I am using flasgger to generate swagger UI for API's in flask.
I have an API endpoint http://localhost:5000/api/token which gives back token, if correct username and password is given, everything is fine, only problem is password is sent in clear text, I want to encrypt password while posting through swagger and decrypt it in flask.
curl generated is
curl -X POST "http://localhost:5000/api/token" -H "accept: application/json" -H "Content-Type: application/json" -d "{"password": "mypassword", "username": "myuser"}"
How can I encrypt password value in swagger or flasgger. I tried below but didn't see any change.
Token:
type: object
properties:
username:
type: string
description: 'enter your username'
example:"myuser"
password:
type: string
description: 'enter your password'
example: 'mypassword'
format: base64
Thanks in advance!
Related
I am trying to get the Indeed vacanties of my company via API with python. I am following https://developer.indeed.com/docs/authorization/3-legged-oauth and https://mathiashaentjens.medium.com/how-do-you-extract-data-using-the-indeed-api-and-build-your-own-indeed-campaign-reporting-8127252ef073.
I create Indeed API keys and recevive the Authorization Code. But i couldnt get Access Token. I send the same POST as documents via curl and python requests but i got this error;
{'error_description': 'Your request might include sensitive information passed in the URL query string. Parameters must be passed in the HTTP request body using the application/x-www-form-urlencoded format (See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3). For increased security, we recommend that you periodically rotate your application secret at https://secure.indeed.com/account/apikeys.', 'error': 'invalid_request'}
My python code is like;
headers = {'content-type': 'application/x-www-form-urlencoded','accept':'application/json'}
payload = {'code':'XXXX', 'client_id':'XXXX', 'client_secret':'XXXX', 'redirect_uri': 'http://localhost', 'grant_type':'authorization_code'}
response = requests.post('https://apis.indeed.com/oauth/v2/tokens', params=urllib.parse.urlencode(payload), headers=headers)
response.json()
and via command line;
curl -X POST -H "Content-Length: 0" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" "https://apis.indeed.com/oauth/v2/tokens?code=XXXX&client_id=XXXX&client_secret=XXXX&redirect_uri=http://localhost&grant_type=authorization_code"
Is there anyone familiar with this error?
I have started using apidoc for generating REST api documentation. I have tried different things with it.
In my flask based api application, I use JWT (flask-jwt in particular) for authentication. The doc gets generated properly, but the request from the doc doesn't happen properly.
This is where I have put the docsting for generating the doc
def authenticate(username, password):
"""
#api {post} /auth Authentication url
#apiName Authentication
#apiGroup Login
#apiParam {String} username Username of the user
#apiParam {String} password Password of the user
#apiSuccess {String} access_code JWT
#apiSuccessExample Success Response
HTTP/1.1 200 OK
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6IjM5MDA4MGExLWY0ZjctMTFlNS04NTRkLTI4ZDI0NDQyZDNlNyIsImlhdCI6MTQ1OTE3ODE0NSwibmJmIjoxNDU5MTc4MTQ1LCJleHAiOjE0NTkxNzg0NDV9.nx_1a4RmvJ7Vlf1CvnMzqoTfzChcuJnDb1Tjy1_FnXw"
}
#apiErrorExample Invalid Credentials
{
"description": "Invalid credentials",
"error": "Bad Request",
"status_code": 401
}
"""
user = session.query(User).filter_by(username=username).first()
if user and user.is_correct_password(password):
return user
return False
And when I generate the doc, it get's generated properly
$ apidoc -i onehop/ -o doc
But when I pass credentials from the generated doc, the request fails. The request data I get in flask's request is '' (empty)
It also fails even after including the Content-Type header in the docstring. The request data I get in flask's request is username=test#example.com&password=test123
I have confirmed above by putting debug points in Flask-JWT's code
def _default_auth_request_handler():
data = request.get_json() # My debug poing
username = data.get(current_app.config.get('JWT_AUTH_USERNAME_KEY'), None)
password = data.get(current_app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
But when I make the same request using postman it happens properly.
Postman headers
Apidoc headers
What did I miss?
I am using JWT token authentication with Django REST
$ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/
and then
$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/
My points is if someone has to enter username / password in curl to get token and then use that token to get url in 2 steps. Then why not use username / password with basic authentication . as that will be with one request only.
What advantage will token give us . we have to type username / password anyway in token AUTH as well
You are right, if that would be the normal workflow there would be not much advantage. Expect that token auth has slightly better performance, because you don't have to hash the password.
But normally the token is stored on the client side. Imagine a mobile app. There you login once to obtain and store the token. Now you can do authenticated API requests without username/password.
If I have the following curl request:
curl --dump-header - -H "Content-Type: application/json" -u TEST:TEST -X POST --data '{"alert": "[\"CPU\", \"Server\", \"Heartbeat\", \"Ping\"]", "id": 11, "pattern": ".*\\.websys\\.tmcs", "product": "TMOL", "pub_date": "2014-08-05 12:15:17", "resource_uri": "/tool/api/v1/sys_team/11/", "sys_team": "WebSys#xxxxxx.com","group":"WebSys"}' http://localhost:8000/tool/api/v1/sys_team/
Is there anyway I can get access to the -u information (specifically the username)? I can't use request.user.username because I want to authenticate the user based on the group he/she is in so it defaults to Anonymous user because it isn't authenticated yet.
The command you wrote will send the TEST username and TEST password using the HTTP header Authorization.
Authorization: USERNAME THE_PASSWORD_USING_BASE64_ENCODING
You can read more about the Basic access authentication here: http://en.wikipedia.org/wiki/Basic_access_authentication
I am using tastyPie 0.9.11 to create a RESTful API.
I got the API working ok, but then when I added APIKeyAuthentication I couldn't get the POST request to work.
I have set authentication/authorization in my resource meta as:
authentication = ApiKeyAuthentication()
authorization= Authorization()
and I have manually added an API key in the admin site for user admin, with key 1234567890.
When I do a GET it works ok (http://127.0.0.1:8000/api/v1/application/?format=json&username=admin&api_key=1234567890 )
However when I try to do a POST using curl:
curl --dump-header - -H "Authorization: ApiKey admin:1234567890" -H "Content-Type: application/json" -X POST --data '{"user": "/api/v1/user/1/", "title":"api test application"}' http://localhost:8000/api/v1/application/
I get a 401 not authorized error.
I am following the documentation by adding the Authorization header, but maybe there is something else I am doing wrong?
Specifying the ApiKey via header was added after v0.9.11. It will be in the v0.9.12 release.