Hello All, I'm struggling with a simple thing: Getting the Authorization Header from a Response. I see it in the browser console, however I don't know how to get it in my app. I'm not that long in clojure(script) (I love it), so I guess I'm missing something obvious. I tried with https://github.com/day8/re-frame-http-fx using:
{:http-xhrio {:method :post
:uri (str " " username)
:headers {"X-GraphDB-Password" password}
:on-success [:login-success]
:on-failure [:login-failure]
:format (ajax/json-request-format)
:response-format (ajax/json-response-format {:keywords? true})}}
but i dont get any headers object at all in my response
and I tried @superstructor https://github.com/superstructor/re-frame-fetch-fx
{:fetch {:method :post
:url (str " " username)
:headers {"X-GraphDB-Password" password}
:response-content-types {#"application/.*json" :json}
:credentials :include
:mode :cors
:on-success [:login-success]
:on-failure [:login-failure]}}
where i get some headers but not the authorization header (though I see it in the browser network tab).
{
"ok?": true,
"redirected?": false,
"final-uri?": null,
"status-text": "",
"type": "cors",
"headers": {
"cache-control": "no-store",
"content-type": "application/json;charset=UTF-8"
},
"status": 200,
"reader": "json",
"url": "",
"body": {
"username": "admin",
"password": "[CREDENTIALS]",
"authorities": [
"ROLE_USER",
"ROLE_ADMIN",
"ROLE_MONITORING",
"ROLE_REPO_MANAGER",
"ROLE_CLUSTER"
],
"appSettings": {
"DEFAULT_INFERENCE": true,
"DEFAULT_VIS_GRAPH_SCHEMA": true,
"DEFAULT_SAMEAS": true,
"IGNORE_SHARED_QUERIES": false,
"EXECUTE_COUNT": true
},
"external": false
}
}
could you please point me in the right direction?By "Authorization Header", do you mean literally the Authorization header? Or something else, like a cookie?
I'm looking for this: Authorization: GDB eyJ1c2VybmFtZSI6ImFkbWluIiwiYXV0aGVudGljYXRlZEF0IjoxNzI2OTk4...
But I'm also new on the whole auth topic. So if I'm going into the wrong direction, feel free to point it out
I wanted to store the token in my app db to use it in further requests. I thought this would at least be more sensible than storing the password and use Basic Authentication
I hope that's not a sensitive string, because you should not share such info on public servers. :)
The Authorization header is a request header. Unless someone did it deliberately for some reason, servers don't respond with Authorization. I'm surprised you see it in a response.
Assuming you're able to fetch that header - what are you going to do with it?
no, it's just something local for testing 🙂
I need it to authenticate requests. I want to store the token in my db (of the re-frame application) and use it for further requests. The documentation of the db I'm using (and want to authenticate against) suggests it this way: https://graphdb.ontotext.com/documentation/10.7/access-control.html#gdb-authentication
Or am I totally on the wrong path here? 😄
Yikes...
GraphDB is very wrong from the security perspective.
They have notes about the necessity of "encryption in transit", and that's totally true, albeit I'd call it just "HTTPS" and not a vague "encryption in transit" which can mean different things.
But they don't seem to realize that storing anything secure in JavaScript is a recipe for stolen identity. Even if you use stuff like closures. Maybe they were thinking about communicating in a server-to-server manner, not from browsers.
And since you're using a CORS request, you cannot even access the Authorization header, in principle - your browser prevents it. Replies for CORS requests are filtered and the client JS can access only a handful of headers.
What they should've also provided is plain old cookies. It's a reliable and secure mechanism when you follow the guidelines. Nobody can intercept or steal anything unless there's a vulnerability in browsers or SSL.
In any case, if the GDB server is configured to allow non-CORS requests then you can send such requests and responses should have that header.
If the server is not configured to allow such requests, then it basically doesn't have what the docs call "GDB authentication" when it comes to browsers.
thanks for this detailed answer. I guess I have to change my approach here then. I was using cors because for testing I have both running on my local machine and I was not getting my requests through. So today I learnt and will have to learn a lot more. Thanks!
If you have your own server, what I would do is proxy the GDB by that server and use good old secure HttpOnly cookies between browser clients and your server.
Thanks for the advice. I will look into that!