I have an application of Google App Engine(GAE) and I am using Python 2.7. This application receives an GET(ajax) request from user portal(say Chrome). Upon receiving the request, I prepare Asynchronous connections for requesting data from multiple websites(say X1, X2, etc) outside GAE using urlfetch.make_fetch_call() - GET request.
This worked fine for X1 website but not for X2. Started probing on local dev server. Upon probing I suspected that X2 is checking {'User-Agent':'Python-urllib/2.7'} tag in header. This is my best guess since changing this field to {'User-Agent': 'Mozilla/5.0'} returns the desired results.
So I uploaded the code to GAE and started the process with urlfetch.make_fetch_call(). Upon intercepting this call i found that no matter what i do, the default header added by GAE is not removed.
Here is the default header added by GAE.
302 218ms 0kb Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36 AppEngine-Google; (+http://code.google.com/appengine; appid: s~xxx-etching-112014) module=default version=1
107.178.194.96 - - [06/Feb/2016:19:57:04 -0800] "GET / HTTP/1.1" 302 383 "http://www.mywebbsite.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36 AppEngine-Google; (+http://code.google.com/appengine; appid: s~xxx-etching-112014)" "1.usedForIntercepting.appspot.com" ms=218 cpu_ms=224 cpm_usd=0.000043 loading_request=1 app_engine_release=1.9.32 trace_id=fd7b7420e7f8c23371a5b0ea7e9651 instance=00c61b117ce5ebac2a2eba44f26a01d4f2
This is what i have tried
for portal in self.searchPortals:
spoofHeader = {
'User-agent':'Mozilla/5.0----------------------',
'Host':portal.getURL(),
'Accept-Encoding': 'identity',
'Connection': 'close',
'Accept': 'application/json, text/plain, */*',
'Origin': 'http://www.mywebsite.com'
}
logging.info(spoofHeader)
rpc = urlfetch.create_rpc(deadline=5)
rpc.callback = lambda: self.handleCallBack(rpc, portal)
#urlfetch.make_fetch_call(rpc, portal.getSearchURL(searchKeyword), headers={'User-agent':'Mozilla/5.0'})
urlfetch.make_fetch_call(rpc, url='http://1.usedforintercepting.appspot.com', headers=spoofHeader)
rpcs.append(rpc)
for rpc in rpcs:
rpc.wait()
This is what i received.
2016-02-07 13:01:21.306 / 302 59ms 0kb Mozilla/5.0---------------------- AppEngine-Google; (+http://code.google.com/appengine; appid: s~xxx-etching-112014) module=default version=1
107.178.194.20 - - [06/Feb/2016:23:31:21 -0800] "GET / HTTP/1.1" 302 383 - "Mozilla/5.0---------------------- AppEngine-Google; (+http://code.google.com/appengine; appid: s~xxx-etching-112014)" "1.usedForIntercepting.appspot.com" ms=59 cpu_ms=6 cpm_usd=0.000043 app_engine_release=1.9.32 trace_id=a4a1f521c5a6fa65ed0295835dd175 instance=00c61b117ce5ebac2a2eba44f26a01d4f2
What i want is something like this.
GET http://somelink/search/abc HTTP/1.1
Accept-Encoding: identity
Host: somelink.com
Connection: close
User-Agent: Mozilla/5.0
I want to remove everything form header other than User-Agent:Mozilla/5.0 ??
Note - for intercepting the request made from GAE using urlfetch i am using another instance of GAE.
In the documentation, URL Fetch Python API Overview: Request Headers, it says
For security reasons, the following headers cannot be modified by the application:
Content-Length
Host
Vary
Via
X-Appengine-Inbound-Appid
X-Forwarded-For
X-ProxyUser-IP
It also says:
The following headers indicate the app ID of the requesting app:
User-Agent. This header can be modified but App Engine will append an identifier string to allow servers to identify App Engine requests. The appended string has the format "AppEngine-Google; (+http://code.google.com/appengine; appid: APPID)", where APPID is your app's identifier.
If you want custom headers, you will have to write your own urlfetch code or use an outside server that makes the call for you with your headers.
Related
I was trying to POST my login credentials for one of my app built with Cordova and AngularJS. When I login from my browser, it works fine but when test the same in Android (also tested in iOS too, fails on both), the login fails and I get the following headers while debugging.
I saw the differences in these two headers, as in emulator the origin is
Origin: file://. It also has a warning sign for emulator saying "Provisional headers are shown"
Why is it failing in emulator and devices but works fine in browsers? Does cordova does anything internally while wrapping up the POST call?
I really don't understand why is it happening in emulators/devices but works fine in browsers.
In Browser - works fine
Remote Address:xx.xx.x.xxx:xxxx
Request URL:http://myEndpoint
Request Method:POST
Status Code:200 OK
Request Headers view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:166
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:myHost:xxxx
Origin:http://myComputerName.org:xxxxx
Referer:http://myComputerName.org:xxxxx/myAppName/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Form Dataview parsed
grant_type=mypassword&client_id=1234&client_secret=1234&username=userName&password=mypassword
Response Headersview source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://myComputerName.org:xxxxx
Content-Type:application/json;charset=UTF-8
Date:Thu, 12 Mar 2015 15:25:53 GMT
Server:Apache-Coyote/1.1
Set-Cookie:
Transfer-Encoding:chunked
======================================================================
In My Android Emulator --> Failed to login
Request URL:http://myEndpoint
Request Headers
Provisional headers are shown
Accept:application/json, text/plain, */*
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Origin:file://
User-Agent:Mozilla/5.0 (Linux; Android 5.0; sdk_phone_armv7 Build/LRX09D) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
X-DevTools-Emulate-Network-Conditions-Client-Id:1234
Form Dataview parsed
grant_type=mypassword&client_id=1234&client_secret=1234&username=myUserName&password=mypassword
I built a oData-Service which works well.
Now I want to query them with Breeze but I always get an 404 error.
In Fiddler I see first a 200 with empty Body and then follows the 404 with "No HTTP resource was found that matches the request URI".
But running in a normal browser the odata Service delivers the right data.
I debug it and set a breakpoint on the Server to see if the service is called correctly. After sending the request the breakpoint shows that the Service is called. But parallel to the break breeze calls the fail-method of
manager.executeQuery(query)
.then(querySucceeded)
.fail(queryFailed);
and e.message is empty.
Any idea??? :-/
Next entry...
I deactivate CORS and now I get the 404 immediately.
Here is the request:
OPTIONS xxx:8080/myDataService/odata/Person?$select=Name HTTP/1.1
Host: xxx:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin:localhost:61244
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Access-Control-Request-Headers: dataserviceversion, accept
Accept: /
Referer: http://localhost:61244/index.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
and here the answer:
HTTP/1.1 404 Not Found
Content-Length: 178
Content-Type: application/json; odata.metadata=minimal
Server: Microsoft-HTTPAPI/2.0
OData-Version: 4.0
Date: Mon, 19 Jan 2015 12:11:48 GMT
{
"error":{
"code":"","message":"No HTTP resource was found that matches the request URI xxx:8080/myDataService/odata/Person?$select=Name'."
}
}
No surprise that the OPTION request passes; you've probably got the server set to say "OK" to every request ... and that's just fine for now.
The rejection has to do with the address of your GET request: xxx:8080/myDataService/odata/Person. Are you sure that's the right endpoint? The path is usually plural (Persons).
It's easy enough to just paste that url into a browser address bar and see what it does.
I'm building a system where the users will upload articles to my app and I need to store them. I've read the tutorial about blobhandlers on Google's documentation and it worked, but only local.
When I test the app on development server, everything is fine, but on production server, I get Error 404 and the following logs:
2014-02-17 08:59:28.490 /http://ciro-app-id.appspot.com/_ah/upload/AMmfu6ah2vpKNsIDSzlpYPqAgnQ_zznnUwDweG571CgMMnGlluXc1GJS0i42UYYOKVZNQMBhzyY3grQFeCgD4hf4usx_YeMwy4n_93qM-QFegsMIFHDkNovRcJ9Rnl9li91bo4bdClfV/ALBNUaYAAAAAUwJCQ_kw2ANG1Tnvs9OIU6cAyOUDscqL/ 404 19ms 0kb Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36 module=default version=1
186.226.15.242 - - [17/Feb/2014:08:59:28 -0800] "POST /http://ciro-app-id.appspot.com/_ah/upload/AMmfu6ah2vpKNsIDSzlpYPqAgnQ_zznnUwDweG571CgMMnGlluXc1GJS0i42UYYOKVZNQMBhzyY3grQFeCgD4hf4usx_YeMwy4n_93qM-QFegsMIFHDkNovRcJ9Rnl9li91bo4bdClfV/ALBNUaYAAAAAUwJCQ_kw2ANG1Tnvs9OIU6cAyOUDscqL/ HTTP/1.1" 404 188 "http://ciro-app-id.appspot.com/enviar" "Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36" "ciro-app-id.appspot.com" ms=20 cpu_ms=0 cpm_usd=0.000021 app_engine_release=1.9.0 instance=00c61b117c6c9b0c25f5b86e2eadac83e2908691
Here is my code: https://drive.google.com/file/d/0B1-lpPH97tV2dzN6aURYVENCMzQ/edit?usp=sharing
Here is my app: ciro-app-id.appspot.com
Try it yourself
Login credentials:
Email: ciromoraismedeiros#gmail.com
Password: 123
Access ciro-app-id.appspot.com/enviar fill the form and submit it.
Obs.: I'm Brazillian, so everything is in portuguese language.
Notice the leading "/" in your request log? In /templates/enviar_artigo.html, change
<form action='/{{upload_url}}' ...>
to
<form action='{{upload_url}}' ...>
After I updated the GWT version on 2.4.0 and the GAE version on 1.6.2 the com.google.gwt.user.client.ui.FormPanel does not submit the jSessionId anymore. I discovered this bug when I tried to get the HttpSession (request.getSession(false)) in the servlet-doPost-method which now returns null.
In my deployed version on appspot.com the app is still working. So I analyzed the post-request with the chrome development tools and detect that the jSessionId is not be submitted by the FormPanel:
Development Mode:
Request URL:http://halligalli:8888/_ah/upload/ahJtcDNzdHJlYW1pbmdwbGF5ZXJyGwsSFV9fQmxvYlVwbG9hZFNlc3Npb25fXxhHDA
Request Method:POST
Status Code:302 Found
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:7181438
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryB1bDbQ8YLCAabTG5
Host:halligalli:8888
Origin:http://127.0.0.1:8888
Referer:http://127.0.0.1:8888/Mp3Streaming.html?gwt.codesvr=127.0.0.1:9997
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Request Payload
------WebKitFormBoundaryB1bDbQ8YLCAabTG5
Content-Disposition: form-data; name="newBlob"; filename="09Anything new.mp3"
Content-Type: audio/mp3
Deployed Version:
Request URL:http://***.appspot.com/_ah/upload/AMmfu6ZrLfT_jYLHJKBXRoWX9_DeeYoa3Ob-vY0bbOcAJ3bj9ihT7Wp5yPmM3yjhn2RBpJAE8Pr7fIA8O-rhY8k0ARTy7hyU3GU3Qw4WrTHvXcSJ9mXZndA/ALBNUaYAAAAATyp8A-H7HSFTkl5ekVfXgXOmd3gK2PQ3/
Request Method:POST
Status Code:302 Found
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:7181438
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryXy11Yxjeo1JfdJdq
Cookie:JSESSIONID=KOiv4hx1rqIJ1aZdP8CufQ ◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄◄HERE IS THE DIFFERENCE
Host:***.appspot.com
Origin:http://***.appspot.com
Referer:http://***.appspot.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Request Payload
------WebKitFormBoundaryXy11Yxjeo1JfdJdq
Content-Disposition: form-data; name="newBlob"; filename="09Anything new.mp3"
Content-Type: audio/mp3
I am using the FormPanel to upload files which will be stored in the GAE Blobstore and I need the session object to get the owner of the uploaded file (every other RPC in the development mode contains the jSessionId).
Any suggestions?
Thanking you in anticipation!
From your failing request:
Request URL:http://halligalli:8888/_ah/upload/ahJtcDNzdHJlYW1pbmdwbGF5ZXJyGwsSFV9fQmxvYlVwbG9hZFNlc3Npb25fXxhHDA
[…]
Host:halligalli:8888
Origin:http://127.0.0.1:8888
Referer:http://127.0.0.1:8888/Mp3Streaming.html?gwt.codesvr=127.0.0.1:9997
You're not sending the request to the same origin: your browser doesn't send to halligalli a cookie that has been set for 127.0.0.1.
As far as I can tell, this is a limitation of the BlobstoreService in the dev environment. See GWT Blobstore error calling createUploadUrl()
Https POST's on google app engine are getting redirected to app url with a GET and losing all arguments.
2011-11-28 22:21:06.026 / 302 218ms 0kb
71.167.39.92 - - [28/Nov/2011:19:21:06 -0800] "POST / HTTP/1.1" 302 0 "http://static.ak.facebook.com/platform/page_proxy.php?v=4" -
"9.appname.appspot.com" ms=219 cpu_ms=0 api_cpu_ms=0 cpm_usd=0.000095
My handler is not called at this time, and app engine redirects above post to
2011-11-28 22:21:06.100 / 200 13ms 1kb Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
71.167.39.92 - - [28/Nov/2011:19:21:06 -0800] "GET / HTTP/1.1" 200 1661 "http://static.ak.facebook.com/platform/page_proxy.php?v=4"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101
Firefox/6.0.2" "9.appname.appspot.com" ms=14 cpu_ms=23 api_cpu_ms=0
cpm_usd=0.000873 instance=00c61b117c6840ba7ad8c376b950491ada80
This happens for every post. A HTTPs GET calls my handler directly.
I had a secure=always on my app.yaml - which caused the redirects to trigger every time on POSTs and resulted in GET's with full loss of post parameters (like signed_requests for FB apps for example). It is solved now.