roottusk / vapi

vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
GNU General Public License v3.0

Authorization-Tokens are not well documented. #44

Open tayler6000 opened 1 year ago

tayler6000 commented 1 year ago

Hello, first, thank you for the great practice API!

I came across vAPI through an API hacking course hosted by APIsec. I, and a lot of other students, are having a lot of fun with it and learning a lot, but many students have run into a problem with the Authorization-Token header. The documentation at http://localhost/vapi always references `{{apiX_auth}}` but never specifies what format the auth token is in. I personally took about 4 hours trying to figure it out and eventually looked up this repo, read the README, and realized you have a Postman import that generates these tokens for you.

I've completed the course, and so I've had quite a few other students ask me about this when they get stuck as well. Some students figure it out just by guessing, since you essentially use the `Authorization: Basic {{base64}}` scheme; those students will ask me how I figured it out, or whether they just didn't understand something properly. Then I've seen other students who were also stuck for hours, like me, just give up and ask.

I gave four passes at trying to code-beautify vapi/resources/views/index.html so I could manually add a section on the auth token format as a PR, but with each attempt it broke the page styling or JS. I'm not familiar enough with redoc to know if there is a way to put a section at the beginning of the documentation, but if there is, would you perhaps add that section? Worst case, though it wouldn't be as immediately obvious, do you think we could add a section about it in the README and vapi/resources/views/welcome.html?

If you want to go for the latter, or you want me to try and add a section without beautifying the index page code, let me know and I don't mind submitting a PR for it. Thank you again for all your work!

roottusk commented 1 year ago

Hi @tayler6000 ,

Thank you for bringing this to notice. You can run redocly on the updated Postman collection and it will generate the HTML for it. I haven't done it yet, so feel free to go ahead and do it if you want to. Once done, you can replace index.html with the generated HTML after testing and create a pull request. I'll be happy to merge it.

Let me know if you have any questions.

Thanks

brootware commented 1 year ago

Hi, just on this: I tried to import the ENVs but `{{apix_auth}}` is still empty, though. Am I missing something? https://github.com/roottusk/vapi/blob/master/postman/vAPI_ENV.postman_environment.json

adaskaan commented 1 year ago

Authorization-Token is the base64 result of the username and password combined in the format "username:password". For example, for username foo and password foo the valid Authorization-Token is "Zm9vOmZvbw==". Please add this information to the documentation to make it clear.
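As an added example (not part of this issue thread or of the vAPI project's own code), the following helper builds the Authorization-Token value exactly as described above, base64 of "username:password", and also decodes one back so the reader can see that the scheme is reversible encoding, not encryption; anything sniffed in transit reveals the credentials. The function names and the sample credentials foo/foo are constructed for this example; the expected value "Zm9vOmZvbw==" is the one given in the comment above.

```python
import base64
import binascii


def build_authorization_token(username: str, password: str) -> str:
    """Return the vAPI Authorization-Token: base64("username:password").

    The colon is the field separator, so a username containing ':'
    would make the token ambiguous; we reject it up front.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_authorization_token(token: str) -> tuple[str, str]:
    """Recover (username, password) from a token.

    Shows that the token is plain base64: no secret is needed to reverse it,
    so the header must only ever travel over TLS. Raises ValueError on
    malformed input instead of returning partial data.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid Authorization-Token: {exc}") from exc
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("token does not contain a 'username:password' pair")
    return username, password


def auth_headers(username: str, password: str) -> dict[str, str]:
    """Headers dict for a vAPI exercise request (Postman's {{apiX_auth}} value)."""
    return {"Authorization-Token": build_authorization_token(username, password)}


if __name__ == "__main__":
    # Constructed sample credentials; "Zm9vOmZvbw==" is the value quoted above.
    token = build_authorization_token("foo", "foo")
    print("Authorization-Token:", token)
    print("decodes back to:", decode_authorization_token(token))
    print("request headers:", auth_headers("foo", "foo"))
```

Usage: paste the printed token into the `{{apiX_auth}}` environment variable in Postman, or send `auth_headers(...)` with a `requests` call against the local vAPI instance.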