How to set custom headers in php unit testcases - phpunit

How to send a token as part of the header along with the request in PHPUnit test cases. I had tried many ways but none of them are working.
1)
const TOKEN = 'XXXXXX';

public function testCreateTest()
{
    $response = $this->call('POST','/test'.static::TOKEN,['code' => 'sally','sort_order'=>'test'],[],[], ['HTTP_Authorization' => 'token'],[]);
    $this->assertSame(500, $response->getStatusCode());
}
2)
public function testCreateTest()
{
    $response = $this->call('POST','/test',[], [], [],$headers = ['token' => static::TOKEN], $cookies = [], $files = [], $server = []);
    $this->assertSame(500, $response->getStatusCode());
}
When I tried to print the request, the headers are not appended. The output looks like this when I run the test cases.
Cache-Control: no-cache
Content-Type: application/json
Date: Thu, 13 Oct 2016 07:38:25 GMT
Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik4zdTZWbHZyXC8ybFV0MUs4R0UwNUl3PT0iLCJ2YWx1ZSI6IkFWb2cxUmtFdmljbXpxRkpcL2wwUHZyckNobVNrQYyI6IjdkY2FhMTliNjVmMDEwN2ZhNjI3ZjRmNDQxNDZmNmYyMTRkY2E4Yzg1NzY3MGY2OTEwNWY5MDA5ZmJlNDY3MDgifQ%3D%3D; expires=Thu, 13-Oct-2016 09:38:25 GMT; path=/
{"message":"Unauthorized"}
Please can anybody help me.
Thanks in advance.

Related

Access-Control-Max-Age not working with Authorization header

Trying to work out why Chrome is still firing a prefetch request even though Access-Control-Max-Age has been specified when combined with the Authorization header. If I remove the Authorization header, preflight caching works as expected.
Request headers
:method: OPTIONS
:path: /v1/api
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8,pt-BR;q=0.7,pt;q=0.6,fr;q=0.5
access-control-request-headers: authorization,content-type
access-control-request-method: POST
origin: https://null.jsbin.com
referer: https://null.jsbin.com/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
Response headers
access-control-allow-credentials: true
access-control-allow-headers: *
access-control-allow-methods: OPTIONS,POST
access-control-allow-origin: *
access-control-max-age: 86400
content-length: 0
content-type: application/json
date: Wed, 04 Aug 2021 08:30:50 GMT
I'm slowly grinding through this doc https://fetch.spec.whatwg.org/#http-cors-protocol but can't see any reason why Authorization should block preflight caching.
Also, as an aside. If Authorization is incompatible with Access-Control-Max-Age is it such a bad idea to include the auth token in the body rather than as a header from a security point of view? You may assume, over TLS.
Server code: https://glitch.com/edit/#!/prairie-bright-earl?path=server.js%3A22%3A0
Client code: https://jsbin.com/dejetem/16/edit?js,console
For reasons that are not totally clear to me, specifying Access-Control-Allow-Headers: Authorization, * "fixes" things and the Access-Control-Max-Age: 10 is respected. The authorization header is an edge case which must be explicitly safe listed by the server.
const buildHeaders = origin => {
  return {
    "Access-Control-Allow-Methods": "*",
    // the key line 👇
    "Access-Control-Allow-Headers": "Authorization, *",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Max-Age": "10"
  };
};

fastify.options("/", function(request, reply) {
  reply
    .code(200)
    .headers(buildHeaders(request.headers.origin))
    .send();
});

fastify.post("/", function(request, reply) {
  reply
    .code(200)
    .headers(buildHeaders(request.headers.origin))
    .header("Content-Type", "application/json; charset=utf-8")
    .send({ hello: "world" });
});

const url = 'https://dynamic-past-deltadromeus.glitch.me/'
const opts = {
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'asdf'
  },
  method: 'POST',
  body: JSON.stringify({ message: 'ping' }),
}
fetch(url,opts)
Source code:
Server source code https://glitch.com/edit/#!/dynamic-past-deltadromeus?path=server.js%3A8%3A0
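
The behaviour described in this thread follows from the Fetch standard, which names Authorization as a "CORS non-wildcard request-header name": a `*` in Access-Control-Allow-Headers never covers it, so a cached preflight that only lists `*` cannot be reused for a request carrying that header. The block below is an added example, not code from the question, the answer, or any browser; it is a simplified model of the header-name match in the preflight cache, and the function names are illustrative.

```javascript
// Simplified model of the Fetch standard's header-name match for the
// CORS-preflight cache. Added example; names are not a browser API.

// Header names the standard excludes from the `*` wildcard.
const NON_WILDCARD = new Set(["authorization"]);

// Preflight responses taken from the thread (only the relevant header).
const QUESTION_RESPONSE = { "access-control-allow-headers": "*" };
const ANSWER_RESPONSE = { "access-control-allow-headers": "Authorization, *" };

// Split a comma-separated header value into lower-cased names.
function parseList(value) {
  return (value || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Return the request header names that the cached preflight does NOT cover.
// accessControlRequestHeaders is the value the browser sends in the
// preflight, i.e. the request's CORS-unsafe header names.
function uncachedHeaders(preflightResponse, accessControlRequestHeaders) {
  const cached = new Set(
    parseList(preflightResponse["access-control-allow-headers"])
  );
  return parseList(accessControlRequestHeaders).filter((name) => {
    if (cached.has(name)) return false; // listed explicitly
    if (cached.has("*") && !NON_WILDCARD.has(name)) return false; // wildcard
    return true; // e.g. authorization when only `*` was returned
  });
}

// A cached preflight can be reused only if every header is covered.
function preflightReusable(preflightResponse, accessControlRequestHeaders) {
  return uncachedHeaders(preflightResponse, accessControlRequestHeaders).length === 0;
}

// The request in the question sent: authorization,content-type
console.log(uncachedHeaders(QUESTION_RESPONSE, "authorization,content-type"));
console.log(preflightReusable(ANSWER_RESPONSE, "authorization,content-type"));
```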

I'm having a CORS Prefetch Error 400 Bad Request

I am running a Vue project on my local dev server with a firebase function also running on local dev. Whenever I try to make a fetch request to my "backend" I get a CORS error.
PREFLIGHT REQUEST
OPTIONS /api/url HTTP/1.1
Host: localhost:5001
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
RESPONSE
HTTP/1.1 400 Bad Request
x-powered-by: Express
access-control-allow-origin: http://localhost:8080
access-control-allow-methods: POST, OPTIONS
access-control-allow-headers: Content-Type
content-type: application/json; charset=utf-8
content-length: 44
etag: W/"2c-1mdAJaORqKZ8xUSbM/cjasU4RC0"
date: Tue, 20 Jul 2021 14:40:25 GMT
connection: keep-alive
keep-alive: timeout=5
Here's my code:
FRONTEND
fetch("/api/url", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    currency: "usd",
    paymentMethodType: "card",
    amount: 1880,
  }),
}).then();
BACKEND
exports.myFunctionName = functions.https.onRequest(async (req, res) => {
  const origin = req.headers.origin;
  if (ALLOWED_ORIGINS.includes(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
  }
  res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
  const {paymentMethodType, currency, amount} = req.body;
  const params = {
    payment_method_types: [paymentMethodType],
    amount: +amount,
    currency: currency,
  };
  try {
    // Create a PaymentIntent with the amount, currency, and a payment method type.
    const paymentIntent = await stripe.paymentIntents.create(params);
    // Send publishable key and PaymentIntent details to client
    res.status(200).json({
      clientSecret: paymentIntent.client_secret,
    });
  } catch (e) {
    return res.status(400).json({
      error: {
        message: e.message,
      },
    });
  }
});
I can't seem to figure this out, I've been working at it for a few hours. Can anyone help?
The problem is your function treats the preflight request as if it were the actual POST request, but they're separate and not sent simultaneously.
The browser automatically sends the OPTIONS preflight request (which has no body) before the POST. Your function tries to pass non-existent body parameters from OPTIONS to the Stripe API, resulting in an exception caught by your catch handler, which responds with a 400.
The backend function should respond to OPTIONS with an ok status (e.g., 200) before the browser can send the POST request:
exports.myFunctionName = functions.https.onRequest(async (req, res) => {
  // Handle preflight request
  if (req.method === "OPTIONS") {
    // allow `POST` from all origins for local dev
    res.set("Access-Control-Allow-Origin", "*");
    res.setHeader("Access-Control-Allow-Methods", "POST");
    return res.sendStatus(200);
  } else {
    // Handle `POST` request here...
  }
});
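
As an added example (not the answerer's or the asker's code), the same separation of preflight and POST can be written so that the origin allow-list from the question is kept and the body is validated before it reaches the payment call. `corsDecision`, `parseParams`, `makeHandler` and the injected `createIntent` are hypothetical names; `ALLOWED_ORIGINS` holds a constructed sample value.

```javascript
// Added example: preflight-aware handler for an Express-style (req, res) pair.
const ALLOWED_ORIGINS = ["http://localhost:8080"]; // constructed sample value

// Decide the CORS headers and whether the request may reach the business logic.
function corsDecision(method, origin) {
  const headers = { Vary: "Origin" };
  const allowed = ALLOWED_ORIGINS.includes(origin);
  if (allowed) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  if (method === "OPTIONS") {
    // Preflight carries no body: answer with headers only and stop.
    if (allowed) {
      headers["Access-Control-Allow-Methods"] = "POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
    }
    return { status: 204, headers, proceed: false };
  }
  if (method !== "POST") {
    return { status: 405, headers: { ...headers, Allow: "POST, OPTIONS" }, proceed: false };
  }
  return { status: 200, headers, proceed: true };
}

// Validate the JSON body before anything is passed to the payment API.
function parseParams(body) {
  const { paymentMethodType, currency, amount } = body || {};
  const n = Number(amount);
  if (typeof paymentMethodType !== "string" || typeof currency !== "string" ||
      !Number.isInteger(n) || n <= 0) {
    return null;
  }
  return { payment_method_types: [paymentMethodType], amount: n, currency };
}

// createIntent stands in for the payment call made in the question.
function makeHandler(createIntent) {
  return async function handler(req, res) {
    const decision = corsDecision(req.method, req.headers.origin);
    for (const [name, value] of Object.entries(decision.headers)) {
      res.setHeader(name, value);
    }
    if (!decision.proceed) return res.status(decision.status).end();
    const params = parseParams(req.body);
    if (!params) {
      return res.status(400).json({ error: { message: "invalid body" } });
    }
    try {
      const intent = await createIntent(params);
      return res.status(200).json({ clientSecret: intent.client_secret });
    } catch (e) {
      return res.status(400).json({ error: { message: e.message } });
    }
  };
}
```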

Symfony http cache manage dynamic expires time or how to invalidate cache?

I do not understand how to invalidate the cache, because my application is not called when I return the request with an Expires header the first time, and then the application is not called when I try to call the same request again
$response
->setExpires($this->helper->getExpiresHttpCache());
And I added a class
class CacheKernel extends HttpCache
{
protected function invalidate(Request $request, $catch = false)
{
if ('PURGE' !== $request->getMethod()) {
return parent::invalidate($request, $catch);
}
if ('127.0.0.1' !== $request->getClientIp()) {
return new Response(
'Invalid HTTP method',
Response::HTTP_BAD_REQUEST
);
}
$response = new Response();
if ($this->getStore()->purge($request->getUri())) {
$response->setStatusCode(Response::HTTP_OK, 'Purged');
} else {
$response->setStatusCode(Response::HTTP_NOT_FOUND, 'Not found');
}
return $response;
}
protected function getOptions()
{
return [
'default_ttl' => 0,
];
}
}
and in index.php add
$kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
// Wrap the default Kernel with the CacheKernel one in 'prod' environment
if ('prod' === $kernel->getEnvironment()) {
$kernel = new CacheKernel($kernel);
}
but the HTTP cache works for every environment. Only when I use the Disable cache checkbox in the browser will the application be called.
In the browser I had the correct header Expires: Fri, 01 May 2020 11:59:00 GMT. And if I send the request again with debug enabled, the debugger does not enter the application, but the response contains the result data. In this case the General section contains Status Code: 200 OK (from disk cache)
Request URL: http://symfony.localhost/api/products/extra_fields
Request Method: GET
Status Code: 200 OK (from disk cache)
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade
But where is the point where the current time and the expires time are compared? For example, I want to use global variables for the expires time. For example, after calling some other API request, api/product/{id}, I want to change the expires time for /api/products/extra_fields, but the application is not called. Where can I manage it, or is it possible? Could someone help me figure out how to manage it?
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
X-Powered-By: PHP/7.3.14
Cache-Control: private, must-revalidate
Date: Fri, 01 May 2020 07:39:35 GMT
Expires: Fri, 01 May 2020 11:59:00 GMT
Request
GET /api/products/extra_fields HTTP/1.1
accept: application/json
Referer: http://symfony.localhost/api/doc
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

Unable To use PUT method to send data via CORS with Express

I am working on a simple web app on port 4000 with a RESTful API on port 8080. I have Express set up with the cors package and I seem to be sending the correct headers back from an OPTIONS request, see below:
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Vary: Access-Control-Request-Headers
Access-Control-Allow-Headers: content-type
Content-Length: 0
This is returned with a status 204 ok. Then I see the PUT request in FF Network console and after about 45 secs the request header appears:
PUT /movies/updatemovie/59f4ee92be4becd967a573ca HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://localhost:4000/movies
Content-Length: 151
Origin: http://localhost:4000
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
The request parameters are:
documentID=59f4ee92be4becd967a573ca&title=Captain%20America%3A%20Civil%20UnWar&release=2016&score=9&reviewer=%20Janet%20Garcia&publication=%20MoviesNow
Chrome shows the PUT as having failed after 4 mins.
The data is not getting posted to Mongo, nor do I get any response from the server.
Here is the relevant code:
Web App
$(".panel").each(function (index) {
if ($(this).find("input[name = 'update']").is(":checked")) {
updatedDocument = {
documentID: $(this).data("id"),
title: $(this).find("input#name").val(),
release: $(this).find("input#release").val(),
score: $(this).find("input#score").val(),
reviewer: $(this).find("input#reviewer").val(),
publication: $(this).find("input#publication").val()
};
JSON.stringify(updatedDocument);
console.log(Object.values(updatedDocument));
} // end if
}); // .each
// Now we have the document stored in JSON object, so lets form
// an AJAX req and grab the updated data from our document and send
// a PUT to our API endpoint
$.ajax({
type: 'PUT',
data: updatedDocument,
url: 'http://localhost:8080/movies/updatemovie/' + updatedDocument.documentID,
dataType: 'JSON',
contentType: 'application/json'
}).done(function (response) {
// Check for successful (blank) response
if (response.msg === '') {
// do nothing
}
else {
alert('Error: ' + response.msg);
}
}); // end .done
API
/*
* Put to Update movie.
*/
router.options('updatemovie/:id', cors());
router.put('/updatemovie/:id', cors(), function(req, res) {
const db = req.db;
console.log(req.params.id);
console.log(req.body.publication);
const movieCollection = db.get("movies");
const movieToUpdate = req.params.id; // Assign collection document id from url :id value
const movieTitle = req.body.title;
const movieRelease = req.body.release;
const movieScore = req.body.score;
const movieReviewer = req.body.reviewer;
const moviePublication = req.body.publication;
// Update the movie document from PUT info
movieCollection.update({'_id' : movieToUpdate},
{
$set: {
title: movieTitle,
release: movieRelease,
score: movieScore,
reviewer: movieReviewer,
publication: moviePublication
}
},
function(err) {
res.send((err === null) ? {msg: ''} : {msg: err});
}); // movieCollection .update
});
I get nothing from the console.logs in the API. Any suggestions most welcomed.
UPDATE: By removing line from APP contentType: application/JSON everything now works. I thought I wanted to send data as JSON to my API? Anybody who has any thoughts or input most welcome.
You aren't sending the data as JSON. You've set the content-type header to application/json but the data will still be encoded as application/x-www-form-urlencoded. To send JSON data using jQuery you'd need to encode it yourself:
data: JSON.stringify(updatedDocument),
On the server you'd then need a suitable bodyParser configuration:
app.use(bodyParser.json());
or:
app.use(express.json());
When you removed the line contentType: 'application/json' that header fell back to its default value of application/x-www-form-urlencoded. That matches the format of the data and presumably you have app.use(bodyParser.urlencoded()) or app.use(express.urlencoded()) configured to parse that data. As your data is a flat string/string data structure it doesn't really matter which format you choose, you'll end up with the same values in res.body.

.NET Web API 2 with CORS and Angular Not Working on First Post

I am using .Net ASP Web API V2 with Angular 1 and Auth0.
After initial login through Auth0 I am getting the following error:
XMLHttpRequest cannot load localhost:3001/profile. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'localhost:62379' is therefore not allowed access. The response had HTTP status code 500.
If I refresh I no longer get the error. If I clear the browser data I get the error again but get success after a refresh.
I have CORS enabled in the API config with the required NUGET packages.
I have tried the following solutions because I thought this was a pre-flight issue:
1) Handling the SELECT verb on the controller and globally by intercepting the request.
http://www.jefclaes.be/2012/09/supporting-options-verb-in-aspnet-web.html
2) Adding the select verb as one of the accepted verbs on the controller method.
3) Various answers I have found on here for changing the request.
** I can not share links my rep is too low.
etc.
4) Using a specific origin instead of *
The Controller:
[Route("profile")]
[EnableCors(origins: "*", headers: "*", methods: "OPTIONS")]
public HttpResponseMessage Options()
{
var resp = new HttpResponseMessage(HttpStatusCode.OK);
resp.Headers.Add("Access-Control-Allow-Origin", "*");
resp.Headers.Add("Access-Control-Allow-Methods", "*");
return resp;
}
[Route("profile")]
[EnableCors(origins: "*", headers: "*", methods: "POST")]
[HttpPost]
public object Post([FromBody]dynamic data)
{
string email = null;
var b = new object();
try
{
**** Logic ****
}
catch (Exception ex)
{
**** Return Error ****
}
return b;
}
API Config
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
var cors = new EnableCorsAttribute(
origins: "*",
headers: "*",
methods: "*");
// Web API configuration and services
config.EnableCors(cors);
var clientID = WebConfigurationManager.AppSettings["auth0:ClientId"];
var clientSecret = WebConfigurationManager.AppSettings["auth0:ClientSecret"];
config.MessageHandlers.Add(new JsonWebTokenValidationHandler()
{
Audience = clientID, // client id
SymmetricKey = clientSecret // client secret
});
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}
The Angular Request
function postLogin() {
var loginPackage = [];
if (token === null) token = store.get('token');
if (store.get('profile') != null) {
loginPackage = store.get('profile');
}
return $q(function(resolve, reject) {
$http({
method: 'Post',
url: BASE + 'profile',
data: loginPackage,
crossDomain: true,
xhrFields: {
withCredentials: true
},
contentType: 'application/json'
})
.success(function(data, status) {
*** Logic ***
resolve(function() {
resolve(true);
});
})
.error(function(data, status) {
reject(function() {
});
});
});
}
I think I may have been looking at this for too long and have overlooked something fairly simple.
////**** Update ****////
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcaWFteWFcRGVza3RvcFxOZXcgZm9sZGVyICgzKVx3ZWJhcGlcQXBpXHByb2ZpbGU=?=
X-Powered-By: ASP.NET
Date: Sun, 08 Jan 2017 00:17:26 GMT
Content-Length: 709
//* UPDATE *///
With a clean browser cache REQUEST (Fails)
POST /profile HTTP/1.1
Host: localhost:3001
Connection: keep-alive
Content-Length: 2372
Accept: application/json, text/plain, */*
Origin: http://localhost:62379
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Authorization: Bearer null
Content-Type: application/json;charset=UTF-8
Referer: http://localhost:62379/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
I thought this may be the pre-flight but it is my understanding that would be with the OPTIONS verb not the POST verb.
The authorisation is not correctly set by the looks of it.
Authorization: Bearer null
The Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcaWFteWFcRGVza3RvcFxOZXcgZm9sZGVyICgzKVx3ZWJhcGlcQXBpXHByb2ZpbGU=?=
X-Powered-By: ASP.NET
Date: Sun, 08 Jan 2017 00:31:49 GMT
Content-Length: 709
A second Post is sent immediately after and is successful. It is actually the pre-flight.
The Request:
OPTIONS /profile HTTP/1.1
Host: localhost:3001
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:62379
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Access-Control-Request-Headers: authorization, content-type
Accept: */*
Referer: http://localhost:62379/index.html
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
And the Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: authorization,content-type
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcaWFteWFcRGVza3RvcFxOZXcgZm9sZGVyICgzKVx3ZWJhcGlcQXBpXHByb2ZpbGU=?=
X-Powered-By: ASP.NET
Date: Sun, 08 Jan 2017 00:34:43 GMT
Content-Length: 0
Because of this I can not get beyond the login view. The loading screen sits on error. If I refresh and login again there is no error.
The Request:
POST /profile HTTP/1.1
Host: localhost:3001
Connection: keep-alive
Content-Length: 2367
Accept: application/json, text/plain, */*
Origin: http://localhost:62379
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3ltdC5hdXRoMC5jb20vIiwic3ViIjoiZmFjZWJvb2t8MTAxNTM4MjIxOTc4MTIyNTEiLCJhdWQiOiJWWDhHMFMyUWM5cUFjYnRrM09pMVZMa2NkWGxnWlBtZSIsImV4cCI6MTQ4Mzg3MTMyNywiaWF0IjoxNDgzODM1MzI3fQ.HBQcGC6aad2pLaq3nPuhojrFT2b6Usv64p97b-DCRCU
Content-Type: application/json;charset=UTF-8
Referer: http://localhost:62379/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
The Authorization field now has the token instead of the null value:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3ltdC5hdXRoMC5jb20vIiwic3ViIjoiZmFjZWJvb2t8MTAxNTM4MjIxOTc4MTIyNTEiLCJhdWQiOiJWWDhHMFMyUWM5cUFjYnRrM09pMVZMa2NkWGxnWlBtZSIsImV4cCI6MTQ4Mzg3MTMyNywiaWF0IjoxNDgzODM1MzI3fQ.HBQcGC6aad2pLaq3nPuhojrFT2b6Usv64p97b-DCRCU
The response is success and login proceeds.
The token seems to be injected only after a refresh.
My AUTH0 Config is:
authProvider.init({
domain: A0_DOMAIN,
clientID: A0_CLIENT,
callbackUrl: location.href,
loginState: 'out.login',
options:options
});
var refreshingToken = null;
jwtInterceptorProvider.tokenGetter = function(store, jwtHelper) {
var token = store.get('token');
var refreshToken = store.get('refreshToken');
if (token) {
if (!jwtHelper.isTokenExpired(token)) {
return store.get('token');
} else {
if (refreshingToken === null) {
refreshingToken = auth.refreshIdToken(refreshToken)
.then(function(idToken) {
store.set('token', idToken);
return idToken;
})
.finally(function() {
refreshingToken = null;
});
}
}
}
};
jwtOptionsProvider.config({
whiteListedDomains: ['localhost','https://www.ymtechno.com','https://www.ymtechno.com/_api','https://ymtechno.com/_api']
});
$httpProvider.interceptors.push('jwtInterceptor');
})
.run(function($rootScope, auth, store, jwtHelper, $location) {
var refreshingToken = null;
$rootScope.$on('$locationChangeStart',
function() {
var token = store.get('token');
var refreshToken = store.get('refreshToken');
if (token) {
if (!jwtHelper.isTokenExpired(token)) {
auth.authenticate(store.get('profile'), token);
} else {
if (refreshingToken === null) {
refreshingToken = auth.refreshIdToken(refreshToken)
.then(function(idToken) {
store.set('token', idToken);
return idToken;
})
.finally(function() {
refreshingToken = null;
});
return refreshingToken;
} else {
$location.path('login');
}
}
}
});
auth.hookEvents();
After investigating I found the interceptor was not putting the token into the auth header until the application was restarted. This was read as a CORS error because the request was not meeting the criteria for accessing the API. The token value was undefined.
A more in-depth thread about injectors and headers can be found here: Set HTTP header for one request. In the event that you come across the same issue, it is a useful reference.
