Use Postman to Login a Cognito user with API alone - json

I'm migrating from Firebase where this was rather simple to do.
I'm building a custom api because the environment I need to build in will not let me use any official sdk's or anything, so this solely has to be done via rest type actions.
I essentially want to just post the username/password to aws cognito, and recieve an auth token that I can then append to the headers of future requests (to other api calls)
After hunting for quite a bit, almost all help has postman connecting to Amazon's login UI etc, and I cannot do that. It must completely handle the login process "behind the scenes" and not prompt the user with Amazon's own UI.
So, assuming this is possible:
What headers do I need (content-type etc)
How do I format the body json (or is it using something else?)
I assume I'd send it as "raw" body.
This is as far as I got so far and I'm scratching my head:
Url: https://[DOMAIN].auth.us-east-1.amazoncognito.com/oauth2/token
Body Json:
{
"ClientId": "1234etc",
"Password": "Password1_",
"UserAttributes": [
{
"Name": "email",
"Value": "test#test.com"
}
],
"Username": "test#test.com"
}
No idea if this is even the right format for the JSON I just scalped it from other posts.

Related

ADF, CopyData & Rest API

I actually try to make a simple pipeline to read JSON Data on a API REST and store it in a database.
I try first with a CopyData acticity.
I set up the linked service, the dataset, etc etc...
I need to call an API with POST Method and a Body's payload.
Everything is set, I launch the pipeline and... the api respond like i don't providethe Body's payload.
Double check it, check it via the generated json :
and in the generated pipeline JSON
...
"source": {
"type": "RestSource",
"httpRequestTimeout": "00:01:40",
"requestInterval": "00.00:00:00.010",
"requestMethod": "POST",
"requestBody": "{ \"startDate\":\"2022-09-01T00:00\", \"endDate\":\"2022-09-01T23:59\"}"
},
...
Because requestBody wait a string type, the double quote are escaped...
Never wanted to work. Nothing to do. API never seems to find the body.
I find the "Web" activity and I decide to give it a quick try.
Same api call,same linked service, same dataset same url, same method, same body payload...
Just a big copy&paste.
And it's work...
So, why Web activity works and not CopyData?
I reopen the generated pipeline's JSON and :
Web Activity:
"body": {
"startDate": "2022-09-01T00:00",
"endDate": "2022-09-01T23:59"
},
Copy Activity:
"requestBody": "{ \"startDate\":\"2022-09-01T00:00\", \"endDate\":\"2022-09-01T23:59\"}"
Seems that Web activity don't request the body type to be a String.
Maybe it's the problem,
Maybe Copy rewrite body "badly" and it's fail.
So,
Do I miss something?
or
Is it a bug?
And how do you do it? (consume API data in adf pipeline)
Cheers,
Mike.
You can use #json('{"startDate":"2022-09-01T00:00","endDate":"2022-09-01T23:59"}') in copy activity body
After using the above dynamic content, my copy activity receives the requestBody as an object. Look at the following image:
https://learn.microsoft.com/en-us/answers/questions/1000566/adf-copydata-amp-rest-api.html?childToView=1001129#answer-1001129
Just miss the additional header : content-type : application/json
...
:)

How to design RESTful services with server side logging capability of client information

I'm designing RESTful web services to expose functionalities in a SOA Architecture. Clients of the services are logged in the enterprise intranet, have a client name, ID and other technical information (not business relevant I mean).
I have a requirement which says that all calls to the RESTful services must be logged and must contain the client "not business" information (id, application name, logged user, etc.).
I want to collect all the technical information in a JSON object "technicalData" and the business data (the Data Transfer Object) for PUT/POST in another JSON object "dto".
Is it correct to put this information in the request body for GET, POST, PUT, DELETE?
This information in the GET/DELETE body does not have a semantic meaning to the request since they are used only for logging purpose see this answer on SO
Examples:
GET /books?author=AUTHOR
{
"technicalData":
{
"id": "...",
"loggedUser": "...",
"applicationName": "..."
}
}
POST /books
{
"technicalData":
{
"id": "...",
"loggedUser": "...",
"applicationName": "..."
}
"dto":
{
...
}
}
PUT /books/ID
{
"technicalData":
{
"id": "...",
"loggedUser": "...",
"applicationName": "..."
}
"dto":
{
...
}
}
DELETE /books/ID
{
"technicalData":
{
"id": "...",
"loggedUser": "...",
"applicationName": "..."
}
}
No, you shouldn't pass that information in the body of every request. You certainly shouldn't pass it up the wire in GET and DELETE calls, as that violates the spec:
sending a payload body on a GET request might cause some existing implementations to reject the request. (RFC 7231)
sending a payload body on a DELETE request might cause some existing implementations to reject the request. (RFC 7231)
Meta information like this belongs in headers. Presumably you're using an Authorization header or other means of identifying the user? That will give you the username. If not, maybe the From header would be an appropriate place to store it. Perhaps User-Agent can be used to specify the application. Alternately, look at using a JWT, which will let you embed arbitrary information.
Usually, the information called "technicalData" are not sharing between client and server by request call. You should share only a request token that identify the current session. The token will be related on the server with loggedUser and so on...

Making REST API call using curl to Bluemix Predictive Modeling service

I would like to create HTTP GET request to REST API using the curl tool that comes with the Cloud Foundry command line interface (cf). The content/format of the request is described here, under "Retrieving a list of all currently deployed models:" subtitle. In short, the description gives me the url that I can make the request to, it also gives me the following "request example":
Content-Type: */*
Parameters:
Query Parameters:
accesskey: access_key from env.VCAP_SERVICES
I know how to retrieve all necessary parameters (i.e. the access keys, etc). The problem is that I am not sure how to interpret the above "request example" (is it header or body of the request?) and how to create curl command that will properly send the request.
I want to briefly describe what I have tried so far. When I try:
cf curl -X GET "http://{my_url}/model?accesskey={my_access_key}"
I always get the following response:
{
"code": 10000,
"description": "Unknown request",
"error_code": "CF-NotFound"
}
, when I try:
cf curl -X 'GET' http://{my_url}/model?accesskey={my_access_key}
, I think I actually get a response from the server:
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
Whenerver I try to use just "normal" curl (not the one that comes with the cf command line interface) the Bluemix Predictive Modeling service doesn't respond at all - the connection always times out. I'm not sure why, since Bluemix documentation says that any programming language can be used to make the REST API calls. In the future I would also like to use POST requests - an explanation of how to make one would be very helpful too.
Any help will be greatly appreciated.
You first need to "bind" an instance of the Predictive Model service to an app. When you have done it, you will have a "Show credentials" link below the app widget in your Bluemix dashboard. Click "Show credentials", and you will see a JSON object (which happens to be the VCAP_SERVICES value that Bluemix sets as environment variable for your app), for example:
{
"pm-20": [
{
"name": "Predictive Modeling-i6",
"label": "pm-20",
"plan": "free",
"credentials": {
"url": "https://ibmpmsrvus1.pmservice.ibmcloud.com:8443/pm/v1",
"access_key": "xxxyyyzzz"
}
}
]
}
(I have just removed my own credentials).
Finally for the Curl command, use the "url" above as root of your API, and add a query parameter "?accesskey=xxxyyyzzz" (whatever credentials you have on your own) to all API calls. For example, I add /model to my URL to query my list of models (none created):
curl -X GET "https://ibmpmsrvus1.pmservice.ibmcloud.com:8443/pm/v1/model?accesskey=xxxyyyzzz"
which returns
[]
(as I have not created any models). Note that you will likely need to quote the URL, since the access key contains characters that may mess up your shell command.
I explicitly used "-X GET": You will want to do "-X PUT" in some commands (PUT HTTP method), and most likely you can use "-d #" to upload a file as form data payload:
curl -X PUT -d #mymodelfile "https://..."

Secure JSON requests and responses

This may be a stupid question, but how can one write a secure RESTful API? If I want to ensure that the client is a valid user, would it be unwise to send a post request with the following object?
{
"user": "some_user",
"password": "some_password"
"field1": "some_data",
"field2": "some_more_data"
}
I currently hesitate to do something like that. Doesn't that reveal the username and password in plain text to everyone on the network and everything between the client and the server? Should I use SSL or something similar? Are there any RESTful security readings you have found valuable?
Thanks for the help.
For a RESTful API is not recommended to pass the credentials in the JSON body in every request, instead you use the headers to authenticate each call. For further options on how to secure your API you can check this blog, full disclosure I work for that company, but since it's what we do, I think is a good resource.

Accessing Google AppEngine Cloud Endpoints using ActionScript 3?

Is anyone aware of method of accessing Google AppEngine Cloud Enpoints using ActionScript 3 without having to go through the JavaScript layer? I have been going on the docs and Google to find any tutorials or examples but did not find anything useful.
We don't have AS3 client libraries and currently there are none planned that I know of, so you'll have to rely on HTTP to make your REST calls.
TLDR; Use the APIs Explorer
If you visit
https://your-app-id.appspot.com/_ah/api/explorer
(replacing your-app-id with your actual application ID), then you'll be redirected to your own custom version of the Google APIs Explorer.
In it you can click on individual APIs and see the list of all available methods. Within a the page for each method, you can try out forming requests and the Explorer will suggest the correct values to use.
After you click "Execute", the full HTTP request (headers and all) and response will be printed on your page, which will show you which commands to use.
Description of how to use the Discovery Document
The Discovery Document for your API will contain all the information you need to construct a request.
To find the root for calling your API, check out the baseUrl key. It should be something like:
https://your-app-id.appspot.com/_ah/api/tictactoe/v1/
To figure out how to call a specific method, there are descriptions of every method, nested down as resources in the Discovery Document. For example, for the Tic Tac Toe Python sample, the board_get_move method has a name of board.getmove in the #endpoints.api decorator. This means the method getmove is owned by the resource board.
If you look in the resources.board.methods key in the Discovery Document you can see the getmove method:
"getmove": {
"id": "tictactoe.board.getmove",
"path": "board",
"httpMethod": "POST",
"description": "Exposes...",
"request": {
"$ref": "TictactoeApiMessagesBoardMessage"
},
"response": {
"$ref": "TictactoeApiMessagesBoardMessage"
}
}
Combining the path with our baseUrl we know requests will need to be sent to
https://your-app-id.appspot.com/_ah/api/tictactoe/v1/board
and from httpMethod we know requests will use the HTTP method POST.
Finally, to specify the request, we see a reference to a schema:
"$ref": "TictactoeApiMessagesBoardMessage"
Looking in the schemas.TictactoeApiMessagesBoardMessage key in the Discovery Document we see:
"TictactoeApiMessagesBoardMessage": {
"id": "TictactoeApiMessagesBoardMessage",
"type": "object",
"description": "ProtoRPC message definition to represent a board.",
"properties": {
"state": {
"type": "string"
}
}
}
so we know the payload must contain a single field called state and that field must be a string.