3

I'm attempting to log into my Nike account using HTTP requests and Parse. Here's my request:

```javascript
Parse.Cloud.httpRequest({
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
  },
  url: 'https://www.nike.com/profile/login',
  params: {
    'Content-Locale': 'en_US'
  },
  // Parse form-encodes an object body when the Content-Type is x-www-form-urlencoded
  body: {
    'login': '<userId>',
    'rememberMe': 'true',
    'password': '<password>'
  }
}).then(function(httpResponse) {
  // Success: log the response body
  console.log(httpResponse.text);
}, function(httpResponse) {
  // Failure: log the HTTP status code
  console.error('Request failed with response code ' + httpResponse.status);
});
```

I'm using REST to call my function, and it's working correctly. The only problem is that it keeps returning a 403 error. Is there something I'm doing wrong with my request?

Here is all the info of the actual request I found in Safari when logging in through the browser (NOTE: I'm new to http requests).

[image: Safari network inspector capture of the browser login request]

Update:

The image above is of a valid login using the web browser.

Also, here's an image of the request and response section for more details:

[image: the Request & Response section of the same capture]

KingPolygon
  • Is it an image of a failed request or is that one valid? – MinusFour Feb 06 '16 at 22:48
  • there is an OPTIONS request to do before – Pierre Emmanuel Lallemant Feb 06 '16 at 22:48
  • This one is valid. A failed one returns a 401 code. – KingPolygon Feb 06 '16 at 22:49
  • Could you post the `request & response` section? Without the sensitive information of course. – MinusFour Feb 06 '16 at 22:54
  • @MinusFour Sure. Just updated my answer :) – KingPolygon Feb 06 '16 at 23:04
  • Is the `Request & Response` submenu just for show? What I'd do is grab the raw HTTP request and replicate that as best as you can. I have never used safari network inspector but it might be not showing all the headers sent. – MinusFour Feb 06 '16 at 23:19
  • Hmm. What do you recommend I use to get the full headers? Chrome or firefox? Sorry for asking a noob question, but how would I get the raw HTTP request? – KingPolygon Feb 06 '16 at 23:20
  • @PierreEmmanuelLallemant Can you explain a bit more? Thanks :) – KingPolygon Feb 06 '16 at 23:33
  • @KingPolygon, first I'd start by replicating all the headers that Safari shows you. `Referer`, `Origin`, `User-Agent`, `Accept`, `DNT`. – MinusFour Feb 06 '16 at 23:34
  • @MinusFour Thanks. Tried that but nothing. Pierre mentioned that an OPTIONS request has to be done before the POST. Not sure how that should be done. – KingPolygon Feb 08 '16 at 23:59
  • My guess is that nike.com has some hard security protection which checks not only header params but also your cookies, referrer page, etc. to identify that the request was made from their own page, and only then allows you to log in. Totally the same data should be sent from your side. As I see, you are missing cookies in your request; try to include them also, and all params which are sent in your browser login request. – Armen Feb 10 '16 at 14:09
  • I would put money on it being CORS, https://en.wikipedia.org/wiki/Cross-origin_resource_sharing – Ed' Feb 16 '16 at 10:12
  • It would be useful to see your actual 403 error to determine whether it is a CORS response from your browser, or a real 403 response from the server. Sometimes this is hard to tell from a browser's dev tools. – Phil Feb 16 '16 at 22:16

2 Answers

4

I don't believe there's anything wrong with your request structure if you are consistently seeing a 403 - Forbidden response. That implies that your request is being rejected due to cross-origin restrictions, improper or unexpected request headers, and/or spoofing your referrer and origin, etc.

But without knowing the details of Nike's login services, we can only speculate.

I would expect to see other HTTP responses like 400 Bad Request, 406 Not Acceptable, 500 Timeout, etc if there was something fundamentally wrong with your request.

To properly answer, we'd need to know more details about the environment your requests are made from. Is this a local server? Are you a Nike developer with access to internal nike.com environments? Where is this HTTP request being initiated from?

The best I can suggest with the information provided is some tools to help troubleshoot further:

  • Charles Proxy: to monitor all outgoing requests + responses
  • Postman: for convenient testing of request structures in a more pure, browser/tech agnostic way

I can't post more than 2 links yet, but search for cross origin access and http status codes for more details on general HTTP requests.

rkd
1

As rkd says, 403 is Forbidden. The server is rejecting your request. I think it is not a cross-origin restriction, because in the second image Access-control-allowed:true appears. Check if there is a previous cookie set: look at the first image, in the headers, for a "set-cookie" and its values. But above all, more information about the headers is needed for a better response.
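An added example (not code from the question or either answer) of the cookie handling the second answer points at: record the Set-Cookie values from the response that precedes the login POST and send them back as a Cookie header on the next request. It assumes the response headers arrive as an array of Set-Cookie strings; the sample values are constructed.

```javascript
// Added example: a minimal cookie jar for carrying Set-Cookie values from one
// response into the Cookie header of the next request. Assumes the headers are
// available as an array of raw Set-Cookie strings.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(raw) {
  var parts = raw.split(';').map(function (p) { return p.trim(); });
  var nv = parts.shift().split('=');
  var cookie = { name: nv.shift().trim(), value: nv.join('=').trim(), attrs: {} };
  parts.forEach(function (p) {
    var kv = p.split('=');
    // Flag attributes (Secure, HttpOnly) are stored as true, valued ones as strings
    cookie.attrs[kv.shift().trim().toLowerCase()] = kv.join('=').trim() || true;
  });
  return cookie;
}

// Fold every Set-Cookie value from a response into the jar (later values win).
function storeCookies(jar, setCookieValues) {
  (setCookieValues || []).forEach(function (raw) {
    var c = parseSetCookie(raw);
    // Max-Age=0 is how a server deletes a cookie: drop it instead of storing it
    if (c.attrs['max-age'] === '0') { delete jar[c.name]; return; }
    jar[c.name] = c;
  });
  return jar;
}

// Build the Cookie request header for a URL; Secure cookies are only sent over https.
function cookieHeader(jar, url) {
  var https = url.indexOf('https://') === 0;
  return Object.keys(jar).filter(function (n) {
    return https || !jar[n].attrs['secure'];
  }).map(function (n) { return n + '=' + jar[n].value; }).join('; ');
}

// Constructed sample headers, standing in for the response to the GET that
// precedes the login POST in the thread.
var sampleSetCookie = [
  'SESSION=abc123; Path=/; Secure; HttpOnly',
  'locale=en_US; Path=/',
  'old=1; Max-Age=0'
];
var jar = storeCookies({}, sampleSetCookie);
console.log(cookieHeader(jar, 'https://www.nike.com/profile/login'));
```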