jedireza/aqua

Q: how would one use Aqua's APIs from a third party service?

Closed this issue · 4 comments

Hi Reza @jedireza

I've found difficulties trying to authenticate as a third party service or using a tool such as POSTMAN to hit Aqua's APIs. I have attempted to use "basic" auth and using "root" / "root" without success. However, I got it working when I manually copied the cookie over from a browser session and added it to the request header.

In this particular example, I'm trying to retrieve /api/users. I've noticed the following in \server\api\users.js

```js
auth: {
    strategy: 'session',
    scope: 'admin'
},
...
pre: [
    AuthPlugin.preware.ensureAdminGroup('root')
]
```

... where I noticed the strategy session was doing things like getting Config.get('/cookieSecret').

So I'm left wondering, how would I be able to set up a third party service to consume Aqua's APIs that I can manually set up and authenticate once, which would then become a 'trusted' consumer that can retrieve data in the future?

Thanks,
Alejandro

Thanks for opening an issue.

Via #104

We're using crumb, which helps diminish csrf attacks. You'll get a new csrf token (via cookies) on each response from the server. The front-end code looks for this token and passes it back to the server via the X-CSRF-Token header with each request made to the server.

This does make it harder to interact with the API manually, or via apps like Postman, since you have to do that dance of finding the token from the cookie header and passing the token back via the X-CSRF-Token header with your next request.

Also see: https://github.com/jedireza/aqua/wiki/HTTP-403-forbidden-when-accessing-API-endpoints

I hope this helps. If you're experiencing something else, let's reopen this issue.
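The cookie/X-CSRF-Token dance described above, as an added client-side helper (example code, not Aqua's or crumb's own): it collects the Set-Cookie values from a response and builds the headers for the next request, echoing the crumb value back as X-CSRF-Token. It assumes crumb's default cookie name `crumb`; the cookie values in the sample are constructed.

```javascript
// Parse one Set-Cookie header into { name, value }; attributes are dropped.
function parseSetCookie(header) {
  const [pair] = header.split(';');
  const idx = pair.indexOf('=');
  if (idx < 0) { return null; }
  return { name: pair.slice(0, idx).trim(), value: pair.slice(idx + 1).trim() };
}

// Merge every Set-Cookie header of a response into the jar. The server sends
// a fresh crumb on each response, so the newest value replaces the old one.
function updateJar(jar, setCookieHeaders) {
  for (const h of setCookieHeaders || []) {
    const c = parseSetCookie(h);
    if (c) { jar[c.name] = c.value; }
  }
  return jar;
}

// Headers for the next request: replay the jar as Cookie and, if a crumb is
// present, copy it into X-CSRF-Token (what Aqua's front-end does for you).
// 'crumb' is the plugin's default cookie name; adjust if the app renamed it.
function buildRequestHeaders(jar, crumbCookieName = 'crumb') {
  const headers = {
    Cookie: Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; '),
  };
  if (jar[crumbCookieName]) {
    headers['X-CSRF-Token'] = jar[crumbCookieName];
  }
  return headers;
}

// Constructed sample of what a login response might set (values made up).
const SAMPLE_SET_COOKIE = [
  'crumb=abc123; Secure; Path=/',
  'sid=Fe26.2**deadbeef; Secure; HttpOnly; Path=/',
];

// Run stand-alone: shows the headers a second request would carry.
const demoJar = updateJar({}, SAMPLE_SET_COOKIE);
console.log(buildRequestHeaders(demoJar));
```

Without the X-CSRF-Token header the request is rejected with the 403 described in the wiki page linked above, even when the session cookie itself is valid.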

@jedireza, thanks for the prompt response.

I was aware of crumb, and actually have it disabled on my local environment as I've gone through the Wiki and the issues raised here. Still, I'm unable to get the API to respond accordingly.

And more importantly, given that the aim of this is to get a third party to do its own calls, is it possible at all to have them done automatically and not have to deal with tokens / cookies / sessions manually? If the answer is yes, could you please help me by laying out a few steps on how to get this working?

As a bonus, in case the answer is to do "lighter checks" (less auth, less security), could this be applied to only specific API calls and not all of them?

Thanks,
Alejandro

Yes, you can use a different auth strategy. Take a look at Frame, I used Postman when building that. It uses basic http auth instead of cookies.

https://github.com/jedireza/frame/wiki/How-to-login

@alecarg FYI I added "Using Postman" to the wiki: https://github.com/jedireza/aqua/wiki/HTTP-403-forbidden-when-accessing-API-endpoints#using-postman

Once I disabled crumb I've been able to do GET/POST/PUT operations locally.