Access Denied
Hello, I have been trying to fix this alone for around a day now and I'm giving up. I'm trying to get a user ID with a UUID in Postman, but I'm getting access denied, and I have also debugged it.
UserService
UserRepository
AuthenticationController
The debug says:
This post has been reserved for your question.
Hey @Itsurran! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
When I register I get a UUID for the user, and I can also log in and get my user token; I can also log out, just in case this helps with the question.
Unknown User • 13mo ago: [message not public]
Thanks for a fast response
If you are finished with your post, please close it.
If you are not, please ignore this message.
Note that you will not be able to send further messages here after this post has been closed, but you will be able to create new posts.
Before I changed it I had an Integer id, but I wanted UUID instead; then I kept getting access denied.
And it worked getting the id in Postman.
Unknown User • 13mo ago: [message not public]
When I had the id as an integer
it worked
but I changed to UUID and now it's not working.
Tell me what you need to see in the files; I will show you 😄
I'm giving up 😂
Unknown User • 13mo ago: [message not public]
@RequestMapping("/api/v1/auth")
yeah
@RequestMapping("/api/v1/auth/user/uuid")
right?
when I'm sending it in Postman
I can screen share if you need; maybe it's easier to understand.
Unknown User • 13mo ago: [message not public]
so a test endpoint?
Unknown User • 13mo ago: [message not public]
Should I just change my requestMatchers to .requestMatchers("/api/v1/auth/user/{id}")
?
in SecurityConfig
Will that work?
Or should I just add @PreAuthorize
or something
in my controller?
Unknown User • 13mo ago: [message not public]
Unknown User • 13mo ago: [message not public]
Says I should change to .equals
Unknown User • 13mo ago: [message not public]
ok
gonna restart
no print
Unknown User • 13mo ago: [message not public]
yes
the debug
Unknown User • 13mo ago: [message not public]
yeah
Want me to change the UUID to an integer?
Unknown User • 13mo ago: [message not public]
wtf is going on 😂
I have faith that you will help me with this, I don't know why.
Unknown User • 13mo ago: [message not public]
I'm not authenticated right now
so you know
it won't let me register a user
gives me 403
because we have it authenticated
Unknown User • 13mo ago: [message not public]
yeah
Unknown User • 13mo ago: [message not public]
OK, gonna restart and try again
I get access denied
when I register
Changed it to ** and now I can register
200
change
Unknown User • 13mo ago: [message not public]
ok
403
Unknown User • 13mo ago: [message not public]
The whole one
?
wait
wait
I have user
oh my god
in my Postman
I have user/test
it should only be test
yeah
200
got it printed
Unknown User • 13mo ago: [message not public]
Nope, I'm getting 403
Unknown User • 13mo ago: [message not public]
both register and login
Unknown User • 13mo ago: [message not public]
I register, I get a JWT token, and when I log in I get another JWT token.
So I have a JwtService where it generates a token etc.
Then I have a filter where it checks if it's valid with the user.
Unknown User • 13mo ago: [message not public]
So I should take away the api/v1/auth?
or with that
like this?
Unknown User • 13mo ago: [message not public]
403
200 ok with this
I have a user
Unknown User • 13mo ago: [message not public]
200 ok
with login
Unknown User • 13mo ago: [message not public]
so this?
403
Unknown User • 13mo ago: [message not public]
:/
Unknown User • 13mo ago: [message not public]
and comment out permitAll?
Unknown User • 13mo ago: [message not public]
It's good.
OK, gonna try
so I log in
what should I do now?
Unknown User • 13mo ago: [message not public]
I restarted my app
ok
403 access denied
with test
I can log in and register
Unknown User • 13mo ago: [message not public]
Should I go back to auth/**
?
Unknown User • 13mo ago: [message not public]
OK, so the authenticate is not letting us
get the test
Unknown User • 13mo ago: [message not public]
postman?
Unknown User • 13mo ago: [message not public]
with the test
Unknown User • 13mo ago: [message not public]
yes
Should we use help ping on this?
Unknown User • 13mo ago: [message not public]
Okay, want me to send everything of mine with JWT involved?
Unknown User • 13mo ago: [message not public]
Yeah, that's why I asked if we should use help ping; maybe someone that knows JWT better than us can find the problem.
Do you have a filter doing the authentication?
yes sir
Did you try debugging that filter?
Is it getting executed?
Nope
nope
Working perfectly; I mean when I had the id as an int I could get the user id in Postman with the UserDetails, but somehow I wanted the int to be a UUID, so I changed it in places everywhere and now I'm getting a 403
trying to get the user id with the UUID in Postman.
maybe check whether it's getting executed
Should i log it?
I would use a breakpoint/debugger
It looks like you are having issues with debugging or issues that can be solved using a debugger.
Check out this article on dev.java to see how debugging works and how to use a debugger.
This Stack Overflow question and its answers also explain debugging in general.
These links describe how to use the debugger in some IDEs:
• Debugging in IntelliJ
• Debugging in Eclipse
From what row should I use the breakpoint?
UserDetails userDetails = this.userDetailsService.loadUserByUsername(userEmail); here?
I would add it here:
final String authHeader = request.getHeader("Authorization");
Should I add anything here or is it just done?
just run it in debug mode
and check whether it is executed
Nope, it's running
and you made a request with the JWT?
and nothing in my threads & variables
oh ok
1 sec
sorry
the filter should be executed when you make a request with a JWT, right?
I'm stuck here and also
so the breakpoint is executed?
Is the line with the breakpoint highlighted?
yes
it's highlighted
right now
ok so you have a step over button, right?
check this for debugging
I followed the instructions but I don't know what I'm looking for; I know now the highlighted one is not executed and I have a step over button
but I'm not familiar with where it's getting me
when I did a step over
with that, you can move to the next instruction
and it should show you what the program is doing
yeah, I did that
did it move the blue thing down?
oh
here
it didn't find an authorization header
btw you can use that button to let the application continue
OK, let me start over, 1 sec
Actually interesting to learn this, thanks for your time
you mean debugging?
Yes, I've known about this but never took it seriously
I really recommend you to check out https://dev.java/learn/debugging/
OK, just a quick question: when I start over, should I use the register or login endpoint for the debug?
it explains it better than I am able to do right now (and I originally requested it and reviewed it when it was written)
Ah, I see
So I'm getting a null in my header
looks like it
How are you supplying the JWT token?
when making the request
in my AuthenticationService
and here is how I generate the token
I meant where you set it in postman or whatever
I'm not, unless I want to log out; I use the bearer token.
Well if you want to access it, you need to provide the token..?
in every request that requires authentication
Yeah
here
I post it there, and when I'm trying to get a user id I get a 403 with access denied.
But I can perfectly register a user, log in with a user and log out with a user.
wait
Correct picture when sending it
Console
Can you show the complete stack trace of the second image here?
I'm logged in now, and also have passed the right token in Postman.
Can you please share the whole thing as text?
not as an image
just paste it in here
If necessary I can screen share for you
Maybe you can take a better look
If you debug the filter again (this time using the header), what happens?
Which one, the bearer header or the auth header?
Shows my bearer that I have passed in
Should I resume the program?
if you continue stepping over, where does the blue line move?
this was the user/{id}
with the bearer token in Postman
in case you're wondering
error here
Does it stop after that line?
no
if I step over
it just keeps going
down and down
until where?
the whole filter
What does
loadUserByUsername
do?
Can you show your implementation?
And the class of the object it returns?
OK, I will show you everything, I just want this to work
:p
User Class
UserRepository
I meant your implementation
Can you try adding
@ToString.Exclude
to tokens
here?
(from lombok)
like this?
yes
debug or run normally
yours to decide
ok
because the exception means that it is calling
toString
of that and that tries to load tokens
(which is failing)
which you probably don't want there
Also storing a list of tokens for each user sounds like a bad idea.
I'm not even getting a response in Postman
console
Anyone?
Are you still in debug mode?
Is the program suspended?
oh nvm the issue is probably the StackOverflowError
yep, StackOverflowError null
you seem to have a circular dependency between two data classes
which are deserialized
deserialized?
Can it be
between
@OneToMany(fetch = FetchType.EAGER, mappedBy = "user")
private List<Token> tokens;
and
@ManyToOne
@JoinColumn(name = "user_id")
private User user;
yes
well probably serialized
Is the application converting a user to JSON here?
I guess the issue is that the user contains a list of tokens and the token contain a user
so you have something like
Yes
then I guess that's what happens essentially
just that it would happen infinitely often resulting in the said issue
Not following right now, what should I do or think of?
Yes
in my token
and you think this is the issue
?
yes
oooo ok
never thought of it
What's the JSON you are expecting?
for a user
ok sec
Gonna reopen my Postman, had to restart my PC
I am not asking you what happens right now
I want to know what JSON you are expecting
my UserDetails
something like this
ok so you are expecting the tokens to be exported which in turn contain the user which in turn contains the tokens which in turn contains the user which in turn contains the tokens..?
oh damn
ok
I understand the point
i.e. you would expect an infinitely big json object?
The easiest way to get rid of that issue is to just not include the tokens in the JSON data
Is that ok for you?
Yes
ok then you can just add
@JsonIgnore
to the tokens
just like the @ToString.Exclude
this means "ignore that field when creating the JSON"
Yeah, OK, on the User class I should have both @ToString.Exclude and @JsonIgnore?
sorry for the tag
good?
yes
ok sec
But I do have another question
Why do you use JWT and store a list of tokens for each user at all?
Letsgoooo!!
and if you need to store a list of tokens for each user, why are you using JWTs?
.
also including the password hash is probably not the best idea, just saying
I had a problem with JWT before and I saw someone solve it by putting the JWT in a table.
Should I not?
@JsonIgnore on it too?
if you don't want to include it
What's the recommendation from you?
Like, I'm still a newbie
and I've learned so much from you just this time
Well the whole point of JWT is that you don't need to store all JWTs
but the token itself proves that it is correct (using cryptography/signing if you are interested in that)
OK, so 2 things right now that I need to have checked and are probably good to have: @JsonIgnore on the hashed password and not having the JWT token stored
but can I have the JWT token stored for now and fix it later?
or will it be a problem
or is it better to fix it right now
well there's just no need to store it
it isn't a problem except unnecessary complexity and you need the space (memory and disk space) to store it
OK, should I just delete the Token class?
Won't it break a lot of things?
no
I never thought a @JsonIgnore would solve this
😮
I would
- make a backup of the project (since it seems to work now)
- remove the list of tokens from the user
- fix the errors you get from doing that
- try to get the project working again
btw it's jsonignore, not jsignore
yeah, sorry
OK
so I'm gonna push this to GitHub, then remove token from the user
you can do that
but won't I need it for auth
the token
well you are validating the token, right?
the client sends you the token
Yeah, true
sorry
and when validating, you check whether it's correct
btw a quick question
no need to be sorry
Before, I sent the application.properties to my GitHub, which is wrong, right? I heard I either need to delete the GitHub and make a new repo or clear the cache and send it
but how can I clear the cache and send it, since I have a few commits I want to save?
Now I have this
app ###
src/main/resources/application.properties
in my .gitignore
including the application.properties is not wrong per-se - but you need to make sure you are not including any credentials there
you can't really do that
Yeah, I have my whole password and database information
in application.properties
OK, so what's the catch?
Also if you just added another commit, that commit would still contain information about the previous state
I would still reset it
So I need to delete the repo?
Did you delete the repo and then added another commit to the project and pushed it to a new repo?
or did you amend the commit?
No, I had this repo when I started and I forgot to ignore application.properties
the application.properties is in the repo right now
What did you do after deleting the repo?
ah ok
I didn't delete it
but my friend told me I can either clear the cache
Did you add it in the last commit?
or make a new repo
yeah
Was it added in the last commit?
yes 4 days ago
was my last commit
ok then you can change the commit
if you didn't create another commit afterwards
nope
That's called "amending" the commit
I haven't
How are you typically pushing to GitHub?
terminal
git status
git add .
git commit -m
git push
ok so you first need to remove the application.properties from the local repository without deleting the file
you want to tell git the file is gone without actually removing it
What's the output of
git status
? Is anything green in there?
but I have this in .gitignore
Nope, I haven't done git add .
yet
that isn't enough
if you add it to the gitignore, it will continue to stay there
yeah
you can use
git rm --cached src\main\resources\application.properties
OK, so
that first in the terminal?
that tells git to remove the file but not actually delete it from your file system
yes
you can also use
git add .gitignore
if you want to add the gitignore
and now
(NOT
git add .
)
the normal git add .
no
so git add .gitignore
?
ok so what do you want to change in the last commit?
application.properties
type
git status
and it should show the application.properties as deleted
ahhhh
okkkk
above that
You are the only one working on that project, right?
yes
Is the application.properties above that?
shown as deleted?
in git status or in the GitHub repo?
In git status it's deleted
git status
yeah ok
yeah
Then you can apply that change locally
you can change the last commit
this works with the command
git commit --amend --no-edit
This means "apply the current changes (the deletion) by changing my last commit. Do not change the commit message. Do not create a new commit."
I see
yeah, delete mode
at the last row
yes
It's still in GitHub, is it because it's not pushed?
yes
but with that, you won't be able to push since you have a different (conflicting) history than GitHub
you can tell git to overwrite the history on GitHub
this is a force push - something you shouldn't do when there are other people working on the project
Okay
it essentially means "I don't care what's on the other side (GitHub), just overwrite it, my changes are all I want"
you can do that with
git push --force-with-lease
Yeah, it's gone now
but I can still view it on my commit
?
How did you get to the commit?
But yes it isn't completely gone
History, I see
so it will only be gone
from the current change
and not the past
Is it actually in the history?
If it is, then you added another commit you didn't tell me about after adding the file
but if it's not in the history, it's actually GitHub caching it
I see my mistake, I have 2 commits; on my last commit it's gone, but not the other one. Though you meant if I had committed something recently.
my last commit
and in my first commit it's still there
my first commit
ok yes there is another commit making it more difficult
ah ok
Which commit did you add the password in?
first commit
that one?
if you click on
Load diff
there, is the password shown?
Yes, look, I have 4 commits: the first commit was nothing added, the second commit was the JwtFilter and no SQL password involved, but my third has SQL involved and my fourth is my last commit
and which one added the password to the application.properties?
my third commit and my last commit
Do you care about having the previous commits?
nope
nope
I can even restart
if it's necessary
ok then you can just delete the git repository
I can show you how
😂
that I know how
hahah
How?
I said git repository, not GitHub repository
oh
ok
no, I don't know how
then
so in your project, there's a .git folder
correct
if you delete that folder, git won't know about the commits
this one, right?
and you can just use
git init
, git add .
etc again
no
AHHHH OK
I know
I think IntelliJ doesn't even show that folder
which one?
the hidden one
yeah
wait
wait
this one
yes
correct
if you delete that, git (not GitHub) won't know about the commits any more
okay
Did you do it?
deleted
now you can use
git init
again and it will create a new repository
done
then the whole
git add .
, git commit -m "your commit message here"
and git remote origin https://github.com/yourusername/yourrepositoryname
ok sec
and you need to use a force push (
git push -f
) again
or you also delete the repository on GitHub and create it again as well
then you can use the normal git push
Isn't it git remote add origin?
yeah my fault
oh you already created it?
What's the output of
git log
?
Wait, so the part I think I've missed is that I need to create a new repo in GitHub and use that repo name and not my current one?
you can also use the same name again
git log
I don't think you properly deleted the .git folder
maybe you deleted the .git folder of another project?
yeah
true
now
but I can't git push -f
Don't I need to do git push origin main
?
yes
You need to commit before pushing
done
that
Wait, just let me do this easier
let me delete this GitHub
repo
and start over
New GitHub repo
OK, now I'm gonna delete everything associated with user & token
The new one doesn't contain anything with user/token, right?
Doesn't contain anything of my application.properties
but now I'm gonna delete everything associated with the user token
and push
again
oh that
because as you said, unnecessary usage
yeah sure do that
Also I recommend you to do the following: Before doing anything security related that's important (e.g. at a company), make sure you really understand what you are doing and what the things you are working with are
Do you have any guide I can really improve by? Docs/tutorials, you name it.
on what specifically?
Security, design patterns, more about debugging. Like everything in general, just to improve better and better. I'm getting my degree in summer and I want to work with a Spring Boot backend and a ReactJS frontend, so a fullstack dev
Like frontend I know like 80% of what I'm doing because I put a lot of time into it
but it's backend time now until summer
I just realized also I'm handling my logout service with stored tokens
and if I delete everything I will have problems with my logout
I had another project where I handled the logout with a cookie
but I've heard that the cookie should not be handled in any way
maybe in HTTP but nothing more
for debugging, I already told you.
For security and design patterns, just look up the docs on the specific thing you need
Yes sir, do you recommend that the user have a created-at field?
if you don't store tokens, you don't need to delete them
oh for revocation
yeah if you need such a logout, that's a little bit more complicated
?
you could have a set of all revoked tokens and remove them once they expire
but generally: Do you really need a logout?
Yes, I want a sign-out for a user
so he/she can log out
you could do that
but the question is do you really need JWTs then?
like stored jwts?
or in general
Why are you using JWTs when you have a login and a logout and everything in a database?
assuming you don't have microservices
What do you mean?
No clue.
why did you decide for JWTs?
I don't know, I just learned it from the beginning of my Spring Boot trip
What do you think of it?
By the way, I never thanked you properly. Thank you, Daniel, for your kindness and effort in this help; truly amazing to have you and others around here.
JWT is a way of stateless authentication/authorization
that means the token contains the information you need - which user, an expiration, possibly privileges and a signature that proves validity
it's used in cases where you don't want to store a mapping between users and tokens
where you want to have something like "if they have a valid token, they are authorized"
OK, so basically I just have to delete that it's creating a table with tokens, but still generate a token for the user
Right?
and they don't have revocation - once you create a token, it's valid until it expires (unless you write custom revocation logic which requires a bit of state)
the issue is the logout - JWTs aren't really made for that
the idea of JWTs is that they are short-lived so you don't need to log out
True, but I have no other knowledge around a logout except this.
If you really want a logout, you could work around this
I mean I need a logout endpoint in case a user want to logout?
I mean one way is to let the client delete the token but someone who has the token would still be able to use it
Okay
or if you really want the token to be invalidated, you could store a blacklist of tokens
I've heard about that
About blacklisting the tokens
i.e. you store all non-expired invalidated tokens in a set or similar
What would you do if you were me?
What's the best and modern way to do it?
I know it's about preferences
I would start without a logout
then add it
by first invalidating the token
and then add the blacklisting logic
Is that a good way for security too?
Blacklisting?
Also what about cookies? How should I handle cookies?
it requires these things
- adding tokens to the blacklist when a user logs out
- checking the blacklist when a user attempts to use a token (don't allow logging in with tokens in the blacklist)
- remove tokens from the blacklist automatically when they are expired (e.g. check every 5min)
if you do it properly, yes
What about it?
if you store the JWT in a cookie, delete the cookie when logging out
Gonna watch over this more tomorrow! Interesting.
Or actually now, before I knock myself to sleep
So I can store a JWT in a cookie, and a cookie is associated with a user, then the cookie gets executed whenever logging out?
Right
you can store it in a cookie but idk what do you mean with it getting executed
Wait, so when you mean blacklisting, you mean a refresh token?
Cause I know a little about refresh tokens
This is what you meant, right?
I meant the jwt itself which you normally don't invalidate
if you have a refresh token, you'd need to invalidate that
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
I'm trying to implement that a user should only register with an invite, so I want an admin to generate a registration key to send over, but I read that I need to store those generated keys. Does that mean I need a table for it?
Don't want to make the same mistake as the JWT token (stored)
yes, I would create a table for that
But how does the generation of the key work?
Do I always need to go to the DB, or can I have it generated on the website?
well you can write Java code that generates a random string
using
SecureRandom
Daniel, I'm working on the frontend part a little bit and I fixed it so I can register and authenticate as a user, but I'm not getting the user id and I think it's because I'm not including the user id in the response; should I do it?
?
right here?
my frontend part
I'm getting undefined
oh if you want to add the user id, do that
Thanks, I got another issue here
So I'm doing logic here that if the user doesn't have ROLE_USER or ROLE_PROVIDER it shouldn't be let into these routes, but when I log in with a user role it doesn't let me go through.
my user class
Can it be that I'm not getting a role in my AuthenticationResponse
?
what specifically is the problem?
So when I try to log in with my user that has ROLE_USER it should let me pass my PrivateRoute, right? Because it only lets ROLE_USER and ROLE_PROVIDER go through
but it's not letting me
so I'm wondering, can it be that I'm not including any user details in my AuthenticationResponse?
I only have id and JWT token as the response right now
I am not really experienced with angular
what exactly is the response?
I think it would need to be something like
user.role == "ROLE_USER"
Sec, I'm gonna try to have the role in the response and see
maybe it's lacking that
Yep, it was lacking in the authentication response
now I'm getting it
and it went through the private route
Hey Daniel, I'm getting an error when sending my logout endpoint,
:5173/login:1 Access to XMLHttpRequest at 'http://localhost:8080/api/v1/auth/logout' from origin 'http://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I already have this @CrossOrigin(origins = "http://localhost:5173", maxAge = 3600, allowCredentials = "true")
in my AuthenticationController
but... the logout endpoint doesn't happen there, it happens in my SecurityConfig
Does this mean I have to put a @CrossOrigin in my SecurityConfig?
Do you know what CORS means?
Are you using cookies for anything?
Yes, it's a policy that restricts making requests
nope
not yet
What do you plan on using cookies for?
Do you know why it's necessary?
maybe have session tokens in a secure HttpOnly cookie
in the future
yes, preventing access against the server etc.
then you should be very careful with both disabling CSRF and allowing CORS
if you want to store the JWT in a cookie
Why's that?
Let's start with CSRF
assuming your token is provided as a cookie
then someone logs in and gets a token
it's stored in a cookie
Then they visit another website, evil.com
which is malicious
they can tell the browser to send a request to your backend and the browser happily includes the cookie
and all user details
?
For example, it could ask to request POST /user/delete
ahhh
shit
so you have access to the backend
that's what CSRF protects from
okay
it does that by requiring every request to include a csrf token
because the other site cannot read the response
so having CSRF disabled means others can have access
so a CSRF token is added to each response and every request that changes something (e.g. POST) needs to contain that CSRF token
and CORS is exactly that - the browser doesn't tell other sites about the responses - unless you allow it
a simple solution to that is to not use cookies
if you put it in localStorage and use JS to add it to the requests, you don't have that issue
Okay
so
I'm not using a cookie right now for a user, only a JWT token, and it gets validated after they log out or authenticate
right
How are you storing the jwt token?
Same as before
so you won't have that problem- yet
which is?
in a table
I meant the client
User?
yeah
How is the token stored in the browser?
localstorage
ok yeah that's fine
when logging in, the token is sent with the user details
wait
localStorage is fine
cookies would result in the aforementioned issue
Here is how I'm sending it
Yes, I've heard it so I want to avoid it, but a guy said I should use cookies for HTTP-something and nothing more
so about CORS - browsers block who can read responses
yes
by default, it only allows it if it comes from the same domain/host/origin
which is @CrossOrigin(origins = "*", maxAge = 3600)
right?
if your frontend is not at the same location as the backend, you need to allow it
that would allow anyone to access the responses
or anyone can send requests and read their responses
Same location? How do you mean?
When I tried to authenticate before I got CORS and this solved it
@CrossOrigin(origins = "http://localhost:5173", maxAge = 3600, allowCredentials = "true")
only the website example.com can make requests to example.com and read the responses
if evil.com makes a request to example.com, it cannot read the response
oh? so I need to
yes, this allows localhost:5173 to send requests and read the responses
communicate
oh, I'm getting it
so now I need to add
but where though
should I add the CORS to allow it to log out
I think this video explains CORS well: https://youtu.be/bSJm8-zJTzQ
logout?
Gonna watch it right now
Yes, because when I'm sending my logout endpoint I'm getting that CORS
error
LiveOverflow (YouTube): CSRF Introduction and what is the Same-Origin Policy? - web 0x04
What is cross site request forgery and what does it have to do with the same-origin policy.
it's with all endpoints where you want to read the response
7. For reasons similar to those of Stack Overflow, we currently do not allow content created by ChatGPT while helping other people. You may still share its content, when you are not helping somebody and are not looking to deceive others, for example when discussing ChatGPT and its technology.Holy, actually crazy. But im understanding it more now tbh
Its just as you said here
he showed the exact way
I think it's important to understand these issues
So if i take an example i have right now an cors policy blocked to this
Access to XMLHttpRequest at 'http://localhost:8080/api/v1/auth/logout' from origin 'http://localhost:5173' has been blocked by CORS policy:
if i fix this, for example evil.com can see the response
correct?
you can configure the headers so that only localhost:5173 can do it
like that
Should i have a CorsFilter so i can have more control over my cors configurations
something like
yeah I'd do it like that
Yep working now
added a corsfilter
damn im learning so much from you tbh
i wanna keep this chat alive
if it becomes dormant, you can just reopen it by sending a message in it
the DM you get when it goes dormant (if enabled) should have a link to the post
Yes sir, hope you don't mind me being annoying and asking 500 questions.
Btw i have never handled a user avatar before, any suggestions how i should do that?
im thinking of integrating so a user can have a profile image
that's how you are learning
not really - I would store the file on some disk and store the name/identifier in a DB
💤
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use /help ping.
Warning: abusing this will result in moderative actions taken against you.
Hi @dan1st | Daniel, i followed this post
https://medium.com/@mertcakmak2/object-storage-with-spring-boot-and-aws-s3-64448c91018f
And its working perfectly but how can i associate an uploaded picture to a user id so for example you are authenticated and you want a profile image so you upload it and its attached to your account.
Sorry this one i meant
Hi @dan1st | Daniel
I have these errors when running my application, i also debugged my application and it said application running. Can this be wrong with my dependencies?
Can you show your build configuration file?
and please as text and not using images
it looks like you might have version conflicts
e.g. mixing Spring 5 and Spring 6
ah ok sorry i forget everything, will bear it in mind
dependency
you are using Spring Boot 3.2.2
Too many versions
Why are you using
3.3.3.RELEASE
for spring-data-rest-webmvc?
yh fixed it
I think that would need 6.x
i added a dependency before to use rest
most of them are not managed by Spring
spring-data-rest-webmvc definitely is
yes I already mentioned that
Spring Data 3 is ancient
Hi, i added this code
and
in my UserService
when im hitting the endpoint im getting access denied and im authenticated already
here is the console
When i hit this endpoint
without a user id it works to send it to the s3 bucket
noticed this
2024-02-08T19:27:21.148+01:00 WARN 23468 --- [nio-8080-exec-4] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.bind.MissingServletRequestParameterException: Required request parameter 'user_id' for method parameter type UUID is not present]
So people can just change the profile picture of other users?
What do you mean?
the client can send whatever they want in the id field
and the server doesn't check it and happily sets the profile picture of that user
How should i restrict it? that only a user can change their own image
you have a JWT filter, right?
yes sir
oh maybe thats why i get also access denied
that sets an
Authentication
object
In the controller, you can add an Authentication
parameter
and not a parameter for the user id
and just use the id of the current authentication
Sorry i took a break, do you mean on my controller?
you mean like this?
and
then
?
if so, im getting
without RequestParam
authentication.getName() doesn't give you the id
it gives you the username or email or whatever
just don't treat it as a uuid
Do you have a way to get a user by its email? use that
you mean in my repo?
Optional<User> findByEmail(String email);
yes
did this and i get user not found in my postman
200ok user not found
can you show your jwt filter?
i have userEmail as my "username"
or whatever
looks like it
I guess use that?
So this is my current endpoint
and its wrong cause im not getting the userEmail like you said but how can i get it from there?
i need a request.setAttribute("userEmail", userEmail);
in my jwt filter?
and then getattribute?
maybe something in your user repo
like getByUserName
you could try that as well
or saving the user id as an attribute
Okay so i added this to my filter
then in my service i added
and my endpoint
and the result
Thank you so much!
i have been on this profileimage for almost 2 days...
Just a curiosity question, so when a user wants to upload another image does that hit another endpoint or the same?
Or should I have update endpoint
Like they want to change their current image
Not add another one