I have a browser extension (google chrome) that fetches and displays some public tweets, based on user input.
I've been using the Search API just fine, but according to the API changes, I have to migrate to API v1.1 where authenticated requests via oauth is required.
I have no previous experience with oauth, but it seems like a bad idea to implement it in pure client-side javascript, as the consumer key/secret will be exposed.
If I implement the authentication via a browser npapi/ppapi plugin, will it provide the needed security ? or does this mean that I have to dump this project and simply move on ?
Thanks.
You need to obtain an access token so that you can read data on behalf of your users. This involves implementing Twitter's 3-legged auth, which is very similar to implementing Twitter sign in (which thankfully is well documented).
The link below will take you to Twitter's overview of the differences between the two approaches to authenticating. From there you can get to the code samples that you'll need to implement this securely yourself.
https://dev.twitter.com/docs/auth/3-legged-authorization
Related
I need to access the active version on SAP Cloud Platform of HTML5 apps through an api.
I know for the java apps you have the lifecycle api: doc
But you can't access HTML5 information with this API.
What I found is this service: https://account.hana.ondemand.com/ajax/getHtml5AppDetails/{subaccountName}/{appName}
This will return a JSON string with the required info, but I'm not authorized to access this page, although I have all the possible admin rights.
So I'm wondering If any of you has any idea to solve my issue, and other people's issues.
Well, we needed something similar and used this kinda hack to get the active versions via WebIde Api (need basic Auth to login) replace XXXX with your account
https://webide-XXXX.dispatcher.hana.ondemand.com/api/html5api/accounts/XXXXX/applications
You get back a json array with all your applications of that sub account, including active version and other interesting information
Hope it helps ;))
Regards Mathias
You could create a HTTP Proxy Servlet based on https://github.com/SAP/cloud-connectivityproxy that provides read only access to https://dispatcher.hanatrial.ondemand.com/hcproxy/b/api/accounts/<subaccount>/applications/<app> for your app.
I'm working on a PhoneGap project using Ionic. It's basically a chat app, so I need the user to be able to register, login and send messages using a backend API on my server. Naturally this needs to be secure, so I'm wondering what the best way to securely communicate with an API endpoint is, when using a AngularJS and PhoneGap.
Ideally, it should not require a server cert, as currently I don't have the funds to purchase one. In previous projects, I used a method where each account was assigned an ID, and a hash consisting of a secret + their ID, which had to be included with each request to ensure that the user couldn't forge requests from another ID, however I don't know how secure this method is.
Any tips, suggestions or read material would be really appreciated. I understand this question sounds subjective, so if possible please answer based on facts, security disclosures and any documentation on methods.
I know the solution to all your needs and it is called Firebase.
How your requirements will be met by firebase:
1. You are using Ionic to build your hybrid app(you are cool!) and that means AngularJS.. Firebase has the perfect library called AngularFire, that uses AngularJS to interact with the firebase servers.
You are building a chat app, awesome! Firebase has real time syncing between your app and database. That is a lot of work saved for you by Firebase (Claps).
You need to register users, Firebase has super easy user register management(both OAuth and manual registration)
Security! It is super important and Firebase has you covered even here. Implementing user level security is super simple using some simple json format security rules. I will quote this from the site "The safety and security of your data is our top priority. Firebase requires 2048-bit SSL encryption for all data transfer and allows you to restrict reading and writing via granular access controls and custom authentication.
All data is replicated and backed up to multiple secure locations."
It is free(upto some level. Do some research about it, I am not sure).
Your basic id + hash security measure is not bad at the same time not perfect or dependable. Firebase has you covered here through simple login and read/write rules and as well as some closed sourced security.
I want to display the number of times a video has been viewed using the core reporting API via Javascript. However, the API is designed with OAuth, for building applications and not just logging into my account to get the event count.
Is there a way to login for just my account via Javascript?
Thanks,
Matthew.
I think what you are looking for is a Service account. To my knowledge you cant use a Service account with JavaScript due to security issues with the key file.
What you could try and do is to authenticate the script once using normal Oauth2 then save the refresh token to the file and hard code that into your script and send that. But I wouldn't recommend it as then anyone that checks your script will also be able to access it. So basically you have the same security issues you had with using a Service account.
As you can see doing what you are trying to do with JavaScript isn't really going to work. As you can see this is something I have also tried unsuccessfully in the past to do. I recommend you try and do this with some kind of server sided scripting language, like PHP.
I'm trying to create a webpage that can incorporate LinkedIn info's (profile,people,company, etc...).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following
*Name, Company, Email
*List of LinkedIn messages that are waiting for reply
The same process goes on everytime the user adds a profile, I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieved this? Opinions and Suggestions are highly appreciated tnx
This is far to broad a question for me to invest the necessary time in to figure the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the linkedin API not all the data you wish to access is available (do double check this though, I used the API quite awhile back and stuff might have changed in the meantime). As this data is not available through the API the only alternative would be to somehow bypass the cross domain policy, which in conclusion would require the user to install a chrome extension/firefox plugin which will function as a proxy for your application or even 'better', make you entire application a browser plugin based web app. Not that I am a fan of those whatsoever but if you application is meant in any way whatsoever as a linkedin (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long winded and requires a large amount of development time. Alot of the data is not accessible directly or indirectly too. You cannot get email address's out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for oAuth2 connections with the linkedin API service. People will log onto your website, click to join their linkedin account with your website and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The linkedin API documentation (http://developer.linkedin.com/) isn't greatly indepth but it gives you a good understand and points you where you need to go. There are also a couple of pre-done php API's around such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many API's from twitters, facebooks and LinkedIn's and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.
About to open up a public api with OAuth access, no problem with that. Main site uses the api but with basic authentication instead (restricted for our internal ip range)
Next step is to plan a mobile application but how should one handle authentication there?
First thought was to create a special log in screen just for our appid to make it look like authentication (instead of authorization) but it would not be very hard to revers engineer our appid.
How does (for example) facebook handle log in within the facebook iphone app?
Look and feel says they're using authentication but if so, how do they keep others from using it?
Suggestions appreciated.
I think you will find your answer in this document, and particular paragraph:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-07#section-5.2.3.4