diff --git a/.vitepress/sidebars/app/tutorials.ts b/.vitepress/sidebars/app/tutorials.ts index 5ce4b9df..bb9903d7 100644 --- a/.vitepress/sidebars/app/tutorials.ts +++ b/.vitepress/sidebars/app/tutorials.ts @@ -120,6 +120,12 @@ export const tutorialsSidebar: DefaultTheme.SidebarItem[] = [ { text: "Autorize", link: "/app/tutorials/autorize", + items: [ + { + text: "Session Management", + link: "/app/tutorials/autorize_sessions", + }, + ], }, { text: "Drop", diff --git a/src/_images/autorize_session_configuration.png b/src/_images/autorize_session_configuration.png new file mode 100644 index 00000000..34104b69 Binary files /dev/null and b/src/_images/autorize_session_configuration.png differ diff --git a/src/_images/autorize_session_enable.png b/src/_images/autorize_session_enable.png new file mode 100644 index 00000000..1763f81c Binary files /dev/null and b/src/_images/autorize_session_enable.png differ diff --git a/src/_images/autorize_session_mutated.png b/src/_images/autorize_session_mutated.png new file mode 100644 index 00000000..898826f9 Binary files /dev/null and b/src/_images/autorize_session_mutated.png differ diff --git a/src/_images/autorize_session_mutation.png b/src/_images/autorize_session_mutation.png new file mode 100644 index 00000000..bea01f35 Binary files /dev/null and b/src/_images/autorize_session_mutation.png differ diff --git a/src/app/guides/http_history_filtering.md b/src/app/guides/http_history_filtering.md index 573dfeef..1bbf0fe0 100644 --- a/src/app/guides/http_history_filtering.md +++ b/src/app/guides/http_history_filtering.md @@ -12,6 +12,10 @@ To include or exclude traffic table columns, **click** on the +::: warning NOTE +Certain columns support [sorting traffic table rows](/app/guides/sorting.md), while others do not. For example, the `Path & Query` column does not support sorting but the individual `Path` and `Query` columns do. +::: + Additional filtering options are accessible by **clicking** the `Advanced` button, located above the traffic table. Additional filtering options menu. diff --git a/src/app/tutorials/autorize_sessions.md b/src/app/tutorials/autorize_sessions.md new file mode 100644 index 00000000..66d12af4 --- /dev/null +++ b/src/app/tutorials/autorize_sessions.md @@ -0,0 +1,137 @@ +--- +description: "Learn how to automatically refresh authenticated sessions in the Autorize plugin." +--- + +# Autorize Session Management + +In this tutorial, you will learn how to automatically refresh authenticated sessions in the Autorize plugin. + +## Example Authentication Flow + +We will use the [https://dummyjson.com](https://dummyjson.com) API to demonstrate the workflow. According to the [https://dummyjson.com/docs/auth](https://dummyjson.com/docs/auth) documentation, any user credentials returned from the `/users` endpoint can be used to authenticate with the `/auth/login` endpoint. By including the `expiresInMins` parameter, we can simulate a short-lived JWT. + +```http +POST /auth/login HTTP/1.1 +Host: dummyjson.com +Content-Type: application/json +Content-Length: 63 + +{"username":"emilys","password":"emilyspass","expiresInMins":3} +``` + +In the response to this request, an `accessToken` and `refreshToken` are returned. + +Until the `accessToken` expires, it can be used to access sensitive user data from the `/auth/me` endpoint: + +```http +GET /auth/me HTTP/1.1 +Host: dummyjson.com +Connection: close +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDM0MDEsImV4cCI6MTc3OTY0MzQ2MX0.t-mV4fcqjvQmRu-I2is_iWV7_1MoJ2h8eVmCQMNhlnk + + +``` + +Once three minutes have passed, a **401 Unauthorized** response is returned instead of user data with a body notifying the `accessToken` has expired: + +```http +{ + "message": "Token Expired!" +} +``` + +With the `refreshToken` that was returned in the initial login response, a new valid `accessToken` can be obtained from the response to a POST request to the `/auth/refresh` endpoint: + +```http +POST /auth/refresh HTTP/1.1 +Host: dummyjson.com +Content-Type: application/json +Content-Length: 397 + +{"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDA4OTIsImV4cCI6MTc4MjIzMjg5Mn0.kmaBxCM5Sq1ybQFZcspzf1HnJBPpZ9maMwOUjxreoYI","expiresInMins":3} +``` + +## Configuration + +To begin, send the initial login request via Replay: + +```http +POST /auth/login HTTP/1.1 +Host: dummyjson.com +Content-Type: application/json +Content-Length: 63 + +{"username":"emilys","password":"emilyspass","expiresInMins":3} +``` + +[Create environment variables](/app/guides/environment_variables.md) named `ACCESS_TOKEN` and `REFRESH_TOKEN` and set their values to the `accessToken` and `refreshToken` JWTs that are returned in the response to this request respectively. + +Environment variables. + +Next, **click** on the `Configuration` tab of the Autorize plugin interface and select the `Session` tab. + +If this is the first time you are accessing this interface, **click** on the sliding radio button of the **Enable Session Management** feature. + +The Enable Session Management button. + +In the **Invalid Session Condition** input field, enter the following [HTTPQL](/app/reference/httpql.md) query statement to specify the condition for when a session is considered invalid: + +```txt +resp.raw.cont:"Token Expired!" +``` + +In the **Re-authentication Request** input field, enter the request to the `/auth/refresh` endpoint that exchanges the `refreshToken` for a new `accessToken`. Using double curly braces syntax, you can set placeholders for environment variables: + +```http +POST /auth/refresh HTTP/1.1 +Host: dummyjson.com +Content-Type: application/json +Content-Length: 397 + +{"refreshToken":"{{ REFRESH_TOKEN }}","expiresInMins":3} +``` + +To update the environment variables, set the following as rules in the **Extraction Rule** section: + +| Type | Field | Env Variable | +| ---- | ----- | ------------ | +| JsonBody | refreshToken | REFRESH_TOKEN | +| JsonBody | accessToken | ACCESS_TOKEN | + +Session configuration. + +Next, **click** on the `Mutations` tab of the Autorize plugin interface. Set the following mutation in the **Add Mutation** section: + +| Type | Header Name | +| ---- | ----- | +| Header: Set | Authorization | + +For the value, use double curly braces syntax to reference the `ACCESS_TOKEN` environment variable: + +```txt +Bearer {{ ACCESS_TOKEN }} +``` + +Mutation configuration. + +## The Result + +In Replay, send the following request to Autorize as a template by **right-clicking** on the request pane and selecting `Plugins`, `Autorize`, and Send Request to Autorize: + +```http +GET /auth/me HTTP/1.1 +Host: dummyjson.com +Connection: close + + +``` + +In the **Dashboard** tab, **click** on the Rescan All button to test the request again. + +Viewing the **Mutated** request, you will notice the `Authorization` header is constantly updated with a valid `accessToken` value. + +Now, even after the original token has expired, requests to the `/auth/me` endpoint will return **200 OK** responses with sensitive user data. + +Mutated request. + +This configuration method can be adapted to the authentication flow of your target application for continuous testing via Autorize.