Invalid server-key when performing a POST request to FCM? - javascript

I'm following this tutorial for push notifications, and I'm stuck at the part where it says
To trigger a push message, make a POST request to this URL.
I generated the public and private keys using this site and placed the public key in the applicationServerKey key before calling registration.pushManager.subscribe, and I get a properly formatted JSON response, but I'm unsure of how exactly to generate the Authorization header for use in the POST request to send a notification. Here's what the JSON response from subscribe looks like:
{
"endpoint":"https://fcm.googleapis.com/fcm/send/asdf:qwer",
"expirationTime":null,
"keys":{"p256dh":"key","auth":"auth"}
}
I surmised that the portion after /send should be placed in the to field, but I'm unsure of how to format the Authorization header. Surely I should need to use the private key in some way, but I'm not sure how.
My assumption is that I need to perform some sort of operation on my private key, the p256dh field, and the auth field, and that result will be placed in the key= field in the POST request, but I cannot find the reference for this.
Do you need to create a Firebase project to do this? I'm unsure of whether or not this is the case.

Yes, all access to Firebase products and services requires the creation of a Firebase project. You can't use arbitrary keys to invoke FCM. You must use a service account that's been granted permission to call the API.

Related

ExpressJS - make route accessible only from internal redirect

I have an ExpressJS app with some routes that I don't want to work when typed into the url, they should work only when I redirect to them from my code.
Meaning, if an user types "myapp.com/url" it should not work. But if I add res.redirect("/url") in my code, it works
basically you can't prevent a client from sending an HTTP request to an endpoint (you can't make it "not work"). Having said that your requirements aren't that different from a login logic using JWT.
You can use JWT to set which endpoints the client can gain access to. If the client is not permitted you will redirect him to a different page.
See: https://github.com/auth0/express-jwt
Update (see comments):
when submitting the form you should generate a UUID for the request. This UUID will be a token that represents a temporary resource (video).
This is how the API will look more or less.
POST /submit
GET /generated/:UUID
GET /download/:UUID
You will need to implement some logic that will manage this temporary resource.
This is not possible as res.redirect (https://expressjs.com/en/4x/api.html#res.redirect) accept the routes which are already available via URL. If you don't want to publish the route to the outside world, you might do some sort of authorization before displaying or sending data.

A simple data storage schema to restrict public access

I have been working on a library which enable a website to add a comment section to their website.
The idea was to keep it as lightweight as possible thus I preferred to use JSON for basic data storage like comment's message, website and username. All of these data is public and can be access directly via JSON. I don't mind this since comments are going to get display publicly anyway.
However, the problem arises when I want a user to be notified when someone replies to their comment. Email is there in input field but I don't want it to be stored in the public JSON file. Is there any other server side data storage schema where I can store the email privately and at the same time use those emails from server side scripts to send email?
MySQL and others will make the library clunky, so that's out of the list.
Or even beside these conditions is there any other possible way to do this?
What you need is APIs and not a data source. A data source is a truth where all data lives. Like in your example, if you have email in your data, it will always be there. Unless you keep email field separately.
The way is to create api that will output required data from JSON files (or database). You can choose to hide the data that you don't want to show.
This way, you only expose the api, instead of the file name directly, which has risks of being modified or altered or hacked very easily.
Other way without using API is to have multiple JSON files.
One file will have basic data, and other will have confidential data, along with a foreign key like unique key that'd map the confidential or other data with the main record.
Example:
Comments.json:
{
"comments": [{userId: 1, ...},{...}]
}
CommentDetails.json
{...}
Users:
[
1: {"username": "", "email": "asdas#asdas.com",...}
]
You can use a database like MongoDB, that stores JSON documents, to keep the data of users and comments.
Then, the users collection will not be sent completely to the user, filterint the emails and other sensitive data.
Create a second JSON file, or CSV file for that matter, which is kept private, that maps users to their emailIDs.
Interesting project you are attempting, btw. Good luck!! :)
Why not just use a .htaccess in a directory where the data is stored and use something like "Deny from All"?
Your scripts could access then, but no user's browser.
Assuming there will be a mail server involved, can you host a web service with two endpoints?
Endpoints:
sends emails; takes an sender guid instead of an email address
stores an email; takes an email address and returns a sender guid
This web service could then be used by your library from any www accessible server. At the web service host the emails could be stored in the format of your choice. You will also want to secure you web service to prevent others from triggering mail notifications.

How to reference a specific group of customers

I need to be able to allow a customer (or group of customers in this case) to register for the store, and I need to be able to reference that group of customers in the code somehow, for example:
if (currentUserIdOfSomeSort === 9) {
// do something
} else {
// do something else
}
THE CATCH: I need to be able to accomplish this without the need for a person to go into BC and change a setting on the customer - if I have to go and assign the customer a specific group id, then that is not a solution because it involves human intervention.
Everything also needs to be local, as in I am not able to configure an external server to make API calls for specific information (for example, if I added a 'code' field to the registration form - I already asked, this will not create a new variable for that field, and I am told you would need to use a separate server to make the API call to return that info, something I do not know how to do)
Any ideas would be greatly appreciated
There is not a way to create your own custom global variables as these are functions of the core app. If you wanted to call to the API, you'd need to use Heroku (or your own server of choice) to make a request to the API. It can be a purely cURL request or you can use an API client.
curl --request GET \
-u "_username_:_API_key_"\
https://store.mybigcommerce.com/api/v2/customers/{id}.json
You can pass that into a js file hosted on the same server and then load the javascript on your storefront.
<script src="https://myserver.com/favoritenumber.js"></script>
You'd also need to do some validation that you were displaying this to the correct customer. I'd elect to use CustomerID instead of CustomerName and validate against this.

Json parameter casting inheritance web api 2

I am using MS Web API 2 to receive calls from our web page using ajax.
Then I have 2 classes: subscriber and externalSubscriber. Subscriber contains very basic data like a name and id. External subscriber inherits from subscriber and adds basic data like address and email. I have one api method to edit the data of a subscriber defined like this:
public IHttpActionResult PutSubscriber(int id, Subscriber subscriber)
In our page I create a json string using the data provided which leads to it ether being a external or a normal subscriber.
I am able to post to this function using both but with an externalSubscriber object the added data gets lost and trying to cast from subscriber leads to an error.
my question is if anyone has any experience with this issue and if there is another way to fix this besides creating a specific function for putting a external subscriber.
I have got it to work by using the information provided on the following pages:
http://www.newtonsoft.com/json/help/html/SerializeTypeNameHandling.htm
Polymorphism in Web API: Single endpoint possible?
First I set the json setting:
jsonsettings.SerializerSettings.TypeNameHandling = TypeNameHandling.Auto;
then setting the type of the json object before sending with ajax using
jsonObject { '$type' : .Models.ExternalSubscriber, solution.project', ....}
after this I am able to cast the incoming Subscriber to an ExternalSubscriber and access its properties.

Facebook json url to retrieve event wall feed

I'm currently trying to pull the wall from this event page: https://www.facebook.com/event.php?eid=139373546157232, but I'm not sure how I go about getting the graph url to use in an ajax request.. I want to get it in json format and I also need the auth token.. This event is not private so should I need a auth token just to read the data?
I have used this url to get the event info: https://graph.facebook.com/139373546157232 but the object has limited data...
Thank you
Events have a number of 'connections' to give you more data:
http://developers.facebook.com/docs/reference/api/event/
Unfortunately it seems you do need an access token to access the interesting parts of the info. However, a public access token from any user should be sufficient if the event is public. Perhaps generate an offline access token as yourself and store it permanently and try using that if you need to query event info in a non-connected-user context.

Categories

Resources