Cookie-based API Authentication

Studio supports specific APIs that are based on cookies for authentication.

In this scenario, the Studio creates a session in which the API authorizes by returning a Set-Cookie header. This header contains an authorization token, which is then used to authenticate later requests to the API by sending it back in the Cookie header. This is generally known as Cookie Forwarding.

Furthermore, when we send a random value in both a cookie and a request parameter, the server verifies whether the cookie value and the request value are identical. This protects requests against CSRF attacks and is known as the Double Submit Cookie Pattern. The Studio supports both cookie forwarding and the Double Submit Cookie Pattern.

Cookie Forwarding

Let’s look at cookie forwarding in more detail. The Studio handles all the backend functioning of cookie-based authentication and supports forwarding the cookies set by the API when making a request.

When we first hit the API, it provides a cookie with an auth token or session ID, depending on the API. This is fetched under set_cookie in the response header. This cookie is then passed along when making subsequent requests. The Studio saves every cookie in the backend and forwards it as a header to subsequent requests made for that API or connector.

We will now apply cookie forwarding with a multistep authentication method on the DronaHQ Studio API.
We will create a form modal that asks the user for authentication details and then makes an API request to the login endpoint.
After a successful login, the authentication cookie is parsed from the response and forwarded along with the user’s session to make subsequent requests.

  1. Add a third-party REST API connector: under Studio > Connectors, click (+) Connector.

  2. Provide a name for the API and select Multistep Authentication as the authentication type.

  3. Under Multistep Authentication, make sure you have checked Forward All Cookies, and then add the first step as API REQUEST. Provide the API of the Studio.

    The login has 3 steps. Once you hit the first step, a session for the user is set in a cookie, and the same cookie is forwarded when entering the username and password. After a successful login, that cookie is forwarded in order to get data from APIs that need authentication, such as the connector list and template list.
    This API will create a session with a cookie in the header. This is handled by the Studio in the backend. After doing a test auth, you can see that the first session cookie is generated in the headers under set_cookie.

  4. Add the next step of FORM. Here we will provide a name for it along with an input key for email. This will be fed to the API for the next step.

  5. Add a step of API REQUEST. This step will create an HTTP request with email and operation passed as query parameters to the API.

  6. Next, add one more FORM step to the authentication process to get the password from the user.

  7. Finally, we add one more step of API REQUEST to complete the authentication process. This step will create an HTTP request with the provided email and password, and operation passed as query parameters to the API.

    Click on Test auth flow. Fill in the form modals and you will be given a successful response. It will have a cookie generated from the earlier session cookie, with attributes such as domain and expiration date. This cookie is set in the user’s browser and forwarded with every request made for the API to maintain the state of authentication.

  8. Configure a test API for the connector. Here I am using an API endpoint to fetch the template details of the admin of the account.

  9. Click Test Connection and save it after a successful response.

    The cookie-based authentication for the above login API is now configured without opening a login page. It returned a successful response, with the login and the forwarding of cookies working together to retrieve our required data.
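
The flow configured above, as an added example that is not DronaHQ's own code: a small cookie store that keeps what the API sends in Set-Cookie and replays it on each later step. The `fake_api` stand-in, the `operation` values, the cookie names `sid` and `auth`, and all credentials are constructed assumptions.

```python
from http.cookies import SimpleCookie

class CookieForwarder:
    """Keeps cookies from Set-Cookie headers and replays them as a Cookie header."""
    def __init__(self):
        self.jar = {}

    def store(self, headers):
        for name, value in headers:
            if name.lower() == "set-cookie":
                for key, morsel in SimpleCookie(value).items():
                    self.jar[key] = morsel.value

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.jar.items())

def fake_api(params, cookie_header):
    """Constructed stand-in for the login API; returns (status, response headers)."""
    sent = {k: m.value for k, m in SimpleCookie(cookie_header).items()}
    op = params.get("operation")
    if op is None:                                  # first hit: open a session
        return 200, [("Set-Cookie", "sid=s-1001; Path=/; HttpOnly")]
    if sent.get("sid") != "s-1001":                 # session cookie was not forwarded
        return 401, []
    if op == "email":
        return 200, []
    if op == "login" and params.get("password") == "constructed-pw":
        return 200, [("Set-Cookie", "auth=t-77; Path=/; HttpOnly; Secure")]
    if op == "templates" and sent.get("auth") == "t-77":
        return 200, []
    return 401, []

def run_flow(forward=True):
    """Runs the three API REQUEST steps plus the test API; returns (statuses, jar)."""
    fwd, statuses = CookieForwarder(), []
    steps = [
        {},                                                    # step 1: session cookie
        {"operation": "email", "email": "user@example.test"},  # after the first FORM
        {"operation": "login", "email": "user@example.test",
         "password": "constructed-pw"},                        # after the second FORM
        {"operation": "templates"},                            # test API
    ]
    for params in steps:
        status, headers = fake_api(params, fwd.cookie_header() if forward else "")
        fwd.store(headers)
        statuses.append(status)
    return statuses, fwd.cookie_header()
```

Calling `run_flow(forward=False)` shows what happens when Forward All Cookies is left unchecked: every step after the first is rejected because the session cookie never comes back.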

Double Submit Cookie Pattern

The Double Submit Cookie Pattern is more secure and gives you the option to choose the location in which the cookie is passed. While configuring Multistep Authentication in Studio, you have the checkbox Follow double submit cookie pattern alongside Forward All cookies. The double submit cookie feature is very simple: a random value is sent both as a cookie and as a parameter, and the server verifies that both values match.

When a session is created in Studio from an API request, it sets the received cookie in the browser derived from the session ID, and at the same time another cookie is set for the CSRF token. When the user submits a secure form, this token is extracted from the cookie and is set as a hidden input field in the HTML. The server will validate the token sent as a form parameter against the cookie value and authorize the action to be completed.
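
The server-side check described above, as an added example that is not DronaHQ's own code. The handler, the `sid` cookie, the sample requests and the choice of Set-Cookie attributes are constructed assumptions; `csrf` is the cookie name used in the walkthrough below.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

CSRF_NAME = "csrf"  # cookie name and body parameter name

def issue_csrf_cookie():
    """Returns (token, Set-Cookie value) for a new session."""
    token = secrets.token_urlsafe(32)
    # Not HttpOnly: the client has to read the value to copy it into the request.
    return token, f"{CSRF_NAME}={token}; Path=/; Secure; SameSite=Lax"

def verify_double_submit(cookie_header, body):
    """True only if the csrf cookie and the csrf body parameter are present and equal."""
    cookies = SimpleCookie(cookie_header)
    from_cookie = cookies[CSRF_NAME].value if CSRF_NAME in cookies else ""
    values = parse_qs(body).get(CSRF_NAME, [])
    if not from_cookie or len(values) != 1:   # missing, empty or duplicated parameter
        return False
    # Constant-time comparison of the two submitted copies of the token.
    return hmac.compare_digest(from_cookie.encode(), values[0].encode())

def handle_post(cookie_header, body):
    """Constructed handler: 403 when the tokens do not match, 200 otherwise."""
    return 200 if verify_double_submit(cookie_header, body) else 403

def demo():
    token, _ = issue_csrf_cookie()
    cookie_header = f"sid=s-1001; {CSRF_NAME}={token}"
    legit = handle_post(cookie_header, f"{CSRF_NAME}={token}&message=hello")
    # A request sent from another origin carries the cookie automatically, but that
    # origin cannot read the cookie, so the body has no matching copy of the token.
    no_param = handle_post(cookie_header, "message=hello")
    mismatch = handle_post(cookie_header, f"{CSRF_NAME}=guess&message=hello")
    return legit, no_param, mismatch
```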

Now let’s create a form modal to see how the Double Submit Cookie Pattern works in the multistep authentication method. We will take the form modal approach to set the CSRF token and also pass the message while configuring the test API.

  1. Check the Forward all cookies and Follow double submit cookie pattern options.
  2. Provide the name of the incoming cookie, as well as the name and location in which you want to pass your cookie. This name is usually application dependent, so the incoming cookie for our API is given in the fields.

    We are passing the cookie with the name csrf in the Body of the request.
  3. Introduce a form modal as the first step to take input for login purposes.
  4. Next, we will have the API request step for login using the credentials from the form modal. Set the method as POST.

    In the above image, you can see that we are passing the output variables of the form modal in the body parameter of the API request to send the credentials for login.
  5. Click on Test auth flow to check the response; you will see the CSRF token in the body of the response.
  6. Configure a test API for the connector. This will also be a POST method, as we will be sending a message to check for cookie authentication. This message will be used to check whether the CSRF token matches the message value. If it matches, the response will be successful, and thus the security of the API is not compromised.
  7. Click on Test Connection and Save.