I’m attempting to pass an API token for a user to grafana from our own internal website so that the main gui renders in an iframe. We don’t want the users to have to log into grafana after they have logged into our site, so we are creating their users in grafana, building an API token and attaching that to the user for our website. When the user goes to the page that has the grafana iframe, we are sending an ajax get request with the token so grafana renders the main dashboards with the users information.
If we do just a standard iframe everything works fine and we render inside the frame. We can get to the login page and do everything we need to. When I add the token so we don’t need to authenticate nothing renders and I see no errors/logs on either grafana or the website. If I send an invalid token I see the expected “401 invalid Api key” error on both the website and the grafana logs. This is what I’m sending from the website…
<div class="content">
<div class="container-fluid" id="container">
</div>
</div>
<script>
$.ajax({
url: "{{url}}",
type: "GET",
beforeSend: function(xhr){
xhr.setRequestHeader('Accept', 'application/json');
xhr.setRequestHeader('Authorization', 'Bearer {{token}}');
},
success: function(r) {
$('#container').html(r);
}
});
</script>
With the above nothing happens, I get no errors or logs. If I keep everything else the same and just adjust the token to make it invalid, grafana says it is invalid, so I know it is making it to the server. Why is nothing coming back to be rendered?
Thanks!
That' s an Error in Grafana-API, the generated API-Key. Use a Key that is generated inside Grafana
Related
I use google auth login in django project with django-oauth-toolkit
What I want to do is
Call ajax of django-restframework api from template and the server checks who calls this api.
For example, I can get if user is login or not {% if user.is_authenticated %} in template.
so, I can call the api with the user information like this.
var url = "http://localhost/api/check?id={{user.email}}"
$.ajax({
method:"get",
url:url
....
with id query server can understand who calls this request.
However in this method,id is written barely, so you can make the fake request.
So, I guess I should make some access token or some other key.
Is there any general practice for this purpose???
I am trying to implement the following functionality.
The server sends an email to a user who doesn't necessarily have an account in the server.
In the email, the user is asked to rate a certain model (send a request to the server).
Can I make it in such a way that the user can click the button and doesn't get redirected to some other page, but sends the request directly to the server.
<div>
<p> Hi {{ user }}, </p>
This e mail is to kindly ask you to rate {{ job_seeker }}, who previously
worked with you.
Please rate him from 1 to 3 below.
<button onclick="some function that wont work in email">1</button>
<button>2</button>
<button>3</button>
</div>
I am using django.
NO, you cant execute JavaScript in email templates.
Due to serious security issues, most of the email clients block JavaScript from executing. that's why your redirection script doesn't work.
the solution is to use an <a> tag with a URL that specifies the page link instead of <button>.
I have a Django app with about a dozen views that I am currently hosting on Heroku. I can do POST requests just fine to the app when directly going to the app url, and I have the 'django.middleware.csrf.CsrfViewMiddleware' enabled. I am running Django 2.1
I am currently having an issue where I am trying to embed this Django app within an iframe, on another site that I host on Weebly. I always get a 403 error when trying to do a post on any of the Django forms. The reason is "CSRF cookie not set."
I am doing this through Chrome on Ubuntu. I checked the Applications tab in the Developer console, and do see the csrftoken key-value pair set in the cookie for the Heroku domain. The Weebly domain does not contain the csrftoken key-value pair. I figured it would just use the cookie from the Heroku app domain and use the csrftoken, but that doesn't appear to be the case.
In Django, here are my settings regarding CSRF:
CSRF_COOKIE_SECURE = False
CSRF_TRUSTED_ORIGINS = ['example123.herokuapp.com',
'app123.weebly.com']
I REALLY don't want to disable security or use the csrf_exempt decorator, as that feels like a hack. I am pulling my hair out on this one!
EDIT:
{% csrf_token %} is in the form, and I can see the hidden field "csrfmiddlewaretoken":
<input type="hidden" name="csrfmiddlewaretoken" value="XXXXXXXXXXXXXXXXXXXXXXywkFTfTC9ttYiOTD0O8uF49SvRjaUWgWeLU0h2PjP2">
There are two different things with csrf in django
1. Csrfmiddlewaretoken : {% csrf_token %}
example of set-token header
2. CSRFcookie : I don't think that you did this one.
example of same request giving different csrf-token
here the images shown are both the examples of one of my app for a specific request
We do often confuse second with the first one. In the second case, the server sets a cookie in the first get request with a csrf token (this is a cookie and not the csrfmiddlewaretoken ), it needs to be sent every-time for csrf cookie verification. This is done by the browser itself and we mostly don't notice it. However the problem arises with using CORS (different origins of request like android/angular app etc).
I'm learning to build a API using Amazon Web Services' API Gateway, DynamoDB, and Lambda.
I've been following a video playlist tutorial on Youtube. So far, I've created the desired Lambda Function, DynamoDB Table, and also the API Gateway.
Now all I need to do is build a frontend that display my current items in the table and also the entry.
So far I made it to this part here.
In the video, he uses JavaScript to make an ajax request and fetch the items in the DynamoDB Table. I've written the same ajax request with the html.
<html>
<head>
<h1 style="color:rosybrown;">Latest guestbook entries:</h1>
</head>
<body>
<div id="entries">
</div>
<h1>New Entry</h1>
<form>
<label for="msg">Message</label>
<textarea id="msg"></textarea>
<button id="submitButton">Submit</button>
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script type="text/javascript">
var API_URL = "someURL/prod/entries";
$(document).ready(function(){
$.ajax({
type: "GET",
url: API_URL,
success: function(data){
$("#entries").html("");
data.Items.forEach(function(guestbookItem){
$("#entries").append("<p>"+guestbookItem+"</p>");
})
}
});
});
</script>
</body>
So here I'm going to explain my purpose. The goal is the display the items in the DynamODB table that I have created while also accepting new entries. It has a date and message item.
The API Gateway has an /entries resource and has two methods, GET and POST. /prod means it was deployed on a production stage.
When invoking the URL for the GET method. I receive this output
"{\"Items\": [{\"date\": 20180512, \"message\": \"this is my 4th message\"}, {\"date\": 20180513, \"message\": \"I love AWS\"}], \"Count\": 2, \"ScannedCount\": 2, \"ResponseMetadata\": {\"RequestId\": \"SOME_REQUEST_ID\", \"HTTPStatusCode\": 200, \"HTTPHeaders\": {\"server\": \"Server\", \"date\": \"Mon, 14 May 2018 20:32:43 GMT\", \"content-type\": \"application/x-amz-json-1.0\", \"content-length\": \"160\", \"connection\": \"keep-alive\", \"x-amzn-requestid\": \"SOME_REQUEST_ID\", \"x-amz-crc32\": \"2401247050\"}, \"RetryAttempts\": 0}}"
However, after running the index.html file on my local host.
The entries did not appear. When I checked the console, it turns out I receive the following error
index.html:33 Uncaught TypeError: Cannot read property 'forEach' of undefined
at Object.success (index.html:33)
at u (jquery.min.js:2)
at Object.fireWith [as resolveWith] (jquery.min.js:2)
at k (jquery.min.js:2)
at XMLHttpRequest.<anonymous> (jquery.min.js:2)
I was not really sure what is going on. Items does exist in the response. I've been stuck with this for days. If anybody could point out what I was missing, it would be greatly appreciated!
I'm using facebook JS api and
FB.ui({
method: 'apprequests',
message: 'You should learn more about this awesome game.',
data: 'tracking information for the user'
});
but its not working on tab , the pop-up stats to load and then automatically become hidden .
http://developers.facebook.com/docs/reference/dialogs/
You can only use iframe in facebook apps, probably also on tab pages.