
Querying the Banno API with a userId

Note: https://github.com/Banno/beelzebub may be a better way?

Introduction

Often while troubleshooting an issue in production it can be useful to query the API for a user’s data without knowing the user’s login or password. This can be done with just the user’s ID and your auth token from Banno People.

So what we are going to do is log into Banno People, look in the request headers (with the browser’s dev tools), grab the auth token, and use it to authenticate our Postman requests.

Basic Steps

  1. Get access to the user’s FI if needed. Request access in the #org-firefighter-requests channel, including the FI and the ticket # it’s for in your request.

    If you don’t have access you will likely see node-api-gateway: Invalid user ID provided from the API and won’t be able to search for the FI in People.

  2. Log into People with your LDAP username/password and get your eauth token from response headers

    Use your browser’s dev tools to see the response headers for the request GET https://www.banno.com/a/auth/api/session or another auth’d call, and you should see a cookie: eauth=$token similar to this (screenshot: Eauth token)

  3. Using Postman (download the app if you don’t have it): add cookie: eauth=$token to your headers

    Create a request in Postman, select the Headers tab and switch to Bulk Edit mode, then copy the whole thing from cookie to the deviceId into the headers.

    cookie: eauth=eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..4zeYFrEFimydEXWSCuOzcA.i9BvLDN-a2uC9VmrR7rBc6hKMTNyg8LwcZY1ckTkVyO7uXkfO10Z4cxLS6qXM0-8LAX0bWU4NVj7LGDBvQwVaMgtKU3KP5JJdufX2xXWqwe6wAfAdRW0EIWS_j2-e6LASnZViR2tXt3AY4JWPhWh_GVXosDLL1QBCk09mGKSJdmfnv_Gtia5uDJGl_uKwFVYW8yosU_vd8wu_-VOS2gcyNldBi5PtRmckHlyO82durFXcd0CQIkn7lRovw-SfkF2FTxM332cIBHzjnAQQqPwuFXg1DNlE9SJh7OpNodeRDyp3rfj_ase2U63Qz0gxhVoRFQjazfhMQ7nOYRvHT7hg.6LEHCzwGzO6499DImJXPuQ; _ga=GA1.2.373603663.1539099094; enterpriseDeviceId=6b316d96456ced2a2d6d0b21f292d0bd; _gid=GA1.2.1612300236.1565618603; deviceId=online-c4852ec5ada5918252ea5886dbd5c28f
    

    so it looks like this (screenshot: Postman Header example)

  4. Query the API using your eauth token and the user’s Id

  5. Once you are done be sure to ask ops to remove your access to the FI.
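
The eauth value shown in step 3 has the shape of a compact JWE (five dot-separated segments, with an empty second segment), and it is a live session credential for as long as it is valid. The following is an added example, not part of the original page or any Banno code: it checks that a header line pasted from dev tools was not truncated while copying, and masks the token before the line goes into a ticket or chat message. The function names are hypothetical, the sample token is constructed, and treating eauth as a compact JWE is an assumption based on the sample above.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_cookie_header(line: str) -> dict:
    """Split a pasted 'cookie: a=b; c=d' header line into a name -> value dict."""
    name, _, value = line.strip().partition(":")
    if name.strip().lower() != "cookie":
        raise ValueError("expected a line starting with 'cookie:'")
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k: v for k, _, v in pairs}

def jwe_header(token: str) -> dict:
    """Decode the protected header of a compact JWE (five dot-separated parts)."""
    parts = token.split(".")
    if len(parts) != 5:
        # A partial copy from dev tools usually loses the trailing segments.
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    raw = parts[0] + "=" * (-len(parts[0]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(raw))

def redact(line: str, keep: int = 6) -> str:
    """Return the header line with the eauth value masked, for tickets or chat."""
    token = parse_cookie_header(line)["eauth"]
    jwe_header(token)  # refuse to pass through something that is not a full token
    return line.replace(token, token[:keep] + "...[redacted]")

# Constructed sample (not a real session), same layout as the line in step 3.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"enc": "A128CBC-HS256", "alg": "dir"}).encode()),
    "",  # empty encrypted-key segment, seen as ".." in the token
    _b64url(b"constructed-iv"),
    _b64url(b"constructed-ciphertext"),
    _b64url(b"constructed-tag"),
])
SAMPLE_LINE = f"cookie: eauth={SAMPLE_TOKEN}; _ga=GA1.2.0.0; deviceId=online-constructed"

if __name__ == "__main__":
    print(jwe_header(SAMPLE_TOKEN))
    print(redact(SAMPLE_LINE))
```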