Code Bug Fix: API not invoking the lambda based on the response from the lambda authorizer and return null message


I am trying to authenticate an API based on the response from the Lambda authorizer. So I have created the following stack:

  1. Lambda function called ‘Test-Lambda’ which returns some value

  2. Created an API Gateway and attached it to the ‘Test-Lambda’

  3. Now created an Authorizer Lambda which validates the request header and returns the policy. Attached the same to the API Gateway

Now after deploying the API, I tested via Postman with the following parameters

Key: Authorization
Value:allow

But in the response I am getting the following output

{
    "message": null
}

Here is the Lambda Authorizer code. As I verified in the CloudWatch logs, this is executing fine based on the request

module.exports.handler = async function(event, context) {
   const token = event.authorizationToken.toLowerCase();
   const methodArn = event.methodArn;
   console.log("Lambda Invoked")

   switch(token){
       case 'allow':
           return genertaeAuthResponse('user','Allow', methodArn);
       default:
          return  genertaeAuthResponse('user','Deny', methodArn);

   }

}

function genertaeAuthResponse(principalId, effect, methodArn) {
    const policyDocument= generatePolicyDocument(effect, methodArn);

    return {
        principalId,
        policyDocument

    }

}


function generatePolicyDocument(effect, methodArn){
    console.log("Lambda Invoked in the generatePolicyDocument", effect,methodArn)
    if(!effect || !methodArn) return null

    const policyDocument =  {
         Version: '2012-10-17',
         Statemnet: [{
             Action:'execute-api:Invoke',
             Effect: effect,
             Resource: methodArn

         }]

   };
   console.log("policyDocument in the generatePolicyDocument", policyDocument)
   return policyDocument

}

I am seeing the below response in the logs

{
  Version: '2012-10-17',
  Statemnet: [
    {
      Action: 'execute-api:Invoke',
      Effect: 'Allow',
      Resource: 'arn:aws:execute-api:ap-southeast-1:myresource'
    }
  ]
}

But I am not understanding why Postman returns ‘null’, which is usually returned for the ‘fail’ value? It looks like API Gateway is not invoking the Lambda based on the response from the authorizer

I would appreciate it if anybody can help on this.

Thanks
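As an added example (not the question's code), the following builds the authorizer response in the shape API Gateway expects, a principalId plus an IAM policy document whose top-level keys are Version and Statement, and runs a shape check on it before returning, so a malformed document is caught in the authorizer's own logs rather than surfacing as a generic gateway error. The handler, its placeholder token check, the validator and the sample ARN are assumptions made for illustration.

```javascript
// Added example: build and validate an API Gateway Lambda authorizer response.
// The policy document follows the IAM policy grammar: "Version" plus a "Statement" array.

const VALID_EFFECTS = new Set(['Allow', 'Deny']);
const EXECUTE_API_ARN = /^arn:aws[\w-]*:execute-api:/;

// Policy document with a single execute-api:Invoke statement for the called method.
function buildPolicyDocument(effect, methodArn) {
  if (!VALID_EFFECTS.has(effect)) throw new Error(`invalid effect: ${effect}`);
  if (typeof methodArn !== 'string' || !EXECUTE_API_ARN.test(methodArn)) {
    throw new Error('methodArn must be an execute-api ARN');
  }
  return {
    Version: '2012-10-17',
    Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
  };
}

// Full authorizer response: principalId, policyDocument and an optional context map.
function buildAuthResponse(principalId, effect, methodArn, context = {}) {
  return { principalId, policyDocument: buildPolicyDocument(effect, methodArn), context };
}

// Shape check: returns a list of problems, empty when the response is well-formed.
// It flags an unknown top-level key (for example a misspelled "Statement") and a bad Effect.
function validateAuthResponse(resp) {
  const problems = [];
  if (!resp || typeof resp.principalId !== 'string' || resp.principalId === '') {
    problems.push('principalId missing');
  }
  const doc = resp && resp.policyDocument;
  if (!doc || typeof doc !== 'object') return [...problems, 'policyDocument missing'];
  if (doc.Version !== '2012-10-17') problems.push('Version must be 2012-10-17');
  for (const key of Object.keys(doc)) {
    if (key !== 'Version' && key !== 'Statement') problems.push(`unexpected key "${key}"`);
  }
  if (!Array.isArray(doc.Statement) || doc.Statement.length === 0) {
    problems.push('Statement must be a non-empty array');
    return problems;
  }
  doc.Statement.forEach((st, i) => {
    if (!VALID_EFFECTS.has(st.Effect)) problems.push(`Statement[${i}].Effect invalid`);
    if (st.Action !== 'execute-api:Invoke') problems.push(`Statement[${i}].Action invalid`);
    if (!st.Resource) problems.push(`Statement[${i}].Resource missing`);
  });
  return problems;
}

// TOKEN authorizer handler (hypothetical). The literal token comparison is a placeholder
// for real verification; everything that is not the expected token is denied.
async function handler(event) {
  const token = String(event.authorizationToken || '').toLowerCase();
  const effect = token === 'allow' ? 'Allow' : 'Deny';
  const resp = buildAuthResponse('user', effect, event.methodArn);
  const problems = validateAuthResponse(resp);
  if (problems.length) throw new Error('malformed authorizer response: ' + problems.join('; '));
  return resp;
}

if (typeof module !== 'undefined') {
  module.exports = { buildPolicyDocument, buildAuthResponse, validateAuthResponse, handler };
}
```

Throwing on a malformed document makes the authorizer invocation fail loudly in CloudWatch, which is easier to diagnose than a gateway response that only says `"message": null`.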


Code Bug Fix: StreamReader reads u00fc but Postman reads OK


Probably duplicate question but I couldn’t find an answer for my problem. I have this code to call a web service:

var httpWebRequest = (HttpWebRequest)WebRequest.Create("http://172.21.122.1:5001/autocomplete");

httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";
//tried this too: httpWebRequest.Accept = "gzip, deflate";

using (var streamWriter = new StreamWriter(httpWebRequest.GetRequestStream()))
{
    streamWriter.Write("{ \"message\" : \"mü\" }");
    streamWriter.Flush();
    streamWriter.Close();
}

var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();

response = "";
using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
{
    response = streamReader.ReadToEnd();
}

But no matter what Encoding I tried in the StreamReader() constructor, I get this response or worse: {"words":["m\u00fc\u015fteri","m\u00fc\u015fterisiyim"]}

When I use Postman or SoapUI to call the same service with the same request: {"message": "mü"},
the response looks OK: {"words": ["müşteri","müşterisiyim"]}

The strange thing is: the same code works OK with many other services. It is only this specific service whose response is not correctly encoded. We believe there is a programming error in the service, but what I wonder is how Postman or SoapUI handles this. There should be a check in their code: if the response contains "\uxxxx", then Postman or SoapUI decodes it again.

I’ve checked all request / response headers in Postman and SoapUI with no luck. What can be the reason?

Postman screen
SoapUI screen

You have to make sure that your request is encoded correctly.
Set the content type to:

httpWebRequest.ContentType = "application/json;charset=UTF-8";

Check that the request body is also UTF-8 encoded. Set the StreamWriter encoding to UTF-8 as well:

...

using (var streamWriter = new StreamWriter(httpWebRequest.GetRequestStream(), Encoding.UTF8))

...

If you are getting the request content from another source, make sure to read it using UTF-8 encoding as well.

Regex.Unescape(response) worked like a charm, thanks JosefZ!
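An added example, not from the question or the answers, that separates the three cases a client can meet: a body sent as UTF-8 bytes of the real characters, a body that uses ordinary JSON \uXXXX escapes (which JSON.parse decodes on its own), and a body in which the service escaped the string twice, so the literal \u00fc survives parsing and has to be undone explicitly, which is the situation the Regex.Unescape remark describes. The sample bodies are constructed and the functions are illustrative, not part of any library.

```javascript
// Added example: decode a JSON response body as UTF-8 and repair strings that a
// service escaped twice (literal "\u00fc" left over after JSON.parse).

const ESCAPE_RE = /\\u[0-9a-fA-F]{4}/;

// Decode raw bytes as UTF-8, the charset a JSON body is expected to use.
// fatal:true makes malformed byte sequences throw instead of becoming U+FFFD silently.
function decodeBody(bytes) {
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Undo one extra level of escaping on a string that still contains literal \uXXXX.
// Re-parsing it as a JSON string literal reuses the standard JSON escape rules.
function unescapeOnce(s) {
  if (!ESCAPE_RE.test(s)) return s;
  try {
    return JSON.parse('"' + s.replace(/"/g, '\\"') + '"');
  } catch (e) {
    return s;   // not a clean escape sequence; leave the value untouched
  }
}

// Walk a parsed JSON value and repair every double-escaped string in it.
function repairDoubleEscapes(value) {
  if (typeof value === 'string') return unescapeOnce(value);
  if (Array.isArray(value)) return value.map(repairDoubleEscapes);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, repairDoubleEscapes(v)]));
  }
  return value;
}

// Parse a response body (Uint8Array) and report whether a repair was needed,
// so the client can log that the service is misbehaving rather than hide it.
function parseJsonResponse(bytes) {
  const text = decodeBody(bytes);
  const parsed = JSON.parse(text);
  const repaired = repairDoubleEscapes(parsed);
  const doubleEscaped = JSON.stringify(repaired) !== JSON.stringify(parsed);
  return { data: repaired, doubleEscaped };
}

// Constructed sample bodies, as the bytes a client would read off the wire.
const enc = new TextEncoder();
const rawUtf8 = enc.encode('{"words":["müşteri"]}');                     // real characters
const singleEscaped = enc.encode('{"words":["m\\u00fc\\u015fteri"]}');     // normal JSON escape
const doubleEscaped = enc.encode('{"words":["m\\\\u00fc\\\\u015fteri"]}'); // escaped twice by the server
```

Only the third case needs `repairDoubleEscapes`; applying it to a correctly encoded body is a no-op, which is why `doubleEscaped` can double as a health signal for the upstream service.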


Code Bug Fix: Set authorization for imported collections in Postman


Current Workflow:
I develop an API backend and whenever I change or add a route, I want to update my Postman collection accordingly. Therefore I’ve setup a Swagger endpoint. I run the app, get the swagger.json and import it into Postman overriding the already existing collection (from a previous iteration).
My API uses Bearer Token authorization. So I create a token, and edit the collection’s authorization. I navigate to the request I want to test, edit its authorization to “Inherit auth from parent” and hit send.

Pain point:
I have to edit every request’s authorization manually, every time I re-import the collection, because unfortunately the authorization for imported requests defaults to “No auth” (as opposed to created requests, which default to “Inherit auth from parent”).

Question:
Is there a way to set the authorization for all requests to “Inherit auth from parent” more easily?

Research:
The best thing I found was this thread:
https://community.postman.com/t/batch-edit-authorization-type/8327/6
The idea is to export the Collection as json, edit the auth via find and replace and then re-import it again. This is better than manually doing it for all requests, but still quite a pain.
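As an added example, not the question's or Postman's code, this Node script performs the export/edit/re-import step from the linked thread programmatically: it walks a v2.1 collection export, removes request-level auth entries of type noauth so those requests inherit from the collection, and sets the collection-level auth to a bearer token taken from a Postman variable, so the token itself is never written into the exported JSON. The assumption that a request without an auth key inherits from its parent, and the sample collection, are mine.

```javascript
// Added example: rewrite an exported Postman collection so imported requests inherit
// the collection's auth. Assumption: in the v2.1 export format a request without an
// "auth" key inherits from its parent, and imported requests carry {"type":"noauth"}.

// Recursively remove request-level auth so requests fall back to the parent's auth.
// Returns the number of requests changed. Requests with an explicit non-"noauth" type
// are left alone unless force=true, so a deliberately different auth is not clobbered.
function inheritAuth(items, force = false) {
  let changed = 0;
  for (const item of items) {
    if (Array.isArray(item.item)) {          // folder: recurse into its children
      changed += inheritAuth(item.item, force);
      continue;
    }
    const req = item.request;
    if (req && req.auth && (force || req.auth.type === 'noauth')) {
      delete req.auth;
      changed += 1;
    }
  }
  return changed;
}

// Collection-level bearer auth that references a variable, keeping the secret out of the file.
function setCollectionBearer(collection, variableName = 'token') {
  collection.auth = {
    type: 'bearer',
    bearer: [{ key: 'token', value: `{{${variableName}}}`, type: 'string' }],
  };
  return collection;
}

function rewriteCollection(collection, force = false) {
  const changed = inheritAuth(collection.item || [], force);
  setCollectionBearer(collection);
  return { collection, changed };
}

// Constructed sample resembling a swagger.json import: every request starts as "noauth"
// except one that was deliberately set to basic auth.
const sampleCollection = {
  info: { name: 'My API', schema: 'https://schema.getpostman.com/json/collection/v2.1.0/collection.json' },
  item: [
    { name: 'GET /users', request: { method: 'GET', url: '{{baseUrl}}/users', auth: { type: 'noauth' } } },
    { name: 'admin', item: [
      { name: 'POST /users', request: { method: 'POST', url: '{{baseUrl}}/users', auth: { type: 'noauth' } } },
      { name: 'GET /health', request: { method: 'GET', url: '{{baseUrl}}/health', auth: { type: 'basic', basic: [] } } },
    ] },
  ],
};

// CLI use (hypothetical file name): node inherit-auth.js exported.json > fixed.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const input = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const { collection, changed } = rewriteCollection(input);
  process.stderr.write(`${changed} request(s) now inherit auth\n`);
  process.stdout.write(JSON.stringify(collection, null, 2));
}
```

Run it on the exported file after each swagger.json import and re-import the output; the actual token lives in an environment variable in Postman, not in the collection file that gets checked in or shared.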


Code Bug Fix: Is there a way to import a bunch of JSON files into Excel


I have about a hundred JSON files of data that I would like to be able to manipulate in Excel. The reason why there are so many files is that the API I pulled from limits responses to 50 items per request, so I chained 100 requests together in Postman and each request generated its own file.

The layout of each file is as follows:

{
  "href": "dsjdsjds.com",
  "total": 4293,
  "next": "sdsadsads.com",
  "prev": "dsjdjsdj.com",
  "limit": 50,
  "offset": 50,
  "itemSummaries": [...]
}

Pretty much all of the data that I want lies inside the itemSummaries class.

I’m pretty new to this and not sure if the optimal way would be to use a Python script, or if there was a way to use VBA or something. I was thinking that I’d need to combine all of the data into a single file first, but I don’t know how to do that either. I appreciate the help!

Here is what I did in a similar situation where I had to import multiple JSON files, all with the same structure.

  • Use Get & Transform in the Data ribbon to import the JSON file as text. Power Query will recognize this as JSON. Edit the result in the Power Query window and expand/transform the imported data until you can show it in tabular form.
  • You can then convert this manual sequence of steps into a Custom Function. See here for details – https://www.poweredsolutions.co/2019/02/19/parameters-and-functions-in-power-bi-power-query-custom-functions/
  • Go back to Excel and this time, instead of importing the JSON file, import the folder where all these JSON files are available and apply your custom function to the individual JSON files to produce a consolidated table.
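As an added alternative to the Power Query route above (not the asker's or answerer's code), the Node script below consolidates the itemSummaries arrays from many paged responses into one CSV that Excel opens directly. It orders pages by offset, drops items seen twice, flattens nested objects into dotted columns, and neutralises cell values that begin with =, +, - or @ so that text coming from an external API cannot be interpreted as a formula when the sheet is opened. The page objects and the field names inside itemSummaries are constructed.

```javascript
// Added example: merge the itemSummaries from many paged JSON responses into one CSV.

// Flatten nested objects into dotted column names so every row fits one CSV line.
function flatten(obj, prefix = '', out = {}) {
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === 'object' && !Array.isArray(v)) flatten(v, key, out);
    else out[key] = Array.isArray(v) ? v.join('|') : v;
  }
  return out;
}

// Merge pages in offset order, keeping only itemSummaries. An item that appears on two
// pages (overlapping requests) is kept once, keyed on idField (an assumed field name).
function consolidate(pages, idField = 'itemId') {
  const sorted = [...pages].sort((a, b) => (a.offset ?? 0) - (b.offset ?? 0));
  const seen = new Set();
  const rows = [];
  for (const page of sorted) {
    for (const item of page.itemSummaries || []) {
      const flat = flatten(item);
      const id = flat[idField];
      if (id !== undefined) {
        if (seen.has(id)) continue;
        seen.add(id);
      }
      rows.push(flat);
    }
  }
  return rows;
}

// RFC 4180 quoting. A value starting with = + - or @ is prefixed with an apostrophe so a
// spreadsheet treats it as text: API-supplied strings must not become formulas.
function csvCell(v) {
  let s = v === null || v === undefined ? '' : String(v);
  if (/^[=+\-@]/.test(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toCsv(rows) {
  const columns = [...new Set(rows.flatMap(r => Object.keys(r)))];
  const lines = [columns.map(csvCell).join(',')];
  for (const r of rows) lines.push(columns.map(c => csvCell(r[c])).join(','));
  return lines.join('\r\n') + '\r\n';
}

// Constructed pages in the layout from the question (two pages, one overlapping item,
// one title that looks like a formula).
const pages = [
  { href: 'dsjdsjds.com', total: 3, next: null, prev: 'x', limit: 50, offset: 50,
    itemSummaries: [
      { itemId: 'v1|2', title: '=SUM(1,2)', price: { value: '1.00', currency: 'USD' } },
      { itemId: 'v1|3', title: 'Spare part', price: { value: '9.99', currency: 'USD' } },
    ] },
  { href: 'dsjdsjds.com', total: 3, next: 'x', prev: null, limit: 50, offset: 0,
    itemSummaries: [
      { itemId: 'v1|1', title: 'Lamp, desk', price: { value: '12.00', currency: 'USD' } },
      { itemId: 'v1|2', title: '=SUM(1,2)', price: { value: '1.00', currency: 'USD' } },
    ] },
];

// CLI use (hypothetical): node consolidate.js ./exports > items.csv
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const path = require('path');
  const dir = process.argv[2] || '.';
  const loaded = fs.readdirSync(dir).filter(f => f.endsWith('.json'))
    .map(f => JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8')));
  process.stdout.write(toCsv(consolidate(loaded)));
}
```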

Code Bug Fix: Hide / restrict access to data in an REST API endpoint (Node.js)


What is the most secure way to restrict access to data (JSON) in a REST API endpoint, if there is one?
I tried to limit by referrer (show only if the request comes from a specific domain) and by putting in a computed one-time-only key.

That worked fine until I discovered that with POSTMAN Interceptor (and probably other solutions) the above scenario becomes useless since someone can catch the data very easily.

The data in these endpoints is not sensitive (on the endpoints with sensitive data I use authentication), but I would prefer to protect myself from giving ideas about database structure or reverse engineering etc.

Thank you very much!


Code Bug Fix: All the requests in a postman collection do not run


I am new to Postman. I have a 6-request collection and I am using variables that are passed between these requests.

In request 3 I am using an if/else statement and postman.setNextRequest to ensure that the request loops until I get the required parameters; once I get the parameters I should run the next request, which is mentioned in the else statement.

The request in the else statement does not seem to run when I run the collection. In the collection runner I do not see any error either. After request 3 runs, requests 4, 5 and 6 should run.

When I run requests 1, 2, 3, 4, 5, 6 individually, all of them work as expected. When I run them as a collection, it executes until request 3, which is in the loop, and requests 4, 5, 6 do not run.

Please help me understand how I can fix this issue. Please check the code below –

Request 3: i.e “Get Dataflow Execution Time 2”

var bodyData = JSON.parse(responseBody);

if (responseCode.code === 200 && bodyData.dataflowJobs[0].status !== "Success" && bodyData.dataflowJobs[0].label === "MyOpps_Data_Dataflow") {
    // Request 3 which is in loop until I get the status === "success"
    postman.setNextRequest("Get Dataflow Execution Time 2");
} else {
    postman.setNextRequest("Schedule Recipe"); // Request 4
    var current_timestamp = new Date();
    console.log(current_timestamp.toISOString());
}
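An added example, not the asker's script, that keeps the same two request names and job label but moves the decision into a pure function with an attempt cap, so a job that never reaches Success cannot keep the runner looping indefinitely, and selects the job by label rather than assuming it is the first entry. Passing null to setNextRequest ends the run. The attempt-counter variable name is an assumption and the sample bodies are constructed.

```javascript
// Added example: bounded polling loop for the Postman collection runner.
// The decision is a pure function so it can be unit-tested outside Postman.

const POLL_REQUEST = 'Get Dataflow Execution Time 2';   // request 3 (polls itself)
const NEXT_REQUEST = 'Schedule Recipe';                 // request 4
const JOB_LABEL = 'MyOpps_Data_Dataflow';
const MAX_ATTEMPTS = 20;

// Returns { next, reason }. next === null stops the collection run.
function chooseNextRequest(statusCode, body, attempt) {
  if (statusCode !== 200) return { next: null, reason: `HTTP ${statusCode}` };
  const job = (body.dataflowJobs || []).find(j => j.label === JOB_LABEL);
  if (!job) return { next: null, reason: `no job labelled ${JOB_LABEL}` };
  if (job.status === 'Success') return { next: NEXT_REQUEST, reason: 'job finished' };
  if (job.status === 'Failure') return { next: null, reason: 'job failed' };
  if (attempt >= MAX_ATTEMPTS) return { next: null, reason: 'gave up after max attempts' };
  return { next: POLL_REQUEST, reason: `status ${job.status}, retrying (${attempt + 1}/${MAX_ATTEMPTS})` };
}

// Postman Tests-tab glue: runs only inside the Postman sandbox, where `pm` exists.
// "dataflowAttempt" is an assumed runtime variable used to count polls.
if (typeof pm !== 'undefined') {
  const attempt = Number(pm.variables.get('dataflowAttempt') || 0);
  const decision = chooseNextRequest(pm.response.code, pm.response.json(), attempt);
  console.log(new Date().toISOString(), decision.reason);
  pm.variables.set('dataflowAttempt', decision.next === POLL_REQUEST ? attempt + 1 : 0);
  postman.setNextRequest(decision.next);   // null ends the run
}
```

The whole block can be pasted into the Tests tab of request 3; the `typeof pm` guard lets the same file run under Node for the tests below.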


Code Bug Fix: Unable to read json body [duplicate]


Quite new to Golang, I am trying to read the POST JSON request body in Golang, but it just converts to an empty string.

Below is the struct which I am trying to convert my request JSON body to

type SdpPost struct {
    id string
    sdp string
}

func (s *SdpPost) Id() string {
    return s.id
}

func (s *SdpPost) SetSdp(sdp string) {
    s.sdp = sdp
}

func (s *SdpPost) Sdp() string {
    return s.sdp
}

When I try to print the request with the snippet below, I do see my JSON request body which I am passing through Postman

Dumping the json POST /v1/sdp HTTP/1.1
Host: localhost:8080
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 62
Content-Type: application/json
Postman-Token: 5f0f9961-f058-446a-86e8-7f047c1dc5cc
User-Agent: PostmanRuntime/7.24.1

{
        "sdp":"This is the test sdp",
        "id":"This is the test id"
}

But the code below prints nothing; it is just an empty string for Id and Sdp

    r.Header.Set("Content-Type", "application/json")
    decoder := json.NewDecoder(r.Body)
    sdp := handler.SdpPost{}
    decoder.Decode(&sdp)
    w.WriteHeader(http.StatusOK)
    fmt.Print(sdp.Id())
    fmt.Println(sdp.Sdp())

Is there anything which I am missing somewhere? I literally searched everywhere and this is pretty much what is being used.

The problem is that the SdpPost fields are unexported, so the JSON decoder doesn’t see them; you can fix that like this:

type SdpPost struct {
    Id string
    Sdp string
}


Code Bug Fix: How can I test a CSP report-uri endpoint?


I’ve added a Content Security Policy to my website and made a report-uri endpoint with AWS API Gateway, Lambda, and DynamoDB. I’ve tested it with Postman using the following JSON

{
      "resource": "/",
      "path": "/",
      "requestContext": {
        "resourcePath": "/",
        "httpMethod": "POST",
        "path": "/latest"
      },
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "accept-encoding": "gzip, deflate, br",
        "Host": "70ixmpl4fl.execute-api.us-east-2.amazonaws.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
        "X-Amzn-Trace-Id": "Root=1-5e66d96f-7491f09xmpl79d18acf3d050"
      },
      "multiValueHeaders": {
        "accept": [
          "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
        ],
        "accept-encoding": [
          "gzip, deflate, br"
        ]
      },
      "queryStringParameters": null,
      "multiValueQueryStringParameters": null,
      "pathParameters": null,
      "stageVariables": null,
      "body": {
        "csp-report": {
          "document-uri": "https://example.com/signup.html",
          "referrer": "",
          "blocked-uri": "https://example.com/css/style.css",
          "violated-directive": "style-src cdn.example.com",
          "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
        }
      },
      "isBase64Encoded": false
    }

It seems to work properly when using Postman. But when I added the endpoint to my Content Security Policy and attempt to violate the policy, I can’t seem to get it to report correctly.

Does the JSON above adequately demonstrate what a real CSP violation would look like?
I’ve looked around and haven’t seen much about developing your own endpoint. Any resources or other advice is greatly appreciated.
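As an added example (not the asker's endpoint), this Lambda proxy handler accepts what a browser actually sends: the browser posts with Content-Type application/csp-report and a {"csp-report": {...}} object, and, unlike the Postman event in the question where body is a nested object, the event API Gateway hands a proxy-integration Lambda carries body as a string (base64 when isBase64Encoded is true). The handler keeps only known report fields, bounds their length, and returns 204 because the browser ignores the response. The sample event is constructed and the storage call is a stand-in for the DynamoDB write.

```javascript
// Added example: API Gateway proxy-integration Lambda that accepts browser CSP reports.

const REPORT_FIELDS = ['document-uri', 'referrer', 'blocked-uri', 'violated-directive',
  'effective-directive', 'original-policy', 'disposition', 'status-code',
  'source-file', 'line-number', 'column-number', 'script-sample'];
const MAX_BODY_BYTES = 16 * 1024;   // reports are small; anything larger is rejected
const MAX_FIELD_CHARS = 2048;

// Case-insensitive header lookup (API Gateway preserves the client's header casing).
function headerValue(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

// Proxy events carry body as a string; decode base64 when the gateway says so.
function bodyText(event) {
  if (typeof event.body !== 'string') throw new Error('proxy event body must be a string');
  return event.isBase64Encoded ? Buffer.from(event.body, 'base64').toString('utf8') : event.body;
}

// Validate and normalise a report; null when the payload is not a CSP report.
// Only known fields survive and each value becomes a bounded string, so the stored
// item cannot carry arbitrary client-chosen structure. application/json is accepted
// too so the endpoint can still be exercised from Postman.
function parseCspReport(contentType, text) {
  const mediaType = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/csp-report' && mediaType !== 'application/json') return null;
  let parsed;
  try { parsed = JSON.parse(text); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const report = {};
  for (const f of REPORT_FIELDS) {
    if (r[f] !== undefined && r[f] !== null) report[f] = String(r[f]).slice(0, MAX_FIELD_CHARS);
  }
  if (!report['document-uri'] || !(report['violated-directive'] || report['effective-directive'])) return null;
  return report;
}

// Stand-in for the DynamoDB write (constructed; a real handler would call the SDK here).
const stored = [];
async function storeReport(item) { stored.push(item); return item; }

async function handler(event) {
  let text;
  try { text = bodyText(event); } catch (e) { return { statusCode: 400, body: e.message }; }
  if (Buffer.byteLength(text, 'utf8') > MAX_BODY_BYTES) return { statusCode: 413, body: 'report too large' };
  const report = parseCspReport(headerValue(event.headers, 'content-type'), text);
  if (!report) return { statusCode: 400, body: 'not a CSP report' };
  await storeReport({
    receivedAt: new Date().toISOString(),
    userAgent: String(headerValue(event.headers, 'user-agent') || '').slice(0, 512),
    ...report,
  });
  return { statusCode: 204, body: '' };   // browsers ignore the response body
}

// Constructed event in the shape API Gateway passes for a browser-sent report.
const browserEvent = {
  httpMethod: 'POST',
  headers: { 'Content-Type': 'application/csp-report', 'User-Agent': 'Mozilla/5.0 (constructed)' },
  isBase64Encoded: false,
  body: JSON.stringify({ 'csp-report': {
    'document-uri': 'https://example.com/signup.html',
    'referrer': '',
    'blocked-uri': 'https://example.com/css/style.css',
    'violated-directive': 'style-src cdn.example.com',
    'original-policy': "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
  } }),
};
```

To reproduce the browser's request in Postman, send the raw body as a string with the `Content-Type: application/csp-report` header rather than a test event with a pre-parsed `body` object; the two shapes are not interchangeable once the Lambda runs behind the gateway.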


Code Bug Fix: cannot send request to API


I am building a REST API with Node and using Postman to test it. It was perfectly alright and I was getting the requests from Postman, but when I attached my MongoDB Atlas to connect my API to it, I couldn’t send any request: Postman is stuck at the message “sending request”; it is neither connecting nor showing any errors. I also tried to send a request using a Python script as well as curl; everything has the same problem. It never shows anything on my server; I am getting only the **POST /PRODUCTS – ms –** and about the code there were no errors or warnings. If you need any reference I can send the part which you ask. All I want is to make this thing work, help me.


Code Bug Fix: Rest API real time Tricky Question- Need Answer


I was recently interviewed by an MNC technical panel and they asked me different questions related to REST APIs. I was able to answer all but the 2 questions below; though I answered them, I am not sure if those are correct answers. Can somebody answer my queries with real-time examples?

1) How can I secure my REST API when somebody sends a request from Postman? The user provides all the correct information in the header like session id, token etc.
My answer was: The user’s token sent in the header of the request should be associated with the successfully authenticated user info; only then will the user be granted access, whether the request comes from Postman or the application calls these APIs. (The panel said no to my answer)

2) How can I handle concurrency in a REST API? Meaning, if multiple users are trying to access the API at the same given time (e.g. multiple POST requests are coming to update data in a table), how will you make sure one request is served at a time and accordingly the values are updated as requested by the different user requests?
2) My answer was: In Entity Framework we have a class called DbUpdateConcurrencyException. This class takes care of handling concurrency and ensures one request is served at a time.
I am not sure about both of my above answers and I did not find any specific answer on Googling either.

Your expert help is appreciated.

Thanks

1) It is not possible: requests from Postman or any other client or proxy (Burp, ZAP, etc.) are indistinguishable from browser requests if the user has the appropriate credentials (for example, can observe and copy normal requests). It is not possible to authenticate the client application, only the client user.

2) It would be really bad if a web application could only serve one client at a time. Think of large traffic like Facebook. 🙂 In many (maybe most?) stacks, each request gets its own thread (or similar) to run, and that finishes when the request-response ends. These threads are not supposed to directly communicate with each other while running. Data consistency is a requirement of the persistence technology, i.e. if you are using a database, for example, it must guarantee that database queries are run one after the other. Note that if an application runs multiple queries, database transactions or locks need to be used on the database level to maintain consistency. But this is not at all about client requests; it’s about how you use your persistence technology to achieve consistent data. With a traditional RDBMS it’s mostly easy; with other persistence technologies (like for example using plaintext files for storage) it’s much harder, because file operations typically don’t support a facility similar to transactions (but they do support locks, which you have to manage manually).
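As an added illustration of the answer's point that consistency belongs to the persistence layer rather than to serialising client requests (not code from the question or the answer), the snippet below uses optimistic concurrency: each row carries a version, an update succeeds only if the version is unchanged since the read, and a losing request re-reads and retries. The in-memory map stands in for a table where the same check would be one conditional UPDATE; the account data is constructed.

```javascript
// Added example: optimistic concurrency (compare-and-set on a version column) versus a
// blind overwrite, with two requests interleaved on the same row.

class ConflictError extends Error {}

// Stand-in for a table with a version column. Each method is one atomic statement:
// Map operations cannot be interleaved within a single JavaScript turn.
class VersionedStore {
  constructor() { this.rows = new Map(); }
  insert(id, data) { this.rows.set(id, { version: 1, data: { ...data } }); }
  read(id) {
    const row = this.rows.get(id);
    if (!row) throw new Error(`no row ${id}`);
    return { version: row.version, data: { ...row.data } };
  }
  // Equivalent of: UPDATE t SET data=?, version=version+1 WHERE id=? AND version=?
  // The write is refused if someone else committed since this caller's read.
  update(id, expectedVersion, data) {
    const row = this.rows.get(id);
    if (!row) throw new Error(`no row ${id}`);
    if (row.version !== expectedVersion) {
      throw new ConflictError(`row ${id}: version ${row.version} != expected ${expectedVersion}`);
    }
    this.rows.set(id, { version: row.version + 1, data: { ...data } });
    return row.version + 1;
  }
}

// Read-modify-write with bounded retries: every attempt re-reads current state, so the
// change is applied to what is actually stored rather than to a stale copy.
async function updateWithRetry(store, id, mutate, maxAttempts = 5) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const { version, data } = store.read(id);
    await Promise.resolve();   // yield: lets another "request" run between read and write
    try {
      return { version: store.update(id, version, mutate(data)), attempts: attempt };
    } catch (e) {
      if (!(e instanceof ConflictError) || attempt === maxAttempts) throw e;
    }
  }
}

// Two requests both read balance=100 and add to it. With the version check, the second
// write is refused, re-reads 125, and both deposits land.
async function demoConcurrentDeposits() {
  const store = new VersionedStore();
  store.insert('acct-1', { balance: 100 });
  const results = await Promise.all([
    updateWithRetry(store, 'acct-1', d => ({ ...d, balance: d.balance + 25 })),
    updateWithRetry(store, 'acct-1', d => ({ ...d, balance: d.balance + 10 })),
  ]);
  return { balance: store.read('acct-1').data.balance, attempts: results.map(r => r.attempts) };
}

// Same interleaving without a version check: the second write overwrites the first
// (a lost update), and the +25 deposit silently disappears.
async function demoLostUpdate() {
  const rows = new Map([['acct-1', { balance: 100 }]]);
  const deposit = async (amount) => {
    const snapshot = { ...rows.get('acct-1') };
    await Promise.resolve();
    rows.set('acct-1', { balance: snapshot.balance + amount });   // blind overwrite
  };
  await Promise.all([deposit(25), deposit(10)]);
  return rows.get('acct-1').balance;
}
```

Neither version serialises the incoming HTTP requests; the database (here, the store) decides which write wins, and the application's job is to detect the refusal and retry or report it, which is also what catching DbUpdateConcurrencyException amounts to in Entity Framework.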
