I am using jira-client npm module to make API calls on my jira instance, I want to check that if the user has a valid credentials before doing anything else, depending on that I would either:
Tell the user that they don't have a valid username or token.
or Let the user use the project functionalities
is that possible? I am able to make calls and with invalid credentials I will got response with a special message, but I want to know if there is a specific call for checking username and token.
Using normal fetch we can use
https://myJiraInstance/rest/auth/1/session
but for jira-client module it seems there is no way, however we can use findproject method in this way we can make sure that the user has a valid credentials as well as have access to the project itself.
If there any other solution I would be happy to have it.
Related
Is it possible to find a user by searching with a Username in AWS Lambda? The GetUserCommand does not seem to accept a Username as a parameter. The input shape does not include a Username parameter. Am I misunderstanding?
GetUserCommand documentation.
The command you are referring to only needs an access token. Since the access token belongs to your user it will return information about her/him. You don't really need to provide a username. Would be kind of redundant.
If you want to get information about a user as an admin (so not as a user that is currently signed in), then you need another method: AdminGetUserCommand. There you can specify which username you want using AdminGetUserCommandInput.
i setup rules to limit user access like this:
.write": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)",
The problem is, i dont know how to use it on the client side. I am assuming this is duplicate question, but i cant find anything on actual usage of the limited user access.
When user tries to create comment for example, i get an error that permission is denied. Thats desired result, problem is how do i check for the user write permission on the client ?
I was hoping for something like user.canWrite or something along those lines. All i am doing right now is just check if user was authenticated, which he was and there is no mention of read/write access rules in the user object as far as i can tell.
if (this.props.user) {
firebase.database().ref(`comments/${key}/rating`)
.transaction(
(value) => (value += rateValue)
)}
Thanks for any help.
By writing you rule you are setting an authorization to authenticated users to write to the specific node of your database.
Therefore, in the client, you only need to insure that your user is authenticated. This should be done through Firebase Authentication. See the doc for the web here: https://firebase.google.com/docs/auth/web/start
In case the user cannot write to this specific node (either because he/she is not authenticated or because his/her uid is listed under the blockedUsers) he/she will receive an error in the front-end.
Update following our comments below:
If you want to be able "to modify the client UI based on the user's role or access level" you should use another mechanism for setting up the authorization: Custom Claims. See the doc here: https://firebase.google.com/docs/auth/admin/custom-claims.
In this case, in the security rule, you would not check if there is a record under the 'blockedUsers' node but you would check the Claims attached to the token, as explained in the documentation.
I am not able to find any documentation on how to restrict the login to my web application to only accept authentication requests from users with an email on a specific domain name or set of domain names. I would like to block as opposed to blacklist.
Does anyone have any document or template which how to achieve using jsp,angularjs,javascript, documentation on the officially accepted method of doing so, or an easy, secure work around?
For the record, I do not know any info about the user until they attempt to log in through Google's OAuth authentication. All I receive back is the basic user info and email.
You can use method of string class String. contain("#yourdomain") it will return boolean value true or false
It will go like..
if(request.getParameter("email").contains("#yourDomainName"))
Do something;
I'm building a Slack integration that is intended to modify some text and then post it to a Slack channel as though the user who triggered the command had said it.
e.g. /makeFace disapproval
#Ben 3:45pm
ಠ_ಠ
I ask for the client permission scope, which adds the chat:write:user permission. But when I hit the chat.postMessage endpoint, it only seems to allow you to post as the user who added the integration because the token it returns seems to be individuated for that user.
I know that giphy, for instance, sends its gif messages as though you are the originator, but I can't find out how they manage it. Is there any documentation for sending messages as other members of the team?
There are 2 ways to achieve this:
A. Overwriting username and icon
When you send a message with chat.postMessage it is possible to set a user name with the property username. The message will then appear as being send by that user (same for icon with icon_url).
However, this is not meant to impersonate real users, so even if you use the same username and icon as the real user the message will have the app tag, so that they can be distinguished from a real user.
Here is an example how it looks like (from a gamer Slack about flying and killing space ships):
But depending on what your requirements are that might work for you.
If you want to use it make sure to also set the as_user property to false (yes, really) and it will not work with a bot token, only with a user token.
See here for more details on how it works.
This also works for the legacy version of Incoming Webhooks, not with the current version of incoming webhooks though. (You can still get the legacy version, see this answer)
B. Having the user's token
Another approach is to always use the token from the respective user for sending the message. In combination with as_user = true messages sent by your app will look exactly as if they would come from the respective user (no APP tag).
To make that happen your app would need to collect tokens from all users on your workspace and store them for later use. This can be done by asking every user to install your app (called adding a "configuration") through the Oauth process (same you use to install your app to a workspace), which allows your app to collect and store those tokens for later use.
Update: This doesn't work. It impersonates the user who installed the app, so it merely seems to work... until another user tries to use it (and they end up impersonating you).
Go to your App's management page. Select "OAuth & Permissions".
Add the chat.write OAuth Scope to your app as a User Token Scope, not a Bot Token scope.
Take note of your User OAuth Token at the top of this page (not your But User OAuth Token).
Call chat.postMessage with
username = user id of the user you'd like to post on behalf of
token = the token from step 3. above
The resulting post will be 100% impersonated. Not just the name and icon as mentioned in other answers, but it'll 100% function as if it came from the user.
I hope this will help those who are still facing this issue.
First give the chat:write and chat:write.customize scope to your bot. The scope chat:write.customize Send messages as #your_slack_app with a customized username and avatar
From "OAuth & Permissions" settings get the bot OAuth token or even bot access token (both will work).
Then set the arguments like the following.
username to specify the username for the published message.
icon_url to specify a URL to an image to use as the profile photo alongside the message.
icon_emoji to specify an emoji (using colon shortcodes, eg. :white_check_mark:) to use as the profile photo alongside the message.
You can visit the docs from here
I am trying to use signed cookies in Node's express module, and have read the documentation, but am confused on how to verify them. As I understand it, I must verify the cookies on the server. However, how I do so is unclear to me. I will receive the cookie, and then what? Must I run a function to verify it? If so, what function? If not, and its automatic, how do I program what to do if the cookie is indeed modified? What code must I use to check for this? I intend to use these signed cookies for user authentication. So if I go to a page, and want to show different content depending on whether or not the user is authenticated, I'm not sure how to do this. If the page renders before I verify the cookie, I don't see how this would be possible. I therefore assume that I must verify the cookie before rendering the page, which leads me to ask this question, in order to figure out how to do so.
Essentially, I wish to do something like this:
if(CookieIsVerified)
{
.....
}
else if (!CookieIsVerified)
{
.....
}
You don't need to verify the cookie yourself. If you use the cookieParser middleware you can pass in a secret which will be used to sign the cookie. This means that nobody can change it.
Secondly, use the cookieSession middleware. This will take anything that is in req.session and serialize it into the cookie.
app.use(express.cookieParser('yoursecretkeyhere'));
app.use(express.cookieSession());
To check whether a user is authenticated, you can create your own middleware which checks that the current session has been authenticated. If it's not redirect to the login page or return a 401. This middleware should be used on all your routes except the login route.
Create a login route which takes credentials and doesn't use the above middleware. In here you can check username/password or tokens and if the user is a valid one, set an authenticated flag on the session. You can check this flag in your above middleware.