Streamlined way to validate website ownership (with javascript?) - javascript

I have a rails app which requires users to verify that they own a website before submitting links from that site.
I have implemented a website verification system that works thanks to the answers given to a question I made several months ago. This system works but it is rather cumbersome for users. It requires them to create a web page on their site with a specific verification key for a url. I feel like I'm asking the user to jump through a lot of hoops just to submit their pages to my site. Site verification is vital, however, and I can't let go of this feature, however cumbersome.
I'm looking to create some javascript code that will help validate websites. When users install the plugin, all they would then have to do is click "verify" on the web app, and all the work is done for them. They don't have to go through the chore of creating a new web page and deleting it.
I have a faint idea of how to get started...
Step one: the javascript code to be placed on the website (simplified version of google analytics code):
"<script type='text/javascript' id="THE VERIFICATION CODE GENERATED BY THE RAILS APP">
(function() {
var secondScript = document.createElement('script');
secondScript.type = 'text/javascript';
secondScript.src = 'http://www.mywebapp.com/verify.js';
var firstScript = document.getElementsByTagName('script')[0]; firstScript.parentNode.insertBefore(secondScript, firstScript);
})();
</script>"
In the second script(verify.js):
//find some way to ensure that the first script has an id of "VERIFICATION KEY"
//if so, return some data that the rails app can understand and verify the site
Any ideas?

That's a REALLY interesting problem, but I don't know if there is a good solution in the way you're looking for. In other words, I don't think you can create some sort of automated utility to upload the script in step one.
You can't assume they have FTP access, or SSH access; some web hosts might disallow those things. You can't assume they have some sort of 'package' installed to communicate with, or even the ability to install such a thing.
One thing that might work (but still has its own set of issues) is to do a whois lookup and email the owner of the site on record with a confirmation link... Of course that's assuming the whois is listed and they didn't provide a dummy email.
Google accounts checks for domain ownership by doing the file upload thing, or letting the user create a custom subdomain (CNAME) on the site. Of course, if your users are having issues uploading a single file, the CNAME thing is probably right out.

There are other ways to verify ownership of website. Many companies will send an e-mail to the registrant of the domain. Create a file with a certain name. Put a piece of specific text into the header of the index page. I think the way you're attempting above is more complex than it needs to be. It's pretty easy for any webmaster to create a file with a certain name and with certain content. I've done it many times for different tools.
Don't sweat it :-)

Related

Hosting a Javascript Source File on to Firebase

I am new to Firebase and thus I am asking this question. Also, I searched something similar to this question, tried them but failed. Thus when writing the reply, it would be great, if someone can add even the significance of the steps.
I have developed a chatbot and code at the following url being loaded when I use the web widget provided by the framework:
http://www.buildquickbots.com/botwidget/v2/demo/static/js/sdk.js
Every time user clicks on the webwidget, the above url gets opened which I doesn't want to happen. Thus I planned to host the code at the above url on to Firebase so that when user clicks on the widget something like myapp.fireabse.com/botwidget/v2/demo/static/js/sdk.js opens up.
How can I do this with nodejs backend?
The sdk.js URL which creates an iframe and appends it your website in a widget. And this domain name is only visible only if you inspect the browser. Check Liva widget: http://www.livafluidfashion.com/
Solution 1:
If you want to see the domain name as myapp.fireabse.com then redirect the incoming traffic from "myapp.fireabse.com/botwidget/*" to "www.buildquickbots.com/botwidget/".
Solution 2:
You can get "firebase.buildquickbots.com" as a domain name also. For that, you have to talk/mail to Gupshup support people.

Using Google Drive as a database for a login form

Recently i created a website with Godaddy's website builder . In the website there is a free membership, though here is the problem.
Godaddy's website builder doesn't allow you to create a login area, you have to do that with your own tools, and the other problem is website builder does not allow you to upload any files like html or php or install anything like MySql. It does allow you though to put some code in your website. The current way I'm managing the login function is by putting some JavaScript in my website which i found elsewhere , the bad thing is the usernames and passwords are shown in the source code and every time there is a new user i have to change the code. Not only that, the link of the membership area is also in the source code, currently i change it every month. After doing lots of research and finding nothing i had an idea.
By putting a text file on google drive which contains all usernames and passwords, i could make it act as a database. Then put some code in my website which reads the text file in google drive. If this didn't work (Which i think it does) How about using a spreadsheet? And the code on my website reads the spreadsheet. The link to the membership area (Which is also in my website) Could be in another text file.
I'm new with code, and that is really all i need, the code to make this idea work. If anyone can write the code, please post it below. You have no idea how much this will help. Thanks in advance - Braulio
If you can use javascript, you could probably use something like
https://www.firebase.com/
or any other 'database as a service' type thing. This will allow you to query the database, and save to the database with client side javascript.
With firebase you could do something roughly like
var myFirebaseRef = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com/");
myFirebaseRef.set({
username: "Braulio",
password: "pass"
}
});
Just one option
yes you can use a google spreadsheet. yes it will be 100% secure. look at the spreadsheet api for this.
however, beware of the limitations:
there is a limit as to how many cells you can have (in the millions).
since all the requests will be made from the same google account, rate limit quotas will apply, and total daily api calls will be limited (to a few million i think).
if you really will have many users, you can workaround these limitations by caching as much as possible the spreadsheet data in your backend.

How to prevent script sharing from it's users?

I am making a small payment system, basically it's just a point system, you pay say 1 USD and you get 100 points which is used later on in a game project to get bonuses. It's a script for game servers, something like a user panel.
Now, the script system is ready, but I'm afraid to give it away, since than someone will share it and it will spread all over the gaming area. What would be the solution keeping it working only if I give them a permission?
I thought about re-making whole code and make it work on my website but I don't think that people will want to put their SQL data to website that located NOT on their host. Please help me out, at least with some clues, maybe its possible to make some widgets? or maybe some license system?
I'm really lost.
You should implement the logic on the server side as an api REST call and include in the script only an ajax call to the api. You can limit the use of the api through an api key that you'll provide only to qualified sites.
You'd need to implement some sort or serverside authentication/api so that only varified users can use the script. Much like how software checks a licence.
On script load your javascript could make a ajax call to a server passing through the users IP, auth key, username etc etc.
This can then be varified on the server, maybe returning a dynamically generated url containing a javascript file which contains your business logic
(so that urls are dynamically generated for that users session only)
That way people cant hot link the script, and the script you give out is solely the ajax call
(With the business logic script injected on auth)

Incorporate LinkedIn to a webpage

I'm trying to create a webpage that can incorporate LinkedIn info's (profile,people,company, etc...).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following
*Name, Company, Email
*List of LinkedIn messages that are waiting for reply
The same process goes on everytime the user adds a profile, I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieved this? Opinions and Suggestions are highly appreciated tnx
This is far to broad a question for me to invest the necessary time in to figure the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the linkedin API not all the data you wish to access is available (do double check this though, I used the API quite awhile back and stuff might have changed in the meantime). As this data is not available through the API the only alternative would be to somehow bypass the cross domain policy, which in conclusion would require the user to install a chrome extension/firefox plugin which will function as a proxy for your application or even 'better', make you entire application a browser plugin based web app. Not that I am a fan of those whatsoever but if you application is meant in any way whatsoever as a linkedin (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long winded and requires a large amount of development time. Alot of the data is not accessible directly or indirectly too. You cannot get email address's out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for oAuth2 connections with the linkedin API service. People will log onto your website, click to join their linkedin account with your website and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The linkedin API documentation (http://developer.linkedin.com/) isn't greatly indepth but it gives you a good understand and points you where you need to go. There are also a couple of pre-done php API's around such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many API's from twitters, facebooks and LinkedIn's and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.

Tracking the use of my Javascript

Is there a way to track if my javascript code is being used on another site?
I work for a software development company and although I'm not a developer as such I do get involved with some of the more simple Javascript requests we get from our customers.
However, sometimes our customers want to see the Javascript working before agreeing to pay for it. My problem here is that although they are not going to be very technical they may have enough knowledge to look at the page source and effectively 'steal' the script.
Can I either prevent them from doing this or add some kind of tracking to my code somewhere so if they do a simple copy / paste then I can receive notification somehow of the script being used on another site?
Thank you
A few things you can do:
Obfuscate your code so it'll be harder to find out what to copy for non technical people.
Add a line that checks the domain name of the page and throws an exception or does some other trick to terminate if the domain is not your demo server.
Add an Ajax query to your server to validate that the script is allowed to run and terminate if there is no validation.
All said here will only protect against non-technical people. Javascript is an interpreted language and as such the entire code is sent to the browser. A skilled programmer will know to go around your blockings.
it is not easy to track your script over all www but there are ways to protect your js codes. there are plenty of sites for encoding and obfuscation like the site below:
http://javascriptobfuscator.com/default.aspx
They would still be able to use your codes but you can hide some protection codes in obfuscated version like trial timeout values or even posting some values like site url to your server for tracking.
our customers want to see the Javascript working before agreeing to pay for it.
You can achieve a good level of security by setting up a demo machine. Have the users remote into a session to provide a demo of the product. Ideally, a shared session where you can "walk them through it" (aka watch what they are doing).
Similar to a video conference, but this way they can use the browser. Don't make the site public, run the webserver local only (close port 80 on the firewall). Take the remote desktop server down after the demo and change the password.
Use the DOM API to a <script> tag that points to a server-side script on your server and append it to the <head>.
Using jQuery:
$.getJSON('http://yourserver.com/TrackScript', { url: document.location });

Categories