I need to get the XMPP-User Groups from all Users inside a MUC and the user itself ("me"). I'd like to use them to set some permissions inside the candy xmpp client.
There is no plugin for this issue. Inside candy.min.js I found this function:
Candy.Core.Contact.prototype.getGroups = function() {
return this.data.groups; };
I didn't found any notes about it in the docs nor any correlation inside the other code/plugins. So maybe, this function does not even work.
I tried to write my own plugin. But I'm not that deep in JS. Calling the getGroups() function did not work for me.
I am able to read the user groups data by using the REST API from openfire (xmpp server). So there is no issue with permissions or data. It's generally possible to get the user groups data in this configuration. But I'd really like to get a cleaner solution inside of a candy chat plugin.
There are some core functions in Candy, which allows to send queries via strophe.js. I don't get it, yet. But I think, there is a way to use these to get the userGroups. They look like this example to SET a user password.:
var pwChangeRequest = $iq({
type: 'set',
to: 'shakespeare.lit'
})
.c('query', {xmlns: 'jabber:iq:register'})
.c('username').t('bill').up()
.c('password').t('newpass');
Candy.Core.getConnection().sendIQ(
pwChangeRequest,
function () {
console.log("Password change was successful.")
},
function (responseStanza) {
console.log("Password change failed.");
console.log(responseStanza);
}
);
So, how do I need to change this snippet to request the XMPP user groups?
I'd also like to RTFM :) but i found nothing explaining for the CANDY <-> Candy Plugin <-> prototype / strophe /stanza <-> XMPP (openfire) communications. Got something to read for me?
Related
Would really appreciate some help here. Been banging my head against the table for a couple hours now.
I’m trying to create a simple search function to search for usernames. My goal is to be able to search the usernames and eventually add the selected username to a “teams” collection.
I’ve tried easy-search but had no luck. I’m trying to user Accounts.FindUserByUsername now but I keep getting undefined. I have accounts-password installed, btw.
This is my code:
Server side:
Meteor.methods({
findUser: function (username) {
const user = Accounts.findUserByUsername(username)
return user
}
})
Client side:
Template.search.helpers(function() {
Meteor.call('findUser', 'username', findUserCallback)
})
function findUserCallback(error, username) {
console.log(username)
}
Template.search.events({
'submit .search'(event) {
event.preventDefault()
Meteor.call('findUser', 'username', findUserCallback)
}
})
I know I’m doing something very wrong but I can’t figure out what. I haven’t found much help online.
Thank you so much – I really appreciate it!
Welcome to Stack Overflow Julia.
The Meteor users collection is special, because it's used for authentication, and access to other users is not advisable in the UI, because of the security risks.
It is usual to have another collection called 'players' or 'members' - the advantage of this is that you can store additional information, and you can easily publish/subscribe to these collections and manipulate them without the need to be writing Meteor methods to do your work.
In the new collection you can store the _id of the user, so you can always reference the user record (ie for the username) if you need to.
I've been searching around the internet for a way to define a query in JavaScript, pass that query to PHP. Let PHP set up a MySQL connection, execute the query and return the results json encoded.
However my concern is with the security of this method since users could tamper with the queries and do things you don't want them to do or request data you do not want them to see.
Question
In an application/plugin like this, what kind of security measures would you suggest to prevent users from requesting information I don't want them to?
Edit
The end result of my plugin will be something like
var data = Querier({
table: "mytable",
columns: {"column1", "column2", "column3"},
where: "column2='blablabla'",
limit: "10"
});
I'm going to let that function make an AJAX request and execute a query in PHP using the above data. I would like to know what security risks this throws up and how to prevent them.
It's unclear from your question whether you're allowing users to type queries that will be run against your database, or if your code running in the browser is doing it (e.g., not the user).
If it's the user: You'd have to really trust them, since they can (and probably will) destroy your database.
If it's your code running in the browser that's creating them: Don't do that. Instead, have client-side code send data to the server, and formulate the queries on the server using full precautions to prevent SQL Injection (parameterized queries, etc.).
Re your update:
I can see at least a couple issues:
Here's a risk right here:
where: "column2='blablabla'"
Now, suppose I decide to get my hands on that before it gets sent to the server and change it to:
where: "column2=');DROP TABLE Stuff; --"
You can't send a complete WHERE clause to the server, because you can't trust it. This is the point of parameterized queries:
Instead, specify the columns by name and on the PHP side, be sure you're doing correct handling of parameter values (more here).
var data = Querier({
table: "mytable",
columns: {"column1", "column2", "column3"},
where: {
column2: {
op: '=',
value: 'blablabla'
}
}
limit: "10"
});
Now you can build your query without blindly trusting the text from the client; you'll need to do thorough validation of column names, operators, etc.
Exposing information about your scheme to the entire world is giving up information for free. Security is an onion, and one of the outer layers of that onion is obscurity. It's not remotely sufficient unto itself, but it's a starting point. So don't let your client code (and therefore anyone reading it) know what your table names and column names are. Consider using server-side name mapping, etc.
Depending on how you intend to do, you might have a hole bigger than the one made in this economy or no hole at all.
If you are going to write the query on client-side, and send to php, I would create a user with only select, insert, delete and update, without permissions to access any other database.
Ignore this if you use SQlite.
I advise against this!
If you build the query on server-side, just stuff to the server the data you want!
I would change the code into something like this:
var link = QuerierLink('sql.php');//filename to use for the query
var data = Querier('users',link);//locks access to only this table
data.select({
columns: ['id','name','email'],
where: [
{id:{'>':5}},
{name:{'like':'%david%'}}
],
limit:10
});
Which, on server-side, would generate the query:
select `id`,`name`,`email` from `db.users` where `id`>5 and `name` like '%david%' limit 10
This would be a lot better to use.
With prepared statements, you use:
select `id`,`name`,`email` from `db.users` where `id`>:id and `name` like :name limit 10
Passing to PDO, pseudo-code:
$query='select `id`,`name`,`email` from `'.$database_name.'.users` where `id`>:id and `name` like :name limit 10';
$result=$PDO->exec($query,array(
'id'=>5,
'name'=>'%david%'
)
);
This is the prefered way, since you have more control over what is passed.
Also, set the exact database name along the name of the table, so you avoid users accessing stuff from other tables/databases.
Other databases include information_schema, which has every single piece of information from your entire databasem, including user list and restrictions.
Ignore this for SQlite.
If you are going to use MySQL/MariaDB/other you should disable all read/write permissions.
You really don't want anyone writting files into your server! Specially into any location they wish.
The risk: They have a new puppy for the attackers to do what they wish! This is a massive hole.
Solution: Disable FILE privileges or limit the access to a directory where you block external access using .htaccess, using the argument --secure_file_priv or the system variable ##secure_file_priv.
If you use SQlite, just create a .sqlite(3) file, based on a template file, for each client connecting. Then you delete the file when the user closes the connection or scrap every n minutes for files older than x time.
The risk: Filling your disk with .sqlite files.
Solution: Clear the files sooner or use a ramdisk with a cron job.
I've wanted to implement something like this a long ago and this was a good way to exercice my mind.
Maybe I'll implement it like this!
Introducing easy JavaScript data access
So you want to rapidly prototype a really cool Web 2.0 JavaScript application, but you don't want to spend all your time writing the wiring code to get to the database? Traditionally, to get data all the way from the database to the front end, you need to write a class for each table in the database with all the create, read, update, and delete (CRUD) methods. Then you need to put some marshalling code atop that to provide an access layer to the front end. Then you put JavaScript libraries on top of that to access the back end. What a pain!
This article presents an alternative method in which you use a single database class to wrap multiple database tables. A single driver script connects the front end to the back end, and another wrapper class on the front end gives you access to all the tables you need.
Example/Usage
// Sample functions to update authors
function updateAuthorsTable() {
dbw.getAll( function(data) {
$('#authors').html('<table id="authors"><tr><td>ID</td><td>Author</td></tr></table>');
$(data).each( function( ind, author ) {
$('#authors tr:last').after('<tr><td>'+author.id+'</td><td>'+author.name+'</td></tr>');
});
});
}
$(document).ready(function() {
dbw = new DbWrapper();
dbw.table = 'authors';
updateAuthorsTable();
$('#addbutton').click( function() {
dbw.insertObject( { name: $('#authorname').val() },
function(data) {
updateAuthorsTable();
});
});
});
I think this is exactly what you're looking for. This way you won't have to build it yourself.
The more important thing is to be careful about the rights you grant to your MySQL user for this kind of operations.
For instance, you don't want them to DROP a database, nor executing such request:
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';
You have to limit the operations enabled to this MySQL user, and the tables he has accessed.
Access to total database:
grant select on database_name.*
to 'user_name'#'localhost' identified by 'password';
Access to a table:
grant select on database_name.table_name
to 'user_name'#'localhost' identified by 'password';
Then... what else... This should avoid unwanted SQL injection for updating/modifying tables or accessing other tables/databases, at least, as long as SELECT to a specific table/database is the only privillege you grant to this user.
But it won't avoid an user to launch a silly bad-performance request which might require all your CPU.
var data = Querier({
table: "mytable, mytable9, mytable11, mytable12",
columns: {"mytable.column1", "count(distinct mytable11.column2)",
"SUM(mytable9.column3)"},
where: "column8 IN(SELECT column7 FROM mytable2
WHERE column4 IN(SELECT column5 FROM mytable3)) ",
limit: "500000"
});
You have to make some check on the data passed if you don't want your MySQL server possibly down.
Ok guys. I've built a web application with some friends that is somehow complex and took us some time to built. It is entirely built using JavaScript
Now the application has some functions which we don't want to readily share with the world(view-source).
The application works by sending an input to an algorithm and receiving the output from that algorithm and displays it on a canvas. (Thats how all functions work anyway:) )
Okay i don't know much about node.js but from what i've heard its server-side JavaScript. Does that mean that i can transfer the function server-side and using POST-GET to send an input and receive an output? All without having the source code of that particular function readily visible to anyone?
Please don't get started about how i should be more worried about doing things better rather than worrying about the safety of our work. I already know that so consider my question as a complimentary safeguard, at least for the time being.
Obfuscation is not a very concrete option since many developers de-obfuscate code just for fun.
This application is not like a hen with a golden egg and i am not being grandiose about this, but i was just having this question in my mind for some time now so i just shoot it here to know in the future how things work.
Thanks guys!
If you're worried about protecting your ultra sweet super secret codes, you could host your app and use a little something called RPC. Remote. Procedure. Calls.
Check out this little guy
https://github.com/deoxxa/pillion
Easy as 1-2-3 or A-B-C or cake or strippers or whatever else is easy
% npm install pillion burro && echo omg that was so easy
DISCLAIMER
I'm about to reveal a super secret greeting function that says hello to our clients. This is ultra secret intellectual IP properties and should not be shared with anyone on the internets.
You could provide the function calls you need using something like this on the server
// server.js
var net = require("net"),
burro = require("burro"),
pillion = require("pillion");
var server = net.createServer(function(_socket) {
var socket = burro.wrap(_socket),
rpc = new pillion(socket);
rpc.provide("greet", function(name, cb) {
cb("hi there, " + name);
});
});
server.listen(3000);
Then on the client side
// client.js
var net = require("net"),
burro = require("burro"),
pillion = require("pillion");
var _socket = net.connect(3000),
socket = burro.wrap(_socket),
rpc = new pillion(socket);
rpc.callRemote("greet", "friend", function(res) {
console.log(res); // prints "hi there, friend"
});
I have created a Story using Open Graph and the object I want to use is called Service, which is really just a Profile but I want the text in the post to say 'service' rather than 'person' (which it does now). I have tried creating a custom object but it seems overly complicated for what I need so I have 2 questions:
Can I create a custom type that simply inherits from Profile that can be created in the same way (using the FB.api javascript method)? I don't want to have to use self-hosted types..
Can I simply re-label person.noun from 'person' to 'service' somehow? I can't see a way to do that..
My code to post the story is:
FB.login(function (response) {
if (response.authResponse) {
var strmessage = 'Some message';
var profileid = 'xxxxxxxxx;
var opts = {
profile: profileid,
message: strmessage,
no_feed_story: false,
'fb:explicitly_shared': true
};
FB.api('https://graph.facebook.com/me/mynamespace:myaction', 'post', opts, function (response) {
if (!response || response.error) {
Result("Your message has not been posted");
}
else {
//Message has been posted
Result("Your message has been posted");
}
});
You're going to have to do the custom object if you want a custom name. And, you're going to have to do it on the FB Developer site and go through the whole approval process and all that. And no, there is no way to do any sort of inherence on this.
FB's Open Graph is pretty simple if you use the built in actions and objects, but as soon as you go down the road of wanting custom names for stuff, you are going to have to go all in with it.
I finally put the time aside to implement a custom action and type. It wasn't the most intuitive process but I got there in the end and my app is now approved and doing exactly what I wanted it to do. I'm actually glad I put myself through this learning process as custom stories have great potential and I'm sure I'll find other applications for them in the future.
I have to integrate Sign-in-with Twitter in my app as below.
https://dev.twitter.com/docs/auth/sign-twitter
It is browser based app developed in JavaScript
I have been refering google code java script OAuth, but im confused how to use oauth/authenticate and how to get the oauth_token
Can any one please help me out with some samples ?
Problem with this is that anyone who views your page can also now view your consumer key and secret which must be kept private.
Now, someone could write an app that uses your app credentials and do naughty and bad things to the point that twitter and users ban you, and there isnt anything you can do.
Twitter do state that every possible effort must be made to keep these values private to avoid this happening
Unfortunately, there is currently no way to use oAuth in Browser based JavaScript securely.
Check out the Twitter #Anywhere JSDK authComplete and signOut events and callbacks at https://dev.twitter.com/docs/anywhere/welcome#login-signup
twttr.anywhere(function (T) {
T.bind("authComplete", function (e, user) {
// triggered when auth completed successfully
});
T.bind("signOut", function (e) {
// triggered when user logs out
});
});
Use below code in consumer.js and select example provider in index.html drop down list
consumer.example =
{ consumerKey : "your_app_key"
, consumerSecret: "your_app_secret"
, serviceProvider:
{ signatureMethod : "HMAC-SHA1"
, requestTokenURL : "https://twitter.com/oauth/request_token"
, userAuthorizationURL: "https://twitter.com/oauth/authorize"
, accessTokenURL : "https://twitter.com/oauth/access_token"
, echoURL : "http://localhost/oauth-provider/echo"
}
};
Since I was searching for the same thing, trying not to use a custom PHP solution, I came across this very simple integration at http://www.fullondesign.co.uk/coding/2516-how-use-twitter-oauth-1-1-javascriptjquery.htm which uses a PHP proxy that accepts whatever twitter api call you'd like to retrieve from your javascript ..
I'm definitely taking a look at it