Auth- | 基本的thinkphp3.2的auth管理 -

• Why it works on Postman and not on the client code?

The difference is the format of the request. In Postman, you're sending the data as JSON object. While in the client code, you're sending data inside a form-data. They are different. That's why the req.body is empty. Different request formats require the server to parse in different ways.

I see in your code the line //formData.append("thumbnail", newProject.thumbnail); is commented, you prepare to send the project's thumbnail in the request. In this case, you cannot send the request in JSON format. You need to modify the server to make it understand the form data.

For this, I recommend this popular package

Multer is a node.js middleware for handling multipart/form-data, which is primarily used for uploading files.

Try to read this document: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access.

This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the implicit flow). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.

On the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the offline_access scope, to receive refresh tokens.

It’s not currently possible to remove the offline_access scope from the initial consent screen when using the v2 endpoint with an AAD account. There is a feedback of this issue here.

Your TEMPLATES setting is as follows (truncated to keep answer short):

Ingress internal means "Accept only the requests coming from the project's VPC or VPC SC perimeter".

When you use API Gateway, you aren't in your VPC, it's serverless, it's in Google Cloud managed VPC. Therefore, your query are forbidden.

And because API Gateway can't be plugged to a VPC Connector (for now) and thus can't route the request to your VPC, you can't use this ingress=internal mode.

Thus, the solution is to set an ingress to all, which is not a concern is you authorize only the legit accounts to access it.

For that, check in Cloud Run service is there is allUsers granted with the roles/run.invoker in your project.

• If yes, remove it

Then, create a service account and grant it the roles/run.invoker on the Cloud Run service.

Follow this documentation

• Step 4: update the x-google-backend in your OpenAPI spec file to add the correct authentication audience when you call your Cloud Run (it's the base service URL)
• Step 5: create a gateway with a backend service account; set the service account that you created previously

At the end, only the account authenticated and authorized will be able to reach your Cloud Run service

All the unauthorized access are filtered by Google Front End and discarded before reaching your service. Therefore, your service isn't invoked for nothing and therefore your pay nothing!

Only API Gateway (and the potential other accounts that you let on the Cloud Run service) can invoke to the Cloud Run service.

So, OK, your URL is public, reachable from the wild internet, but protected with Google Front End and IAM.

The UID of a user is a unique, constant identifier for that user. So if the same user logs in multiple times, they'll get the same UID.

It makes no sense to use the ID token as the identifier for the user in the database, as an ID token will change every hour.

You should continue to use the UID to identify the user, and only use the ID token when you need to verify the user's identity.

You are missing bearer which specifies the token type.

Change:

I was finally able to resolve this issue. The problem was entirely an authentication issue as the error messages pointed out. While I still don't know why the built in '/broadcast/auth' endpoint didn't work, my initial attempt to authenticate by creating a '/pusher/auth/' was wrong in the way I set up the route and controller.

The correct route set up should be 'post' and call a controller, using a closure based route didn't work for me. My previous (see above) implementation of the controller was also wrong.

This is the controller code that worked:

If you are using django-heroku package than you have to add this in your settings.py

Add the following import statement to the top of settings.py: