I have read tons of SO and no luck. How do I send cookies in API requests from chrome extension?
I want to make a POST request to my API through a Chrome extension. But the API is protected. Luckily, I can get the cookie for the API if I am already logged into my app, using chrome.cookie. But how do you attach that cookie to the API request?
I can get the cookie of the website with chrome.cookie, but how do I attach that cookie to the API request?
Related
I have a Chrome extension which uses OAuth to authenticate users. This authentication creates cookies which are shared to detect authentication on my other applications.
So when I'm authenticated by OAuth on my extension, I can go to another app, and if I refresh I'm connected without going through the login process. This is because the cookies created by my OAuth process are shared and detected on the other apps.
This works fine on browsers like Mozilla or Opera but doesn't work on Chrome, because the cookies are filtered out with this info message:
"this cookie was blocked because its path was not an exact match for or a super directory of the request url's path." (shown on screen next to the cookies marked with a question mark, the ones with AUTH and KEYCLOAK prefixes)
Cookies with AUTH and KEYCLOAK on yellow are filtered out
How could I get Chrome to accept those cookies? And more importantly, how could I handle this programmatically on the request that created the cookies, because I can't tell my users to modify their Chrome configuration?
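The Chrome message quoted above is the browser applying the RFC 6265 path-match rule, and the first question on this page (which cookie a request from an extension will carry) is answered by the same rules. The following is an added example, not code from either post: it implements the RFC 6265 domain-match and path-match checks and reports, for a constructed cookie jar, which cookies would be attached to a given URL and why the rest were filtered. Cookie names, domains and paths in SAMPLE_JAR are constructed for illustration.

```javascript
// Added example (not from any of the posts above): RFC 6265 cookie matching.
// Given cookies as a browser stores them and a request URL, decide which
// cookies the browser will attach. Chrome's "path was not an exact match for
// or a super directory of the request url's path" message is the path-match
// rule below failing.
"use strict";

// RFC 6265 section 5.1.4: does cookiePath match the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // cookie-path is a prefix; it must end in "/" or the next character of the
  // request path must be "/", so "/auth" matches "/auth/x" but not "/authx".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
function domainMatches(host, cookieDomain, hostOnly) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  if (hostOnly) return false;                          // host-only cookies need the exact host
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false; // IPv4 literals never suffix-match
  return h.endsWith("." + d);
}

// Default path (RFC 6265 section 5.1.4) for a cookie set without a Path attribute:
// the request path up to, but not including, its last "/".
function defaultPath(urlPath) {
  if (!urlPath.startsWith("/") || urlPath === "/") return "/";
  const idx = urlPath.lastIndexOf("/");
  return idx === 0 ? "/" : urlPath.slice(0, idx);
}

// Return the cookies that would be sent with a request to `url`, plus the
// reason each excluded cookie was filtered (mirrors the devtools message).
function selectCookies(cookies, url) {
  const u = new URL(url);
  // Browsers treat https and localhost as secure contexts for Secure cookies.
  const secureContext = u.protocol === "https:" || u.hostname === "localhost";
  const sent = [];
  const blocked = [];
  for (const c of cookies) {
    if (!domainMatches(u.hostname, c.domain, c.hostOnly)) {
      blocked.push({ name: c.name, reason: "domain" });
    } else if (!pathMatches(u.pathname, c.path)) {
      blocked.push({ name: c.name, reason: "path" });
    } else if (c.secure && !secureContext) {
      blocked.push({ name: c.name, reason: "secure" });
    } else {
      sent.push(c.name);
    }
  }
  return { sent, blocked };
}

// Constructed sample jar resembling a Keycloak login: the realm cookies are
// scoped to a path under /auth/realms/..., so a request to an app API path
// does not receive them. (Names, domains and paths are illustrative only.)
const SAMPLE_JAR = [
  { name: "KEYCLOAK_IDENTITY", domain: "sso.example.test", hostOnly: true,
    path: "/auth/realms/demo/", secure: true },
  { name: "AUTH_SESSION_ID", domain: "sso.example.test", hostOnly: true,
    path: "/auth/realms/demo/", secure: true },
  { name: "APP_SESSION", domain: ".example.test", hostOnly: false,
    path: "/", secure: true },
];
```

Running `selectCookies(SAMPLE_JAR, "https://sso.example.test/api/whoami")` sends only APP_SESSION and reports both Keycloak cookies as blocked by path, which is the situation in the question; the same cookies are sent for a URL under /auth/realms/demo/. The practical consequence is that a cookie meant to be shared across applications has to be issued with a Path (and Domain) covering every request URL that should carry it.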
I am trying to build a web app using Django and DRF at the back end and ReactJS at the front end, and I want to keep them separate (i.e. avoid server-side rendering). For authentication purposes I want to employ JWT, and I am using djangorestframework-jwt for that. I have read in several places that it is not secure to store JWTs in local storage, so I am trying to use HttpOnly cookies instead. One can achieve that by configuring the Django server to send an HttpOnly cookie, by overriding the following default setting of the drf-jwt package in the settings.py file of your project:

    JWT_AUTH = {
        'JWT_AUTH_COOKIE': '<cookie name>',
    }

which is set to None by default. The server sends the HttpOnly cookie as anticipated, but there are a few issues I am facing:
1. Same Domain Restraint
I am aware that HttpOnly cookies won't be attached to the request headers unless the request is being made to a server hosted on the same domain. In my case I am using localhost:8000 for Django and localhost:3000 for my React project, so the browser doesn't attach the cookie as the request is made to a different port. I tried running both apps on port 3000 simultaneously, and the browser did attach the cookie in the header and I did get a 302 response from the server. However, it opened the door to all sorts of problems due to domain clash. I reckon I can solve this problem using an nginx reverse proxy or something like that, but I am not sure about it. Do guide me on how I can serve both apps on the same host during development.
2. Token Refresh Problem
When I call the view set up to refresh the token, I run into a bad request error even though the browser does attach the cookie to the request header. This is the server response in the browser:
{"token":["This field is required."]}
Thanks for reading it all the way down here!
In order for things to be secure:
You need CORS (Quickstart: CORS_ALLOWED_HOSTS=["http://localhost:3000"], CORS_ALLOW_CREDENTIALS=True)
The short-lived token (session) cookie (5-15 mins) should NOT have the HTTP-ONLY setting
The refresh token cookie SHALL have HTTP-ONLY setting
Then your basic flow is:
On login Django creates session token and sends it
Your SPA reads the cookie and adds its value to the authorization header (Authorization: JWT ...token...)
Any request to Django should be made with that Authorization header
The refresh flow is:
Send a request to the refresh token endpoint following the documentation of the library you use
Django then reads the HTTP-ONLY cookie and verifies it
If valid, Django sends a new refresh token as HTTP-ONLY cookie along with a new short-lived token session cookie
Once the refresh token has expired, you log the user out.
An article here goes into detail using GraphQL, but the cookie part and handling of most of the frontend code you should be able to adapt to REST.
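The browser side of the flow in this answer, as an added example that is not code from the answer or from djangorestframework-jwt: the SPA reads the script-readable session cookie, copies its value into the Authorization header, checks the token's exp claim to decide when to refresh, and makes every call with credentials "include" so that the HttpOnly refresh cookie travels with the refresh request even though script never sees it. The cookie name jwt_session, the refresh URL and the constructed sample token are assumptions, not values from the posts.

```javascript
// Added example (not from the answer above or from djangorestframework-jwt):
// the client half of the cookie + Authorization-header flow described in the
// answer. Cookie and endpoint names below are assumptions for illustration.
"use strict";

const SESSION_COOKIE = "jwt_session";                             // assumed name of the readable cookie
const REFRESH_URL = "http://localhost:8000/api/token/refresh/";  // assumed refresh endpoint
const CLOCK_SKEW_SECONDS = 30;                                    // refresh a little before real expiry

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// base64url -> UTF-8 string (atob and TextDecoder exist in browsers and Node 16+).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return new TextDecoder().decode(Uint8Array.from(bin, (ch) => ch.charCodeAt(0)));
}

// Decode the JWT payload WITHOUT verifying the signature. The SPA only needs
// `exp` to schedule a refresh; verification is the server's job on every request.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== "number") return true;  // no exp claim: treat as unusable
  return exp - CLOCK_SKEW_SECONDS <= nowSeconds;
}

// fetch() options for an API call: Authorization carries the session token,
// and credentials "include" sends cookies cross-origin, which is what
// CORS_ALLOW_CREDENTIALS on the Django side has to permit.
function buildApiRequest(cookieString, init = {}) {
  const token = parseCookieString(cookieString)[SESSION_COOKIE];
  if (!token) throw new Error("no session cookie; log in first");
  const headers = { ...(init.headers || {}), Authorization: `JWT ${token}` };
  return { ...init, headers, credentials: "include" };
}

// fetch() options for the refresh call. The refresh token never appears in
// script: the HttpOnly cookie rides along because of credentials "include".
function buildRefreshRequest() {
  return {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: "{}",
  };
}

// Decide what to do before an API call: use the token, refresh it, or re-login.
function nextAction(cookieString, nowSeconds) {
  const token = parseCookieString(cookieString)[SESSION_COOKIE];
  if (!token) return "login";
  return isExpired(token, nowSeconds) ? "refresh" : "call";
}

// Constructed, unsigned sample token so the example runs stand-alone
// (the signature segment is a placeholder, not a real signature).
function makeSampleJwt(exp) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub: "user1", exp })}.signature-placeholder`;
}

// Stand-alone run: in a real SPA the cookie string comes from document.cookie.
const sampleCookies = `${SESSION_COOKIE}=${makeSampleJwt(2000000000)}; csrftoken=abc`;
console.log(nextAction(sampleCookies, 1999999000));             // "call"
console.log(buildApiRequest(sampleCookies, { method: "GET" }).headers.Authorization.slice(0, 4));
console.log(REFRESH_URL, buildRefreshRequest().credentials);    // refresh goes to the assumed URL
```

In a real SPA the caller does `fetch(url, buildApiRequest(document.cookie, init))` and, when `nextAction` says "refresh", `fetch(REFRESH_URL, buildRefreshRequest())` first; the server is expected to read the refresh token from its HttpOnly cookie rather than from the empty body. Note that the {"token": ["This field is required."]} response shown in the question is the shape DRF returns when a serializer field is missing from the request body, so a refresh view that only looks at the body will keep failing even when the cookie is attached.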
While developing a PhoneGap application, I can see the Set-Cookie header in responses from XHR login requests to an API I am using. As expected, when I inspect subsequent requests, I see the cookie being sent. I can also see that it is an HttpOnly cookie, so I can't store it using scripts.
However, in the Chrome dev tools "Resources" I have no trouble deleting the cookie if I want to.
Yet, when I am running the application on an external iOS or Android device, using the Safari or Chrome Web Inspectors for each respective device, I can't see the cookies in the "Resources" panel. I don't see the cookie headers in requests or responses, either, yet somehow my requests are fine.
Is this a security measure, or is there a bug in my app/API to do with cookies?
The server I'm using sends the session id in an HttpOnly cookie.
To make this work on WP8, I already enabled cookies in the Internet Explorer settings of the device. This works well for all my AJAX requests.
But now I have to download a file from the server, so I'm using the file-transfer plugin, but I always get HTTP Status 401 - Http Request not attached to a session
Is there any way to fix this issue, so that the cookie header containing the JSESSIONID is sent with the download request?
I have a ServiceStack API set up which uses the auth plugin to allow users to register through the API.
The front end UI is a PHP site. So when the user clicks 'log in via twitter' they are redirected to the ServiceStack API and then on to Twitter, back to the ServiceStack API and then back to the PHP site.
My question is - how can I manage the auth between the PHP site and the ServiceStack API? Would giving the PHP site the auth token be the way forward? I'd want there to be some per request authentication - would I pass on some cookie info from the browser with each request?
[UPDATE]
So - the website is hosted at http://somedomain.com
and the API is hosted at api.subdomain.com
so they can share cookies.
From that cookie the website can retrieve the ss-id, ss-pid and the X-UAId.
I can see that the [Authenticate] attribute tries to get these values from the request
So... if we provide these values in the request the API should be able to authenticate based on that.
Except it can't
What else do I need to provide to allow this to work? Is this even possible?