I wanted to share some improvements to the HTTP Requests v4.0.0 plugin (formerly REST) that we recently made that supports more authentication types, services, and a workaround that allows users to more safely pass a secret (credential) in HTTP Headers.
Authentication methods now include
- Basic Auth (Username and Password)
- Digest Auth (Username and Password)
- Bearer Token (Secret Key)
- Custom (custom HTTP headers)
In addition, we now support a few specific vendor APIs within the plugin so that you can think less about how to authenticate to a service, and more about the actual request that you want to make. This list will grow over time as we expand the services the plugin supports based on your requests.
Out of box services include
- Rapid7 Insight - which allows you to easily make a request to any Insight platform or Insight product API
- Pendo
- OpsGenie
This means you can use any of these service API’s by just providing the Base URL and passing in your API key in the Secret Key input in the connection. We take care of setting any headers those services require for you!
Regarding passing secrets (credentials) into custom HTTP headers. The way to do this now is to choose the Custom authentication type in the menu and pass your secret credential into the Secret Key input, which will encrypt it and store it safely. Finally, as you fill out the HTTP headers input in the connection you can use the hardcoded string of CUSTOM_SECRET_INPUT (must match exactly) which will tell the plugin to substitute this value for the Secret Key at runtime. For example, to use the value stored in the Secret Key field in an HTTP Header called X-Auth-Token you can set the Headers object as
{ "X-Auth-Token": "CUSTOM_SECRET_INPUT"}. Note that we only support one secret at this time.
This last one is done as a workaround so bear that in mind, we will be making more improvements to this plugin over time so let us know if you have any feedback.
Thanks