All I found was for PHP and node.js (which is based on JS, so it should be fine), but I came across this library:
<script type="text/javascript"
src="//media.twiliocdn.com/sdk/js/client/v1.4/twilio.min.js"></script>
What is the relevant JS code to make a "send sms" request?
This is the php I found:
<?php
require __DIR__ . '/twilio-php-master/Twilio/autoload.php';
use Twilio\Rest\Client;
$client = new Client($sid, $token);
$client->messages->create(
'+15558675309', // number to send to
array(
'from' => '+15017250604', // your Twilio number
'body' => "There’s something strange in my neighborhood. I don’t know who to call. Send help!"
)
);
Thanks.
Twilio developer evangelist here.
We don't recommend that you use the Twilio REST API for sending SMS messages within a public HTML page. If you do so, you will expose your account credentials publicly and a malicious attacker could steal them and send messages or phone calls on your behalf, using up your credit and potentially spamming people.
The JavaScript library you found there is for you to use to make phone calls from within the browser using WebRTC. This is built to not leak your credentials as you need to generate a token server side that can be used to authenticate users.
I recommend you check out the SMS quick start guides in a language of your choice to see how you can write server side code to send messages.
I have never built a REST API, so here is my idea.
I have an SQL database with a table holding a name and a description (for this example it is a car name, and its description is fairly simple). I want to create a REST API so that I can consume it in any future application. I thought I would do it in PHP. Now my question: to access this REST API I must use a URL, and this will return the results as JSON. But how is it done so that only my website can use it (in this example I am developing it in ReactJS) and no other site without authorization? I know something about JWT, but I do not know if it is suitable; this web page has no users, it only lets you see these "products". I read something about OAuth 2.0, and I do not know if this is what I am thinking of.
https://blog.restcase.com/4-most-used-rest-api-authentication-methods/
Basic Authentication is probably the easiest. Just google PHP Basic Authentication REST API implementation
There's a very basic old example on php.net in the comments https://www.php.net/manual/en/features.http-auth.php
<?php
// Example from the php.net comments: credentials live in an array, not a database.
$valid_passwords = array ("mario" => "carbonell");
$valid_users = array_keys($valid_passwords);
// These keys are absent when the client sent no Authorization header.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
// Strict lookup plus a constant-time comparison instead of a loose ==.
$validated = in_array($user, $valid_users, true) && hash_equals($valid_passwords[$user], $pass);
if (!$validated) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
die ("Not authorized");
}
// If it arrives here, it is a valid user.
echo "<p>Welcome $user.</p>";
echo "<p>Congratulations, you are in the system.</p>";
?>
But the above is not using a database to store the user login and a hashed password; it just stores them in an array. Still, it would be very quick to prototype your authentication this way before making something a bit more complicated.
Here's another basic example along the same lines
https://gist.github.com/rchrd2/c94eb4701da57ce9a0ad4d2b00794131
So with this setup, if you're sending a GET request to your REST API endpoints to get the JSON, you would also need to include the username/password in the HTTP request headers; otherwise you would get the 401 Not Authorized response instead of the JSON.
See the answer here for how you would code the GET request from your PHP to call the REST endpoint
"How do I make a request using HTTP basic authentication with PHP curl?", or this one also has a good example: "PHP: how to make a GET request with HTTP-Basic authentication".
What is the best way to check that the Twilio auth_token and account_sid are correct, that SMS can be sent, and that the number is valid? Some call which doesn't cost extra credits?
E.g. I see https://www.twilio.com/docs/api/rest/usage-records in the RESTful documentation but can't find how to get the same thing with the JS SDK. I can't see a dedicated endpoint for config checking, so I am looking for anything else.
Environment: NodeJS 8.9
Twilio developer evangelist here.
Most API calls to the Twilio REST API don't cost, particularly those where you retrieve a resource or list resources. Since you mentioned SMS you could, for example, list your latest messages like this:
const accountSid = process.env.TWILIO_ACCOUNT_SID; // keep credentials out of source control
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);
// Listing resources is free; an authentication error here means the SID/token pair is wrong.
client.messages.list({ limit: 10 })
.then(function(messages) {
console.log("Everything is good!");
})
.catch(function(err) {
console.error("Something went wrong: ", err)
})
Take a look through the API reference and pick one that takes your fancy.
Using the JS SDK might be insecure here. Because of that, I think they didn't include a method in the JS API that would present the account_sid and the auth_token to the user, which could be exploited. I assume you can use a server bridge between your client JS and the Twilio API, like this:
Client makes a JS AJAX request to http://my.domain.tld/checkstatus
Server connects to the Twilio API with C#, PHP, NodeJS or whatever tech it uses
Twilio returns that the credentials and tokens are still valid or expired
Server prepares the client response as true/false or 0/1
Client reads the status and continues or redirects somewhere else.
Edit: There's a GET method here which you can also use with a JS AJAX call:
https://www.twilio.com/docs/api/rest/usage-records#list-get
which is requested by this format:
/2010-04-01/Accounts/{AccountSid}/Usage/Records/{Subresource}
I am creating a SPA blog website with PHP/MySQL and a Javascript frameworks, still haven't decided which one yet.
The idea is that I am willing to create an API and consume it using Javascript, but I want to protect the API, so that no one can access /posts/ for example and get a list of all the posts.
I am not requiring any registration and I don't have a users system.
How would I go about it?
Thanks
You might be able to hard code whitelisted IP addresses, but as Steve pointed out in the comments: it's either public or it's not.
I'd go with some little registration functionality that generates API-keys that can be used to access your API.
It has been pointed out that a public API is public; however, there are some steps you could take to make it more difficult for consumers other than your UI to access it.
The problem is akin (though not the same as) Cross Site Request Forgery, and you can use a variation of any of the prevention techniques listed to mitigate unauthorized access to your API.
The simplest implementation might be something like this:
index.html
<?php
session_start();                    // $_SESSION is empty without this
$mytoken = uniqid();                // uniqid() is time-based; random_bytes() gives an unguessable token
$_SESSION['token'] = $mytoken;
?>
<input type='hidden' name='apitoken' value='<?= $mytoken;?>' >
some-api-endpoint.php
<?php
session_start();
if (!isset($_SESSION['token']) || ($_GET['apitoken'] ?? '') !== $_SESSION['token']) {
header("HTTP/1.0 403 Forbidden", true, 403);
exit;                               // stop here, otherwise the data below is still served
}
If someone wants to access your public API, they will be able to, but they will have to put forth at least a little bit of effort to do so.
Using a JWT service will work just as well.
Have a look here: introduction to JWT
You can also use an api key and secret which will be passed on initial session auth for your service.
Here's a Stackoverflow answer that helps explain what you'll need to do: key and secret in php
If you're really lazy, you can just use basic authentication or digest auth to auth on the client side. (This is not advisable and has security risks as if you're not using ssl the passwords are passed as plain text in the request)
Another article for your information: PHP HTTP Authentication
How do I use the latest captcha from Google with node.js?
I know how to use this (explained here), but I don't know how to use the latest captcha on the server side with node.js.
Only on the client side:
Adding this (client-side):
<script src='https://www.google.com/recaptcha/api.js'></script>
<div class="g-recaptcha" data-sitekey="public_key"></div>
For the server side, they write:
If your users send the form with integrated reCAPTCHA, you will receive, among other things, a string containing the name "G-recaptcha-response". If you want to find out if Google has verified the user in question, send a POST request with the following parameters:
URL: https://www.google.com/recaptcha/api/siteverify
secret (needed) ...
Response (required) value of 'g-recaptcha-response'
remoteip The IP address of the end user
On the reCAPTCHA documentation website you will find more information and advanced configurations.
The problem here is, I don't know how to do this securely with node.js and by the way I could not find "G-recaptcha-response" in the response.
Can you give me information on it?
I am using Express.js and handlebars.js.
I'm writing a Nodejs app that needs to be able to send email. So far, I've used Postfix in conjunction with a Nodejs module called Nodemailer to send my email through Amazon SES.
Postfix has been handling the DKIM signing, but now I wish to get rid of postfix and just use Nodemailer to send emails through Amazon SES.
My only problem now is finding a way to sign emails within Nodejs. I've thought of running an opendkim command using "exec" in node but haven't been able to figure that out. From searching, there look to be no modules for this either.
Can anyone help me on this?
The latest version of Nodemailer supports DKIM signing out of the box, also tested with SES.
var fs = require("fs");
var nodemailer = require("nodemailer");
var transport = nodemailer.createTransport("SES", {
AWSAccessKeyID: "AWSACCESSKEY",
AWSSecretKey: "AWS/Secret/key"
});
// all messages sent with *transport* are signed with the following options
transport.useDKIM({
domainName: "example.com",
keySelector: "dkimselector",
privateKey: fs.readFileSync("private_key.pem") // the public half is published in DNS at dkimselector._domainkey.example.com
});
transport.sendMail(...);
You can find at https://gist.github.com/2198497 an implementation I developed to DKIM-sign mails sent through SES. It's heavily inspired by the PHP implementation by Ahmad Amarullah found here: http://code.google.com/p/php-mail-domain-signer/. I'm well aware the code is far from clean, but it should help you get started. The mails sent through it are considered correct by Gmail and Yahoo. Don't hesitate if you have questions / can't get it to work.