Why am I getting an "Invalid token" when requesting the cube.js API? - cube.js

I have deployed cube.js via a Helm chart I've created to an AWS EKS cluster. One of the first errors I encountered was that the environment variable CUBEJS_API_SECRET is required. In a docker-compose deployment this secret is automatically generated, but OK, I made an AWS Secrets Manager secret comprised of a random 256-bit string, and synced this with a Kubernetes secret injected into the API service pod as CUBEJS_API_SECRET. I can exec into the API service pod and echo this variable to confirm it is saved correctly.
I am trying to test the deployment by curling the API service:
$ curl -vvv -H "Authorization: <The API token I generate below>" -G --data-urlencode 'query={"measures":["EventAuthentication.count"]}' localhost:4000/cubejs-api/v1/load
* Trying 127.0.0.1:4000...
* Connected to localhost (127.0.0.1) port 4000 (#0)
> GET /cubejs-api/v1/load?query=%7B%22measures%22%3A%5B%22EventAuthentication.count%22%5D%7D HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.84.0
> Accept: */*
> Authorization: <The API token I generate below>
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Content-Type: application/json; charset=utf-8
< Content-Length: 25
< ETag: W/"19-1luTU257I9tvKUXOJotGBQDVDqk"
< Date: Tue, 20 Dec 2022 21:58:05 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
{"error":"Invalid token"}
I am not quite sure why this token is invalid. I can enter the token and the CUBEJS_API_SECRET at https://jwt.io/ and the website says that the token is valid.
I am following the documentation on generating this token. This is the script I use (exactly as the documentation suggests):
const jwt = require('jsonwebtoken');
const CUBE_API_SECRET = '<the CUBEJS_API_SECRET environment variable>';
const cubejsToken = jwt.sign({}, CUBE_API_SECRET, { expiresIn: '30d' });
console.log(cubejsToken);
I have asked this question of the cube.js Slack organization and no one is responding: what am I missing and why is this token invalid? It appears that I am following the documentation correctly, and I have no further information from pod logs or the response as to why the token is invalid.
A second question is, what even is this CUBEJS_API_SECRET environment variable? The documentation on this is sparse: "The secret key used to sign and verify JWTs. Generated on project scaffold with npx cubejs-cli create."

Related

AWS GO SDK returns "AuthFailure: AWS was not able to validate the provided access credentials"

I am developing a simple automation tool using a Go Fiber HTTP server to start and stop AWS instances using the Go SDK v1.44.156.
The service listens to an endpoint at /csm/aws/:region/:instance_id/powerOn.
My code works well when I send requests from Postman. When I send requests using the Go HTTP client, AWS returns the following error:
AuthFailure: AWS was not able to validate the provided access credentials
The Postman request that works fine:
2022/12/23 16:26:12 Request came :#0000000100000003 - 127.0.0.1:7000 <-> 127.0.0.1:34976 - POST http://127.0.0.1:7000/csm/aws/us-east-1/i-0f9c5fe6b5c7b0a87/powerOn
Params: map[instance_id:i-0f9c5fe6b5c7b0a87 region:us-east-1]
Request: POST /csm/aws/us-east-1/i-0f9c5fe6b5c7b0a87/powerOn HTTP/1.1
User-Agent: PostmanRuntime/7.30.0
Host: 127.0.0.1:7000
Content-Type: application/json
Content-Length: 136
Accept: */*
Postman-Token: e27b899f-5125-497a-b154-61cd3214cd74
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
{"aws_access_key_id":"my-id","aws_secret_access_key":"my-key","account":"","region":""}
The Go request which returns the error:
2022/12/23 16:22:02 Request came :#0000000200000002 - 127.0.0.1:7000 <-> 127.0.0.1:34278 - POST http://127.0.0.1:7000/csm/aws/us-east-1/i-0f9c5fe6b5c7b0a87/powerOn
Params: map[instance_id:i-0f9c5fe6b5c7b0a87 region:us-east-1]
Request: POST /csm/aws/us-east-1/i-0f9c5fe6b5c7b0a87/powerOn HTTP/1.1
User-Agent: Go-http-client/1.1
Host: 127.0.0.1:7000
Content-Type: application/json
Content-Length: 136
Accept-Encoding: gzip
{"aws_access_key_id":"my-id","aws_secret_access_key":"my-key","account":"","region":""}
I searched on the web and I found information about this error message. It seems like it can be due to the time of the PC so I set my computer's time to automatic, but I see the same error.
My code was working a few days ago.

Google Cloud Run: Webhook POST causes 400 Response

We are catching a BigCommerce webhook event in our Google Cloud Run application. The request looks like:
Headers
host: abc-123-ue.a.run.app
AccountId: ABC
Content-Type: application/json
Password: Goodbye
Platform: BC
User-Agent: akka-http/10.1.10
Username: Hello
Content-Length: 197
Connection: keep-alive
Body
{"created_at":1594914374,"store_id":"1001005173","producer":"stores/gy68868uk5","scope":"store/product/created","hash":"139fab64ded23b3e1b8473ba24ab21bedd3f535b","data":{"type":"product","id":132}}
For some reason, this causes a 400 response from Google Cloud Run. Our application doesn't even seem to be passed the request. All other endpoints work (including other post requests).
Any ideas?
Edit
In the original post, I had the path in the host header. This was a mistake made in creating this post and not the actual value passed to us. We can only inspect the request via Requestbin (I can't find the request values anywhere in Google logs) so I'm speculating on the host value and made a mistake writing it out here.
Research so far...
So upon further testing, it seems that BigCommerce Webhooks also fail to send to any Google Cloud Function we set up. As a workaround, I'm having Pipedream catch the webhook and send the payload to our application. No problems there. This endpoint also works with mirror payloads from local and Zapier which seems to eliminate authentication errors.
We are running FastAPI on Google Run and the simplest function on Google Cloud Functions. This seems to be an error with how Google Serverless and BigCommerce Webhook Events communicate with each other. I'm just not sure how...
Here are the headers we managed to capture on one of the only times a BigCommerce Webhook Event came through to our Google Cloud Function:
Content-Length: 197
Content-Type: application/json
Host: us-central1-abc-123.cloudfunctions.net
User-Agent: akka-http/10.1.10
Forwarded: for="0.0.0.0";proto=https
Function-Execution-Id: unes7v34vzyo
X-Appengine-Country: ZZ
X-Appengine-Default-Version-Hostname: f696ddc1d56c3fd66p-tp.appspot.com
X-Appengine-Https: on
X-Appengine-Request-Log-Id: 5f10e15c00ff082ecbb02ee3a70001737e6636393664646331643536633366643636702d7470000165653637393633633164376565323033383131366437343031613365613263303a36000100
X-Appengine-Timeout-Ms: 599999
X-Appengine-User-Ip: 0.0.0.0
X-Cloud-Trace-Context: a62207698d141465d0f38488492d088b/9870406606828581415
X-Forwarded-For: 0.0.0.0
X-Forwarded-Proto: https
Accept-Encoding: gzip
Connection: close
> host: abc-123-ue.a.run.app/bigcommerce/webhooks/
This is most likely the issue. Host headers must contain only the hostname, not the request /paths.
You can clearly see this will fail:
$ curl -IvH 'Host: pdf-2wvlk7vg3a-uc.a.run.app/foo' https://pdf-2wvlk7vg3a-uc.a.run.app
...
HTTP/2 400
However if you don't craft the Host header yourself, it will work.

Django on Gunicorn/Nginx - Stripe Webhooks Always Getting 400

Production Setup: Django v3.0.5 on Nginx / Gunicorn / Supervisor (I followed directions from here)
(I don't think this is any issue, but I am using dj-stripe for Django/Stripe integration)
While on development (Django's built-in HTTP server), everything seems to work (i.e. Stripe can send webhook events just fine). However, on production, I get emails saying that Stripe can't reach my server.
When I run
curl -D - -d "user=user1&pass=abcd" -X POST https://my.server/stripe/webhook/
I get this response
HTTP/1.1 400 Bad Request
Server: nginx/1.15.9 (Ubuntu)
Date: Thu, 18 Jun 2020 19:44:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Vary: Cookie
However, non-webhook (i.e. visiting the website via browser) seems to work normally.. just webhooks.
Any idea where this is going wrong?
Your request doesn't have the Stripe secret which is needed for authentication.
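The check the answer refers to, as an added example that is not from the original thread and is not dj-stripe's code: Stripe sends a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex HMAC-SHA256 of "timestamp.rawBody">`, keyed with the endpoint's signing secret. The function names are hypothetical, and the secret, event body and timestamps are constructed.

```javascript
const crypto = require('crypto');

// Parse "t=<unix ts>,v1=<hex>[,v1=<hex>...]" into a timestamp and the v1 signatures.
function parseSigHeader(header) {
  const out = { t: null, v1: [] };
  for (const item of String(header || '').split(',')) {
    const idx = item.indexOf('=');
    if (idx < 0) continue;
    const key = item.slice(0, idx).trim();
    const val = item.slice(idx + 1).trim();
    if (key === 't' && /^\d+$/.test(val)) out.t = Number(val);
    else if (key === 'v1') out.v1.push(val);
  }
  return out;
}

// rawBody must be the request body exactly as received, before any JSON parsing.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const { t, v1 } = parseSigHeader(header);
  if (t === null || v1.length === 0) return { ok: false, reason: 'missing signature' };
  // Reject old or future-dated timestamps so a captured request cannot be replayed later.
  if (Math.abs(nowSec - t) > toleranceSec) return { ok: false, reason: 'timestamp outside tolerance' };
  const expected = crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest();
  const match = v1.some((hex) => {
    const given = Buffer.from(hex, 'hex');
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  return match ? { ok: true } : { ok: false, reason: 'signature mismatch' };
}

// Demo helper: build the header a sender holding the secret would attach.
function signHeader(rawBody, t, secret) {
  const mac = crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
  return `t=${t},v1=${mac}`;
}

// Constructed sample values, not real credentials or a real event.
const WH_SECRET = 'whsec_constructed_example';
const EVENT = '{"id":"evt_constructed","type":"ping"}';
const HEADER = signHeader(EVENT, 1700000000, WH_SECRET);
console.log(verifyStripeSignature(EVENT, HEADER, WH_SECRET, 1700000010));
// The curl test from the question: form body, no Stripe-Signature header.
console.log(verifyStripeSignature('user=user1&pass=abcd', undefined, WH_SECRET, 1700000010));
```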

Get ADFS SAML 2.0 Assertion Response from command line using curl

I would like to know whether Windows Server ADFS really exposes an API to post a SAML request and get a SAML assertion response.
When I enter this in my browser: https://<myfqdn>/adfs/ls/IdpInitiatedSignOn.aspx
I'm presented with a site selection page, as shown in the following image.
Then I choose AWS, and get to the authentication page to provide my AD credentials, after which I get to the AWS console page.
It's a POST request, and if I activate my Google Chrome Developer Tools, for example, I can see the from headers.
However, I'm trying to reproduce the same from my Linux command line using curl, but it's not working.
This is what I'm trying:
$ api_body="{\"service\": \"aws\", \"email\": \"myemail\", \"password\": \"mypass\"}"
$ SAML_IDP_ASSERTION_URL="https://<myfqdn>/adfs/ls/IdpInitiatedSignOn.aspx"
$ curl -sD - -X POST "$SAML_IDP_ASSERTION_URL" -H "Content-Type: application/json" -d "$api_body"
This gives me the following header :
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 12844
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
x-frame-options: DENY
Date: Fri, 22 Mar 2019 10:25:13 GMT
Followed by the site HTML content in my terminal, including JavaScript and others. I don't get or see any JSON data back, nor a SAML Response.
Do you guys have an idea of what's the right command/request to get SAML Response from command line?

I'm trying to curl a GET request

I'm quite new to openstack and software development, but here goes.
I'm trying to curl a GET request via AWS API Gateway.
The curl looks like this:
curl -H "Accept: application/json" -H "Content-Type: application/json" -i GET -d 'name=Claus&username=gettest&password=test' https://xy8fbbpvak.execute-api.eu-west-1.amazonaws.com/prod/adduser
but it gives me this response:
curl: (6) Could not resolve host: GET
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 43
Connection: keep-alive
Date: Tue, 18 Jul 2017 06:10:08 GMT
x-amzn-RequestId: c049f3e5-6b7f-11e7-a380-d966a8908f27
x-amzn-ErrorType: MissingAuthenticationTokenException
X-Cache: Error from cloudfront
Via: 1.1 dc81da318a4ae20e51ccfd9463219596.cloudfront.net (CloudFront)
X-Amz-Cf-Id: BI3LX_cwBic2EtCleIHd6yT0B1p4GRoqEbqx85L1nO2UUafPKXC2iQ==
{"message":"Missing Authentication Token"}
The method in AWS API Gateway doesn't need authorization or a token.
I'm really not sure what I'm doing wrong. Please tell me if you need more info.
The message {"message":"Missing Authentication Token"} does not necessarily mean that it needs an authorization or a token; you receive the same error if you request a URL that doesn't exist.
You need to make sure you're using the correct HTTP method and resource path to a valid resource.
From your example, you're using a GET and the action is prod/adduser. That does not sound too good to me; addUser would generally be made on PUT or POST when you design your API.
Also make sure to deploy your API changes; when you test from the API gateway, it's a staging area but it's not deployed.