am calling an API with he query paramter as told by my Remedy team and i get the "Not able to parse Authorization Header" error
var yhttp = new XMLHttpRequest();
var phonedata=":People?q=%27Phone%20Number%20Business%27%20%3D%20%22%2B12017148030%22&fields=userid";
yhttp.open('GET', 'https://remproditsm.broadridge.net/api/arsys/v1/entry/CTM:People?q=%27Phone%20Number%20Business%27%20%3D%20%22%2B12017148030%22&fields=ciscofinesse');
yhttp.setRequestHeader('Authorization', 'Bearer' + response);
yhttp.setRequestHeader('Content-Type', 'application/json');
yhttp.send();
have tried AR-JWT instead of Bearer, have tried with application/json header and without, i was not convinced if i should be passing that in the header but remedy team advised me to pass it. Also, this works fine in Postman.
I propose to double check the postman and on the right side you have the CODE button,
then export working version from postman to JavaScript-XHR.
ok i found the issue, AJAx request by default is asynchronous, am using the varibale from the response as the token, and by the time it reaches the 2nd GET API request , it has nothing in the res variable, so i converted my first API request for token to synchronous
xhttp.open('POST', 'url',false);
xhttp.setRequestHeader('authString', 'authentication string');
xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhttp.send(data);
res= xhttp.responseText;
document.write(res);
Yes, you need "AR-JWT {token}" as your Authorization header value. The token should be stored after the login call and used for each subsequent REST operation.
https://docs.bmc.com/docs/ars2008/examples-of-using-the-rest-api-to-get-update-and-delete-an-entry-from-a-form-929631054.html
Related
I need to be able to delete cookies automatically in between requests when they I run my collection of requests in Newman and Postman Runner (mainly Newman).
I followed the suggestion given in this comment by a person from Postman: https://github.com/postmanlabs/postman-app-support/issues/3312#issuecomment-516965288.
But it is not working.
The answer to these two SO questions also tell the same way to go about doing this: Postman: How do you delete cookies in the pre-request script?
Deleting cookies in postman programmatically
Here is the code that I use that the sources above suggest to place in the pre-request script:
const jar = pm.cookies.jar();
jar.clear(pm.request.url, function (error) {
console.log("Error: ");
console.log(error);
//handle error
});
[Note: error is logged as null when I run this code]
I have tried this code many times and also many different modifications of that code. I do white-list the domain too. But I always get the wrong response in the request. When I clear the cookies manually (using the cookie Manager UI dialogue box), the request gives the right response. I need help in determining where the problem could be for me in deleting cookies programmatically.
I also tried this to see what the cookies that I am deleting are:
jar.getAll(pm.request.url, function (error, cookies) {
console.log("Cookies:");
console.log(cookies);
console.log("Error: ");
console.log(error);
});
Here cookies is an empty array. Perhaps that is the problem. But that is very weird since when I check Cookie Manager manually, there are many cookies shown. And once I delete the cookies manually the requests return the right responses.
Another question I had was: What is the purpose of the callback functions that take 'cookies' and 'error' as arguments in the code above. Are these functions called everytime or only under certain conditions? Could not find the purpose of the callback functions in the postman documentation: https://learning.postman.com/docs/postman/sending-api-requests/cookies/
Thank you
If the cookie has "httpOnly" or "secure" header, you can't delete them via script in postman. jar.clear clears all the cookies except these httpOnly and secure ones.
I think this is a bug and needs to be fixed by Postman. If this is intended, there should be a setting in Postman to activate or disable it.
I have the following API downloaded in JSON from Swagger Editor:
PUT http://10.37.64.243/m2m/fim/items/fim:device:manager/operations/getAllDeviceTypes?exclude={{exclude}}
with exclude being an environment variable set as : href,metadata,name,arguments
Nominal use requires basic authentication, in this case it works and I get a JSON body with expected result. It properly works in Postman (so I think my import is correct)
If no authentication is provided:
in Swagger Editor : nominal behaviour, request is rejected with error code 401
in Postman : UNEXPECTED behaviour, I end up with status code 200 and it returns a response body identical to the one that I get when authenticated
if I generate the cURL code snippet from Postman and launch it out of Postman: nominal behaviour, I get the same error as the one I get in Swagger Editor (the one expected)
Why do Postman behave differently from the cURL request ??
I probably do something wrong, but I can't figure out what
Thanks for any help
Alexandre
I finally found out that the server returns a cookie that holds authentication validation. So after a valid authentication, whatever the request (with or without authentication) it will be considered as authentified.
Unfortunately, the only way to overcome that problem is to remove the cookie by hand through the "Manage cookies" window. Postman does not implement a function that erase it (even through the pm.cookies and pm.cookies.clear() function).
Postman developpers are aware of that, but there's no scheduling for this feature ...
EDIT: the feature is followed here https://github.com/postmanlabs/postman-app-support/issues/3312
I am developing an application for my AppleTV. The App will read movies from an online website that hasn't developed any API for this kind of thing.
I use XMLHTTPRequest to get the different URLs and have the user search for his movie, etc... Everything is working fine, except for a single request. To get the movie URL, I have to send a get request to a specific address (let's say http://example.com/getmovie.html) with a constant cookie (let's say mycookie=cookie).
I've tried using setRequestHeader:
var xhr = new XMLHttpRequest();
xhr.open("GET", url, false);
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', 'mycookie=cookie');
xhr.send();
But no cookie seems to be sent.
I also tried setting the cookie with Document.cookie like I would have probably done in a "normal" js script (running in my browser) but no luck either.
This is extremely frustrating, especially since I'm stuck so close to the end of my app.
I guess cross-origin might be the issue but I'm able to get URLs without issues if I don't have to set cookies, so I am a bit lost there.
Please let me know how I can get http://example.com/getmovie.html with a specific cookie header.
Thanks for your help
im sorry to inform you but the xmlHTTPRequest function of javascript does not allow a cookie header to be set for security reasons as shown here: Why cookies and set-cookie headers can't be set while making xmlhttprequest using setRequestHeader? the best way i could see you making that get request would be to a proxy server that you would be running. I believe that it is built this way to prevent you from setting cookies on domains that you do not own, furthermore i do not see an alternate resolution to this problem as no were in the docs i looked at was cookie persistence or management mentioned
In case someone has the same issue:
I didn't find a solution to sending a cookie with javascript. However, in my situation, the origin of the request didn't matter, only the cookie did. My solution was then to create a PHP file receiving the destination URL and the cookie content as parameters, and then sending the get request with the cookie as a request header. (more information about how to do so here: PHP GET Request, sending headers).
In my javascript I then use XMLHttpRequest to connect to my PHP file (hosted online) with simple get parameters and I then receive the response from the PHP. That trick of course won't work if the origin of the request matters (except if you host your file at home I guess, but in my case I want my application to work even if my WAMP isn't on).
Well... the problem here is the line xhr.setRequestHeader('Cookie', 'mycookie=cookie'); line just because the 'Cookie' header is reserved for the client browser to send the stored cookies. This means you are trying to do what the browser already does. When you send a any request, the client browser automatlycally will take all the cookies related to the site you are requesting and put them on the 'Cookie' header, you don't need to do anything else, if your cookie exist in your browser, it will be send.
Cordova how to send session cookie, allow credentials with XMLhttprequest:
// JS
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/ajax.php', true);
xhr.withCredentials = true;
xhr.onreadystatechange = function() {
if(xhr.readyState == 4 && xhr.status == 200) {
// alert(xhr.responseText);
// Get header from php server request if you want for something
var cookie = xhr.getResponseHeader("Cookie");
// alert("Cookie: " + cookie);
}
}
xhr.send();
// Php
// You can add cookie to header and get with (session works without it)
header('Cookie: PHPSESSID='.$_COOKIE['PHPSESSID']);
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With, Set-Cookie, Cookie, Bearer');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
I've created a channel in Mirth which first calls authentication service and returns response. Source I've configured to HTTP Listener and in destination I've used HTTP Sender which calls a rest service for login and returns token as below.
{"token":"5912aa99-af21-5614-c232-d22be9e5c102","app":"TEST API Suite","expires":845,"userID":"ZCT06D123Cfk20oROB9x-bEXeY12oQGfack6dMMc-0o="}
Question: From the response that I'm receiving from rest service , how do I extract the token part and then pass that token to another channel and use it for calling another service.
Is there a way that I can set the token in a variable or global map in Destination1 and use that in Destination2 configuration?
Please Help. I'm a Newbie in Mirth.
Thanks.
The following helped me and solved my issue.
Add a post processor script as this in channel1:
var dest1 = responseMap.get("Destination 1");
var response123=dest1.getMessage();
var obj = JSON.parse(response123);
logger.info('token==='+obj.token);
router.routeMessage('newChannelName', obj.token);
return;
And then in newChannelName Channel preprocessor script, I was able to get this token as message.
logger.info('token: '+message);
So I know there are a lot of questions about CSRF (because I have read some of them) but there is one point I still don't understand. Let's imagine the following case:
I am logged in(with cookies) on my server where there is a page with a button 'Delete my account'. Which I don't want to press.
I visit a hacker's server:
a. My browser requests 'bad.html', which contains JS, with a callback function defined. It also has a script like:(thus avoiding the Same-Origin Policy problem)
var s = document.createElement('script');
s.src = 'url to "deleteAccountPage" of my server?'
s.src += 'callback=hackerCallback';
s.type = 'text/javascript';
document.body.appendChild(s);
b. Script is "appended" the browser will load the page and then call hackerCallback passing the page HTML text as parameter.
c. With this HTML, the callback can parse the token in there.
The hackerCallback now has the token, sends an Ajax request to my server on the "deleteMyAccount" page.
My account is now deleted, because the Token, the cookies and even the browser trace matches the ones registered by the server.
How do you avoid that behaviour ? I have read things about only allowing certain Headers on my server. This would cut short all Cross-Domain request on my server, however according to this link (http://blog.alexmaccaw.com/jswebapps-csrf) it is not enough... (Which I totally believe)
Thansk for the help
Seba-1511
You are using JSONP in order to make a cross domain request via a scr tag. The JSONP is only allowed for GET requests and you shouldn't have GET endpoints that make changes (not idempotent).
deleteAccount should be a POST endpoint that couldn't be requested via JSONP.
If you insist in use GET on deleteAccount you should use CSRF tokens or send the token in a header instead of a cookie (if you're using XHR requests)