This post and video show how to complete the unauthorized secret note challenge, which returns a status code of 403 Forbidden.
What are the API Challenges?
Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.
Authorization Challenge
Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN header authorizes you to gain access.

- Authentication is “are you who you say you are” (X-CHALLENGER)
- Authorization is “do you have the right permissions” (X-AUTH-TOKEN)
Challenge 31 Forbidden
Issue a GET request on the /secret/note end point and receive 403 when X-AUTH-TOKEN does not match a valid token

- GET request means use the HTTP Verb GET - e.g. GET /secret/note sends to the secret note endpoint
- X-AUTH-TOKEN means include a header named X-AUTH-TOKEN in the message. The X- prefix implies it is a non-standard custom header
- does not match a valid token means that the value in the header should be different from the value returned from the secret/token endpoint
- add the X-CHALLENGER header to track progress and because the authentication code we need is associated with the X-CHALLENGER session
- Receive a 403 FORBIDDEN response because the authorization token does not match the token required to access the data
Basic Instructions
- Create a new request for the /secret/note end point
  - if running locally that endpoint would be http://localhost:4567/secret/note
  - if running in the cloud that endpoint would be https://apichallenges.herokuapp.com/secret/note
- The verb should be a GET
- Add a custom header with the name X-AUTH-TOKEN; the value should be different from the value returned in Challenge 30
- The request should have an X-CHALLENGER header to track challenge completion
- You should receive a 403 response - meaning you are not authorized
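The steps above, as an added example that is not part of the original post or the API Challenges application: a client that sends GET /secret/note with both custom headers, plus a small local stand-in for the endpoint so the 403 can be reproduced offline. The session guid, the token values and the 401 for an unknown session are assumptions of this stand-in, not values from the real server.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed session store: X-CHALLENGER guid -> token issued by /secret/token (placeholder values).
VALID_TOKENS = {"x-challenger-guid": "constructed-valid-token"}

class SecretNoteHandler(BaseHTTPRequestHandler):
    """Stand-in for /secret/note: authenticate the session first, then authorize the token."""
    def do_GET(self):
        challenger = self.headers.get("X-CHALLENGER")
        token = self.headers.get("X-AUTH-TOKEN")
        if challenger not in VALID_TOKENS:
            # Assumption of this stand-in: an unknown session fails authentication, hence 401.
            self._reply(401, "unknown X-CHALLENGER session")
        elif token != VALID_TOKENS[challenger]:
            # Challenge 31: the token does not match the one issued for this session, hence 403.
            self._reply(403, "X-AUTH-TOKEN does not match a valid token")
        else:
            self._reply(200, "constructed secret note")

    def _reply(self, status, text):
        self.send_response(status)
        self.send_header("X-Challenger", self.headers.get("X-CHALLENGER", ""))  # echoed like the real server
        self.end_headers()
        self.wfile.write(text.encode())

def get_secret_note(base_url, challenger, token):
    """Send GET /secret/note with both custom headers and return the HTTP status code."""
    req = Request(f"{base_url}/secret/note", headers={"X-CHALLENGER": challenger, "X-AUTH-TOKEN": token})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # urllib raises on 4xx/5xx; the status code is what we want

def run_demo():
    """Serve the stand-in on an ephemeral local port; return the status for each of three cases."""
    server = HTTPServer(("127.0.0.1", 0), SecretNoteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {"wrong_token": get_secret_note(base, "x-challenger-guid", "bob"),
                "valid_token": get_secret_note(base, "x-challenger-guid", VALID_TOKENS["x-challenger-guid"]),
                "unknown_session": get_secret_note(base, "not-a-session", "bob")}
    finally:
        server.shutdown()
        server.server_close()
```

Point get_secret_note at http://localhost:4567 or https://apichallenges.herokuapp.com with your own X-CHALLENGER guid to run the same request against the real application.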
> GET /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> X-AUTH-TOKEN: bob
> Accept: */*
< HTTP/1.1 403 Forbidden
< Connection: close
< Date: Sat, 24 Jul 2021 16:18:40 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur