OData - HOWTO add a request header to Breeze batch requests
Note: this is not the same thing as adding a header to the parent request, as mentioned in the other thread: breeze - adding headers to request.
I'm using the Breeze webApiOData dataService adapter and need to add a specific header value within each request within a batch. I can add the header value to the parent request (using the aforementioned link), but it isn't included in the child requests. In this specific instance, I need to include an anti-forgery token in the request. Batch requests are split out into individual requests by the WebAPI OData controllers, and as such, they don't see the parent request. I'm exploring how to tweak the server-side code that validates the anti-forgery token, but (1) that only addresses this specific challenge, and (2) it doesn't help others who may need to include a header value in the request. I'm using Breeze v1.4.12... Looking at the source, it appears the headers are being explicitly set (lines 15280-15284 and line 15380)... It isn't clear to me whether it is possible to override and control the inner headers of individual requests within a batch at present.
Specifically, this is how I'm controlling the inclusion of the anti-forgery token in the request in Breeze:
breeze.config.initializeAdapterInstance('dataService', 'webApiOData', true);

// Wrap the datajs default http client so each outgoing request carries the anti-forgery token header
var unsecuredClient = OData.defaultHttpClient;
var securedClient = {
    request: function (request, success, error) {
        request.headers.RequestVerificationToken = jQuery("#__RequestVerificationToken").val();
        return unsecuredClient.request(request, success, error);
    }
};
OData.defaultHttpClient = securedClient;
When I look at the request sent to the server, I see the token in the primary request's header, but not in the inner request:

POST https://localhost:44362/odata/$batch HTTP/1.1
Host: localhost:44362
Connection: keep-alive
Content-Length: 585
Cache-Control: no-cache
Pragma: no-cache
RequestVerificationToken: fnr1oqb3sxnlf5eui9mb-partial-rest-ommitted
MaxDataServiceVersion: 3.0
Origin: https://localhost:44362
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Content-Type: multipart/mixed;boundary=batch_2a9d-ba3e-cf5f
Accept: multipart/mixed
DataServiceVersion: 2.0
Referer: https://localhost:44362/home/spa
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ASP.NET_SessionId=jtfbzyt4zqk5pu43p1qop5tl; FedAuth=ommitted

--batch_2a9d-ba3e-cf5f
Content-Type: multipart/mixed; boundary=changeset_1fec-c63e-5864

--changeset_1fec-c63e-5864
Content-Type: application/http
Content-Transfer-Encoding: binary

POST odata/projects HTTP/1.1
Content-ID: 1
DataServiceVersion: 2.0
Accept: application/atomsvc+xml;q=0.8, application/json;odata=fullmetadata;q=0.7, application/json;q=0.5, */*;q=0.1
Content-Type: application/json
MaxDataServiceVersion: 3.0

{"id":-1,"type":"sp.data.research_x0020_projectslistitem","etag":null,"title":"test"}
--changeset_1fec-c63e-5864--
--batch_2a9d-ba3e-cf5f--
And when I look at the raw response, I can see how it fails to find the token in the header (confirmed when I step through the code on the server side):

HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Content-Type: multipart/mixed; boundary=batchresponse_efc71196-045b-474c-bfe3-e21e20ae64b0
Expires: -1
Server: Microsoft-IIS/8.0
DataServiceVersion: 3.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?utf-8?b?rdpcrgv2xfjlcg9zaxrvcmllc1xtc2z0c3bjyw1yavxzcmncu3bszxnlyxjjafryywnrzxjcb2rhdgfcjgjhdgno?=
X-Powered-By: ASP.NET
Date: Thu, 29 May 2014 16:42:00 GMT
Content-Length: 4432

--batchresponse_efc71196-045b-474c-bfe3-e21e20ae64b0
Content-Type: multipart/mixed; boundary=changesetresponse_aa3c98d6-a059-454d-9477-00e0b9497278

--changesetresponse_aa3c98d6-a059-454d-9477-00e0b9497278
Content-Type: application/http
Content-Transfer-Encoding: binary

HTTP/1.1 500 Internal Server Error
Content-ID: 1
Content-Type: application/json; odata=fullmetadata; charset=utf-8
DataServiceVersion: 3.0

{
  "odata.error": {
    "code": "",
    "message": { "lang": "en-US", "value": "An error has occurred." },
    "innererror": {
      "message": "The required anti-forgery cookie \"__RequestVerificationToken\" is not present.",
      "type": "System.Web.Mvc.HttpAntiForgeryException",
      "stacktrace": "   at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)\r\n   at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)\r\n   at System.Web.Helpers.AntiForgery.Validate()... bla bla bla"
    }
  }
}
--changesetresponse_aa3c98d6-a059-454d-9477-00e0b9497278--
--batchresponse_efc71196-045b-474c-bfe3-e21e20ae64b0--
UPDATE - As a stopgap we've implemented a process where, when the request is received server-side (using a custom ODataBatchHandler, overriding the ValidateRequest() method), we grab the tokens from the parent request and store them in the cache. When we validate the request within the controllers, we first check to see if the property is in the request (which is the inner request of the batch; once the controller gets the request, the batch has already been split into multiple requests) and, if not, see if it is in the cache, looking at the parent request. It's important to remove the value from the cache, in our case in ProcessBatchAsync() within the custom ODataBatchHandler, otherwise you're introducing a security hole by keeping it around for more than one request.
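As an added example (not code from the question, the answer, or Breeze/datajs), here is a client-side way to get the header into each inner request: wrap the datajs http client as securedClient above does, and also rewrite the serialized multipart body so every application/http part carries the header, which lets the server validate the token on each split-out request without caching it. It assumes that when the custom client's request function runs, request.body already holds the multipart text and the boundary is in request.headers["Content-Type"]; the sample body is constructed after the capture above, and the code goes beyond that single-POST case by recursing into nested changesets and replacing a same-named header instead of duplicating it.

```javascript
const CRLF = "\r\n";
// Constructed sample in the shape of the $batch body captured above: one POST inside a changeset.
const SAMPLE_BOUNDARY = "batch_2a9d-ba3e-cf5f";
const SAMPLE_BODY = [
  "--batch_2a9d-ba3e-cf5f", "Content-Type: multipart/mixed; boundary=changeset_1fec-c63e-5864", "",
  "--changeset_1fec-c63e-5864", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
  "POST odata/projects HTTP/1.1", "Content-ID: 1", "DataServiceVersion: 2.0", "Content-Type: application/json", "",
  '{"id":-1,"title":"test"}', "--changeset_1fec-c63e-5864--", "--batch_2a9d-ba3e-cf5f--", ""
].join(CRLF);
// Walk one multipart body: chunk 0 is the preamble, a chunk starting with "--" is the closing delimiter,
// everything else is a part (a nested changeset or an application/http request) to rewrite.
function addHeaderToBatchParts(body, boundary, name, value) {
  const delim = "--" + boundary;
  return body.split(delim).map((c, i) => (i === 0 || c.startsWith("--")) ? c : rewritePart(c, name, value)).join(delim);
}
function rewritePart(part, name, value) {
  const headerEnd = part.indexOf(CRLF + CRLF);
  if (headerEnd < 0) return part;
  const partHeaders = part.slice(0, headerEnd), partBody = part.slice(headerEnd + 4);
  const nested = /content-type:\s*multipart\/mixed;\s*boundary=([^\r\n;]+)/i.exec(partHeaders);
  if (nested) return partHeaders + CRLF + CRLF + addHeaderToBatchParts(partBody, nested[1].trim(), name, value);
  if (!/content-type:\s*application\/http/i.test(partHeaders)) return part;
  // The part body is a raw HTTP request: request line, headers, blank line, entity body.
  const eol = partBody.indexOf(CRLF);
  const requestLine = eol < 0 ? partBody : partBody.slice(0, eol);
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) return part;
  const rest = eol < 0 ? "" : partBody.slice(eol + 2), blank = rest.indexOf(CRLF + CRLF);
  const innerHeaders = blank < 0 ? rest : rest.slice(0, blank), innerBody = blank < 0 ? "" : rest.slice(blank);
  // Replace an existing header of the same name rather than sending it twice.
  const kept = innerHeaders.split(CRLF).filter(h => h && !h.toLowerCase().startsWith(name.toLowerCase() + ":"));
  kept.push(name + ": " + value);
  return partHeaders + CRLF + CRLF + requestLine + CRLF + kept.join(CRLF) + innerBody;
}
// Wrap a datajs-style client ({ request(request, success, error) }) like securedClient above, but also
// push the token into every inner request. Assumes request.body is already the serialized multipart text.
function withTokenInBatchParts(innerClient, headerName, getToken) {
  return {
    request: function (request, success, error) {
      const token = getToken();
      request.headers[headerName] = token;   // outer $batch request, as the question's code does
      const m = /multipart\/mixed;\s*boundary=("?)([^;\s"]+)\1/i.exec(request.headers["Content-Type"] || "");
      if (m && typeof request.body === "string") {
        request.body = addHeaderToBatchParts(request.body, m[2], headerName, token);
      }
      return innerClient.request(request, success, error);
    }
  };
}
```

Install it with OData.defaultHttpClient = withTokenInBatchParts(OData.defaultHttpClient, "RequestVerificationToken", function () { return jQuery("#__RequestVerificationToken").val(); }); the server-side check in each controller then sees the header on its own (inner) request.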
Good catch!
The problem is that the createChangeRequests method (line 15380) doesn't support custom tweaking of the inner request.
We'll discuss this internally to find a way to address it formally. Short term, I can't think of a workaround other than to create a custom copy of the OData dataService adapter and change the function. Yuck.
What's the timeframe?