I am using JWT token authentication with Django REST
$ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/
and then
$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/
My points is if someone has to enter username / password in curl to get token and then use that token to get url in 2 steps. Then why not use username / password with basic authentication . as that will be with one request only.
What advantage will token give us . we have to type username / password anyway in token AUTH as well
You are right, if that would be the normal workflow there would be not much advantage. Expect that token auth has slightly better performance, because you don't have to hash the password.
But normally the token is stored on the client side. Imagine a mobile app. There you login once to obtain and store the token. Now you can do authenticated API requests without username/password.
Related
i have problem for running postman POST using python code.
first i generate python code from fiddler, i capture when i running postman POST from website.
Capture with fiddler
and then the problem is here, the bearer token only work 5-15minutes, after that i got response 401, because bearer token is expired.
Python Code for running my postman
so i want to change the Bearer token to basic auth ( use my user and password of my postman acc)
i already try change Authorization value to apikey and base64encode(user:pass) still not working.
please who experince in this , help my case, thanks.
I am developing an app that will read some tweets stats of my company. I want to let all the employees to connect with their twitter accounts.
I am facing the following problem: I am stuck at the "Exchange authorization code for access token".
The response url after Authorize is: https://example/v1/browser-callback?state=state&code=all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I suppose I have to change the code all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX for access_token and access_token_secret, but I did not find how to do that on the documentation that twitter offers to us.
You need first to know the type of flow you are trying to implement
First you need to know what is the grant type of your client_id in the twitter side, i see in the callback there is code that means you are in normal authorization code or Authorization Code Flow with Proof Key for Code (PKCE), to know that check in your first call to twitter if you see in the params code_challenge and code_challenge_method if yes It's PKCE flow;
Second, I see that you have successfully done the first step of flow, then if you are in the PKCE, you need in your callback to send another request to get a final token like this:
client_id=your client_id&
code_verifier=the code generated by the application in the first step&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&
grant_type=authorization_code&
code=the code sent from twitter
I'm not sure what the docs looked like back in March, but to do this now you simply need to build the request headers with the code argument from the redirect URL. From the example url you gave (https://example/v1/browser-callback), your code is:
all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And the curl request you would make for a private client to retrieve the user's bearer and refresh token would be:
curl --location --request POST 'https://api.twitter.com/2/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic YOUR_BASE64_ENCODED_ClientID:ClientSecret_HERE'\
--data-urlencode 'code=all0UTY5TVVMYmctNjZEQVpYYYYYYYYZZZZZXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=https://example/v1/browser-callback' \
--data-urlencode 'code_verifier=challenge'
where YOUR_BASE64_ENCODED_ClientID:ClientSecret_HERE is (per the docs):
To create the basic authorization header you will need to base64 encoding on your Client ID and Client Secret which can be obtained from your App’s “Keys and Tokens” page inside of the developer portal.
You'll need to make this request to get the initial bearer token/refresh token for private clients within 30 seconds of receiving the code at your callback URL after the user has authorized your app.
thanks for reading - my questions are simple:
What am I doing wrong?
What am I missing?
Do I need to additional access to make use of the report engine?
I cannot seem to obtain balance or transaction data from my pp account using a simple python client despite what appears to be correct use of documented APIs.
I have:
a business account
dev portal access
valid creds for a Sandbox and Live API use
My py client wraps a few API calls and successfully completes the following:
obtain API token using dev portal creds
use API token to make valid HTTP requests to the balances and transactions API resources
API responses indicate 200 OK
However, except for the OAuth token request, all of the responses all say Empty XML data
Pseudo-sample code
# -- pp_auth_header is a global, contains Auth Bearer token
def get_balances():
print("get_balances...")
headers = pp_auth_header
endpoint = "/v1/reporting/balances"
query = "?currency_code=USD&as_of_time=2021-02-22T00:00:00-0700"
r = requests.get(pp_report_eng_url + endpoint + query, headers=pp_auth_header)
print("get_balances - status: {}".format(r.status_code))
if r.status_code == 200:
print("get_balances - r.text: {}".format(r.text))
# -- output of the above is
get_balances...
get_balances - url: https://api-m.sandbox.paypal.com/v1/reporting/balances?currency_code=USD&as_of_time=2021-02-22T00:00:00-0700
get_balances - status: 200
get_balances - r.text: Empty XML data
Generate an acess_token and then test from the command line with curl, as documented:
curl -v -X GET
https://api-m.sandbox.paypal.com/v1/reporting/balances?currency_code=USD&as_of_time=2016-10-15T06:07:00-0700
\
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token"
Ensure you pass the headers described there, including "Content-Type: application/json".
PayPal REST APIs do not return XML.
If this doesn't work, post the output of that curl -v command as well as the scopes returned by the oauth2 token request. Update your question with those details.
I am trying to run a python script on a remote server which i dont trust. The script contains a password that is kind of important.
What would be a good way to protect that code/password?
I would give it as an argument or i could prompt input on the terminal but that would be saved in history.
Store password with code on untrustworthy server, that definitely unsafe. You have to change the way like below if you can.
on the server you control, encrypt password with pub_key
general the different pub_key/private_key every request
the client you don't trust get id and encrypt_msg with auth
the password_required server get the id and private_key and decrypt encrypt_msg from client and compare the password.
delete the auth if the client is useless any more.
The ideal way to handle it would be using REST-Api calls from a trusted server.
On the untrusted server, you can store the encoded password.
EDIT 1: As #Luke has pointed out in the comments below, base64 owing to its simplicity can be easily decrypted. As suggested, we should implement a symmetric algorithm and then store the key on your trusted server.
You can explore the pycrypto library that has AES, DES etc.
The link for pypi .
import base64
encoded = base64.urlsafe_b64encode('MyPassword')
## returns 'TXlQYXNzd29yZA=='
Store this on the un-trusted server and then decode on the trusted server to generate the expiry-based password.
import base64
original = base64.urlsafe_b64decode(encoded)
# Returns MyPassword
Step-1 : Setup a password generation program on your trusted server
Step-2 : Define the get and post methods for your program
Step-3 : From the remote server, first do a GET Authorization token
command. If this token matches, generate a password with time-limit
expiry.
Step-4 : Handover this to the server. Reset it after the expired
time.
Sample post calls to get temporary passoword will be:
curl -L https://sandbox.trustedserver.com/v1.0/oauth/token/
-X post
-H 'Content-Type: application/json'
-H 'Authorization: Basic [Base64_Credentials]'
-d '{ "grant_type": "client_credentials" }
Sample response will be a access token that expires in 500 seconds:
{
"token_type": "bearer",
"access_token": "TXlQYXNzd29yZA==",
"expires_in": 500
}
Hope it helps.
I am using tastyPie 0.9.11 to create a RESTful API.
I got the API working ok, but then when I added APIKeyAuthentication I couldn't get the POST request to work.
I have set authentication/authorization in my resource meta as:
authentication = ApiKeyAuthentication()
authorization= Authorization()
and I have manually added an API key in the admin site for user admin, with key 1234567890.
When I do a GET it works ok (http://127.0.0.1:8000/api/v1/application/?format=json&username=admin&api_key=1234567890 )
However when I try to do a POST using curl:
curl --dump-header - -H "Authorization: ApiKey admin:1234567890" -H "Content-Type: application/json" -X POST --data '{"user": "/api/v1/user/1/", "title":"api test application"}' http://localhost:8000/api/v1/application/
I get a 401 not authorized error.
I am following the documentation by adding the Authorization header, but maybe there is something else I am doing wrong?
Specifying the ApiKey via header was added after v0.9.11. It will be in the v0.9.12 release.