Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .vitepress/sidebars/app/tutorials.ts
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,12 @@ export const tutorialsSidebar: DefaultTheme.SidebarItem[] = [
{
text: "Autorize",
link: "/app/tutorials/autorize",
items: [
{
text: "Session Management",
link: "/app/tutorials/autorize_sessions",
},
],
},
{
text: "Drop",
Expand Down
Binary file added src/_images/autorize_session_configuration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added src/_images/autorize_session_enable.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added src/_images/autorize_session_mutated.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added src/_images/autorize_session_mutation.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 4 additions & 0 deletions src/app/guides/http_history_filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ To include or exclude traffic table columns, **click** on the <code><Icon icon="

<img alt="Column inclusion/exclusion options menu." src="/_images/http_history_table.png" center>

::: warning NOTE
Certain columns support [sorting traffic table rows](/app/guides/sorting.md), while others do not. For example, the `Path & Query` column does not support sorting but the individual `Path` and `Query` columns do.
:::

Additional filtering options are accessible by **clicking** the `Advanced` button, located above the traffic table.

<img alt="Additional filtering options menu." src="/_images/http_history_advanced_options.png" center>
Expand Down
137 changes: 137 additions & 0 deletions src/app/tutorials/autorize_sessions.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
---
description: "Learn how to automatically refresh authenticated sessions in the Autorize plugin."
---

# Autorize Session Management

In this tutorial, you will learn how to automatically refresh authenticated sessions in the Autorize plugin.

## Example Authentication Flow

We will use the [https://dummyjson.com](https://dummyjson.com) API to demonstrate the workflow. According to the [https://dummyjson.com/docs/auth](https://dummyjson.com/docs/auth) documentation, any user credentials returned from the `/users` endpoint can be used to authenticate with the `/auth/login` endpoint. By including the `expiresInMins` parameter, we can simulate a short-lived JWT.

```http
POST /auth/login HTTP/1.1
Host: dummyjson.com
Content-Type: application/json
Content-Length: 63

{"username":"emilys","password":"emilyspass","expiresInMins":3}
```

In the response to this request, an `accessToken` and `refreshToken` are returned.

Until the `accessToken` expires, it can be used to access sensitive user data from the `/auth/me` endpoint:

```http
GET /auth/me HTTP/1.1
Host: dummyjson.com
Connection: close
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDM0MDEsImV4cCI6MTc3OTY0MzQ2MX0.t-mV4fcqjvQmRu-I2is_iWV7_1MoJ2h8eVmCQMNhlnk


```

Once three minutes have passed, a **401 Unauthorized** response is returned instead of user data with a body notifying the `accessToken` has expired:

```http
{
"message": "Token Expired!"
}
```

With the `refreshToken` that was returned in the initial login response, a new valid `accessToken` can be obtained from the response to a POST request to the `/auth/refresh` endpoint:

```http
POST /auth/refresh HTTP/1.1
Host: dummyjson.com
Content-Type: application/json
Content-Length: 397

{"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJlbWlseXMiLCJlbWFpbCI6ImVtaWx5LmpvaG5zb25AeC5kdW1teWpzb24uY29tIiwiZmlyc3ROYW1lIjoiRW1pbHkiLCJsYXN0TmFtZSI6IkpvaG5zb24iLCJnZW5kZXIiOiJmZW1hbGUiLCJpbWFnZSI6Imh0dHBzOi8vZHVtbXlqc29uLmNvbS9pY29uL2VtaWx5cy8xMjgiLCJpYXQiOjE3Nzk2NDA4OTIsImV4cCI6MTc4MjIzMjg5Mn0.kmaBxCM5Sq1ybQFZcspzf1HnJBPpZ9maMwOUjxreoYI","expiresInMins":3}
```

## Configuration

To begin, send the initial login request via Replay:

Comment thread
ninjeeter marked this conversation as resolved.
```http
POST /auth/login HTTP/1.1
Host: dummyjson.com
Content-Type: application/json
Content-Length: 63

{"username":"emilys","password":"emilyspass","expiresInMins":3}
```

[Create environment variables](/app/guides/environment_variables.md) named `ACCESS_TOKEN` and `REFRESH_TOKEN` and set their values to the `accessToken` and `refreshToken` JWTs that are returned in the response to this request respectively.

<img alt="Environment variables." src="/_images/refresh_jwt_environment.png" center/>

Next, **click** on the `Configuration` tab of the Autorize plugin interface and select the `Session` tab.

If this is the first time you are accessing this interface, **click** on the sliding radio button of the **Enable Session Management** feature.

<img alt="The Enable Session Management button." src="/_images/autorize_session_enable.png" center/>

In the **Invalid Session Condition** input field, enter the following [HTTPQL](/app/reference/httpql.md) query statement to specify the condition for when a session is considered invalid:

```txt
resp.raw.cont:"Token Expired!"
```

In the **Re-authentication Request** input field, enter the request to the `/auth/refresh` endpoint that exchanges the `refreshToken` for a new `accessToken`. Using double curly braces syntax, you can set placeholders for environment variables:

```http
POST /auth/refresh HTTP/1.1
Host: dummyjson.com
Content-Type: application/json
Content-Length: 397

{"refreshToken":"{{ REFRESH_TOKEN }}","expiresInMins":3}
```

To update the environment variables, set the following as rules in the **Extraction Rule** section:

| Type | Field | Env Variable |
| ---- | ----- | ------------ |
| JsonBody | refreshToken | REFRESH_TOKEN |
| JsonBody | accessToken | ACCESS_TOKEN |

<img alt="Session configuration." src="/_images/autorize_session_configuration.png" center/>

Next, **click** on the `Mutations` tab of the Autorize plugin interface. Set the following mutation in the **Add Mutation** section:

| Type | Header Name |
| ---- | ----- |
| Header: Set | Authorization |

For the value, use double curly braces syntax to reference the `ACCESS_TOKEN` environment variable:

```txt
Bearer {{ ACCESS_TOKEN }}
```

<img alt="Mutation configuration." src="/_images/autorize_session_mutation.png" center/>

## The Result

In Replay, send the following request to Autorize as a template by **right-clicking** on the request pane and selecting `Plugins`, `Autorize`, and <code><Icon icon="fas fa-key" /> Send Request to Autorize</code>:

```http
GET /auth/me HTTP/1.1
Host: dummyjson.com
Connection: close


```

In the **Dashboard** tab, **click** on the <code><Icon icon="fas fa-redo" /> Rescan All</code> button to test the request again.

Viewing the **Mutated** request, you will notice the `Authorization` header is constantly updated with a valid `accessToken` value.

Now, even after the original token has expired, requests to the `/auth/me` endpoint will return **200 OK** responses with sensitive user data.

<img alt="Mutated request." src="/_images/autorize_session_mutated.png" center/>

This configuration method can be adapted to the authentication flow of your target application for continuous testing via Autorize.