I have a little question about possibilities to change authentication on my C# server from Login\Password to PHP session. I am using PHP, HTML5, and JavaScript as client side, and C# server with WebSockets lib as server side. I already have authorization code, but it works only with login and password.
Well, I have the same authentication code, that checks login & password via PHP. But how I can authorize client on C# server, by using WebSockets with PHP session, instead account login & password?
Little pic:
Is this possible? And any piece of code, demo, etc. for it?
Genreate an access token that your c# server can validate. This is how i would implement it:
share a secret between your PHP and C# server (e.g. 64 randcom bytes)
When PHP validates the user/login, generate a token: it contains random characters, the user ID and a signature that was created using the shared secret. E.g. something like this:
$random = base64_encode(mcrypt_create_iv(32));
$token = $random . '_' . $userID . '_' . hash_hmac('sha256', $random . '_' . $userID, SHARED_SECRET);
The C# server can then verify this token by calcuating the HMAC signature from $random and $token with the shared secret. If correct, the C# server can work with the $userID and the MySQL databse.
As long as you pass the token to your JS code via https, you should be secure.
P.S.: You can improve the security of this scheme by adding an expiration date to the token and make your JS code request a new token in time. Dont forget to include the expiry in the signature.
Related
This question already has answers here:
How to send an email from JavaScript
(20 answers)
Closed last month.
I need to send emails in a front-end application that I'm using Vue.js, I would like to know if it's possible to send mail only with Javascript .. or do I need a server-side language for this? Thank you!
No you can't send an email directly with javascript. But you can open user's mail client like this:
window.open('mailto:abc#example.com?subject=subject&body=body');
Where subject and body are optional parameters.
I found it here.
It is possible but not practical. You can use smtpjs.com.
After you setup all the information, add these to your html:
HTML -> Head:
<script src="https://smtpjs.com/v2/smtp.js"></script>
JS
Email.send("from#you.com",
"to#them.com",
"This is a subject",
"this is the body",
"smtp.yourisp.com",
"username",
"password");
If you don't want to send your credentials over http, there's also a way to encrypt it as well.
You can encrypt your SMTP credentials, and lock it to a single domain, and pass a secure token instead of the credentials instead, for example:
Email.send("from#you.com",
"to#them.com",
"This is a subject",
"this is the body",
{token: "63cb3a19-2684-44fa-b76f-debf422d8b00"});
All E-mails are sent through some kind of server so you would either need to use an API online or host a server where you could send and receive mail (Gmail's API requires you to host a server).
No, you can't send emails from javascript or Html client-side because it generates the OTP page which is must be verified then it must be a server or use any third-party API by which you can send the email.
In theory no, you can not. However, there are options nowadays to send e-mail from the client side using third party services such as FormSpree and EmailJS.
I have a dApp where you login with your Elrond wallet and you generate a signature (containing the wallet address and some more data).
While making requests to an endpoint, I pass the signature on payload and I need to verify it on the backend (so you can't change the wallet address and make requests on someone else's behalf).
I am using PHP with Laravel Framework.
How can I verify the signature on the backend and get the wallet address?
i've written a Laravel SDK for Elrond that can help you with that, or you can copy the logic from: https://github.com/Superciety/elrond-sdk-laravel
note: it's still work in progress & mostly undocumented - i'd welcome any contributions
to verify signatures coming from your dapp, you'd use it this way:
$isValid = Elrond::crypto()->verifyLogin($token, $signature, $address);
where $token is an arbitrary string unique to the user's session to avoid replay
This question already has answers here:
How to send an email from JavaScript
(20 answers)
Closed last month.
I need to send emails in a front-end application that I'm using Vue.js, I would like to know if it's possible to send mail only with Javascript .. or do I need a server-side language for this? Thank you!
No you can't send an email directly with javascript. But you can open user's mail client like this:
window.open('mailto:abc#example.com?subject=subject&body=body');
Where subject and body are optional parameters.
I found it here.
It is possible but not practical. You can use smtpjs.com.
After you setup all the information, add these to your html:
HTML -> Head:
<script src="https://smtpjs.com/v2/smtp.js"></script>
JS
Email.send("from#you.com",
"to#them.com",
"This is a subject",
"this is the body",
"smtp.yourisp.com",
"username",
"password");
If you don't want to send your credentials over http, there's also a way to encrypt it as well.
You can encrypt your SMTP credentials, and lock it to a single domain, and pass a secure token instead of the credentials instead, for example:
Email.send("from#you.com",
"to#them.com",
"This is a subject",
"this is the body",
{token: "63cb3a19-2684-44fa-b76f-debf422d8b00"});
All E-mails are sent through some kind of server so you would either need to use an API online or host a server where you could send and receive mail (Gmail's API requires you to host a server).
No, you can't send emails from javascript or Html client-side because it generates the OTP page which is must be verified then it must be a server or use any third-party API by which you can send the email.
In theory no, you can not. However, there are options nowadays to send e-mail from the client side using third party services such as FormSpree and EmailJS.
All I found was with php and node.js (which is based on js, so it should be fine), but I got across this library:
<script type="text/javascript"
src="//media.twiliocdn.com/sdk/js/client/v1.4/twilio.min.js"></script>
What is the relavant JS code to make a "send sms" request?
This is the php I found:
<?php
require __DIR__ . '/twilio-php-master/Twilio/autoload.php';
use Twilio\Rest\Client;
$client = new Client($sid, $token);
$client->messages->create(
'+15558675309', // number to send to
array(
'from' => '+15017250604', // your Twilio number
'body' => "There’s something strange in my neighborhood. I don’t know who to call. Send help!"
)
);
Thanks.
Twilio developer evangelist here.
We don't recommend that you use the Twilio REST API for sending SMS messages within a public HTML page. If you do so, you will expose your account credentials publicly and a malicious attacker could steal them and send messages or phone calls on your behalf, using up your credit and potentially spamming people.
The JavaScript library you found there is for you to use to make phone calls from within the browser using WebRTC. This is built to not leak your credentials as you need to generate a token server side that can be used to authenticate users.
I recommend you check out the SMS quick start guides in a language of your choice to see how you can write server side code to send messages.
I have two domain names (in two hosting locations). Domain 1 is a normal website with authentication. I am using Domain 2 as a place to just upload files (for storage). I am using angular-file-upload https://github.com/danialfarid/angular-file-upload from client side.
My backend code is super simple and it is current working .. but without any form of authentication.
<?php
header('Access-Control-Allow-Origin: *');
$fname = $_POST["fname"];
if(isset($_FILES['file'])){
//The error validation could be done on the javascript client side.
$errors= array();
$file_name = $_FILES['file']['name'];
$file_size =$_FILES['file']['size'];
$file_tmp =$_FILES['file']['tmp_name'];
$file_type=$_FILES['file']['type'];
$file_ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
$extensions = array("jpeg","jpg","png", "gif");
if(in_array($file_ext,$extensions ) === false){
$errors[]="image extension not allowed, please choose a JPEG or PNG file.";
}
if($file_size > 2097152){
$errors[]='File size cannot exceed 2 MB';
}
if(empty($errors)==true){
move_uploaded_file($file_tmp,"images/".$file_name);
echo $fname . " uploaded file: " . "images/" . $file_name;
}else{
print_r($errors);
}
}
?>
Questions:
How to make sure the user is authenticated in Domain 1 before they can upload files? I mean I could just change Access-Control-Allow-Origin but someone can easily go to Chrome Developer and do a POST upload from custom javascript.
Is there a way to do #1 without getting overly complicated? Is it possible to pass some cookie values?
I have full control of both hosting sites so I can do whatever I want.
Sharing a common secret
One way is to share a secret, wich is only known to Site A and Site B.
Suppose Site A and Site B know a common complex and non-predictable string salt [randomness source].
If Site A authenticates a user, A creates a random string rndA, a valueThrough timestamp and then computes a hash like so:
sharedHash = hash( rndA + salt + valueThrough )
Site A hands over this tuple to the client: [ sharedHash, valueThrough , randA ]
The clients hands over this tuple to Site B
Site B then verifies the client's rights using the same hash() operation.
If B computes the same sharedHash and the current timestamp is still smaller than valueThrough, client gets authenticated.
Letting Site A and Site B talk to each other
Alternatively, Site A and Site B might talk directly to each other:
Site A hands over a security token to the client
Client hands over the security token to Site B
Site B then verifies the token by directly talking to Site A
While this technique requires reachability of Site A <-> Site B, the former technique even works, if Site A and Site B can't exchange HTTP-requests directly.
In both cases Generating cryptographically secure tokens might be of interest.
Other and stronger techniques certainly exist.
How's about sharing session in db like redis or mongodb?