RESTful API

RESTful API





In this blog post I am going to show how to create a resource server api. First we need to understand how it works.



We can use exiting authorization sever or like there you can create your own authorization sever  and resource server both in a single api.

 Sample code is uploaded to my github 

 LINK : "     "

This is written using node.js. In order to run this on your computer you have to have node.js installed on your comouter.

 app.js 


This app tuns on port 4000. You can give any port number here.There are two endpoints which  I have created in this. One to get the access token which is "/oauth/token" and the other one is to get resources which is "/profile". As resources I have hard-coded one value which is name ("pasan") and this comes as a JSON object
model.js









(username = test, password = test) 

  All the functions that handle requests from client are written here.
Run



 We use RESTclient Mozilla Firefox Add on. You can use other similar products such as Postman for this.
First We have to make a POST request to get the access token from the authorization server, for that we have to send the authorization key in the header.

Authorization : Bearer ***************
And also we have to mention the content type in the header.
Content-Type :  application/x-www-form-urlencoded

Then  mention these 3 parameters in the body.
username=test
password=test
grant_type=client_credentials

The URL should be the endpoint that gives us the access token.

http://localhost:4000/oauth/token



Then we send the GET response with access token which has an expiration time.
after that we make GET request to retrieve the resources we need 



Now our URL is different because we have to call a different endpoint to get these resources which is 

 "http://localhost:4000/profile".

 In the request header we should send the access token we got in the previous step.

Authization: Bearer ****************

 Make sure that the access token is not expired. Otherwise you will get an error message saying that it has expired.

 When you sent this request you get a response that contains the resources we specified in the code.

{"name":"pasan","id":"set"} 
Thnak you for reading My Blog !!!!

 :) :)

Comments

Post a Comment

Popular posts from this blog

Attacks Against Weak Token Generation

Attacks Against Weak Token Generation During our last post to this we discusses about basics of Session Management Attack which is also known as session hacking. In this post we will have a look on how you can attack weak token generation method to attack session management. Following are most common methods of generating weak tokens, Using meaningful tokens Predictable token generation Adding time dependent variations in tokens Now some important things before we discus real hack steps. In applications that use standard cookie mechanism for transmitting session tokens, it is easy to identify which item of data contains the token. In other cases it needs real brain work to identify them. Many web developers add extra tokens to cookies to fool hackers for example an application might add 14 tokens to yours browser's store, out of which only six are responsible for session management no matter what value other eight have only six of them will hand...
Read more

Some Terminologies You Should Know About Trojans

Image
Some Terminologies You Should Know About Trojans in this following post we will discus some most frequently used terminologies that we usually hear when word Trojan pops out. They are discussed here because after knowing them you'll be able to understand how attacker manages to circulate RAT server, hide its presence and also bypasses firewall rules. Over And Covert Channel: A channel here describes means of communication. An overt channel means legal, obvious or known where as covert means hidden and concealed. In other words overt means legal means of communication whereas covert means illegal means of communication. In technical terms overt channel follows rules by TCP/IP suite where as covert channel exploit weakness of TCP/IP model for illegal communication. Wrappers: Wrappers are programs that helps binding two files together. They can bind either multiple files of same extension or multiple files with multiple extension. Wrappers are ...
Read more

Nmap Scanning

Image
Nmap best known as hacker’s best friend may it be ethical or criminal is one of the best known network scanners available today. Today nearly each and every hacker uses nmap as network scanning tool and even pen-testing tools are bundled with Nmap as basic port scanning tool. Nmap can scan network, ports, services and also garb OS. This tutorial is written keeping this in mind that everyone should be able to grasp all commands and switches given in this tutorial in single reading. Do you think it’s impossible so why not give a try. First we divide switches into four types, 1.Synchronous Scans 2.Ping Scans 3.Time Scans 4.Output Type Synchronous Scan :All synchronous scans start with “-s”(without quotes), note that the ‘s’ denoting synchronous is not capital. Now a basic synchronous scan command is written as follows, nmap -s[synchronous scan type] ip_address ---------------------------------------------- -sT Synchronous TCP scan -sS Synchronous Stea...
Read more