I want to get Microsoft user informations like name and email after authentication but I'm a noob at javascript ! The code I use is here : https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
I can configure the authentication page, but once the user is connected, how to redirect him to another page while transmitting his informations?
I thought about using document.cookie = "user_mail = data.mail" then window.location.href = "mypageafterauthentication" but :
Is this a secure solution? Is it not easy to modify Javascript code and insert bad informations in the cookies?
If this solution is good, where should I put the code in the example script?
Thanks a lot for your answers!
PS : I try to get the code in PHP but it uses Laravel and I don't know this framework. I work with Codeigniter... If someone also know how to use Microsoft Authentication with php I'll be happy to know how to do :)
Related
I need to send only special Users an Email. That is not a big amount. The Website must send 6 E-Mails a week. I found many solutions. I found this simple solution: https://medium.com/#edigleyssonsilva/cloud-functions-for-firebase-sending-e-mail-1f2631d1022e
When you look at the code, I need to fill out the variables. So I must type in my Email and the Password. As the web is opensource I think that is a very bad way. Do you know other simple solutions or know how to do this without typing in password?
With this solution you are using firebase functions. You most certainly want to set some environmental variables to protect some sensitives data like your gmail password.
You can do this in firebase: go check their documentation right here : https://firebase.google.com/docs/functions/config-env
The doc is going to help you set something like :
{
"mailer": {
"mail":"YOUR GMAIL ADRESS",
"password":"YOUR GMAIL PASSWORD"
}
}
So instead of you password in plain text you'll have this in your code :
'password': `${functions.config().mailer.password}`
Much safer right ?
The web is not open source. If you run a script in the browser then yes, the user can read the code. The example you link, however, runs on the server in response to HTTP(S) requests, and as such is not readable by a visitor.
EDIT : tried the authorized domain and it seems to be what i need, i'll try to go deeper with André's answer :)
Thank you !
Hi,
I'm new to firebase and i just finished a project but i had a question:
Since the doc says i have to put my api keys and else in the javascript, they are visible to anyone even if put into process.env
i've read here : Is it safe to expose Firebase apiKey to the public?
that making the api key public is normal and not a big deal.
I'm using the email/password auth and i'm scared
If someone takes my :
API_KEY_FIREBASE
AUTH_DOMAIN
DB_URL
PROJECT_ID
that are in the source code and use the createAccount function, is he gonna be able to create an account ?
Is yes, is there a way to disable this ?
I want to be able to create account only through the firebase console
I'm not using firebase database for my data, i only use it for auth so i don't have to create a user table in my database, but i use the IDTokens they provide to secure some routes on express.
thank you ! :)
Someone can only create an account when you have that option enabled in your firebase console. So If you have it disabled there is no problem.
You can look here in the "before you begin" section for how to enable/disable Email/password sign-in method.
Hello guys I'm trying to make a web app, basically it delete a row in data base through ajax, but I wonder, is there any way that someone edit the value sent by Ajax?
I have the next code.
$(function(){
$('.eliminar').click(function(){
alert($(this).closest('.contenedor').children('.pregunta').children('.id').text());
});
with this code I receive the id, when we use chrome we can edit html temporally obviously we are not editing the site, I wonder if this way is secure to protect the data base, other wise anybody can edit the id 89 to 64 or 4555 etc.
I hope you can help me.
Regards!
You haven't given much information regarding your server or what framework you are using. Those things will determine some of this.
You will want to setup https on your server. These are some Apache examples:
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
https://www.digicert.com/ssl-certificate-installation-apache.htm
And
Authenticate your request with, on the server you will want to have a check for authentication prior to allowing any changes. How this will actually work will depend on your framework and server.
beforeSend: function (xhr) {
xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
}
Reference:
How to use Basic Auth with jQuery and AJAX?
Yes. A user can edit that field.But you should never expose rest API for deleting any sensitive or generic data to any guest user.Expose only for authenticated user. If you are exposing some APIS for the guest user as well it would be good to mask sensitive info before presenting it to the client.
If you give power to delete stuff in your database to an authenticated user
then it is easy.
All users authenticated will have session cookies (something unique that identifies them when they are authenticated.)
You collect that in the server then you will know that it is them.
In your backend you should construct an authentication system which decides which user can do something or don't. You can restrict them from somethings or allow.
If you give power to delete stuff to guest users or any user.
You can write an API on top of your database operations and you only expose the right part of it to guest users.
I am creating a SPA blog website with PHP/MySQL and a Javascript frameworks, still haven't decided which one yet.
The idea is that I am willing to create an API and consume it using Javascript, but I want to protect the API, so that no one can access /posts/ for example and get a list of all the posts.
I am not requiring any registration and I don't have a users system.
How would I go about it?
Thanks
You might be able to hard code whitelisted IP addresses, but as Steve pointed out in the comments: it's either public or it's not.
I'd go with some little registration functionality that generates API-keys that can be used to access your API.
It has been pointed out that a public API is public, however there are some steps that could take to make it more difficult for consumers other than your UI to access it.
The problem is akin (though not the same as) Cross Site Request Forgery, and you can use a variation of any of the prevention techniques listed to mitigate unauthorized access to your API.
The simplest implementation might be something like this:
index.html
<?php
$mytoken = uniqid();
$_SESSION['token'] = $mytoken;
?>
<input type='hidden' name='apitoken' value='<?= $mytoken;?>' >
some-api-endpoint.php
<?php
if($_GET['apitoken'] !== $_SESSION['token']) {
header("HTTP/1.0 403 Forbidden", true, 403);
}
If someone wants to access your public API, they will be able to, but they will have to put forth at least a little bit of effort to do so.
Using a JWT service will work just as well.
Have a look here: introduction to JWT
You can also use an api key and secret which will be passed on initial session auth for your service.
Here's a Stackoverflow answer that helps explain what you'll need to do: key and secret in php
If you're really lazy, you can just use basic authentication or digest auth to auth on the client side. (This is not advisable and has security risks as if you're not using ssl the passwords are passed as plain text in the request)
Another article for your information: PHP HTTP Authentication
I've got two websites aaa.com and bbb.com. I want to, on button click, postMessage from website aaa.com to website bbb.com but cannot get it done.
I'm calling from aaa.com:
window.postMessage('this is test', 'bbb.com');
and listening on bbb.com:
window.addEventListener('message', function(e) { alert(e.data); }, false);
Please point me where I'm doing it wrong.
;) oh, man , this way it won't work at all, at least to my understanding
maybee this could help you:
read about javascirpt and cross-domain-calls
read about curl
read about $_GET $_POST / $_SERVER - Variables (f.e for php)
try making simple form in php to understand webserver - mechanics
basically if you want to send something to a site, the target-site should have a form (post) / url ( get ) where it accepts this. so you send a HTTP-REQUEST where your parameters/message is UrlEncoded.
i like the basic idea of what you trying to achieve, since this is not "so unrealistic" in application programming .... but the thing which is bothering you i think is the "stateless" http-protocl , and the fact that javascirpt is ClientSide-ONLY ;)
you possibly could build a javascript runnin on the client listening for connection... but thats also out of my scope --- maybee someone else knows ...
hope it helps
cu