im making a webservice in JSON to get the user data. for example i pass the user id and get the address of that user or i pass the user id and i get his favorites.
for example:
<script>
$.post('http://www.example.com/webservices/get-address.php', {
userid: "13"
}, function(data) {
$.each(data, function(index) {
alert(data[index].address);
});
}, "json");
</script>
but anyone could change the userid: 13 for userid:14 and get the address of other user.
(i cant use PHP on Mobile APPs so i cant use $_SESSION['id'], i will use localstorage to store the user id)
maybe i should mask the user id with a md5() so they cant guess the "user id" of other users?
which is the correct way to do it?
You need a session cookie. They are negotiated when you visit and log in and are trackable. Also, you should use ssl to avoid sniffing of data.
You need to track your session id at the server end somewhere and link it to the user, so if they ask for a user they aren't allowed to see, you return a 4xx code informing them that they aren't allowed to access that resource.
You could use a tripcode as some anonymous boards do, but then you're more limited to providing the facility to see groups of people etc.
Related
I'm creating a tampermonkey userscript that sends a POST request from a website containing the user's high score. Something like this for example:
$.post('https://example.com/scores', {
id: 123, high_score: 999,
});
However, the issue is it's very easy for users to forge a fake score and send their own POST request with a fake high_score. Would there be a way to somehow authenticate these requests so I could differentiate between real requests from my userscript and forged fake ones from users? Perhaps some encryption/decryption?
you can add a hidden input into your page with a nonce (number only used once it can be generated based on the platform you are using (unique identifier)) value in it, when you send the post read the value and add it to you post body, on the server side you check if this nonce exists in the database then this post is authentic otherwise it is not.
On your back end you could save this nonce with the session if you have sessions, this is an example
<input type="hidden" value="your-nonce" id="your-id">
<script>
let nonce = $("#your-id").val();
$.post('https://example.com/scores', {
id: 123, high_score: 999,nonce
});
</script>
I have everything working for the views/sender, and I have envelopeId/recipients working - so I know every piece of data that I think I need.
In my envelope I have 2 inPersonSigners. The first is a "client" always, and the second is an employee, always.
I have the UserId, RecipientGuid, RecipientId, UserName, etc. Since these are In Person AND Embedded signers, they do not have email addresses.
I have been unable to get the recipient view to return the URL because the "UNKNOWN_ENVELOPE_RECIPIENT" OR "INVALID_ENVELOPE_RECIPIENT" errors I am receiving with every combination of data I have tried.
In the documentation it states you only need the clientUserId or a userName and Email combination. I have tried a variety of these, and still cant get the in person, embedded signing recipient view to return the correct response. 100% of the time it is an envelope recipient invalid error. I have tested every combination I can think of in postman and code;
inPersonSigners
[0]
clientUserId:"SomeoneHelpfulsomeonehelpful#stackexchange.com"
hostEmail:"someonehelpful#stackexchange.com"
hostName:"StackExchange User"
note:""
recipientId:"1"
recipientIdGuid:"xxxxxxxx-xxxx-xxxx-b65d-3bb23fbf8860"
requireIdLookup:"false"
roleName:"1"
routingOrder:"1"
signerEmail:""
signerName:"Test Testeroni"
status:"sent"
userId:"xxxxxx-xxxx-xxxx-913e-c347a9f2dafd"
I just need to be able to take the data above, post to /views/recipient and get the response url.
I think the problem is that when this document template is being created, via Drawloop ->Docusign, there is no Email being passed, but there is a Name and clientUserId. Hopefully its something simple that I have missed after looking at the same thing for hours.
The below sample invocation/POST would work. I did notice that your clientUserID resembles an email# - typically this value is in a GUID format. Something to keep in mind.
POST
https://demo.docusign.net/restapi/v2/accounts/459963/envelopes//views/recipient
{
"authenticationMethod":"email",
"username": "StackExchange User",
"email": "someonehelpful#stackexchange.com",
"returnUrl":"http://www.something_you_provide.com",
"clientUserId":"SomeoneHelpfulsomeonehelpful#stackexchange.com"
}
As a project, I want to learn how to create an email tracker that generates a unique pixel, tracks open rates in JavaScript (MeteorJS).
Does anyone have any resources I can look into to accomplish this? I know ToutApp does this in PHP and found similar tutorials in PHP but nothing in JS.
Cheers!
Use Iron:Router's server-side routing to track when a user clicks on something like /emails/ew45gf23. The ID in the URL could be the _id from the collection that stores all the emails sent, e.g. EmailsSent.findOne({_id: _id})
Router.route('/emails/:_id', function () {
var emailClicked = EmailsSent.findOne({_id: _id});
... do whatever you need to with the tracking ...
this.response.end('email click received\n');
}, {where: 'server'});
Using this method, facebook will return an object of the user's liked pages
FB.api('/me', {fields: 'gender, first_name, last_name, email, likes'}, function(response) {
console.log(response);
}
result
email: "ariel#dropbox.com"
first_name: "Ariel"
gender: "female"
id: "178006027123671"
last_name: "Yeung"
likes: Object data: Array[2]
However, I only want to get the object whether this user is liking my facebook page
As https://developers.facebook.com/docs/graph-api/reference/user/likes describes, you can ask whether the user likes a certain page using
/me/likes/{page_id}
Since you are asking for specific user fields already, you probably don’t want to make a separate API call for that – but you can fit it in there as well, using field expansion:
/me?fields=gender,first_name,last_name,email,likes.target_id({page_id})
If the user likes that particular page, you get a likes property in the response data.
(Not sure if that works using the syntax you are using currently as well, passing the fields via object, but you can simply try: {fields: 'gender, …, likes.target_id({page_id})'} … let us know if that works, thanks.)
Edit: Although this will still work, as long as you get user_likes permission from the user, Facebook will not approve the use of that permission for this singular purpose. Like Gating in any way, shape or form is not allowed any more.
You canot get the list of users liking you page via graph api. So, you can not check wether or not a user has like your page directly.
You already have the likes of a user, just loop through them and check that your page is liked or not.
I'm working on an internal web app and we are using secure query string keys generated server side for some simple security to prevent users from accessing pages they haven't been given access to. The page I am currently working on grabs data via AJAX calls and renders it in a table on the page. Each row has an edit button that will take the user to an edit page with more information, with the id of the row kept in the query string. Since every row id is unique, the key for every edit page will be unique to that row-user combination.
My problem is that I need to be able to get these secure query string keys from the server in some way that allows the JavaScript to redirect the user. I can't move the key generator client side because that opens up the possibility of users generating their own keys for pages they don't have permission to visit. And similarly I can't expose the generator in a web service.
Basically what this boils down to is I am stumped in finding a way to send data from the client to the server in order to generate a secure key and then redirect the user to the new page.
Not exactly sure if I am being 100% clear but I'll edit this as questions come in.
Your question is a little unclear, but PageMethods might work for this:
[WebMethod]
public static string GetSecureID()
{
return "Secure";
}
clientRedirectSecure = function() {
PageMethods.GetSecureID(onSuccess, onFailure);
}
onSuccess = function(result) {
window.location.href = "somepage.aspx?id=" + result;
}
onFailure = function(error) {
alert(error);
}
Here's an article that discusses PageMethods:
http://blogs.microsoft.co.il/blogs/gilf/archive/2008/10/04/asp-net-ajax-pagemethods.aspx