REST - How to use auth token in subsequent requests

Question

I'm using a java application the provide a REST interface for mongodb database called "RESTHeart"

When I make a normal GET request.

http -a admin:temp http://172.18.18.122:8080/_logic/roles/admin

I get an auth token Auth-Token: 10dc2eeb-9624-47f2-a542-c97e0af82b23, how can I use it subsequent requests?

Here is the full response

HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By
    Auth-Token: 10dc2eeb-9624-47f2-a542-c97e0af82b23
    Auth-Token-Location: /_authtokens/admin
    Auth-Token-Valid-Until: 2016-04-25T14:37:22.290Z
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Length: 109
    Content-Type: application/hal+json
    Date: Mon, 25 Apr 2016 14:22:22 GMT
    X-Powered-By: restheart.org

    {
        "_links": {
            "self": {
                "href": "/_logic/roles/admin"
            }
        },
        "authenticated": true,
        "roles": [
            "ADMIN"
        ]
    }

I have tried the following:

http http://172.18.18.122:8080/_logic/roles/admin Auth-Token:'10dc2eeb-9624-47f2-a542-c97e0af82b23'

Response:

HTTP/1.1 403 Forbidden
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By
Connection: keep-alive
Content-Length: 0
Date: Mon, 25 Apr 2016 14:30:27 GMT
X-Powered-By: restheart.org

I'm not sure what I'm doing wrong here, any ideas?

Your GET server response needs to include an Access-Control-Allow-Headers header. See http://stackoverflow.com/questions/13994507/how-do-you-send-a-custom-header-in-a-cross-domain-cors-xmlhttprequest — RamblinRose, Apr 25 '16 at 14:39

score 1 · Answer 1 · answered Apr 25 '16 at 17:30

1

I found the solution for this question, all what I needed was to pass authorization header along with 'username:password' encoded in base64 format

  http GET http://172.18.18.122:8080/auth/users authorization:'Basic YWRtaW46dGVtcA=='

answered Apr 25 '16 at 17:30

Deano

11,582
18
69
119

score 1 · Accepted Answer · answered Apr 26 '16 at 07:42

1

with httpie you can simply do:

http -a <username>:<Auth-Token> GET http://172.18.18.122:8080/auth/users

answered Apr 26 '16 at 07:42

Andrea Di Cesare

1,125
6
11

score 1 · Answer 3 · answered Apr 26 '16 at 07:48

Clients authenticate passing credentials via the standard basic authentication, a standard method for an HTTP user agent to provide a username and password when making a request. RESTHeart is stateless: there isn't any authentication session and credentials must be sent on every request.

Of course, it means you must secure your communications with HTTPS.

There's documentation on how the authentication process works in restheart at https://softinstigate.atlassian.net/wiki/x/JgDM

REST - How to use auth token in subsequent requests

3 Answers3