RESTful API
A RESTful API defines a set of functions that developers can call by sending requests and receiving responses over HTTP, using methods such as GET and POST.
Because RESTful APIs use HTTP traffic, they can be used from practically any programming language and are easy to test. (It is a requirement of a REST API that the client and server are independent of each other, so either can be coded in any language and improved upon, which supports longevity and evolution.)
What is OAuth?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet.
OAuth, which is pronounced "oh-auth," allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the end user, providing the service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called a flow.
What is the OAuth resource server role?
The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
Large-scale deployments may have more than one resource server. Google's services, for example, have dozens of resource servers, such as the Google Cloud platform, Google Maps, Google Drive, YouTube, Google+, and many others. Each of these resource servers is distinctly separate, but they all share the same authorization server.
In this blog post, I am going to demonstrate how to create a resource server API. There are many existing servers on the internet, such as WSO2 Identity Server. In this case, I'm going to create the authorization server and the resource server together in a single API. There is an endpoint that you can call in order to retrieve the resources.
This program is written in Node.js. To run it, you need to have Node.js installed on your computer.
The sample code is uploaded to GitHub, and the link is given below.
https://github.com/chathurangasineth/RESTful-API
There are two main JavaScript files: 1) app.js and 2) model.js.
In this program I have created a user account with username = sineth and password = password, and all the functions that handle requests from the client are written in this file.
First, we need to run the resource server using Node.js.
Only then can we make GET and POST requests to the resource server. I'm going to use the REST client plugin for the Firefox web browser. First of all, we have to make a POST request to get the access token from the authorization server. For that, we have to send the authorization key in the header.
To create the web application and get the authorization code, you can refer to my earlier blog post:
http://chathurangasineth.blogspot.com/2017/05/oauth-20-facebook-app.html
I will show how to obtain the access token with RestClient on Mozilla Firefox by creating all the requests manually, and of course how to retrieve resources.
The request needs two headers:
1) Authorization
2) Content-Type
Authorization : Bearer XXXXXXXXXXXXXXX
We also have to specify the content type in the header.
Content-Type : application/x-www-form-urlencoded
Then we have to include these 3 parameters in the body.
username=sineth
password=password
grant_type=client_credentials
The URL should be the endpoint that gives us the access token.
http://localhost:6565/SSE/OAuthToken/
After sending this POST request, we get a response that contains the access token. This access token also has an expiration time.
http://localhost:6565/profile
Using a GET request, we can retrieve the resources we need.
Now our URL is different because we have to call a different endpoint to get these resources which is "http://localhost:6565/profile".
We do not have to mention anything in the body.
In the request header we should send the access token we got in the previous step.
Authorization: Bearer XXXXXXXXXXXXXXX
Make sure that the access token is not expired. Otherwise, you will get an error message saying that it has expired.
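The token handling behind these two requests can be sketched as follows. This is an added example, not the code from the linked repository: `issueToken`, `authenticate`, the one-hour lifetime and the `reason` strings are hypothetical names and values chosen for illustration. It shows the token endpoint minting a token with an expiry and the `/profile` side rejecting a missing, unknown or expired Bearer token.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed token lifetime: one hour
const tokens = new Map();            // sha256(token) -> { user, expiresAt }

// Store only a digest so a dump of the token store does not yield usable tokens.
const digest = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

// Token endpoint logic: mint an opaque random token that carries an expiry.
function issueToken(user, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  tokens.set(digest(token), { user, expiresAt: now + TOKEN_TTL_MS });
  return {
    access_token: token,
    token_type: 'Bearer',
    expires_in: TOKEN_TTL_MS / 1000,
  };
}

// Resource endpoint logic: validate the Authorization header of a request.
function authenticate(authorizationHeader, now = Date.now()) {
  const match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authorizationHeader || '');
  if (!match) return { status: 401, reason: 'missing_or_malformed' };

  const key = digest(match[1]);
  const entry = tokens.get(key);
  if (!entry) return { status: 401, reason: 'unknown_token' };

  if (now >= entry.expiresAt) {
    tokens.delete(key); // expired tokens are purged and can never be reused
    return { status: 401, reason: 'expired' };
  }
  return { status: 200, user: entry.user };
}

// Constructed walk-through of the two requests described in the post.
const issued = issueToken('sineth');
console.log(authenticate(`Bearer ${issued.access_token}`));          // accepted
console.log(authenticate(`Bearer ${issued.access_token}`,
  Date.now() + TOKEN_TTL_MS + 1));                                   // expired
console.log(authenticate(undefined));                                // no header
```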
I hope you now have an idea about RESTful APIs.