Develop Reference

Browser not saving cookie sent by Golang backend

I know this question has been asked a bunch of times, but I tried most of the answers and still can't get it to work.
I have a Golang API with net/http package and a JS frontend. I have a function
func SetCookie(w *http.ResponseWriter, email string) string {
val := uuid.NewString()
http.SetCookie(*w, &http.Cookie{
Name: "goCookie",
Value: val,
Path: "/",
})
return val
}
This function is called when the user logs in, and I expect it to be sent to all the other endpoints. This works as expected with Postman. However, when it comes to the browser, I can't seem to get it to remember the cookie or even send it to other endpoints.
An example of JS using an endpoint
async function getDataWithQuery(query, schema){
let raw = `{"query":"${query}", "schema":"${schema}"}`;
let requestOptions = {
method: 'POST',
body: raw,
redirect: 'follow',
};
try{
let dataJson = await fetch("http://localhost:8080/query/", requestOptions)
data = await dataJson.json();
}catch(error){
console.log(error);
}
return data;
}
I tried answers like setting SameSite attribute in Golang, or using credential: "include" in JS with no luck.

Thanks to the discussion in the comments, I found some hints about the problem.
Saving cookies (both API and frontend on the same host)
I used document.cookie to save the cookie. I set the options by hand since calling res.cookie on the response of the API fetch only returned the value. An example is document.cookie = `goCookie=${res.cookie}; path=/; domain=localhost;.
Sending cookies
This has been answered before in previous questions and answered again in the comments. The problem was that I used credential:'include' instead of the correct credentials:'include' (plural).
CORS and cookies
In case the API and the frontend are not on the same host you will have to modify both the API and the frontend.
frontend
The cookie has to have the domain of the API since it's the API that requires it, not the frontend. So, for security reasons, you can't set a cookie for a domain (API) from another domain (frontend). A solution would be redirect the user to an API endpoint that returns Set-Cookie header in the response header. This solution signals the browser to register that cookie with the domain attached to it (the API's domain, since the API sent it).
Also, you still need to include credentials:'include' in the frontend.
API
You will need to set a few headers. The ones I set are
w.Header().Set("Access-Control-Allow-Origin", frontendOrigin)
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, withCredentials")
w.Header().Set("Access-Control-Allow-Methods", method) // use the endpoint's method: POST, GET, OPTIONS
You need to expose the endpoint where the frontend will redirect the user and set the cookie in the response. Instead of setting the domain of the API by hand, you can omit it, the browser will fill it with the domain automatically.
To handle the CORS and let JS send the cookie successfully, you will have to set the SameSite=None and Secure attributes in the cookie and serve the API over https (I used ngrok to make it simple).
Like so
func SetCookie(w *http.ResponseWriter, email string) string {
val := uuid.NewString()
http.SetCookie(*w, &http.Cookie{
Name: "goCookie",
Value: val,
SameSite: http.SameSiteNoneMode,
Secure: true,
Path: "/",
})
// rest of the code
}
I recommend you also read the difference between using localStorage and document.cookie, it was one of the problems I had.
Hope this helps.

How to set hostname used in JavaMail or Apache James Message-Id header?

I am having issues with mail bouncing when sending from my own server to my own active yahoo account using JavaMail. The mails are passing SPF, DKIM and DMARC according to google mail that receives the same messages being bounced by yahoo. I can send messages from other accounts to my yahoo account without issue.
The messages send fine from my server to ZMail, GMail, Microsoft mail. Looking at the emails, the only thing that I have noticed is the message header for the Message-Id. My messages have the following header:
Message-ID: <923936395.17.1634776639078#[internally visible hostname]>
I am wondering if this header could be the problem and whether there is a way in JavaMail or in the Apache James to set the hostname or IP address that gets used in this message so that rather than using the "internally visible hostname", I can get the hostname that is externally visible. I have been searching the available documentation for Apache James and JavaMail but have not found any parameters to try in order to resolve this.

According to the Decompiled SRC of sun mail it should be possible by setting some properties for your session.
props.setProperty("mail.from", user);
props.setProperty("mail.host", host);
//props.setProperty("mail.user", user);
The Id will be updated by the save method (saveChanges()) and will trigger an new ID generation (updateHeaders() -> updateMessageID()). (Looked up in the decompiled MimeMessage.class)
Leading to the HostPart called in javax.mail.internet.InternetAddress.
The relevant method is _getLocalAddress.
Here you can see that the values get extracted from the Properties or will fallback to your local machine.
Used Fields:
user.name
mail.from
mail.user
mail.host
The user.name property can also be looked up from the system props.

BizTalk 2016: How to use HTTP Send adapter with API token

I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:
string apiUrl = "https://api.site.com/endpoint/<method>?";
string dateFormat = "dateFormat = 2017-05-01T00:00:00";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("token", "<token>");
client.DefaultRequestHeaders.Add("Accept", "application/json");
string finalurl = apiUrl + dateFormat;
HttpResponseMessage resp = await client.GetAsync(finalurl);
if (resp.IsSuccessStatusCode)
{
string result = await resp.Content.ReadAsStringAsync();
var rootresult = JsonConvert.DeserializeObject<jobList>(result);
return rootresult;
}
else
{
return null;
}
}
however I want to use BizTalk to make the call and handle the response.
I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.
Does anyone know how this might be done in the wcf-http send adapter?

Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.
One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.
Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.
You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication
Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!

Figured it out. I should have used the 'Certificate' for client credential type.
I just had to:
Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).
I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).

Invalid tag for push notifications in Windows Azure

I am building a Windows Phone 8.1 application and want to add push notifications from Windows Azure. I am creating the channel by using CreatePushNotificationChannelForApplicationAsync, after which I take the resulting URI and store it in the Azure database. When trying to send a push notification by using push.wns.sendToastText01, I get the following error in the Azure logs:
Error in script '/table/Message.insert.js'. Error: 400 - An invalid tag 'https://db3.notify.windows.com/?token=AwYAAAC3tTi3W5ItZ0hWdZ3FLmELt%2flHcwpsM...' was supplied. Valid tag characters are alphanumeric, _, #, -, ., : and #.
I noticed that the channel URI contains the '%' which does not appear among the valid characters, yet that is the URI that gets generated in the client application. Am I using a wrong method for sending push notifications or is there something else I am missing?
Edit: I am using Node.js for backend in Azure.
request.execute({
success: function() {
push.wns.sendToastText01(channelUri, {
text1: "Google Plus Friend Tracker",
text2: item.content,
param: '/ChatPage.xaml?friendGoogleId=' + item.author_id
})
}
});

Looking at the wns object documentation, the first parameter would be the tags that you are sending to. Since you're providing a channel in the code above, you are getting the error specified.
The backend does not need to provide the channel URI, as this was associated with the Notification Hub via the client-side registration action. If you are broadcasting the message, you would just provide null as the tag value. Otherwise, you can use the tags that were specified when you registered the channel URI.
For more about the process, see the "Get started with push" tutorial. There is also an example of using a tag (user ID) in the "Send push notifications to authenticated users" tutorial. For more on tags in general, the Notification Hubs breaking news tutorial is also good.

ArangoDB authentication via HTTP

I've seen examples of how to authenticate with a database using arangosh, but I couldn't find anything in the documentation about how to authenticate via the http API. Is this possible? Is it something like this:
http://username:passwd#arangouri.com:8529/_api/document

From the command line, you can do something like this to pass HTTP basic authentication to the server:
curl --basic --user "username:passwd" -X GET http://arangouri.com:8529/_api/document/...
The above example is for curl. If you use any other HTTP client, you have to find the options for setting the username / password for HTTP basic authentication and send them to the server.

Ok, after playing around with authentication in Arango DB on Windows here is what I have found:
I could not get this command to work (which is supposed to enable authentication)
--server.disable-authentication false
UPDATE: I realized I couldn't get this command working because it's not a command at all :-o After looking more closely at the documentation it's a command line option. It should be used when you start arangosh. See documentation here.
I assume I need to adapt it somehow to work in a windows command prompt, but I'm not sure what needs to change. As a work around I opened the file "arangod.conf" (I found it here C:\Program Files (x86)\ArangoDB 1.4.7\etc\arangodb) and changed the following line:
disable-authentication = yes
to
disable-authentication = no
This enabled authentication when I restarted Arango. Yay!
Now to authenticate via http... very simple. It's just basic HTTP auth. So in my case I was using NodeJS and the request library to authenticate. Both examples below work fine.
Credentials appended with .auth:
request({
url:'http://localhost:8529/_api/document/example/20214484',
json: true
}, function (err, data){
console.log(err);
if (data.body.error) console.log("ERROR: " + data.body.errorMessage);
console.log(data.body);
}).auth("username", "password");
OR with credentials in url:
request({
url:'http://username:password#localhost:8529/_api/document/example/20214484',
json: true
}, function (err, data){
console.log(err);
if (data.body.error) console.log("ERROR: " + data.body.errorMessage);
console.log(data.body);
});

It's done through Authorization header where you set authentication mechanism (e.g. Basic) followed by base64 encoded string in format [username]:[password]. More information can be found for example here.