Bypass OAuth to create cards on Trello programmatically - javascript

I'm trying to use Trello API to create cards on our boards. But i cannot really bypass authentication programmatically, because a user prompt always appears asking for authentication in trello.
The idea is i create a system user on trello, add it to the boards, then use its API key to create the cards. I'm following this approach because I used Zapier to generate cards from Freshdesk, and wondering how Zapier bypass OAuth to do this.

You simply cannot bypass the authentication of the API, however what you can do is to generate the valid oAuth tokens for your "System User" and use them for authentication.
I'm not aware of the complete Auth process of trello, but most oAuth providers give you the possiblity to create tokens which last quite long (refresh tokens). You could use these in your code to call the api without any additional auth process.
You could also store the normal auth tokens and re-validate them from time to time using the prompt.
Best solution depends on what you are trying to achieve...

Related

How to authenticate as Google service account without a client library but only with HTTP Post?

I want to trigger my Cloud Function via HTTP but also authenticated with IAM and a service account auth0-hook I created therefore.
I generated a private key like this:
gcloud iam service-accounts keys create ~/.gcp-keys/auth0-hook-sa.key.json --iam-account=auth0-hooks#my-platform.iam.gserviceaccount.com
and applied this service-account to my cloud function.
On the outside - in the Auth0 Hook code - I know need to fetch the credentials first and send the fetched token with the POST request to the Cloud Function endpoint.
My problem here is that I can not use any of the Google Auth client libraries (Node.js in this case) because Auth0 Hooks can not import any fancy libraries as it seems.
I am hereby stuck with only using var request = require('request#2.56.0'); to make this all work.
I'd like to ask how I can manage this? There is some authentication service I can call right? But what is the API for that one? In the docs I could not find the manual way but only the client library documentations.
I am hereby stuck with only using var request =
require('request#2.56.0'); to make this all work. I'd like to ask how
I can manage this? There is some authentication service I can call
right?
Google does not provide a simple HTTP endpoint that you can call. If you think thru the process, you need the authorization to call an endpoint that generates authorization credentials. Chicken and Egg situation.
Google does not yet accept Auth0 credentials at an endpoint to exchange for Google credentials. However, keep reading for more information about Workload Identity Federation, which can/might provide that ability eventually.
There is no simple answer for your goal of creating an Auth0 hook that can generate a Google Access or Identity Token. Below are details to help understand what is possible.
To go from a Google Cloud service account JSON key file to an Access Token requires libraries also. The process is to create a JWT, sign the JWT, exchange the JWT for an access token. I wrote an article that shows how to do this in Python. The process for Node.js is similar. Your issue is that the process is too complicated for an Auth0 hook.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
Google has recently introduced Google Workload Identity Federation which supports exchanging OIDC tokens for a Google OAuth access token via federation and service account impersonation. The process is just a series of HTTP method calls. I am authoring several articles on how to do this, but I am not finished at this time.
Accessing resources from an OIDC identity provider
One possibility is to create another Cloud Function or Cloud Run service that you can call in a single HTTP GET that creates the tokens for you. That way you can use Google Client libraries. Your Function/Run code would receive an HTTP GET request, interface with the client libraries to create the access token and return the token as the HTTP GET response.
However, that creates the Chicken and Egg situation. You need to authorize the request to the Function/Run code to get an access token.
You may want to change strategies and instead disable Cloud Functions authorization and verify the Auth0 Identity Token within your code and skip Google-based authorization.
Auth0: Validate ID Tokens
Auth0: Validate JSON Web Tokens
Pay attention to whatever process you choose as getting authorization correct and secure is not easy.
Note: Your question states "I want to trigger my Cloud Function via HTTP". I am not sure what method you plan to use. If you are using Cloud Functions Authorization, that requires an OAuth Identity Token. That adds more steps to the process. I have not figured out how to do that with Workload Identity Federation, but the Functions/Run code can easily handle that for you.
In summary, Cloud Functions are intended for small, light-weight code in a serverless framework. Once you add authorization, complexity grows. Provided you stick with Google Cloud authorization, everything is easy. Once you try to go from one identity system (Auth0) to another (Google Cloud IAM) the complexity jumps dramatically.

Can Custom Authentication be made in Firebase

I am trying to use a 6 digit code to log-in a user.
The code is available for 20 seconds and is unique to every user.
Briefly explained:
User is already logged in on a mobile app
User press the button "Get Unique Code"
Then, user enter the code on a WebPage on his PC
If the code is correct, show data for that user
What am I asking is if there is way to properly authenticate the user who introduces that code correctly given that I have the userID and all the informations about the user?
I can try and "fake log-in" (display all the information for that user when the code is correct) but there are some issues with this and I would like to avoid it.
I am using Firebase Authentication and Firebase Firestore. JavaScript is used for Web.
You can implement any authentication scheme you want by creating a custom provider for Firebase Authentication.
See Authenticate with Firebase in JavaScript Using a Custom Authentication System and Creating Custom Tokens with the Admin SDK.
In this flow you:
Sign in the users yourself.
Create a custom token for those users in a trusted environment, such as a server you control, or Cloud Functions.
Pass that custom token to Firebase Authentication, which can then use it to identify the user, and secure access to Firestore, Storage, and Realtime Database.

Spotify API automated initial authorization

I'm making a personal smart mirror and i'm looking to integrate the spotify API to display my 'currently playing' track. However, I've noticed that in the authorization process, you need to physically click log in and authorize the app in order to get the credentials required to move forward in obtaining your data. Could this be automated/require no user interaction?
I am referring to step 1 of the api authorization guide.
Many thanks.
If you are using this for a personal smart mirror you shouldn't have a problem. You only need to authorize by clicking a button in a browser one time and will be able to make all API calls afterward without needing to click anything.
Specifically, after you do in step 3 of the authorization flow you will be given a refresh token. After the authorization token expires you can use the refresh token to refresh the authorization automatically without clicking anything.
From their documentation:
Accessing your data without showing a login form
I want to interact with the web API and show some data on my website. I see that the endpoints I need authorization, but I don’t need/want a login window to pop-up, because I want to grant my own app access to my own playlists once. Is there any way of doing this?
You basically need an access token and a refresh token issued for your
user account. For obtaining a pair of access token / refresh token you
need to follow the Authorization Code Flow (if you need a certain
scope to be approved) or Client Credentials (if you just need to sign
your request, like when fetching a certain playlist). Once you obtain
them, you can use your access token and refresh it when it expires
without having to show any login form.
If its not for you personally you could jump through hoops and write code that fakes being a web browser, perhaps using something like curl or selenium but odds are it is against their terms of service and are if you get caught they'll ban you.

Implementing Facebook's Graph API without user authentication

I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)

Generic Facebook User Access Token for public event search

I'm trying to create a Javascript application that has a filterable listing of certain kinds of public Facebook events. The thing is, the FB Graph API requires that you provide a User Access token in order to use the search for public events. I really don't want to make people log in to facebook in order to use the website, especially because ANY facebook user's credentials are sufficient to query the events I want to query (ie the search is independent of any user credentials, I just need them because the fb api requires me to have a user access token.)
Do y'all have any suggestions for a work around? I'm thinking about providing my own credentials securely, and just using them to make the actual queries. The thing is I would potentially need to be doing A LOT of queries per minute, so this might not be terribly realistic. Any suggestions would be helpful.
Simply do this server-side not client-side.
You just need an app token (no user token) to do this search, but using this client-side is a bad idea since it would expose your app token publicly.

Categories

Resources