I'd like to make the code in my repository visible only with a password.
When I set my visibility to private and open the RAW page, I get this URL:
https://raw.githubusercontent.com/---.lua?token=TOKEN
But this TOKEN is only active for a short time. Is there any way to assign a token that is always active?
Related
I'm currently troubleshooting a login issue for a deployed Moodle. Login page uses an alternate page which I have managed to identify. The alternate page considers everything except successful login as invalid or expired login or password.
Since some correct logins and passwords are also getting the same issue, I am trying to restore the Moodle instance to use its default login page, but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there have not been any code changes. It uses a variant of Moove.
Thank you
Rest assured that it's a common issue
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl';
Note the value, just in case, then blank it out
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl';
Then purge the cache to update Moodle
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration
Although self registration is disabled by default in the settings on the same page (registerauth)
I'm trying to use the Form-Based Authentication feature of OWASP ZAP using ZAP's Python API.
I noticed that while using an HTTP application (for example, http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However, when I try the same for an HTTPS application, it isn't fetching additional URLs once logged in.
My question here is: does ZAP support Form-Based authentication for HTTP web applications only?
Yes, and we have a FAQ for it: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
It's difficult to debug issues when just using the API, so I recommend using the UI first and, once you've got that working, converting what you've done to the API.
Via the UI:
Explore your app while proxying through ZAP
Login using a valid username and password
Define a Context, eg by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
Find the 'Login request' in the Sites or History tab
Right click it and select "Flag as Context" / " Form-based Auth Login request"
Check that the Username and Password parameters are set correctly - they almost certainly won't be!
Find a string in a response which can be used to determine if the user is logged in or not
Highlight this string, right click and select "Flag as Context" / " Logged in/out Indicator" as relevant - you only need to set one of these, not both
Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
Navigate to the Context "Forced User" page and make sure the user you want to test is selected
The "Forced User Mode disabled - click to enable" button should now be enabled
Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, ie by using the 'logged in' or 'logged out' indicator.
Via the API the process is the same but using the API calls:
context/includeInContext
authentication/setAuthenticationMethod
authMethodName : formBasedAuthentication
authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
authentication/setLoginIndicator or setLogoutIndicator
forcedUser/setForcedUserModeEnabled
The values for authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}
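The encoding rule in the answer above, as an added Python example that is not part of the original answer or of ZAP's own code. The function names are hypothetical, and the parse step (split on '&' and '=', then decode each value once) is an assumption about how the parameter string is read, used here to show what goes wrong when loginRequestData is passed unencoded.

```python
from urllib.parse import quote, unquote

USER_TOKEN = "{%username%}"
PASS_TOKEN = "{%password%}"

def build_config(login_url, login_request_data):
    """Encode each value exactly once and join them as authMethodConfigParams."""
    return ("loginUrl=" + quote(login_url, safe="")
            + "&loginRequestData=" + quote(login_request_data, safe=""))

def parse_config(config):
    """Assumed reader: split on '&' and the first '=', then decode each value."""
    pairs = {}
    for part in config.split("&"):
        key, _, value = part.partition("=")
        pairs[key] = unquote(value)
    return pairs

def check_config(config):
    """Return a list of problems found in an authMethodConfigParams string."""
    pairs = parse_config(config)
    problems = []
    extra = sorted(set(pairs) - {"loginUrl", "loginRequestData"})
    if extra:
        problems.append("unexpected keys %s: a value was not URL encoded" % extra)
    if not pairs.get("loginUrl", "").startswith(("http://", "https://")):
        problems.append("loginUrl missing or not an absolute http(s) URL")
    body = pairs.get("loginRequestData", "")
    for token in (USER_TOKEN, PASS_TOKEN):
        if token not in body:
            problems.append("loginRequestData lacks placeholder " + token)
    return problems

# The value quoted in the answer above.
PAGE_CONFIG = ("loginUrl=http://example.com/login.html&loginRequestData="
               "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D")

# Constructed counter-example: same data, loginRequestData left unencoded,
# so its '&' splits the password field off into a separate parameter.
RAW_CONFIG = ("loginUrl=https://example.com/login.html&loginRequestData="
              "username={%username%}&password={%password%}")

if __name__ == "__main__":
    print(check_config(PAGE_CONFIG))
    for problem in check_config(RAW_CONFIG):
        print("RAW_CONFIG:", problem)
```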
I've extended the User model in my LoopBack application and added phone number as a login method; I use the username field to do this. The only deal is that on login I get the 'email not verified' error. I have my own phoneNumberVerified field, and have overwritten the confirm method to validate the token against the emailVerificationToken and against the phoneNumberVerificationToken and update the corresponding flag. I thought of overwriting the original login method to not allow login only if both emailVerified and phoneNumberVerified fields are false (not just the email), but I don't know how to actually do the login the way LoopBack does it (I believe it creates an AccessToken or something), and I'm asking for some help on how to do this, thanks XD. I can do the overwriting and validations myself; I just need to know how to do the actual login without using the original login method, since I'll be rewriting it.
So I figured out that I actually don't need email or phone number verified validation at all on login (later on the workflow will be required, but that'll be another use case, so it's irrelevant on login to me now XD). So when I was looking at how to overwrite the login method, I realized that all the models' code is in the node_modules folder xD
node_modules/loopback/common/models/user.js
And found there in the login method a flag that validates whether it should check email verified or not, so in my startup script I just put this:
app.models.MyUser.settings.emailVerificationRequired = false;
That stops the email verified validation on login.
And maybe if some of you would like to override the login method, I believe copying the whole method from the original user model up there, attaching it to your model and doing some modifications might work xD. It invokes createAccessToken from the user model (itself), and that's what I believe creates the 'login'. What I came to understand is that there is no "session" data: it creates an access token when you successfully log in, and, as I've been doing, just sending the token id with every request 'authenticates' your logged-in user.
Thanks for reading, have a nice day :)
OK, here is the requirement.
I want to build a system that looks like this:
- Header: has a PleaseLoginPanel and a SuccessfulLoginPanel
- Content page just contains content and communicates with the header via the EventBus
- HeaderPresenter is the parent presenter and ContentPresenter is nested inside the Header presenter.
Let's say when the user opens the URL "mydomain#content" they will see a page that has a header containing the PleaseLoginPanel on top and a content part (beneath the header) containing some textarea and button for the user to input data and submit to the DB.
To be able to access the widgets in the content page the user needs to log in. After logging in, the PleaseLoginPanel will be invisible and the SuccessfulLoginPanel will be visible. The user can now play with the widgets in the content part.
Let's say the session and cookies will last 1 hour; after the session cookies have expired the user cannot submit the content data.
Let's say the user spent a lot of effort preparing data and is about to submit, but the session expired so he can't submit. At that time, the SuccessfulLoginPanel still stays in the header. So the user can lose all the content he prepared before. You may say he can open a new page, log in, and copy the data from the old page (the page that has the expired session and does not have the PleaseLoginPanel), but that still costs him a lot of effort to copy over.
So I want that, when the cookies have just expired, it will fire an event to the header and ask the header to show the PleaseLoginPanel.
How can we do that in GWT or GWTP?
Found a solution, which is to use a timer:
Timer showLoginPanelTimer = new Timer() {
    public void run() {
        getView().getLoginPanel().setVisible(true);
        getView().getSuccessfulLoginPanel().setVisible(false);
        getView().getEmailBox().setText("");
        getView().getPasswordBox().setText("");
        Utility.removeUserInfoCookies();
    }
};
showLoginPanelTimer.schedule(Utility.COOKIE_TIMEOUT);
I have a GWT project, using Activities and Places. My problem is with history token.
Pattern of my token:
#/{key 1}/{value 1}/{key 2}/{value 2}
Value 1 must be a number
Value 2 must be a number
A valid token is:
#/view/1/date/123123123123
I decided to validate the token and then the problem appears.
For example, if the user manually changes the token:
#/view/qqweqweqwedate/date/123123123123
In this case Value 1 is not a number. I catch this exception and fix the token with the default value. The problem is that the invalid token is in the history, and when I click the "Back" button in the browser it appears again.
Could someone tell me how to remove the invalid token from the history, or not allow it to be written to the history?
Once you set a new hash (new token in GWT), it is stored in the browser history stack.
You cannot remove tokens from the browser history, so the most you can do is handle this event in code. I mean, when the user clicks back, the malformed token will be visited, and you can be notified and do whatever you want: fix the token again and bring the user to the correct token, or call History.back() so that the user is sent to the previous token.
The problem I see is how to know when the user comes from the already fixed token screen, in order to send them back.
In theory, you could use event.oldURL and event.newURL in JavaScript, but those attributes are not exposed in GWT, so you would have to implement them by hand using JSNI.