I use libcurl share+easy interface and I need to "fix up" some cookie info that is set by a webserver.
In my case I use multiple threads and I would like to know at what point received cookie is "shared" to all other curl handles and when it's the right time to fix received cookie data:
right when I received it from remote server (but at this point I'm not sure if the corrupt cookie data might be picked up by some other thread that was making a new http request at the same time)
on making new requests to ensure that I don't end up using corrupt cookie in new http requests.
Here's my code flow. I call curl_easy_perform. When response containing Set-Cookie comes in, libcurl at first parses that cookie and stores it in its internal store (which gets shared in case of curl share interface).
Then curl_easy_perform returns and now I try to check if server send specific cookie that I need to "fix up". To check that cookie the only way is to use CURLINFO_COOKIELIST.
My question is: from the time curl parsed incoming Set-Cookie header (with invalid cookie data) to the time when I inspect cookies using CURLINFO_COOKIELIST the updated invalid cookie might be picked up by another thread. That means that to avoid that issue I don't see any other options other than inspecting cookies on each new request in case if there is another thread out there that might have updated cookies with invalid data.
Even in this case I still may end up using invalid cookie data. In other words, there is no proper solution for this problem.
What's the right approach?
Typically when using libcurl in multiple threads, you use one handle in each thread and they don't share anything. Then it doesn't matter when you modify cookies since each handle (and thus thread) operates independently.
If you make the threads share cookie state, like with the share interface, then you have locking mutexes setup that protects the data objects from being accessed from more than one thread at a time anyway so you can just proceed and update the cookies using the correct API whenever you feel like.
If you're using the multi interface, it does parallel transfers in the same thread and thus you can update cookies whenever you like without risking any problems with parallelisms.
Related
I need a serverless communication between a server(less backend) and a client. The client asks for a token. When the client makes a request with this token, the backend generates a new token and sends it back to the client. When the client tries to make a request with a previous token, the backend rejects it. I don't want the backend to keep track, either in ram or in a database, a whitelist or a blacklist of valid/invalid tokens. The backend is allowed to have a static lookup table or/and a static rule/algorithm to perform this logic if needed (to use the information inside token's payload).
So, is it possible to achieve something like this ? Is there a way to apply certain kind of information inside each token to know wether you have accepted it once or not ?
In your scenario the server is stateless (at least regarding authentication) so you cannot use the state of the server to discriminate if a received token is already used.
Also the moment you generate the token it is before it's first usage, so you cannot inject into it anything that tells if it was used or not: simply you don't have that information at that time of course.
So basically if your only information containers are these two (stateless server and self generated token) the answer is no no matter how it is done; simply there is no place where this bit of information (is this token last one or not) can be placed in the moment the information is generated (at the first usage time).
Theoretically speaking you can send this information to a third party entity and ask it back when you need it.. ..but this is just cheating: if you are not accepting a DB or RAM or filesystem storage, I suppose that sending this information somewhere through an API or else is just an excluded option as the other ones.
May be you can try TOTP, https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm. This is the same algorithm used for MFA.
Here is the python implementation, you can find implementation in other languages as well.
https://pypi.org/project/pyotp/2.0.1/
Backend:
Create a random key and save it static database.
When client request for token create a token(+base64 conversion) using random key and send back to client.
When your server gets the token(-base64 conversion). Using the same random key verify the received token.
The totp algorithm will ensure that the old tokens are not valid.
You token is usually valid for 30 secs. so you may want decide on managing the validity of tokens.
i have been reading on IdentityServer4 and my understanding is that (at a high level) once IdentityServer4 is set up, a registered client can make API calls to API resources that are defined, if the client has been granted that access.
Using C#, i can:
1. Make a request for an access token from IdentityServer4, and then,
2. Pass this token along with my request to an API.
My question is, since the token has a defined lifetime, say 3600 seconds, is it correct to say that the client needs to store this token locally and use it for all its API calls within the 3600 seconds? If so, this would mean the client should somehow know when the token has expired. How would this be achieved?
Another question i have is how the 'Refresh' tokens work. When do they 'kick-in' in this whole process.
Thanks
Long story short, it's up to the client to be responsible for renewing tokens it uses. This can be based on the known expiry time (with a bit of a buffer) but OAuth also defines standard error responses from API endpoints that can indicate to a client that a new token is required. Clients should respect these and act accordingly.
It depends on the grant type being used to. E.g. using client credentials, although maybe not the most efficient, it may be desirable to get a new token for every call or "session" (i.e. multiple calls related to processing a given task) to avoid this complexity.
I have a page with multiple widgets, each receiving data from a different query in the backend. Doing a request for each will consume the limit the browser puts on the number of parallel connections and will serialize some of them. On the other hand, doing one request that will return one response means it will be as slow as the slowest query (I have no apriori knowledge about which query will be slowest).
So I want to create one request such that the backend runs the queries in parallel and writes each result as it is ready and for the frontend to handle each result as it arrives. At the HTTP level I believe it can be just one body with serveral json, or maybe multipart response.
Is there an angularjs extension that handles the frontend side of things? Optimally something that works well with whatever can be done in the Java backend (didn't start investigating my options there)
I have another suggestion to solve your problem, but I am not sure you would be able to implement such a thing as from you question it is not very clear what you can or cannot do.
You could implement WebSockets and the server would be able to notify the front-end about the data being fetched or it could send the data via WebSockets right away.
In the first example, you would send a request to the server to fetch all the data for your dashboard. Once a piece of data is available, you could make a request for that particular piece and given that the data was fetched couple of seconds ago, it could be cached on the server and the response would be fast.
The second approach seems a more reasonable one. You would make an HTTP/WebSocket request to the server and wait for the data to arrive over WebSocket.
I believe this would be the most robust an efficient way to implement what you are asking for.
https://github.com/dfltr/jQuery-MXHR
This plugin allows to parse a response that contains several parts (multipart) by having a callback to parse each part. This can be used in all our frontends to support responses for multiple data (widgets) in one requests. The server side will receive one request and use servlet 3 async support (or whatever exists in other languages) to ‘park’ it, sending multiple queries, writing each response to the request as each query returns (and with the right multipart boundary).
Another example can be found here: https://github.com/anentropic/stream.
While both of these may not be compatible with angularjs, the code does not seem complex to port there.
I'm pretty new to go and I want to build a CRUD rest API on GAE without views just simple JSON Rest API.
There is allot of frameworks out there,
go-http-routing-benchmark.
But I'm not sure which one will be most suitable for GAE.
My main concern is how to handle a safe and secure session .
As mentioned in a comment, you can start with the Go standard library, and only utilize 3rd party libs if you reach a point when the standard library is not sufficient for you (which point you may never reach).
If your clients are not browsers (you said you don't want any views) but any other arbitrary HTTP clients, an HTTP session may not be what you want. An HTTP session is usually managed by storing a session ID in an HTTP cookie which is automatically sent by the browser along with each HTTP request, and at the server side this session ID is read and an associated, server side data structue is looked up by it.
A common solution is to use some kind of secret information referred to as a key or API key. The idea is that if you want to grant access to someone, you generate a secret key (e.g. a random text) at server side which you store in the database. You send this key to the client who has to attach this to every API request he makes. At server side in the beginning of each API request you can check if the provided API key is valid (this also identifies the caller) and act accordingly.
The API key can be sent in various ways by the clients, e.g. as a URL parameter (strongly not recommended for unsecure HTTP requests but is perfectly fine for HTTPS requests), as an HTTP header field or as part of the request data structure. It is really up to you how you expect it, usually depends on how the requests look like (e.g. if they don't include any data, it's better to put the KEY in a header or URL parameter; if the clients are expected to send other, complex data which can be in the form of JSON text, it can be convenient to also include the API key in the JSON data too).
Iam writing a C program to interact with HTTPs server. Server is expecting the data without
any assignments(Ex: normally a request can be "https://xz.aspx?name=google" where as is it
possible to send the name "https://xz.aspx?google"). Currently server is getting an entry
log for my request but not able to fetch request data.
1.Is it possible to send a value with out assignment?
2.Will .net look for default assignments?
3.Is there anything else to probe?
The data you're sending is just whatever you put in the query part of the request-uri in the HTTP request.
That data can be almost anything you like (as long as it is using letters that are valid according to RFC2616). The "assignments" concept is not something HTTP knows or uses, it is just a common way for clients and servers to deal with the data.
so... Yes, you can send a value "without assignment" with curl. Weather the receiver will like it or understand it is a completely different matter.