Laravel OAUTH: Restrict users from requesting any scope they want - php

When requesting an OAuth Password Grant token, the user can specify the desired scope. How can one prevent a regular user from requesting an admin scope?
The code below shows a malicious request that asks for an admin scope, although the user shouldn't have access to it.
curl -X POST \
http://a.myapiserver.com/api/oauth/token \
-F grant_type=password \
-F client_id=2 \
-F client_secret=PpMrx32Zow5OcQf491GXXT0dlEzMNuYHt6fe4Wdy \
-F username=regularuser \
-F password=strongpasss \
-F scope=admin

The problem has been solved by adding a middleware ScopeLogic and adding it to Passport::routes.
Found the solution here: https://code.i-harness.com/en/q/259c0dd
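As an added example (not the asker's code and not the linked solution), here is one way such a ScopeLogic middleware can be written: it allow-lists the scopes a user may ask for in a password-grant request and rejects everything else with a uniform error. It assumes a `User` model (`App\Models\User`) whose `email` column is the OAuth username and which has an `is_admin` boolean; the `read`/`write` scope names are placeholders.

```php
<?php
// Added example, not the original post's code. Assumes App\Models\User with an
// `email` column (the OAuth username) and an `is_admin` boolean column.
namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;

class ScopeLogic
{
    /** Scopes any user may request (placeholder names). */
    private const PUBLIC_SCOPES = ['read', 'write'];

    /** Scopes that additionally require the is_admin flag. */
    private const ADMIN_SCOPES = ['admin'];

    public function handle(Request $request, Closure $next)
    {
        // Only the password grant names a user up front; other grants are left to Passport.
        if ($request->input('grant_type') !== 'password') {
            return $next($request);
        }

        // Scopes arrive space-separated (RFC 6749 section 3.3); a missing parameter means none.
        $requested = array_filter(explode(' ', (string) $request->input('scope', '')));

        // Nobody is authenticated yet at this point, so resolve the user from the username.
        // Passport still verifies the password itself; this middleware only narrows scopes.
        $user = User::where('email', (string) $request->input('username'))->first();

        $allowed = self::PUBLIC_SCOPES;
        if ($user !== null && $user->is_admin) {
            $allowed = array_merge($allowed, self::ADMIN_SCOPES);
        }

        // Fail closed: any scope outside the allow-list (unknown or privileged) is rejected.
        if (array_diff($requested, $allowed) !== []) {
            // Same response for an unknown user and for an unprivileged one, so the
            // token endpoint does not reveal which usernames exist.
            return response()->json([
                'error' => 'invalid_scope',
                'error_description' => 'The requested scope is not available to this user.',
            ], 400);
        }

        return $next($request);
    }
}
```

In Passport versions that still expose `Passport::routes()`, the middleware can be attached with `Passport::routes(null, ['middleware' => \App\Http\Middleware\ScopeLogic::class])`; a regular user sending `scope=admin` then receives `invalid_scope` before Passport issues any token.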

Related

Verify if token not expired Github Oauth1

Hey, I want to know if GitHub has an endpoint to verify whether an access_token has expired?
I have tried this but I get a 404 error.
404 would mean you did not authenticate properly.
Make sure to use a PAT (Personal Access Token) to authenticate your query (assuming you are not testing your own PAT itself!)
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}' \
https://api.github.com/applications/Iv1.8a61f9b3a7aba766/token \
-H "Authorization: Bearer <YOUR-TOKEN>" # <==== Important

Is there a way to trace IP address from where mailgun API is called

We are using Mailgun for email sending with Laravel and are currently facing issues regarding emails being sent daily. There are four instances of the site and we are unable to track where the emails are being sent from.
So is there any way we can trace the IP address from which the Mailgun API is being called?
Adding a custom header to mailgun emails
The best way in my opinion is to mark the mails with a custom header using the h: option:
curl -s --user 'api:YOUR_API_KEY' \
https://api.mailgun.net/v3/YOUR_DOMAIN_NAME/messages \
-F from='Sender Bob <sbob@YOUR_DOMAIN_NAME>' \
-F to='alice@example.com' \
-F subject='Hello' \
-F text='Testing some Mailgun awesomness!' \
-F h:X-Sender-Reference='server3'
This way, you can see in the event log the X-Sender-Reference custom header to know which server sent the message.
Keep in mind that these headers can be viewed by the receiver as well, so do not expose sensitive information.
Depending on your library, something like this can be used:
$headers = $message->getHeaders();
$headers->addTextHeader('X-Sender-Reference', 'server3');
See: https://documentation.mailgun.com/en/latest/api-sending.html#sending
Tagging a mailgun email message
There is also the option to tag a message using the o: option:
curl -s --user 'api:YOUR_API_KEY' \
https://api.mailgun.net/v3/YOUR_DOMAIN_NAME/messages \
-F from='Sender Bob <sbob@YOUR_DOMAIN_NAME>' \
-F to='alice@example.com' \
-F subject='Hello' \
-F text='Testing some Mailgun awesomness!' \
-F o:tag='September newsletter' \
-F o:tag='server3'
The allowed tags per message are limited to three, and the purpose is marketing aggregation, I think. Technically, it is possible to use it the same way as the custom header in the example above.
Some PHP libraries might be used this way:
$headers = $message->getHeaders();
$headers->addTextHeader('X-Mailgun-Tag', 'server3');
See: https://documentation.mailgun.com/en/latest/user_manual.html#tagging

PHP/Ruby captive portal first domain seems cached

I have created a captive portal with iptables
I use what many people seem to use: users can make DNS requests, and packets are marked 99. 99 means no internet; otherwise the user does have access.
When a user visits a page, for example Stack Overflow, the user gets the disclaimer. He/she clicks OK. What happens is that the server executes the following rules:
`sudo /sbin/iptables -t mangle -I captivePortal 1 -m mac --mac-source {$mac} -j RETURN`;
`sudo /sbin/iptables -t mangle -I captivePortal 1 -s {$_SERVER['REMOTE_ADDR']} -j RETURN`;
What I have tried:
Used Sinatra stand-alone with Thin. Rendered the template with ERB. When the user reloads after authenticating, they get the disclaimer when visiting the initial domain. When they visit another, they don't get the disclaimer page.
Set up apache2 with PHP, rewrote everything in PHP. Added meta tags to prevent caching in the browser, but same result: the original domain always redirects to the disclaimer, but other sites are okay.
What I want to achieve:
Users need to click accept on the disclaimer before they can use WiFi.
Edit: Reloading apache2 does correct this problem.
Used rmtrack as described here: http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal
/usr/sbin/conntrack -L \
|grep $1 \
|grep ESTAB \
|grep 'dport=80' \
|awk \
"{ system(\"conntrack -D --orig-src $1 --orig-dst \" \
substr(\$6,5) \" -p tcp --orig-port-src \" substr(\$7,7) \" \
--orig-port-dst 80\"); }"

cURL command line login (bash)

I have a bash script on a cronjob.
do
curl -d "test=working" https://mysite.com/test
echo "done"
done
Right now, it just makes a post request on my site.
But now I want to make a post request in a members-only area 2 times.
So how can I log in, keep the session, and post 2 times?
I can't test this as I'm on my phone for a while but it's been bugging me.
do
curl -d "uname=a&pass=b" https://mysite.com/login
for run in {1..2}
do
curl -d "test=working" https://mysite.com/memberarea
echo "done"
done
Would this work?
You can use cookies:
curl -b cookies.txt -c cookies.txt -e website.com -d 'xx=yy' http://website.com/path/to/resource
The -b (--cookie) option means use the cookies from cookies.txt,
and the -c (--cookie-jar) option means dump the cookies to cookies.txt.
So always add the two options when using curl in your script, so that you can keep the session.
FYI:
do
curl -b cookies.txt -c cookies.txt -e mysite.com -d "uname=a&pass=b" https://mysite.com/login
for run in {1..2}
do
curl -b cookies.txt -c cookies.txt -e mysite.com -d "test=working" https://mysite.com/memberarea
echo "done"
done
If your website uses cookie for keeping authenticated session, you can use --cookie name=data to pass the authentication username and password and use --cookie-jar <filename> to store the cookie.

Upload videos to my Youtube channel without user authentication using YoutubeApi v3 and ouath2

The goal of my task is to create a console script which will insert videos recently uploaded to my own site into my own YouTube channel.
I want to use server-to-server authentication, but the YouTube API does not support this way of authentication now.
So my question is: how could I upload a video to a YouTube channel using OAuth2 authentication from a console script without any help from a user? Is there any way to do this without using the deprecated ClientLogin authentication protocol?
Yes, this section explains how to: https://developers.google.com/youtube/v3/guides/moving_to_oauth#standalone
Basically, you go through it once and save the token from there.
If you want to skip even that one time, you can get a refresh token in the OAuth2 Playground with the respective scopes and plug it directly into your code, together with the client secret and id. That way your script won't need a web browser.
Here's the video explaining this workflow step by step.
Here is a script to upload a video via curl:
# WARNING, this works only with GNU grep, if you run this on a mac replace grep with ggrep after 'brew install grep'
# Store our credentials in our home directory with a file called .<script name>
my_creds=.`basename $0`
client_id='YOURCLIENTID'
client_secret='YOURCLIENTSECRET' # really a secret
if [ -s $my_creds ]; then
# if we already have a token stored, use it
. $my_creds
time_now=`date +%s`
else
scope='https://www.googleapis.com/auth/youtube'
# Form the request URL
auth_url="https://accounts.google.com/o/oauth2/auth?client_id=$client_id&scope=$scope&response_type=code&redirect_uri=urn:ietf:wg:oauth:2.0:oob"
echo "Please go to:"
echo
echo "$auth_url"
echo
echo "after accepting, enter the code you are given:"
read auth_code
# swap authorization code for access and refresh tokens
auth_result=$(curl -s https://accounts.google.com/o/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d code=$auth_code \
-d client_id=$client_id \
-d client_secret=$client_secret \
-d redirect_uri=urn:ietf:wg:oauth:2.0:oob \
-d grant_type=authorization_code)
echo COMPLETE ANSWER WAS:
echo $auth_result
access_token=$(echo "$auth_result" | \
ggrep -Po '"access_token" *: *.*?[^\\]",' | \
awk -F'"' '{ print $4 }')
refresh_token=$(echo "$auth_result" | \
ggrep -Po '"refresh_token" *: *.*?[^\\]",*' | \
awk -F'"' '{ print $4 }')
expires_in=$(echo "$auth_result" | \
ggrep -Po '"expires_in" *: *.*' | \
awk -F' ' '{ print $3 }' | awk -F',' '{ print $1}')
time_now=`date +%s`
expires_at=$((time_now + expires_in - 60))
printf 'access_token=%s\nrefresh_token=%s\nexpires_at=%s\n' "$access_token" "$refresh_token" "$expires_at" > "$my_creds"
fi
# if our access token is expired, use the refresh token to get a new one
if [ $time_now -gt $expires_at ]; then
refresh_result=$(curl -s https://accounts.google.com/o/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d refresh_token=$refresh_token \
-d client_id=$client_id \
-d client_secret=$client_secret \
-d grant_type=refresh_token)
access_token=$(echo "$refresh_result" | \
ggrep -Po '"access_token" *: *.*?[^\\]",' | \
awk -F'"' '{ print $4 }')
expires_in=$(echo "$refresh_result" | \
ggrep -Po '"expires_in" *: *.*' | \
awk -F' ' '{ print $3 }' | awk -F',' '{ print $1 }')
time_now=`date +%s`
expires_at=$(($time_now + $expires_in - 60))
printf 'access_token=%s\nrefresh_token=%s\nexpires_at=%s\n' "$access_token" "$refresh_token" "$expires_at" > "$my_creds"
fi
# finally this is the call to upload the video (but I haven't managed to set title and description, you might want to make another call for that)
curl https://www.googleapis.com/upload/youtube/v3/videos?part=snippet \
-d part='snippet' \
-d snippet.title='test of a title' \
-d snippet.description='test of video description' \
--data-binary "@./small.mp4" \
-H "Content-Type: application/octet-stream" \
-H "Authorization: Bearer $access_token"
To make this work you will need to:
Go to https://console.developers.google.com/projectselector/apis/library, click 'Credentials' and then 'Create credentials' to get your client_id and client_secret; make sure it is an 'OAuth client ID' for a native application (select 'Other' as the type).
Enable 'YouTube Data API v3'.
This script is based on this other question.
Moreover, there is this GitHub project which addresses the problem with Python...
After discussing with a YouTube API developer, we got this solution:
IT IS IMPOSSIBLE TO DO YOUR OWN SERVER-TO-SERVER APPLICATION WITHOUT USING THE DEPRECATED ClientLogin Auth Protocol
It will be fully deprecated in April 2014 (but until April you can use it).
So, if you want your users to upload videos into your YT channel from your site, you should work with a scheme like this:
- Your users upload videos to your site
- You (or somebody else who has your YT account credentials) import the videos into your YT channel
To implement this you can easily use the OAuth2 protocol.
I have been able to upload a video to my channel on YouTube using the following shell script.
#!/bin/sh
# Upload the given video file to your YouTube channel.
cid_base_url="apps.googleusercontent.com"
client_id="<YOUR_CLIENT_ID>.$cid_base_url"
client_secret="<YOUR_CLIENT_SECRET>"
refresh_token="<YOUR_REFRESH_TOKEN>"
token_url="https://accounts.google.com/o/oauth2/token"
api_base_url="https://www.googleapis.com/upload/youtube/v3"
api_url="$api_base_url/videos?uploadType=resumable&part=snippet"
access_token=$(curl -H "Content-Type: application/x-www-form-urlencoded" -d refresh_token="$refresh_token" -d client_id="$client_id" -d client_secret="$client_secret" -d grant_type="refresh_token" $token_url|awk -F '"' '/access/{print $4}')
auth_header="Authorization: Bearer $access_token"
upload_url=$(curl -I -X POST -H "$auth_header" "$api_url"|awk -F ' |\r' '/loc/{print $2}'); curl -v -X POST --data-binary "@$1" -H "$auth_header" "$upload_url"
Refer to the previous answer for how to get your custom variable values.
If you want to upload without logging in, then you have to first save the login data into a pickle file and next time just load that pickle file. It will contain your channel authentication data. DO NOT make the pickle file public.
youtube = googleapiclient.discovery.build(...)
Just save this youtube variable into a pickle file. You can do it locally while testing. Then save this pickle file on the server and load the deserialized object.
