
I have the code below. I want to use Post() instead of Get() because I don't want to show the username and password in the string. First I get auth and download a cookie with post(). This works fine. But then I download an XML file with get() and the username and password are visible in the download string. How can I download latest.xml with post()? I don't get any file at all (latest.xml) if I change to post where I have the comment (Does not work if I change to Post()).

The url is https and not http.

var apiUrl = s.getPropertyValue('apiUrl');
var apiUser = s.getPropertyValue('apiUser');
var apiPass = s.getPropertyValue('apiPass');
var anyOrders = "";

// Step 1: authenticate and obtain a session cookie (POST)
var theHTTP = new HTTP();
theHTTP.resetParameters();
theHTTP.url = apiUrl + "/wsauth?";
theHTTP.addParameter("username", apiUser);
theHTTP.addParameter("password", apiPass);
theHTTP.authScheme = HTTP.BasicAuth;
theHTTP.post(); //Works fine

while( !theHTTP.waitForFinished( 1 ) ) { }
job.log(-1, "Server response: " + theHTTP.getServerResponse().toString("UTF-8"));

if( theHTTP.finishedStatus != HTTP.Ok )
{
    job.fail("The request failed: %1", theHTTP.lastError);
    return;
}

var theCookie = theHTTP.getHeaderValue( HTTP.SetCookie ).toString( "UTF-8" );
if( theCookie.isEmpty() )
{
    job.fail("Invalid cookie response: %1", theHTTP.lastError);
    return;
}

s.log(-1, "Cookie: " + theCookie);

// Step 2: perform the query to get the xml file, sending the cookie
// (the username/password parameters added for the auth request are not reset here)
theHTTP.addHeader( HTTP.Cookie, theCookie );
theHTTP.url = apiUrl + "/order/latest";

theHTTP.localFilePath = job.createPathWithName("latest.xml", false);

job.log(1, theHTTP.localFilePath, false);
theHTTP.get(); //Does not work if I change to Post()

job.log( 4, "Download started", 100 );
while( !theHTTP.waitForFinished( 3 ) ) {
    job.log( 5, "Downloading...", theHTTP.progress() );
}
job.log( 6, "Download finished" );

if( theHTTP.finishedStatus == HTTP.Ok && File.exists(theHTTP.localFilePath)) {
    // Only open the downloaded file once the request succeeded and the file exists
    var f = new File(theHTTP.localFilePath);
    f.open(File.ReadOnly);
    anyOrders = f.read();
    f.close();

    if(anyOrders == "No non-processed order found!") {
        job.sendToNull( job.getPath() );
        job.log( 1, "No non-processed order found! File deleted!");
    } else {
        job.log( 1, "Download completed successfully");
        job.sendToSingle(theHTTP.localFilePath);
    }
}
else {
    job.fail("Download failed with the status code %1", theHTTP.statusCode);
    job.sendToNull( job.getPath() );
    return;
}
Xtreme
    Who are you trying to keep these credentials secret from? – Quentin Apr 15 '19 at 14:03
  • The server might not support using `post` for this particular API endpoint. –  Apr 15 '19 at 14:06
  • 5
    There is no really significant difference in transporting such credentials as GET or POST parameters to begin with. If you think switching this from GET to POST would increase security in any way, you are wrong. – 04FS Apr 15 '19 at 14:08
  • @Quentin From our "partner", 1. you are sending both the username and password as GET parameters instead of POST parameters, which means I can clearly see both of these in the url, so can any system where your request is transiting (like a firewall or a proxy). – Xtreme Apr 15 '19 at 14:14
  • @Amy But post is working when I download the cookie. – Xtreme Apr 15 '19 at 14:15
  • @Xtreme Different API endpoints can support different methods. –  Apr 15 '19 at 14:19
  • @Xtreme If you are sending the user/pass in the query string of a GET request using HTTPS, it's secure. https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl –  Apr 15 '19 at 14:23
  • @Xtreme — By "partner" do you mean "The person who owns the browser and is in complete control of all data you pass through it"? – Quentin Apr 15 '19 at 14:29
  • @Xtreme If the request is encrypted (SSL/TLS) then only the hostname is visible en route, i.e. `example.com`. The URI, request body, headers (this is really all just the body of the request) are encrypted. If your endpoint only supports GET for this action, you'd have to set up a proxy layer in between that will transform your request. This is probably unnecessary as others have pointed out above. – Charlie Schliesser Apr 15 '19 at 14:34
  • @Quentin yes, the one who owns the web service. – Xtreme Apr 15 '19 at 14:38
  • @Xtreme — You can't give a secret to a browser and hide it from the person who controls the browser. – Quentin Apr 15 '19 at 15:23

0 Answers