Swagger Authorization keys - javascript

In Swagger I have had problems configuring the authorizations.
In Available authorizations there are two fields to fill:
subscription_key (apiKey)
Provide your cognitive services subscription key here.
Name: Ocp-Apim-Subscription-Key
token (apiKey)
Provide an access token from the JWT returned by the STS of this region. Make sure to add the management scope to the token by adding the following query string to the STS URL: ?scope=speechservicesmanagement
I did not find it clear where I have to get this info.
Could someone help me?

The two parameters can be found as follows:
1. subscription_key parameter: this can be found in the Azure portal > navigate to the Speech service that you must have created (Cognitive Service), or see here to create a new Speech service > use the value from Key1
Mine looks like below :
Things to remember:
The speech to text API (especially the conversational API) is supported only in specific regions; I chose centralus.
The pricing tier should be S0 Standard to get the APIs working (at least for the conversation APIs)
2. token (apiKey) parameter :
You will need to generate the token by sending a post request to the speech service endpoint (see image above for location of endpoint url).
Add your subscription key as a header.
The post request will generate the access token as response
Things to remember:
As instructed in swagger, remember to add the query string of '?scope=speechservicesmanagement' to your endpoint url before generating the token.
ex: https://centralus.api.cognitive.microsoft.com/sts/v1.0/issuetoken?scope=speechservicesmanagement
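The token request from step 2, as an added example that is not part of the original answer: it builds the POST to the issuetoken endpoint with the scope query string and the Ocp-Apim-Subscription-Key header, and returns the response body as the token. The function names and the injectable fetchImpl parameter are assumptions made for illustration; the hostname pattern follows the centralus URL above.

```javascript
// Added example; function names are illustrative, not from the Speech API docs.
const STS_PATH = "/sts/v1.0/issuetoken";
const MANAGEMENT_SCOPE = "speechservicesmanagement";

// Build the token request without sending it, so it can be inspected first.
function buildIssueTokenRequest(region, subscriptionKey) {
  // The region becomes part of the hostname: accept a plain label only.
  if (!/^[a-z0-9]+$/.test(region)) {
    throw new Error("unexpected region name");
  }
  if (typeof subscriptionKey !== "string" || subscriptionKey.trim() === "") {
    throw new Error("subscription key is missing");
  }
  const url = new URL(`https://${region}.api.cognitive.microsoft.com${STS_PATH}`);
  url.searchParams.set("scope", MANAGEMENT_SCOPE);
  return {
    url: url.toString(),
    options: {
      method: "POST",
      // Key1 from the portal goes in this header, never in the URL.
      headers: { "Ocp-Apim-Subscription-Key": subscriptionKey },
    },
  };
}

// Send the request; fetchImpl is injectable so the flow can be tested offline.
async function issueToken(region, subscriptionKey, fetchImpl = fetch) {
  const { url, options } = buildIssueTokenRequest(region, subscriptionKey);
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    // Report the status only, so the key never ends up in logs.
    throw new Error(`token request failed with HTTP ${response.status}`);
  }
  const token = (await response.text()).trim();
  // A JWT has three dot-separated parts; reject anything else early.
  if (token.split(".").length !== 3) {
    throw new Error("response body is not a JWT");
  }
  return token; // value for the "token (apiKey)" field in Swagger
}

// Constructed placeholder key: prints only the URL that would be called.
console.log(buildIssueTokenRequest("centralus", "constructed-placeholder-key").url);
```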

Related

Using Google Sheet's v4 JSON Endpoint with my API but still getting "Unauthorized" message

I am trying to get a simple JSON package by putting in the URL of my Google spreadsheet so I can use it on my webpage. I am using my Google Cloud Console API as described in the documentation of the v4 Google API format, but I still get the error "Unauthorized API".
Documentation: https://developers.google.com/sheets/api/guides/migration#v4-api
I am using this URL:
https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/Sheet1?key=API_KEY
My google sheet is set as published on the web. And also I am the creator of the google sheet.
What could I be missing? I am new to APIs!
First Edit:
Answering the comment of ABDULLOKH MUKHAMMADJONOV
Here is the code I am using to make a GET request to the google sheet, you can see the Sheet ID is there, and also the API of the google cloud platform.
fetch("https://sheets.googleapis.com/v4/spreadsheets/1S652uS2FLVoZ1m3apb6R4H783v6GkV58HbQ6Idec5aY/values/Sheet1?key=AIzaSyCpFZ7mcqMNc6Q_bP6h1kCEfAi6c_fd8AM", {"method": "get"})
  .then((httpResponse) => {
    if (httpResponse.ok) {
      // Read the body once; a second .json() call on the same response would fail.
      return httpResponse.json();
    } else {
      return Promise.reject("Fetch did not succeed");
    }
  })
  .then(json => console.log(json.someKey))
  .catch(err => console.log(err));
This code is from the Wix code editor.
The caller does not have permissions
Means that the user you are authenticated as does not have permission to do what it is you are trying to do.
The method
https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID/values/Sheet1?key=API_KEY
is, I believe, the spreadsheets.values/get method. If you check the documentation you will notice that it requires authorization with one of these scopes
You appear to only be sending an API key. You need to be authorized to access that sheet. You can't access it with an API key that only grants access to public data.
Ok, so I investigated about the OAuth 2.0 authentication and authorization for using Google Sheet's REST API. I added one of the needed scopes.
But I am stuck at the point on how to do the authorization process...
I am looking at this google documentation - How to use Google OAuth 2.0 authorization
But I haven't been able to get to the answer I seek. I am stuck at the part where it says "When your application needs access to user data, it asks Google for a particular scope of access." I do not know how to code this request or how to do this request through the Insomnia software.
I am trying to do the GET request with a wix testing website, and also with Insomnia, but I haven't been able to achieve it.
These are the images from Insomnia, which tell me "Invalid authorization URL"
Insomnia's OAuth 2.0 authentication parameters
Insomnia's API Query parameter

Authenticate requests from frontend that doesn't have tokens

Not sure if the title summarises my question well.
Basically, I am trying to authenticate routes such as checking if user exists etc. I only want to allow requests coming from my frontend application to be approved, but, since no user is signed in there is no token to send.
Api request -
mywebiste/checkUser/email
This route is unprotected on my backend because no user is logged in.
BUT I want to protect this route, in such a way that it's accessible only from the frontend.
Some ideas I came up with were adding specific header tags from the frontend and checking them on the backend, but that could be easily replicated. Is there something more secure, like using tokens etc.?
I am using React and Node.js
Same origin policy is going to give you some basic protection, but basically if an API endpoint is exposed publicly, it's exposed publicly. If you don't want that route to be publicly accessible you need to add access control.
If you use that route to check if a user is already registered, you could, for example, merge it with the user registration route and send a different error code if the user already exists (which is not a great idea because it leaks which emails are registered on your system).
You can verify that a request was originated by a user (by authenticating him) but you cannot verify that a request comes from a particular client, for these two reasons:
If you include some API key in your client (web page or other), it's easily retrievable by everyone (the best thing you could do is obfuscate it, which makes things slightly harder but still possible)
If you send an API key over the network it's easily retrievable as well
The only thing you could do is prevent other web pages from calling your backend on behalf of the user, by using CORS (which is actually active by default if you don't specify an Access-Control-Allow-Origin header)
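The CORS behaviour mentioned in the answer above, as an added example that is not part of the original answers: the server sends Access-Control-Allow-Origin only for the frontend's own origin, so scripts on other web pages cannot read the response in a browser. The origin value, function names and response body are assumptions for illustration.

```javascript
// Constructed allow-list: the origin the React frontend is served from (hypothetical).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Decide which CORS headers to send for the Origin header of a request.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Vary on Origin so a cache never replays one origin's answer to another.
  const headers = { Vary: "Origin" };
  if (typeof origin === "string" && allowed.has(origin)) {
    // Echo the exact origin from the list; no wildcard, no substring match.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = "GET, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return headers;
}

// Request handler, usable as http.createServer(handleCheckUser).
function handleCheckUser(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: without the allow headers the browser stops here.
    res.writeHead(204, headers);
    return res.end();
  }
  // The request is answered whatever the Origin header says: CORS only
  // controls whether a browser lets another page's script read the response.
  // Clients outside a browser choose their own Origin header, so this is
  // not access control for the route.
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ received: true }));
}

// Constructed sample origins showing both outcomes.
console.log(corsHeadersFor("https://app.example.com"));
console.log(corsHeadersFor("https://other.example.net"));
```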
I ended up creating a kind of working solution, so basically, I create a new base64 string on my frontend and attach that to the header while making a request to the backend. The base64 string is different every minute, so even if the header is copied, it differs every minute and is combined with your secret key.
I have made a package so that people can use it if they want - https://github.com/dhiraj1site/ncrypter
You can use it like so
var ncrypter = require('ncrypter');
//use encode on your frontend with number of seconds and secret key
var encodedString = ncrypter.encrypt(2, 'mysecret1')
//use decode on your backend with same seconds and secret
var decodedString = ncrypter.decrypt(encodedString, 2, 'mysecret1');
console.log('permission granted -->', decodedString);

Updating List of Entity Entries of DialogFlow Agent via API

Have been looking for a way to programmatically update our agent's entity entries for a certain entity type through the DialogFlow API. The purpose is to automate the updating of our entity entries on a scheduled basis (as our entries will be changing daily).
Came across this documentation page by Google on batch updating entity entries but have not been able to get anything better than a 404 when testing.
Have tried sending POSTs via Postman using the supplied path and inserting my project name in the URL, but I believe I may be making naive mistakes as I am new to this area (specifically REST-stuff)
Below is an example of the current 404 response & path used.
We are just looking to get past the 404 error, once we have the contact setup, should be able to figure out auth & the rest.
There are several things you need to take into account.
The URL should look like this:
https://dialogflow.googleapis.com/v2/projects/julia-development-2/agent/entityTypes/actual_id/entities:batchUpdate
the "parent" you used in the URL is just the name of the path param
make sure "julia-development-2" is the id of your GCP project and not just the name
(Hint: when you click the drop-down for selecting a certain GCP project in the Google Cloud console, both the name and the ID of the project will be visible in the list)
replace "actual_id" with the entity type id
Related to auth:
you need a bearer token in the Authorization header
to get this token you first need to download a JSON key from your project's service account and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to your JSON file. More details about setting up the service account and downloading the JSON key can be found here: https://cloud.google.com/dialogflow/docs/setup
to get the token from the command line you can use
gcloud auth application-default print-access-token

Soundcloud API /resolve method 404 error

Simple dimple one here- trying to use Soundcloud's resolve method to retrieve a JSON feed of track data for a private set.
http://api.soundcloud.com/resolve.json?url=http://soundcloud.com/myUser/private-set
resolve returns a 401 unauthorized error, as it should
http://api.soundcloud.com/resolve.json?url=http://soundcloud.com/myUser/private-set&client_id=myClientID
resolve returns a '404' not found error. It should be a 301 redirecting to the authorized JSON feed for the track, such as http://api.soundcloud.com/tracks/49931.json in the doc's example
I've created an App
I'm using the App's Client ID
I've enabled App access in the Set's edit menu
I'm formatting it as per the API docs
Am I missing something here?
So after some testing I've confirmed that the issue is related to the fact that you're trying to request a private set. Because the set is private, you would need to first go through SoundCloud's OAuth 2 authentication process before being able to access the set.
Try resolving the set url with the url found in the share dialog of your set. This url contains a secret token that can be used to access a private set without logging in.
Not sure how far this'll get you if the tracks in the set are also private, though. And like bbone mentioned, you'll be exposing this secret token, which may or may not be a problem.

Google Analytics API access with a service account

Can I access Google Analytics data using a service account in a client-side application? If not, are there other ways of achieving the same outcome?
Must be entirely client-side, and must not require users to authenticate (hence the desire to use a service account).
Yes you can. In https://code.google.com/apis/console make sure you say that it's a Service account; it will give you a key file to download. With that you don't need a user to click OK to give you access.
For a service account to work you need to have a key file. Anyone that has access to that key file will then be able to access your Analytics data. JavaScript is client sided, which means you will need to send the key file. See the problem? You are handing everyone access to your account. Even if you could get a service account to work using JavaScript, for security reasons it's probably not a very good idea.
You can use the official (and alpha) Google API for Node.js to generate the token. It's helpful if you have a service account.
On the server:
npm install -S googleapis
ES6:
import google from 'googleapis'
import googleServiceAccountKey from '/path/to/private/google-service-account-private-key.json' // see docs on how to generate a service account
const googleJWTClient = new google.auth.JWT(
  googleServiceAccountKey.client_email,
  null,
  googleServiceAccountKey.private_key,
  ['https://www.googleapis.com/auth/analytics.readonly'], // You may need to specify scopes other than analytics
  null,
)
googleJWTClient.authorize((error, access_token) => {
  if (error) {
    // Log the error object the callback actually received
    return console.error("Couldn't get access token", error)
  }
  // ... access_token ready to use to fetch data and return to client
  // even serve access_token back to client for use in `gapi.analytics.auth.authorize`
})
If you went the "pass the access_token back to client" route:
gapi.analytics.auth.authorize({
  'serverAuth': {
    access_token // received from server, through Ajax request
  }
})
