doesn't seem to work as well.
Firebase doesn't store authentication info as a cookie or in anything that would be sent along in the credentials, so there's no need to send them in your fetch request. Instead, you'll need to pull the token from Firebase Auth:
firebase.auth().currentUser.getToken(true).then(function(token) {
// token is the value you'll need to remember for later
});
Once you've got the token, you should be able to add it as a query parameter to the REST request e.g. ?auth={THE_TOKEN}. This will allow you to make your authenticated request in the Service Worker.
I'm trying to query api.whatever.com, but I also want to pass a USERNAME, such as in curl it would look like this:
https://USERNAME#api.whatever.com/
How do I write the client request in such a way that USERNAME gets sent properly to the API server.
You need to base64 encode the username.
url = "https://USERNAME#api.whatever.com/".replace("https://","").split("#");
// Buffer is global, no need for require.
url64 = "https://" + (new Buffer(url[0]).toString('base64')) + url[1];
http://en.wikipedia.org/wiki/Basic_access_authentication
There's an explaination of the format you have to use as well as an example.