I want to identify how many topics a single device is subscribed to. Then I found and followed this post. I don't know if I follow it right because i receive this message
{"error":"MissingAuthorization"}"
Here are the steps:
Get token from the device
Generate a URL: https://iid.googleapis.com/iid/info/<paste token here>
Copy-paste the URL to the browser
Get the response.
I don't know if I'm doing something wrong. I hope someone can help me solve this problem.
It's saying that there is no authorization specified. Make sure you're including the Authorization:key=<Server API key here> in your request, where the Server Key is the one found in your Firebase Console, under Cloud Messaing tab.
Yeah this how you check Add the KEY=
U forgetting to put the Authorization starting with "KEY=BLALALALALA"
Authorization
Related
I am trying to implement FIDO2 on Android. I have the assetlinks.json hosted on my domain (Sorry I don't want and not sure if I'm allowed to reveal the whole url yet).
I have the assets_statements string defined and added it to my Manifest and I also implemented the whole get register challenge logic where I am creating a pending intent from PublicKeyCredentialCreateOptions.
After I launch the intent I see a white screen which shows up and closes really fast without any descriptive error or anything and I have no idea how to debug this issue. The log shows:
ActivityTaskManager: Displayed com.google.android.gms/.fido.fido2.ui.Fido2FullScreenActivity
E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated
On https://developers.google.com/digital-asset-links/tools/generator it says that my domain grants app deeplinking to my package name.
I am using com.google.android.gms:play-services-fido:18.1.0
The errors in the log are not helpful in any way and I'm not sure if I am still missing something here, any help would be appreciated.
OK, I figured it out by playing with the example app https://github.com/googlecodelabs/fido2-codelab and changing things around, so I'm going to answer my own question.
When requesting a registration challenge the RP.id field needs to be the same as your domain name.
On the sample the Rp.id value is "webauthn-codelab.glitch.me", I changed it to "webauthn.glitch.me" just to try out what would happen. Guess what, I'm getting the same errors as before:
E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated
To conclude, be sure that the RP.id that get's returned from backend matches the domain url.
Also here is a link explaining RP id: https://www.w3.org/TR/webauthn-2/#relying-party-identifier
Got the same error JSON Object doesn't have linked key on Fido2ApiClient.getSignPendingIntent() call.
The solution for my case was to set real user key (aka id) in allowList.
I found at https://developers.google.com/instance-id/reference/server#get_information_about_app_instances the following example GET request:
https://iid.googleapis.com/iid/info/nKctODamlM4:CKrh_PC8kIb7O...clJONHoA?details=trueAuthorization:key=AIzaSyZ-1u...0GBYzPu7Udno5aA
The key in that example is: AIzaSyZ-1u...0GBYzPu7Udno5aA. Where can I find my key, the one that I should use in my GET request? I am trying to find it at https://console.developers.google.com/apis/credentials, and this is what I see:
I tried using all of the four keys that you see in the image above, and I always receive this message from the browser:
{"error":"MissingAuthorization"}
Does this error refer to the key being wrong, or to something else? Am I looking in the right place for the key? Thank you.
EDIT 1: I was looking at the question at How to check how many topics has been subscribed?, and I also tried using the keys that I found in my Firebase Console, under the "Cloud Messaing" tab. This is what I see:
I tried the GET request using those keys in the image above as well and I still see the same error: {"error":"MissingAuthorization"}.
EDIT 2: I am using this from the command line:
C:\curl>curl -k https://iid.googleapis.com/iid/info/nKctODamlM4:CKrh_PC8kIb7O...clJONHoA?details=trueAuthorization:key=AIzaSyZ-1u...0GBYzPu7Udno5aA
{"error":"MissingAuthorization"}
C:\curl>
Notice how I simply copied/pasted what I found at https://developers.google.com/instance-id/reference/server#get_information_about_app_instances under the "Example GET request" heading. I am not even attempting to use my own keys and I see the same error: {"error":"MissingAuthorization"}. Does it mean the problem is with the key I am using? Is not it the one I see in the Firebase Console?
Based on the instructions at https://developers.google.com/instance-id/reference/server, under the heading "Get information about app instances", it shows that it is necessary to provide the Authorization: key=YOUR_API_KEY, which is set in the header. See at https://android.jlelse.eu/firebase-push-notification-using-curl-command-devoid-backend-e63795d282c4 an example of how to provide a parameter in the header.
Concerning the Authorization: key=YOUR_API_KEY that has to be used, it is the key that appears in the "EDIT 1" section of this question. I used the Server key, not the Legacy server key, and it worked for me.
https://developers.google.com/instance-id/reference/server shows this end point: https://iid.googleapis.com/iid/info/IID_TOKEN. But IID_TOKEN must be replaced with the instance ID token which corresponds to the instance of the app that was installed on a device. In my case, I found it by printing the instance ID or token of the device, using the following code in the first activity of my Android app:
Log.d("The token of device: ", FirebaseInstanceId.getInstance().getToken());
In the log of the Android monitor, I found the IID_TOKEN that I needed:
D/The token of device:: f35EFw4bsef:QWE34bFm56ZuQLWYSDDgPlkf4a88Lu6Gp4DoXVDJ5dRIlsdDncq0UdNnlDi7wxbbut6YX7Z1kwgyS3bzk_Zrl-1doHCf9XFdOXTThNzo4sDFEWqQjHKfNa3uH2Js4Flbf_CnRkD2Mftr
Finally, I used cURL from the command prompt, and you can see how I obtained results correctly:
C:\curl>curl -X GET -k --header "Authorization: key=AAAAJ5XteYp:DKE32aIdFalyFXku6A-eR_wHL6ZBUFxfyPtcrm3wwF2l-nPEv_vAeYqo3NJzaIKKcSSow6gqoAwf3cBEm8QWYbF6w-asW0SX0RmHZftQglwmo_ziwrk8wFcGp1_DOQ1PLFFgP4BFWXAD" "https://iid.googleapis.com/iid/info/f35EFw4bsef:QWE34bFm56ZuQLWYSDDgPlkf4a88Lu6Gp4DoXVDJ5dRIlsdDncq0UdNnlDi7wxbbut6YX7Z1kwgyS3bzk_Zrl-1doHCf9XFdOXTThNzo4sDFEWqQjHKfNa3uH2Js4Flbf_CnRkD2Mftr
{"applicationVersion":"22","attestStatus":"NOT_ROOTED","application":"com.[myapp]","scope":"*","authorizedEntity":"232255245625","appSigner":"3d34g3fs3443292d825f21da4fdd5b34a56f2a3h","platform":"ANDROID"}
C:\curl>
Note: In the code above I have changed the values of things such as tokens and keys for privacy purposes, but you need to use your values and everything should work.
I am building an App API in Lumen, and I am a bit confused about how to lock down what/who can make requests to it.
At present I have no way of authenticating requests from the app, so anyone who knows the link could make requests from a browser and potentially cause havok. I know in the .env file there is an appkey variable which is currently empty, and after some research I can't seem to find a clear answer on what it actually does and if I need it.
So basically:
If request comes from my app, proceed.
If it comes from anything else, stop it.
That is what I am looking for.
I am using Ionic $http to make the requests.
Any help would be great
App Key is used for encryption which you can read at https://laravel.com/
use below command to generate key
php artisan key:generate
For more info on lumen auth check below github, Lumen 5.3 token auth
github link for lumen token auth
I am trying to send information from my Android device to my php server. I followed this tutorial (http://www.codeofaninja.com/2013/04/android-http-client.html), but then realized there is nowhere to specify my useID and password to log into the server. a lot of search but could not get anywhere. I am new to both Android and Apache. Please advice, thanks.
well, i have to learn to ask the right question or enter the right words to search. i finally found with this post and got my answer.
Android HttpClient authentication always returns 401 code
I'm trying to make an app that accesses a user's Google Calendar using OAuth. I have the code in place that gets all of the proper tokens and they are saved into some preferences. I used the tutorial here to do this all, by the way. I have successfully changed the scope and request URL's so that I'm getting the needed tokens. The problem comes when I actually try to USE the token. Instead of calendar info, I get back some HTML that says "Unknown authorization header Error 401". The request URL I am using is:
https://www.google.com/calendar/feeds/default/allcalendars/full
and the scope is:
http://www.google.com/calendar/feeds/
I have tried replacing 'default' with my email address (which is also the one that I used for the OAuth) to no avail. Am I using the wrong URL? if not, what else could cause this error? I have been looking for a few days now to find someone who has accessed the Calendar using OAuth, but everything I have found is people giving up because it's too difficult or doesn't work.
EDIT:
I believe my header is correct, here is an example of it:
OAuth oauth_token="************-********-**********-****",
oauth_consumer_key="anonymous",
oauth_version="1.0",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1303161387",
oauth_nonce="*******************",
oauth_signature="*******************"
That is pulled directly from my app, and from what I could find it looks right to me, but I'm still getting the error above (Unknown Authorization Header Error 401).
The Authorization header needs to be "Authorization: OAuth oauth_nonce="deadbeefdeadbeef" oauth_version="1.0" ....
See http://code.google.com/apis/accounts/docs/OAuth_ref.html#RequestToken. You can, supposedly, also but the authorization parameters in the querystring or in the body of a POST, but I have not attempted that.
As noted in the comments below, Google is now, at least with the Calendar feed, appending a 'gsessionid=' querystring and redirecting; and so a redirect handler must create a new nonce and timestamp, and make a new signature making sure to add the gsessionid to the base signature string in the correct lexicographical order (preceding any of the oauth_ variables).