-
Notifications
You must be signed in to change notification settings - Fork 21
Ready for review. #386
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Ready for review. #386
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| --- | ||
| description: "Learn how to automatically refresh authenticated sessions in the Autorize plugin." | ||
| --- | ||
|
|
||
| # Autorize Session Management | ||
|
|
||
| In this tutorial, you will learn how to automatically refresh authenticated sessions in the Autorize plugin. | ||
|
|
||
| ## Example Authentication Flow | ||
|
|
||
| We will use the [https://dummyjson.com](https://dummyjson.com) API to demonstrate the workflow. According to the [https://dummyjson.com/docs/auth](https://dummyjson.com/docs/auth) documentation, any user credentials returned from the `/users` endpoint can be used to authenticate with the `/auth/login` endpoint. By including the `expiresInMins` parameter, we can simulate a short-lived JWT. | ||
|
|
||
| ```http | ||
| POST /auth/login HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Content-Type: application/json | ||
| Content-Length: 63 | ||
|
|
||
| {"username":"emilys","password":"emilyspass","expiresInMins":3} | ||
| ``` | ||
|
|
||
| In the response to this request, an `accessToken` and `refreshToken` are returned. | ||
|
|
||
| Until the `accessToken` expires, it can be used to access sensitive user data from the `/auth/me` endpoint: | ||
|
|
||
| ```http | ||
| GET /auth/me HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Connection: close | ||
| Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDM0MDEsImV4cCI6MTc3OTY0MzQ2MX0.t-mV4fcqjvQmRu-I2is_iWV7_1MoJ2h8eVmCQMNhlnk | ||
|
|
||
|
|
||
| ``` | ||
|
|
||
| Once a minute has passed, a **401 Unauthorized** response is returned instead of user data with a body notifying the `accessToken` has expired: | ||
|
|
||
| ```http | ||
| { | ||
| "message": "Token Expired!" | ||
| } | ||
| ``` | ||
|
|
||
| With the `refreshToken` that was returned in the initial login response, a new valid `accessToken` can be obtained from the response to a POST request to the `/auth/refresh` endpoint: | ||
|
|
||
| ```http | ||
| POST /auth/refresh HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Content-Type: application/json | ||
| Content-Length: 397 | ||
|
|
||
| {"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDA4OTIsImV4cCI6MTc4MjIzMjg5Mn0.kmaBxCM5Sq1ybQFZcspzf1HnJBPpZ9maMwOUjxreoYI","expiresInMins":3} | ||
| ``` | ||
|
|
||
| ## Configuration | ||
|
|
||
| To begin, send the initial login request via Replay: | ||
|
|
||
|
ninjeeter marked this conversation as resolved.
|
||
| ```http | ||
| POST /auth/login HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Content-Type: application/json | ||
| Content-Length: 63 | ||
|
|
||
| {"username":"emilys","password":"emilyspass","expiresInMins":3} | ||
| ``` | ||
|
|
||
| [Create environment variables](/app/guides/environment_variables.md) named `ACCESS_TOKEN` and `REFRESH_TOKEN` and set their values to the `accessToken` and `refreshToken` JWTs that are returned in the response to this request respectively. | ||
|
|
||
| <img alt="Environment variables." src="/_images/refresh_jwt_environment.png" center/> | ||
|
|
||
| Next, **click** on the `Configuration` tab of the Autorize plugin interface and select the `Session` tab. | ||
|
|
||
| If this is the first time you are accessing this interface, **click** on the sliding radio button of the **Enable Session Management** feature. | ||
|
|
||
| <img alt="The Enable Session Management button." src="/_images/autorize_session_enable.png" center/> | ||
|
|
||
| In the **Invalid Session Condition** input field, enter the following [HTTPQL](/app/reference/httpql.md) query statement to specify the condition for when a session is considered invalid: | ||
|
|
||
| ```txt | ||
| resp.raw.cont:"Token Expired!" | ||
| ``` | ||
|
|
||
| In the **Re-authentication Request** input field, enter the request to the `/auth/refresh` endpoint that exchanges the `refreshToken` for a new `accessToken`. Using double curly braces syntax, you can set placeholders for environment variables: | ||
|
|
||
| ```http | ||
| POST /auth/refresh HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Content-Type: application/json | ||
| Content-Length: 397 | ||
|
|
||
| {"refreshToken":"{{ REFRESH_TOKEN }}","expiresInMins":3} | ||
| ``` | ||
|
|
||
| To update the environment variables, set the following as rules in the **Extraction Rule** section: | ||
|
|
||
| | Type | Field | Env Variable | | ||
| | ---- | ----- | ------------ | | ||
| | JsonBody | refreshToken | REFRESH_TOKEN | | ||
| | JsonBody | accessToken | ACCESS_TOKEN | | ||
|
|
||
| <img alt="Session configuration." src="/_images/autorize_session_configuration.png" center/> | ||
|
|
||
| Next, **click** on the `Mutations` tab of the Autorize plugin interface. Set the following mutation in the **Add Mutation** section: | ||
|
|
||
| | Type | Header Name | | ||
| | ---- | ----- | | ||
| | Header: Set | Authorization | | ||
|
|
||
| For the value, use double curly braces syntax to reference the `ACCESS_TOKEN` environment variable: | ||
|
|
||
| ```txt | ||
| Bearer {{ ACCESS_TOKEN }} | ||
| ``` | ||
|
|
||
| <img alt="Mutation configuration." src="/_images/autorize_session_mutation.png" center/> | ||
|
|
||
| ## The Result | ||
|
|
||
| In Replay, send the following request to Autorize as a template by **right-clicking** on the request pane and selecting `Plugins`, `Autorize`, and <code><Icon icon="fas fa-key" /> Send Request to Autorize</code>: | ||
|
|
||
| ```http | ||
| GET /auth/me HTTP/1.1 | ||
| Host: dummyjson.com | ||
| Connection: close | ||
|
|
||
|
|
||
| ``` | ||
|
|
||
| In the **Dashboard** tab, **click** on the <code><Icon icon="fas fa-redo" /> Rescan All</code> button to test the request again. | ||
|
|
||
| Viewing the **Mutated** request, you will notice the `Authorization` header is constantly updated with a valid `accessToken` value. | ||
|
|
||
| Now, even after the original token has expired, requests to the `/auth/me` endpoint will return **200 OK** responses with sensitive user data. | ||
|
|
||
| <img alt="Mutated request." src="/_images/autorize_session_mutated.png" center/> | ||
|
|
||
| This configuration method can be adapted to the authentication flow of your target application for continuous testing via Autorize. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.