I have an online form to collect user's information.
In this form, I would like to make a call to NetSuite to get data.
I built a call to RESTlet with 'Authorization' on header, test this script by using postman and it works correctly
However when I do same thing on Online form (client script, call https.get() to RESTlet with valid header contain 'Authorization') It's return error "error code: INVALID_LOGIN_ATTEMPT" (none-sense error). I take 2 days to research why it's happening and found the issue is cross domain (i tried to call to RESTlet by using $.ajax and find issue).
Now, I would like to know how to pass "cross domain" issue while calling from online form.
What is best solution to call to NetSuite to get data from online form?
Thanks
Even if you were able to get around the CORS restriction, if call a Restlet from client side code that is a massive security problem because you are exposing your authorization token to end users.
A good approach is to "proxy" your Restlet using middleware such as a serverless function (like a Google Cloud Function, AWS Lambda etc.). This will solve both the CORS issue and keeping your credentials secure.
Related
I have a problem that I got stuck how to receive POST data in angularjs sending from PHP? Let me explain in detail. My project url is http://test.com/callback and other party will use FORM POST to my callback URL. I want to display all FORM POST data inside that callback controller. Please let me know how to do it. Thanks.
To answer you question you must understand these two concepts:
Web server: (PHP, Node, Apache, etc): the server hosting your page
receives HTTP requests
sends HTTP responses
Web agent: (Chrome, IE, FF, curl, etc) displaying/requesting your page
sends HTTP requests
receives HTTP responses
And find out things does not work the way you want.
So a couple of days ago i was looking for something like this and had actually found it but never found a use for it. I know its listed somewhere on mozilla's site but i forget what the function is called.
In anycase i wish to request an external domain that doesn't have cors and does not requir external help from things like proxy's. its a rather recent function added to javascript as when i read about it (before i forgot the name) it was listed as expiremental technology. It's supposedly a safe alternative to CORS the only catch is unlike cors you are not allowed to view the response.
What i want to use it for is to basically see if the status code returned is 404 or 200 so i can tell users whether a specific site is having issues and since the ammount of sites that would be requested is huge if i do it server side id prefer to have it done in a clients browser only on specific pages.
I think you could get by with sending a HEAD HTTP request.
I want to create an API at www.MyDomain.com that is accessible from public websites www.Customer1.com and www.Customer2.com. These public websites display each customers inventory and do not have any login features. They will use AJAX calls to read data from my API.
How can I secure the API so that it can be accessed via AJAX from different domains but no one can access the API to be able to scrape all of my customers data and all of their inventory?
I have tried thinking of different solutions on my own but they would all either require people to login to the public websites (which isn't an option) or it would require some secret "key" to be displayed publicly in the browser source code which could then be easily stolen.
Any ideas would be greatly appreciated.
Thanks!
P.S. Are their any obstacles that I am going to run into using Javascript & CORS that I need to look into now?
Anything that is accessible without authentication from a browser is by definition insecure, so you can't stop that. Your best bet is to have to have a relationship with the owner of customer1.com and customer2.com - the server apps for those two websites would make an HTTP call to you and authenticate with your service. Going this way also avoids the CORS issues you're talking about.
If you've already designed the client functionality, you can still probably do it without much change to the javascript - have it point to customer1.com for its AJAX call instead of your API, and customer1.com would accept this request and just act as a proxy to your API. Aside from the authentication, the rest of the request and response could just be pass-throughs to your API.
You can use Microsoft.AspNet.WebApi.Cors.
It's just need add ONE line at webapi config to use CORS in ASP.NET WEB API:
config.EnableCors("*","*","*");
View this for detail.
The simplest way to provide a minimum security here is to provide some kind of token system. Each app has its own token, or combination of tokens which it must pass to the server to be verified. How you generate this tokens is up to you and other than being linked to app's access, doesn't have to mean anything.
Provide a way for each API implementer to open an account with you. This way you will know who is accessing what and in some cases you can block/stop service.
For instance, a token can just be an MD5 hash:
7f138a09169b250e9dcb378140907378
In the database, this hash is linked to their account. On each request, they send this token with what they want. It is verified first to be valid, then the request is fore filled. If the token is invalid, then you can decide how to deal with it. Either don't return anything or return an "access denied" (or anything you want).
One thing to avoid is having a single token for everyone, though this can be a starting point. The reason for this is if some unauthorized app gets a hold of this token and exploits it, you have to change the token for everyone, not just the app that somehow leaked the token. You also can't control if someone has access to something or not.
Since you listed ASP.NET, I can also point you to WCF, which is fairly complex but has all the tools that you need to setup a comprehensive web service to service both you and your clients.
I hope this gives you a starting point!
EDIT:
There are security concerns here in the case that someone leaks their token key somehow. Make sure that you setup a way in which the app/your service do not expose the the token in anyway. Also have a flexible way of blocking a token, both by your clients in you, if it so happens that a token is exploited.
I am trying to create a drag and drop interface for my website that integrates with Imgur. The problem is that I am trying to use ajax with cookies. I have gotten it to work without signing in, but I need the pictures to be under my account. In theory my code should work, but in practice for some reason the ajax requests/cookies aren't working. What am I doing wrong? Thanks :D
My code: http://jsfiddle.net/msm595/9arFd/
My username and password aren't in there (although i was testing with a dummy account anyway).
https://developer.mozilla.org/en/http_access_control#Requests_with_credentials
You are using cross domain plus credentials. Then the server has to response with:
Access-Control-Allow-Origin: http://jsfiddle.net/msm595/9arFd/
and not with:
Access-Control-Allow-Origin:*
Wildcards are not allowed in this case.
You may want to test with Chrome, it shows both headers and gave me this message:
XMLHttpRequest cannot load http://api.imgur.com/2/signin. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.`
That's all I can say, imgur has to explicitly allow your JS solution. You may need a piece of code running on server's side not having cross domain issues.
to start off, I know C++, C#, Python, some Ruby, and basic Javascript. Anyway, my question revolves around how to interact with RESTful API's via Javascript. I haven't been able to find any good examples on various websites, and so I've come here.
So my basic question is: How do I interact with RESTful API's via JS? And where can I find out how to implement OAuth in JS? I know how to get my keys and such, just not how to actually code them in.
Below is an example of a twitter API status update run from my MAC terminal with curl:
curl -u username:password
-d "my tweet"
http://api.twitter.com/1/statuses/update.json
How can I implement this in Javascript (preferably with OAuth authentication)? This would at least start me going in the right direction.
Thanks so much!!
The problem is that you will need to use AJAX to query the remote REST API, and AJAX is only allowed to query resources on the same domain as the page. So, a request to api.twitter.com will fail because it is on a different domain than your server.
To correct this you will need to code your server to make the request to twitter. You can however create your own AJAX stubs that will accept data directly from your page, and then build / send requests to twitter server-side using data supplied by your client.
Generally Justin's approach is the correct one, however if you must have your client script interact with the REST service then you can do it with JsonP. that's JSON data wrapped in a function call.
see this page how to do it
http://www.ibm.com/developerworks/library/wa-aj-jsonp1/
OAuth version 1.0 in JavaScript is a bad idea because you need to expose your application's secret key, by doing so you may be allowing anyone else to impersonate your application. OAuth 1.0 was intended for use with a server under your control. So your users can send their tokens to your server and then you fire off the request to twitter on their behalf.
OAuth 2.0 solves this though twitter does not support it yet.
If you really want OAuth 1.0 you use my plugin: https://github.com/jpillora/jquery.rest and also make the change specified in this GitHub issue