Got a very strange issue, never seen it before. Basically in the admin section of our website, a user attempts to edit something by clicking a button.
This button attempts to call a webservice (via jquery, which the page will then use to show an edit form in shadowbox).
However the user informs me that instead of the form popping up as usual it is blank for a few seconds. Then this pops up:
Any ideas? The webservice is in the admin section, which requires the user to be in a role (which the user is, otherwise they would never get to the point of being able to click the edit button).
This is normal if your web service is located on a different machine as your web server.
If the two machines are on the same domain, then the browser will attempt to use the default network credentials that has been cached.
This dialog will also pop up if the default credentials used to access the web server (which could be anonymous) does not have access to the resource (folder) where the web service is running. The pop up gives the user an opportunity to enter another set of credentials.
Related
We have to implement a mechanism to protect content on our main www.oursite.com. We also have AMP pages being served from amp.oursite.com. Finally, the AMP pages are also getting served from the Google cache via https://www.google.com/amp/s/amp.oursite.com/
The mechanism that we want to implement is similar to a freewall which requires users to register and once they do, they will have access to most of the content on the website.
Registration and login happens on a subdomain such register.oursite.com.
We envisage a typical flow would be as follows:
User finds a page while performing a search on their mobile device via a Google search results.
They click on search result and are taken to the page on the google.com domain.
A pop-up or modal window (served over register.oursite.com) appears over the page with protected content asking them to login.
They login and on successful login, the pop-up or modal window disappears. (assumes user has registered at a previous point)
The protected content which was hidden or blurred in the main/parent window, appears so the user can proceed to read it.
We can assume that, upon successful login, a cookie (let's say named login-status) is dropped on the user's browser, scoped to .oursite.com which could serve as a flag.
The problem we are facing is that the page in the original window was served over the .google.com domain and therefore we do not expect that it would be possible for the main window to apply display logic on the content based on the cookie named as login-status.
It would appear from this page that the way to solve this challenge is via identifier reconciliation on the server by maintaining a matching table between the reader id that AMP generates and the cookie. We have looked at the AMP access feature and AMP page implementation for New York Times but we cannot tell for sure whether they have achieved this via server side or client side solution.
Can anyone
validate the assumption that it is not possible somehow via AMP to share the login state of a user between 2 windows with content served over different domains?
suggest a way to solve this on the client side rather than the server side?
Thanks in advance
I am implementing PayPal payment system through smart buttons in a PWA app. The problem I am facing is that, by default in a PWA the address bar is hidden, so when the payment dialog for PayPal open it seems as if it's a dialog of the app itself. This is worrying because it doesn't give the user assurance that they're using PayPal's system and that their account is secure.
If I do the same thing through the browser, then the payment window opens in a separate tab with the URL being show.
How can I make it so that the similar behaviour is replicated on the app, or is there a way to show the address bar when the payment dialog is opened?
Screenshot of the dialog
I can't answer about showing an address bar in PWA, but if the goal is to make Smart Buttons open a new tab or redirect, the solution is: don't use Smart Buttons.
Instead, integrate two routes on your server, one for 'Set Up Transaction' and one for 'Capture Transaction', documented here: https://developer.paypal.com/docs/checkout/reference/server-integration/
The first call will return an approval_url that you can simply redirect to (or open a full browser for), rather than using Smart Button JS.
After approval at PayPal in this new window/tab/browser you opened, the return will be to the return_url you specified at Set Up time, which can be a deeplink.
The return should then present an order review/confirmation page (unless you wish to skip this, for which you should specify an application_context object with user_action: 'PAY_NOW' so the user is clicking on the right verbiage for what you're going to be doing.)
Then on this return -- using the provided query string information -- run that second 'Capture Transaction' call. If the response happens to be INSTRUMENT_DECLINED, simply reopen the original approval_url since this situation is recoverable (some details on the situation here, though that demo and Handle Funding Failures guide are for Smart Buttons, but the concept is the same). If the response is success or any other error, proceed accordingly.
I am trying to figure out if it is possible to click on a button on the Amazon website from outside of the website.
For Example: At the bottom of every product review is a "Helpful" button. If a review was helpful, the reader/shopper can click this button to let the reviewer (and Amazon) know that the review was helpful. (It's basically a "Like" button).
What I'm trying to accomplish:
I want to post my reviews on my own website/blog and still obtain "Likes" without asking readers to click a link to a product page, then search for my review, then click the button.
You probably won't be able to do what you have in mind.
JavaScript can generally access information on another domain except if specifically configured in the origin website through CORS. Unless you own amazon.com, you won't be able to configure amazon's CORS headers to make them accessible to some JS running on your website.
You can however, from your website front-end, make a request to your website back-end that would be able to access amazon's data just like your browser does. Using a browser emulator like Puppeteer, you'll be able to launch an amazon page and programmatically retrieve infos, click on things and do other stuff.
However, the page that Puppeteer will be able to spin up will include credentials (cookies, localstorage content, auth token, etc) provided by your server, so Puppeteer will not see the same amazon.com your user sees on his browser, unless your user agrees to give you its amazon credentials, and at this point I'm pretty sure no user would do that, and that would not be authorized by amazon's terms of services.
TL;DR even if what you have in mind is not impossible, it would weeks for your and your team to code a system that would potentially allow you to do that, and that's provided the law is on your side, which is probably not the case.
In my work with a Javascript single page application, i have recently run into a problem.
The whole idea behind this project, is to avoid page reload. When the user comes to my application they won't need to make any reloads. This is done with jQuery and Backbone.js and PHP as service.
I have this static index.html file, where i hide my login container and application container. Then i show the login container, if the user is not recognize by my application, and if they have auth i show the application.
if auth:
application.show()
elif not auth:
login.show() // like Gmail or Facebook etc.: Information + login-form
I wan't to show users who aren't authenticated, both login-form and general info. Very important is also that the site can be found by robots as Google etc.
Can this only be done with 2 different files, giving me reload? A site.com and login.site.com. That solution irritates me, because my login, as it is by now, is quite instant.
Not sure I get the question completely but if you want to check if a user in authenticated, try to do an ajax call. If it fails with "401 unauthorized" the user needs to login...
You can achieve what you want by using ajax calls to authenticate (Although this is not a recommended approach, and people usually prefer the two page solution you have outlined).
What you can do, is have very skinny controllers that just exist to provide data to rich client UI.
Your gateway controller(A separate controller, with no model that acts as an entry point in the application) will just render the basic application structure to the client (without any user specific data, you dont know if the user is logged in, you dont need to know at this point). Then the client will query the UserController for identity of currently logged in user, if user is logged in server returns a json response containing information related to user and if not, server returns a response saying that user is not logged in. Then you can fetch a partial for the login form and then submit it again through ajax. As you see, creating the UI once and communicating with the server with lightweight ajax calls can solve your issue easily.
I have a problem with a website I'm currently working on.
I have added a Tweet box to my page for the user to tweet about the current article. If the user submits from the Tweet box and is not currently logged in or is not connected with my site, he/she gets a popup from twitter asking for username/password and/or if he/she accepts the connection with my site.
If the user accepts the popup is closed and all is good, if the user declines the window is just closed and the tweet remains a dream of what could have been.
So far so good, But! My site is mainly aimed at smartphones (in particular iPhone), and if the user adds my site to the home screen (which I recommend) then the twitter popup fills the whole app window. This I can understand, and everything works out if the user accepts.
If, on the other hand the user declines, there is no window for the button to close so noting happens. My webapp is running fullscreen and standalone so doesn’t even have a back button. So if the user doesn’t accept the twitter connect, he/she basically needs to restart the app to get avay from the “popup”.
So (finally ;) ) my question is this; is there a twitter page that performs the connect authentication that is not required to be in a popup? A page that basically sends you back to the callback url on both accept and cancel? Or is there a different approach that I have over looked?
Looking forward to some helpful tips!
EDIT
I was suggested The standard OAuth flow and Web intents, the problem is that the app needs to be client code/javascript only. This makes The standard OAuth flow impossible because it sends application secrets over http/https wich makes me put the secrets in the javascript ( I might be somewhat of a hobbyist programmer but there are limits ;) ).
Web intent pages don't have a cancel/back button so I'm still stuck if the user dont want to connect and is running my app in stanalone mode.
I guess I should have included this in the original post, thanks anyway for the suggestions.
The standard OAuth flow for Twitter does not require a popup. You can instead redirect the current window. You will then have to process the the form submit yourself and post the status through your server.
You might also checkout Web Intents. The user posts the tweet from a mobile optimized twitter.com page.