These are chat archives for feroult/yawp

24th
Aug 2016
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 10:03
Good morning
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 11:46
I successfully got it working!
Using the JS plugin etc
Now I just got to make it return a JWT
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:22
Hmmm what do you think the format should be?
Fernando Ultremare
@feroult
Aug 24 2016 13:22
great news!
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:22
Of the response
I thought of
Having a code, a message, and a JWT string (null if login failed)
Fernando Ultremare
@feroult
Aug 24 2016 13:23
neat
don't forget that you'll need to set up SSL
on appengine
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:23
SSL?
I already got it enabled
Fernando Ultremare
@feroult
Aug 24 2016 13:23
https://
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:23
By default
Fernando Ultremare
@feroult
Aug 24 2016 13:23
oh, nice
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:23
Alright
let me test now something
Hmmm
Can you help me out?
Fernando Ultremare
@feroult
Aug 24 2016 13:24
with?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:25
I want to make an object (to use as payload for the JWT) containing all the Account public vars
Or a list or whatever I can give to JJWT
Fernando Ultremare
@feroult
Aug 24 2016 13:25
ok
have you taken a look at the JJWT claims api?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:30
I can't find the docs...
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:35
Or do I do setClaim?
you can do a setClaims(Map)
or create a Pojo setClaims(Pojo)
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:42
Okay
I will use a HashMap
Great, it works now
And returns a JWT!
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:48
Now I want to implement a @GET("me") route
And I don't know what return type to use
Fernando Ultremare
@feroult
Aug 24 2016 13:49
well
you could return the Account
no?
just a tip, you don't need to put "me" if the method is the name of the route
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:51
Well
Fernando Ultremare
@feroult
Aug 24 2016 13:51
for instance:
@GET
public void me() {}
will be the same as @GET("me")
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:51
What if a user requests /me without an authorization JWT?
Yeah got it
Fernando Ultremare
@feroult
Aug 24 2016 13:51
you need to check
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:51
The problem is if the user has no JWT or has an invalid one
Fernando Ultremare
@feroult
Aug 24 2016 13:52
and return an error
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:52
Exactly
How should I do it
If I set the return type to Account
Fernando Ultremare
@feroult
Aug 24 2016 13:52
you make it:
@GET
public Object me() { if(success) return account; else return error; }
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:52
Oh yeah sorry
I didn't think of it
Fernando Ultremare
@feroult
Aug 24 2016 13:53
you can return object
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:53
yeah
Maybe I can return an AuthenticationResponse
right?
Fernando Ultremare
@feroult
Aug 24 2016 13:53
right
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:54
Alright I will do it now
Fernando Ultremare
@feroult
Aug 24 2016 13:54
usually I return forbidden when the user is not logged in
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:54
yeah possible too
Also
Fernando Ultremare
@feroult
Aug 24 2016 13:54
public Account me() { if(success) return account; else throw new HttpException(403); }
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:54
Right now
I think it generates a random key to be signed with
            // Typed map instead of a raw Map
            Map<String, Object> jwtPayload = new HashMap<String, Object>();
            jwtPayload.put("name", account.getName());
            jwtPayload.put("email", account.getEmail());
            jwtPayload.put("admin", account.getAdmin());

            // Generates a new random key on every call
            Key key = MacProvider.generateKey();

            String compactJws = Jwts.builder()
                    // setClaims(Map) replaces all claims, so it must come before setSubject
                    .setClaims(jwtPayload)
                    .setSubject(account.getName())
                    .signWith(SignatureAlgorithm.HS512, key)
                    .compact();
How can I specify my own secret
Or some way to generate a Key out of a String
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:58
String secret = "secret";
Key key = new HmacKey(secret.getBytes("UTF-8"));
?
Fernando Ultremare
@feroult
Aug 24 2016 13:58
never used it
but it seems to be a way
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 13:59
Yeah
Well it doesn't resolve (HmacKey)
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 14:05
Yeah HmacKey doesn't resolve to something
Fernando Ultremare
@feroult
Aug 24 2016 14:09
look at this:
i can't find where apiKey comes from
but it seems to be better for jjwt
DatatypeConverter.parseBase64Binary(apiKey.getSecret());
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 14:10
Hmmm
Fernando Ultremare
@feroult
Aug 24 2016 14:11
i normally use the JWT generated by firebase
maybe just String.getBytes
will work
i think that the important part is here: Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 14:19
Yeah
I guess I will test it now
Alright!
I tested it
with our secret
and it worked perfectly
Now I got to make the me route
:D
As for the authorization
I will use
String JWT = requestContext.req().getHeader("Authorization");
Right?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 14:32
now
how to set it in yawp JS?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 14:41
How to set Authorization I mean in yawp
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:30
Oh well
I set it all up now
Only thing is
I can't do c.accessToken(token) in yawp.config :/
Fernando Ultremare
@feroult
Aug 24 2016 16:46
            yawp.config((c) => {
                c.accessToken(baggrToken);
            });
why?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:46
No
Fernando Ultremare
@feroult
Aug 24 2016 16:46
which version are you using?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:46
It doesn't work
this one
<script src="https://cdn.rawgit.com/feroult/yawp/yawp-1.6.5/yawp-client/lib/web/yawp.min.js"></script>
Fernando Ultremare
@feroult
Aug 24 2016 16:47
try 1.6.8
I think we've added it after
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:47
Okay
?
Fernando Ultremare
@feroult
Aug 24 2016 16:48
<script src="https://cdn.rawgit.com/feroult/yawp/yawp-1.6.8/yawp-client/lib/web/yawp.min.js"></script>
1.6.8
this service caches after the first request
so it needs to have a new url for new versions
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:49
Still same problem
Fernando Ultremare
@feroult
Aug 24 2016 16:49
hnnn
let me see
i see
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:51
?
Fernando Ultremare
@feroult
Aug 24 2016 16:51
this is specific to my project
we have a more generic api
we need to document that
better
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:52
So what do I do?
Is there any way to set a header?
Or something like that
Fernando Ultremare
@feroult
Aug 24 2016 16:57
            yawp.config((c) => {
                c.defaultFetchOptions({
                    headers: {
                        Authorizations: 'Bearer ' + token
                    }
                });
            });
ops, Authorization
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:58
Okay
Fernando Ultremare
@feroult
Aug 24 2016 16:58
you'll have to extract the Bearer part
on your filter/servlet
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:58
Yeah
I gotta find how
is there any remove/replace string function in Java?
Fernando Ultremare
@feroult
Aug 24 2016 16:58
:)
substring("Bearer ".length())
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 16:59
in Java?
Fernando Ultremare
@feroult
Aug 24 2016 16:59
yeah, authToken.substring("Bearer ".length());
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:00
okay
Let me use it
XMLHttpRequest cannot load https://work-wanders-api.appspot.com/api/accounts/me. Request header field Authorizations is not allowed by Access-Control-Allow-Headers in preflight response.
request.js:16 XHR failed loading: GET "https://work-wanders-api.appspot.com/api/accounts/me".
(anonymous function) @ request.js:16
t.default @ request.js:4
value @ yawp.js:68
value @ yawp.js:214
value @ yawp.js:218
(anonymous function) @ VM731:1
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:05
:(
Fernando Ultremare
@feroult
Aug 24 2016 17:05
are you using chrome?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:05
Yep
Fernando Ultremare
@feroult
Aug 24 2016 17:05
can you monitor your network panel
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:05
Sure
Fernando Ultremare
@feroult
Aug 24 2016 17:05
and paste the request tab here?
the headers tab
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:06
Request URL:https://work-wanders-api.appspot.com/api/accounts/me
Request Method:OPTIONS
Status Code:200 
Remote Address:172.217.16.177:443
Response Headers
access-control-allow-headers:Origin, X-Requested-With, Content-Type, Accept
access-control-allow-methods:GET, POST, PUT, OPTIONS, DELETE
access-control-allow-origin:*
alt-svc:quic=":443"; ma=2592000; v="35,34,33,32,31,30"
alternate-protocol:443:quic
cache-control:private
content-encoding:gzip
content-length:43
content-type:application/json;charset=UTF-8
date:Wed, 24 Aug 2016 17:05:38 GMT
server:Google Frontend
status:200
vary:Accept-Encoding
x-cloud-trace-context:ebb20eefa11cc8e10bac45cc931d451b;o=1
Request Headers
Provisional headers are shown
Access-Control-Request-Headers:authorizations, content-type
Access-Control-Request-Method:GET
Origin:http://localhost
Referer:http://localhost/login/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Fernando Ultremare
@feroult
Aug 24 2016 17:07
oh
I see
it is Authorization
without an S
in the end
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:07
Ohhhh
I forgot
Well
Still same problem
Request URL:https://work-wanders-api.appspot.com/api/accounts/me
Request Method:OPTIONS
Status Code:200 
Remote Address:172.217.16.177:443
Response Headers
access-control-allow-headers:Origin, X-Requested-With, Content-Type, Accept
access-control-allow-methods:GET, POST, PUT, OPTIONS, DELETE
access-control-allow-origin:*
alt-svc:quic=":443"; ma=2592000; v="35,34,33,32,31,30"
alternate-protocol:443:quic
cache-control:private
content-encoding:gzip
content-length:43
content-type:application/json;charset=UTF-8
date:Wed, 24 Aug 2016 17:08:00 GMT
server:Google Frontend
status:200
vary:Accept-Encoding
x-cloud-trace-context:747bcc3ec205500991564f3b947ff497;o=1
Request Headers
Provisional headers are shown
Access-Control-Request-Headers:authorization, content-type
Access-Control-Request-Method:GET
Origin:http://localhost
Referer:http://localhost/login/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
I know the solution
But don't know how to do it
Basically
I need to make the server allow the Authorization header
As part of the CORS policy headers I guess
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:13
I guess I should modify something in web.xml?
Fernando Ultremare
@feroult
Aug 24 2016 17:44
yeah
i think so...
Oh man
this thing is hard-coded on yawp
:/
I think I should release a new version with this header allowed
would mind test it for us before I release?
would you
we need a more flexible way to customize CORS
on yawp... what we have now sucks a lot
Fernando Ultremare
@feroult
Aug 24 2016 17:53
<repositories>
    <repository>
        <id>oss.sonatype.org-snapshot</id>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

<pluginRepositories>
    <pluginRepository>
        <id>oss.sonatype.org-snapshot</id>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </pluginRepository>
</pluginRepositories>
would you mind to add this XML to your pom.xml?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:54
hmm
Fernando Ultremare
@feroult
Aug 24 2016 17:54
and then change the yawp version to <yawp.version>1.6.9-SNAPSHOT</yawp.version>
?
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:54
Sure
Fernando Ultremare
@feroult
Aug 24 2016 17:54
I've made a fix
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:54
Where should I add it though
Fernando Ultremare
@feroult
Aug 24 2016 17:54
I'll release it today
to your pom.xml
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:54
Hmm let me see
Fernando Ultremare
@feroult
Aug 24 2016 17:54
below the </properties> tag
I'm publishing this SNAPSHOT release
it will be available in 5 minutes
I think it is already available
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:56
Okay
So I added it now
and modified the version
Fernando Ultremare
@feroult
Aug 24 2016 17:56
yes
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:56
what should I do now
Fernando Ultremare
@feroult
Aug 24 2016 17:57
you could also use a Filter and add the CORS headers manually
normally i do this in my security filter
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:57
How?
Fernando Ultremare
@feroult
Aug 24 2016 17:57
this is why this setup is that shi* in yawp
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:57
Don't worry
I can help you once I know how it works
:)
Fernando Ultremare
@feroult
Aug 24 2016 17:58
I've created an issue: feroult/yawp#104
well... try with yawp 1.6.9-SNAPSHOT
it should work for your case
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:58
Okay
Fernando Ultremare
@feroult
Aug 24 2016 17:58
I have a meeting now..
brb
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 17:58
Alright
Walid Nawfal Sabihi
@LvlAndFarm
Aug 24 2016 18:17
I got it working!
Thank you @feroult for the help today too!
Tomorrow I can help you btw do better CORS management
Fernando Ultremare
@feroult
Aug 24 2016 19:07
nice!
see ya