I am developing a web app and I'm using Firebase for that. Since I do not have a domain name yet, I'm trying to use my localhost. I can see localhost in OAuth redirect domains. Also the initializing part is working fine.
But when I create a user using firebase.auth().signInWithEmailAndPassword it shows [HTTP/2.0 400 Bad Request 447ms] when posting to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword.
I'm new to web app development and Firebase web as well. Somebody please help me to do this using my localhost.
Thank you
You can create a user using firebase.auth().createUserWithEmailAndPassword(email, password). The email must be in a valid format. Don't forget that the password must be strong enough. Firebase returns auth/weak-password error code when using a weak password (less than 6 chars).
See also:
https://firebase.google.com/docs/reference/js/firebase.auth.Auth#createUserWithEmailAndPassword
Related
I am trying to integrate docusign with a React Native app I am building. My desired workflow is to have the user launch a remote signing envelope based on a template.
From the Node JS examples, eg009 seems to be the end result I am after. However, I am wanting to complete this with Axios/Fetch and Javascript.
My intended flow is to have the user enter in their name and email, and their spouses name and email. From there they press a submit button which sends the API call, and that is the extent of what the app does.
I am wanting the API call to then start the template flow, sending a document to sign via email to both that were entered into the app. I want the users to authorize themselves from the email, not the app. After both parties have signed, I want it sent to a third static email.
I do not want the users to have to authorize inside the app or be redirected anywhere. It seems a JWT would be best.
Does this seem possible? How would you suggest going about this?
I appreciate the help!
Looks like the JWT grant flow is the right fit for you here. Please see this article for more details: https://developers.docusign.com/platform/auth
There's no good solution for running DocuSign API calls from client as a result of CORS limitations.
Larry has some blog posts on this topic - https://www.docusign.com/blog/dsdev-building-single-page-applications-with-docusign-and-cors-part-2
You could use something like AWS lambda which is not a server per-se, but gives you server capabilities without the hassle of a server.
Check also the latest blog by Larry on this topic which superficially covers using React for single-page apps.
I'm new to Django and JavaScript, so please forgive me if this is an obvious question.
What is the best way to authenticate users?
I can only find posts about using this which doesn't support django 2.
Thanks for your help.
django-rest-framework provides several solutions for authentication. I recommend to read carefully the docs : http://www.django-rest-framework.org/api-guide/authentication/
I've already used Token authentication on several projects and it works fine:
You need to install the rest_framework.authtoken app in your project. This app is provided with django-rest-framework
Then you need create a token for every user. There are several ways described in the docs.
On the client side, you need to implement a login form. Your backend will check user and password and gets back the user token.
Then you can pass this token in the header of every request:
Authorization: Token value-of-the-token
Make sure to use https if you use Token authentication.
I have been looking for an open google api to get google authentication token by using a user's google username and password. I have came across google-auth node package. And according to it, I first need to log in to create a project in google developer console and then use the key to access the information.
But I want to know whether there is any open api where I can directly pass the username and password, without creating any project in google developer console. And get the authentication token as part of response.
This is my first project using google apis, so if it sounds naive please let me know the right way of authenticating a google account user using a node project.
Sorry, I can't provide any code, as I am stuck at understanding the initial part itself, about how to authenticate different users.
Thanks in advance
You can't use google or any social login, without first creating a project and using it's api key.
That is just how oAuth is designed.
I am currently writing a NodeJS application based on Sails.JS, and I'm using ntlm-express for NTLM authentication. This works perfectly fine when the authentication succeeds but in cases where it fails (for example, a Firefox user entering wrong credentials) ntlm-express returns a 500 error code, FireFox stores the credentials in its cache and the user is unable to login to the web app at all, since he's not getting a new prompt to enter credentials. The only way for the user to log in is to manually clear the authentication cache in FireFox and try again.
What I'd like to do is in cases where ntlm-express fails to authenticate the user, to prompt him again for credentials instead of returning 500.
Has anyone done something like this and can point me in the right direction? I found very little information online regarding this topic...
For anyone who runs into a similar issue, I managed to solve it by overriding the express-ntlm forbidden function to return a 401 instead of of 500 and editing the default Sails unauthorized.js response to also return a "WWW-Authenticate: NTLM" header.
That way I am forcing the client to retry NTLM negotiation until he gets it right...
When I use Facebook's JS SDK to authenticate my app (using FB.init method) all I need is my App ID. It does not require my app secret and/or app key.
However when I used PHP SDK, it required my app secret (atleast the example I used to learn used the app ID and app secret both).
Is it secure and recommended to use the JS SDK for authentication ? How really does the authentication flow happen with the JS SDK ?
Thanks,
Vineet
I'm looking into how secure the authentication is also - I think things have changed since you asked this q, so perhaps this information was not correct when you asked.
The new version of the JS SDK uses OAuth 2.0. This is well documented - check out the OAuth 2.0 site for details.
Regarding the issue of whether the SDK needs the app secret - I'm having a little bit of confusion relating to this. On the app server side, the libraries indicate that the JS SDK signs the cookies using the app secret (see the function get_user_from_cookie in the facebook-python sdk) - however, it's completely unclear to me how the JS SDK can know the app secret. I'm guessing that it can obtain it dynamically from FB when it talks to FB directly in the authentication process, but I'm not sure.
(Edit: I think that the JS SDK gets the cookie signed with the app secret directly from FB - the JS SDK never knows the app secret).
Not fully answering your q, but perhaps shedding a little more light on how this works.
Another issue to be wary of is not to use the FB user object you get from the client for anything on the server side. This is because it would be really easy for someone make a script which instead of calling fb.api '/me' would send a "fake" JSON user object with another users ID to your app. If you're doing any kind of server side processing of the user then you really need to do some kind of server side authentication as well I think.
It's NOT safe, this is why you have the "Verify Fields" and "Not Verifying the Signature" paragraphs in the Advanced Registration document:
When you request facebook data, we
verify the form fields before
packaging them up in the
signed_request. This lets you assume
that all the data is genuine and saves
you from having to verify things. The
one problem that could arise, is a
smart attacker could change the form
fields and submit them to you, thereby
giving you unverified data.
Read that document for more information, I've also wrote a tutorial (an introduction about the plugin) and showed how to handle the fields attribute coming from client-side.