Oauth2 - get access token, server to access Google-Cloud-platform - javascript

The Oauth2 documentation for google doesnt contain (that I have seen yet)
Information on what I am trying to do.
From my server I want to post request to my google cloud to get a response.
For this I need an access token, currently i'm taking it manually from the playground. I am going from my server to my cloud and the documentation states about a user accepting access and then being redirected etc but I don't involve any users.
I need to continuously, automatically get an access token for my requests, or similar. Without needing to click for access?
this is the request, for context:
var options = {
method: 'POST',
uri: 'https://dialogflow.googleapis.com/v2beta1/projects/someproject/agent/sessions/1:detectIntent',
headers: {
'Authorization': 'Bearer ya29.GlsGBscelmqeHgOVgx1p4EF_L45zetym6s3isC1HF4IYJqb20vHd8FolxvsmM_vU2fmIPWN3JElGIEuNN3i_-N9V-68YlwNvEduMIA5SuSltK-Sepsl0yNYM9REy',
'Content-Type': 'application/json'
},
body: {
"queryInput": {
"event": {
"name": "Matching",
"languageCode": "en"
}
}
},
json: true // Automatically stringifies the body to JSON
};
For more information, I am triggering an intent from dialogflow.

If the application does not involve user interaction, and if you would like to automate the authentication method, you should use service accounts, notably, you could use the JSON Web Token (JWT) or the Google ID Access token to authenticate between services.
For more information in this regard, you may follow this article in the GCP documentation.
You may also find useful information in this StackOverflow thread. It offers help on how to pass a token through DialogFlow.

Related

Using GitHub's REST API to list public repos from my external site deletes my token

I am trying to list my GitHub public repos on my public website using their REST API. I have been creating personal tokens so far. In localhost it works.
When I do the request from my site it responds a 401 and it deletes my token.
To get the repos I am doing this simple request:
async function loadRepositories() {
const token = 'my_token';
const response = await fetch("https://api.github.com/users/tauromachian/repos",
{
method: "GET",
headers: {
Authorization: `Bearer ${token}`,
},
}
);
const repositories = await response.json();
return repositories;
},
How can I get this done?
Github is trying to protect you from someone stealing your identity here. There are ways to detect if a HTTP request is sent from the browser or a server (it's not 100% reliable though).
As you make the request from the browser which is a public client, meaning everyone can read the code and hence secrets you use within the code you are exposing your Personal Access Token (PAT). This PAT identifies you against Github, therefore if someone else could get hold of it, they can impersonate you and e.g. delete repos, steal code etc. (if the token has the correct scopes).
As Github wants to prevent that from happening, they delete tokens which are publicly exposed (they know it's exposed as the the request comes from a browser). Therefore attacks like that are not possible anymore.
To make your website work however you can simply make the request from your server as you can securely store secrets on the server-side and call the endpoint of your server from your website. Once you do that, Github won't delete the token, your token is save and you can display the data on the website.

Correct way to store this token

I'm writing my first flask app and using the spotify api. I want to pass the access token from this api into java script like so
var token = "{{ token }}";
fetch('https://api.spotify.com/v1/me/player/currently-
playing', {
headers: {
'Authorization': `Bearer ${token}`
}
I'm doing this outside the flask app so I can frequently update the json data to the webpage easier. This method doesn't seem secure so I was wondering what is the perferred method in a situation like this.
Since your example is almost literally straight out of the Spotify Authorization Documentation and it is in relation to accessing the Web API, you're good.
If you were auth'ing on behalf of a user for more serious actions then you wouldn't be making client side requests.
Since the token you're using can be revoked and does in fact expire, you can store it in your db in plaintext.
You can store keys/secrets using Microsoft's Azure Software. Once you register you'll have access to those resources. You can set the secret in the secrets file in your azure portal and reference the secrets from there in your application source code.

How to safely store JSON Web Token in Chrome Extension for further API use?

I've looked all over and cannot find a definitive way to safely store a JWT for an API inside a Chrome Extension.
My app allows users to log into their 3rd party account over an HTTPS connection, which then returns a token to use for further API requests.
var credentials = {
"email": username,
"password": password
};
$http({
method: 'POST',
url: 'https://api/login',
data: credentials,
headers: {
'Content-Type': 'application/json'
}
}).then(function successCallback(response) {
// Token provided here
})
What is the best and safest possible way to then store the token inside the Chrome Extension to be used for further API calls down the line?
Chrome Docs say LocalStorage and Session Storage is not secure.
I don't want users to have to login every time they open the Chrome Extension.
Any help is greatly appreciated.
Thank you
All i am saying is you can use Google Chrome's storage API to do this as well. Unlike localStorage, this is accessible from content scripts as well.
you can't access the localstorage.getitem(token) inside content script,
Sol: chrome.storage.local.set/get

POST request to GitHub API

I'm having trouble making a POST request to the GitHub API using the JavaScript fetch method:
fetch('https://api.github.com/repos/organization/repo/issues?client_id=CLIENT_ID&client_secret=CLIENT_SECRET', {
method: 'post',
body: {
title: 'Title',
body: {body: "body", title: "title"}
}
})
I am using a client ID and a client secret that I got from registering the application with the GitHub API:
Any help would be greatly appreciated! Thank you!
I guess you need access token to access Github API. If you want to try manually here's my suggestion steps.
I will try to explain from the first step.
Register your app.
On your github account, go to settings -> OAuth Applications
This is the image when you register your application
Get the Client ID and Client Secret.
This is the image after you receive Client ID and Client Secret
Ask for Github Code
Now you have Client ID. Go to this url.
https://github.com/login/oauth/authorize?client_id=b420627027b59e773f4f&scope=user:email,repo
Please define your own client_id and scope.
Get the Github Code
Remember the Authorization callback URL you input when register?
After you go to the link above, you should have redirected to your callback URL with the code as the parameter.
For example http://localhost:8080/github/callback?code=ada5003057740988d8b1
Ask and Get the Access Token
Now you need to do http request post with Client ID, Client Secret, and Code you have got as the parameter.
Request
POST https://github.com/login/oauth/access_token?client_id=a989cd9e8f0137ca6c29&client_secret=307d18600457b8d9eec1efeccee79e34c603c54b&code=ada5003057740988d8b1
Response
access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer
Post Issue to Github
Now you have access token you can use it to access Github API.
fetch('https://api.github.com/repos/organization/repo/issues?access_token=e72e16c7e42f292c6912e7710c838347ae178b4a', {
method: 'post',
body: {
title: 'Title',
body: {body: "body", title: "title"}
}
})
To achieve what you want you have to implement the web application flow described here.
This means you have to redirect the user to https://github.com/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI so that he can login to GitHub and authorize your application. After successful login GitHub redirects you to the redirect_uri, which usually points to an endpoint of your application. This endpoint extracts the authorization code from the URI to request an access token from GitHub with it (See here). As soon as you have the access token you can consume the GitHub API by sending the OAuth token in the Authorization header as follows.
Authorization: token OAUTH-TOKEN

Stripe + React Native - How can I create Transfers to a Managed Account (error: "Must provide source or customer.")?

I am trying to transfer money to a Managed Account, but I am getting the error: "Must provide source or customer.". Here is the request body and headers sending to the API.
var transferBody= {
"amount": "1000",
"currency": "usd",
"destination": "default_for_currency",
}
let apiTransferRequest = {
method: 'post',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Bearer ' + secret_key,
'stripe_account': 'acct_198vxeLmTNKjRg7x'
},
body: transferBody
}
Shouldn't providing 'stripe_account' in the headers make myself act on behalf of the Managed Account, so in turn should act as the source?
From what I understand, providing 'stripe_account' in the headers and using 'destination' parameter set to 'default_for_currency', makes the Managed Account to transfer funds from its own Stripe Managed Account balance to its default debit card.
I am following this example, under Standard transfers https://stripe.com/docs/connect/bank-transfers , and I'm using React Native so this would be the only approach to using Stripe.js as far as I know of. I'm following http://blog.bigbinary.com/2015/11/03/using-stripe-api-in-react-native-with-fetch.html
Thank you in advance and will accept/upvote the answer.
First, please note that you should not be creating transfers or issuing any other API requests with your secret API key from your frontend code. It would be trivial to retrieve your secret key and use it for malicious purposes. (The comments in the blog post you mentioned say as much.)
You must use a backend server. The only part of the payment flow that should be handled in your frontend code is the tokenization of payment information, using Checkout or Stripe.js.
That said, if you want to issue a request on behalf of a connected account, the header you need to use is Stripe-Account, not stripe_account. The latter is used in the Node.js examples on Stripe's site because those use Stripe's Node library, in which stripe_account is a special argument to make use of the Stripe-Account header.

Categories