microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
2.61k stars, 303 forks

Authorization using setting 'token_refresh_cmd' not working #899

Open henning410 opened 5 months ago

henning410 commented 5 months ago

Description

I tried to use Authorization with JWT. Therefore, my settings.json file looks like:

{
  "per_resource_settings": {},
  "max_combinations": 20,
  "authentication": {
    "token": {
      "token_refresh_cmd": "python3 getNewToken.py",
      "token_refresh_interval": 60
    }
  }
}

In the documentation, it is not really specified what the getNewToken file should look like. Currently, this file calls my POST /login endpoint, which returns the valid JWT. Then the script prints this out. The script itself is working, but I think I need to return the JWT in some other format?

import sys

import requests

# Function to get the token from the login endpoint
def get_token():
    url = "http://localhost:3000/login"
    # Replace with your actual login credentials if required
    login_data = {
        "username": "john_doe",
        "password": "password1234"
    }
    response = requests.post(url, data=login_data, timeout=10)
    if response.status_code in (200, 201):
        # The token is in the 'access_token' field of the JSON response
        return response.json().get("access_token")
    # Report failures on stderr so that nothing but the token reaches stdout
    print(f"Failed to get token: {response.status_code} - {response.text}", file=sys.stderr)
    return None

# Get the token from the login endpoint and print it for RESTler to read
token = get_token()
if token:
    print(f"Authorization: Bearer {token}")
else:
    print("Could not retrieve the token.", file=sys.stderr)
    sys.exit(1)

Steps to reproduce

All files are mentioned in my Description

Expected results

I expect everything to work and RESTler takes the correct Authorization header

Actual results

Authentication failed when refreshing token:

Using Token authentication method: 
TokenAuthMethod.CMD 
 with error unterminated string literal (detected at line 1) (<unknown>, line 1)

Authentication failed when refreshing token:

Using Token authentication method: 
TokenAuthMethod.CMD 
 with error unterminated string literal (detected at line 1) (<unknown>, line 1)

Authentication failed when refreshing token:

Using Token authentication method: 
TokenAuthMethod.CMD 
 with error unterminated string literal (detected at line 1) (<unknown>, line 1)

Authentication failed when refreshing token:

Using Token authentication method: 
TokenAuthMethod.CMD 
 with error unterminated string literal (detected at line 1) (<unknown>, line 1)

Authentication failed when refreshing token:

Using Token authentication method: 
TokenAuthMethod.CMD 
 with error unterminated string literal (detected at line 1) (<unknown>, line 1)
2024-06-10 14:50:57.390: Generation: 1 
2024-06-10 14:50:57.640: Terminating garbage collection. Waiting for max 300 seconds. 
Done.

Environment details

No response

henning410 commented 5 months ago

Okay, got it working by using

"authentication": {
    "token": {
      "token_refresh_cmd": "/usr/bin/python3 /home/user/Desktop/restler-tests/getNewToken.py",
      "token_refresh_interval": 60
    }
  }

Also, in my script I added a print, so the script produces the following output:

{"id":{}}
Authorization: Bearer <My_Token>

At this point, PLEASE adjust the documentation. There are so many issues about authentication in this repo; I only got the solution by searching through all the issues.
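
The following is an added example, not code from the issue author or from the RESTler project. It is a token refresh command written around the stdout format that worked in the thread: a JSON object keyed by user on the first line (`{"id":{}}`) followed by one `Authorization: Bearer <token>` line per user, with every diagnostic sent to stderr so that nothing else can land on the first stdout line. The login endpoint (`http://localhost:3000/login`, form-encoded credentials, an `access_token` field in the JSON reply) and the user label `id` are assumptions taken from the thread; `parse_restler_token_output` is a local self-check that validates the output shape before RESTler is pointed at the script, and it does not claim to be RESTler's own parser. Since the error message quoted above is a Python parser message, the metadata line is emitted as strict JSON, which is also a valid Python literal and therefore parses the same either way.

```python
#!/usr/bin/env python3
"""Token refresh command for RESTler's token_refresh_cmd setting (added example).

Output contract used here (the format that worked in the thread above):
  line 1     : a JSON object with one key per user, e.g. {"id":{}}
  lines 2..n : one "Authorization: Bearer <token>" line per user, same order
Nothing else may reach stdout; diagnostics go to stderr and failures exit 1.
"""
import json
import re
import sys
import urllib.parse
import urllib.request

# Assumptions (not from the RESTler project): a local login endpoint that takes
# form-encoded credentials and returns JSON with an "access_token" field.
LOGIN_URL = "http://localhost:3000/login"
CREDENTIALS = {"username": "john_doe", "password": "password1234"}
HEADER_RE = re.compile(r"^[A-Za-z0-9-]+: \S.*$")


def fetch_token(login_url=LOGIN_URL, credentials=CREDENTIALS, timeout=10):
    """POST the credentials and return the access token; raise on any failure."""
    body = urllib.parse.urlencode(credentials).encode()
    req = urllib.request.Request(login_url, data=body, method="POST")
    # urlopen raises HTTPError (an OSError subclass) on 4xx/5xx responses
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    token = payload.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("login response has no 'access_token' field")
    return token


def format_restler_token_output(tokens):
    """Render {user_label: token} as the two-part stdout text RESTler reads.

    The first line is strict JSON, which is also a valid Python literal, so it
    parses the same whether the consumer uses json or ast.literal_eval.
    """
    if not tokens:
        raise ValueError("at least one user token is required")
    metadata = json.dumps({user: {} for user in tokens}, separators=(",", ":"))
    header_lines = [f"Authorization: Bearer {token}" for token in tokens.values()]
    return "\n".join([metadata, *header_lines]) + "\n"


def parse_restler_token_output(text):
    """Validate a token command's stdout; return (metadata, header_lines).

    Run this over your own script's output before pointing RESTler at it: it
    rejects a missing metadata line and any stray text on stdout (for example
    an error message printed there instead of on stderr).
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty output: the command printed nothing to stdout")
    try:
        metadata = json.loads(lines[0])
    except json.JSONDecodeError as exc:
        raise ValueError(f"first line is not a JSON object: {lines[0]!r}") from exc
    if not isinstance(metadata, dict) or not metadata:
        raise ValueError("metadata line must be a non-empty JSON object keyed by user")
    headers = lines[1:]
    if len(headers) != len(metadata):
        raise ValueError(f"expected {len(metadata)} header line(s), found {len(headers)}")
    for line in headers:
        if not HEADER_RE.match(line):
            raise ValueError(f"not a 'Name: value' header line: {line!r}")
    return metadata, headers


def main():
    try:
        token = fetch_token()
        output = format_restler_token_output({"id": token})
        parse_restler_token_output(output)  # self-check before RESTler sees it
    except (OSError, ValueError) as exc:  # URLError/HTTPError/timeouts are OSError
        # stderr only: anything on stdout would be parsed as the metadata line
        print(f"token refresh failed: {exc}", file=sys.stderr)
        sys.exit(1)
    sys.stdout.write(output)


if __name__ == "__main__":
    main()
```

Point `token_refresh_cmd` at it with absolute paths for both the interpreter and the script, as the comment above does, because RESTler's working directory is not the directory the script lives in. A quick offline check of the shape is `python3 -c 'import getNewToken as g; print(g.parse_restler_token_output(open("out.txt").read()))'` after redirecting the script's stdout to `out.txt`.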

tandrew-test commented 4 months ago

Plus one to updating the docs. This tool is fantastic but is rough around the edges. I also had to search the issues and the web to figure out how auth and a bunch of other features work.