I am using the Dropbox Core API for a web application. On my server, I want to have a profile for each user, that is linked with his Dropbox account. How can I ensure, that only this user has access to his information? Can I get some sort of a secure unique Dropbox password hash for the Dropbox user?
Thanks.
Maybe you could just store the profile in the user's Dropbox (e.g. via the Datastore API). Then you don't have to worry about it at all... only the authenticated user can see his or her own data.
Otherwise you could just use the user ID. If you're doing this server-side, pass the OAuth token to the server, and on the server call /account/info to get the user ID. Then just tie the profile to that user ID.
Related
I have and app that uses connected accounts with Stripe. I need to store information about which Stripe account is linked to the specific client in my app. So my current workflow is:
I set a Stripe Account Id to the client of my app in Database
On the specific page, my Frontend sends request about which Account Id is linked to the specific client
I send a Stripe Account Id as a response to my Frontend
I process Card information with the connected account on my Frontend and send the Token to my Backend
On the backend, I create Source and retrieve it back to Frontend
On the Frontend, I handle the possible 3DS and send a Source back to my Backend
On the backend, I finish the payment and send status back to my Frontend
So, my question is - Is there any possible security risk during the process? I could not figure out any other way of passing Account Id information to the frontend. I need to initialize Stripe on Frontend with a specific Account Id to check Credit card data via Stripe Elements. Without the Account Id in my Frontend, I cannot create Card payment linked to the specific connected Stripe Account, so I think, there is no other way - Am I wrong?
As clients in my application changes, there is no possibility to store an Account Ids in an ENV file, I just have to get it from my server somehow.
I also tried to check Card info via Stripe elements using just PK stored in my ENV file, but then, when I wanted to finish payment with a connected Account, the process failed.
Do you guys have any secure workflow for this situation?
Sharing account and source (did you mean PaymentMethod?) IDs with your frontend is not just fine, it's expected. In order to make requests with Stripe.js on behalf of connected accounts you need to provide the account ID when initializing.
Doing anything malicious with those IDs requires a secret key, which as long as you aren't sharing that with the client you should be fine.
I wonder if it is possible to retrieve a user details only using it's UID, I want it because I want to show my users their list of friends, I have checked the documentation on Firebase Auth., It seems to be only supported in 'admin' section. Should I save my user data in the database instead of Auth. or Is there a way to do it without using Firebase Auth. in my server ? I am running a web application and using Javascript to manipulate data.
There is no API to list or query Firebase Auth accounts directly from a web or mobile app. That would be a security problem, and that's why it's limited to admin/backend access only via the Firebase Admin SDK.
If you do want anyone to be able to find other user accounts, you will need to store that user data in your database, or provide a backend API endpoint that it can access.
I'm completing an unfinished project someone else worked on and trying work out how to create a secure page for an API driven front-end.
When a user logs in successfully, a local storage variable is being created that contains user information, including user token and user secret.
I require a secure dashboard page that calls secure API's.
Am I correct in the following approach :
When secure page loads, a JS routine is executed which checks local storage for user token. Can this be a simple check for user token existence ?
If token present then the secure API's are called using the secret key. The api then returns sensitive data to populate table.
Will this work?
UPDATE:
Both server and client will run under https. As data in encrypted, secret token can be stored on client. Front-End is static html/JS making API calls for sensitive data using secret (only available to authenticated user). None of the user data is hardcoded to F/E but instead is referenced from local storage. Then tokens can be used securely to make further API calls as required for sensitive data. So basically, no-one else should be able to get to sensitive data as cookie/storage is limited to client machine and will expire anyway.
I was looking for a blog/tutorial to confirm my understanding as above.
Thanks
This approach seems OK. I don't know your exact requirements, but I would suggest using a cookie instead of localstorage, given that the token is sensitive information and should not be stored for a long time if it doesn't have to.
If the user has it's personal permanent access token go with localstorage. If the token is fetched from an auth-server upon login, use cookies instead.
I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.
I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.
I want to create a client-side (server-less) application using the AWS SDK for JavaScript in the Browser. All intended users of the tool have individual IAM users and access to the AWS Web Console.
I want all API calls to be executed in the context of individual IAM users, so they are subject to each user's individual permissions, and so that I can see who did what in CloudTrail.
Since no kind of browser local storage should be trusted with persistent credentials, I cannot simply let the user enter his secret access key once and keep it.
However I guess I could request the user's access key id and secret access key on the beginning of each session, then call STS GetSessionToken with it, and only store the resulting temporary security credentials in the session storage and use that for all following SDK usage.
Of course it would be much nicer for users to be able to log in with their IAM user and password instead of their long and cryptic access key (think of mobile devices...).
Is there any kind of federated login option for IAM users (redirecting them to the AWS IAM login page), or a way to call the STS API with username and password?
Ideally, what you want is login via IAM user/password combination. As far as I am aware (and also see this) there is no standard way of doing this.
In one of my projects, I've simulated online login using HTTP client. If you can get the session token with that, that could work for you. But it does not support MFA, and is relying on the internals of the AWS authentication implementation which might change without warnings.