I have a small app hosted on pythonanywhere. Can an outsider get all the sensitive data from my db?
Is pythonanywhere protecting against attackers?
Data stored on your PythonAnywhere account is basically as safe as the account itself. So as long as your credentials are not compromised, you can assume that no outsider has access to it. If you have a web app, users have as much access to your data stored on your account, as you expose it via the web app and the code visible in the browser.
Related
I've read through these and many linked documents for the last several hours:
https://cloud.google.com/storage/docs/uploading-objects
https://cloud.google.com/storage/docs/authentication
Yet, I still don't see a way to simply upload a file to Google Cloud Storage from my web server (not browser), without using OAUTH or some type of short-lived token. Since I'm uploading from my secure server, I would think I can just use an API key or some persistent service credentials or client secret directly without having the overhead of extra OAUTH calls and refreshing tokens. Is this not the case?
Probably doesn't matter, but I need to use the REST API because my server is a garbage platform that doesn't support any of the client libraries.
I have an identity server implementation set up with our website and users can log in locally or with external providers and everything is working fine.
We now have a requirement where a customer wants to log onto their local system and have a link from their system to ours, effectively they wont have to log into our system again so they would send us a token that we would verify.
Has anyone any experience with this kind of set up and could give me any pointers on how they have done it?
Thanks
Ideally you configure the customer as just another OpenID relying party.
If you must log in from the customer's system, look into Resource Owner Flow. There is an IdentityServer3 sample console application. Here is my walk-through for creating an MVC application.
Resource owner flow is less than ideal; you must completely trust the customer's local system with user credentials.
My plan is to develop an application which creates user recommendations based on the userĀ“s Facebook data (age, likes,...).
In this Figure (sry, i am not allow to post images directly) you can see the flow of the application. Is this the configuration "Login on Client, API Calls from Server" from the Facebook Documentation?
I am not sure because the Recommendation Server, which calls the Graph API, is not the same as the Web Server. Additionally, in the documentation it is mentioned that the Client forwards the API calls to the server. However, in my case the Web Application (Client + Server) does not know which API calls the Recommendation Server makes.
Is my project feasible? If not, how do I have to adapt my plan?
I don't see a problem here if I understood correctly. Have one web server to the OAuth login, exchange the short-lived Access Token for a long-lived one, and store the Access Token somewhere in a (NoSQL or SQL) database such as Redis, MongoDB or MySQL where both web server and recommendation server have access to.
Then, the web server needs to trigger the recommendation server to do the calls he needs after the Access Token has been stored.
I am just learning Mobile Services. I've created a simple one which works fine locally. I published the mobile service to my Azure account. I then tried to access a method on it from the browser and I get a log in dialog. I figured out that I need to provide the application key generated by Azure as the password. Once I do this, it executes correctly. However, is there a way I can execute a method without providing a key? In other words, what if I wanted to expose one or more methods to everyone, without any authentication. How would I do this?
Yes, there is a way. There are four authentication levels in Windows Azure Mobile Services.
scripts and admins
authenticated users
users with application key
everyone
By default, the authentication level is set to "users with application key".
Depending on the backend you use, you either have to specify the auth level in the Management Portal in the data-tab (Javascript) or as a method attribute in your Controller-class (.NET) to "everyone".
I am writing an application that consumes several web services. There is not a authentication system in place per say however each web service requires a login/password.
So in my application when a user first opens the app, a login/password box prompts them to enter that information. Once entered, that same login/password needs to persist for all the other web service calls. What is the best/logical way to persist this information during the session?
your thoughts would be appreciated.
Thanks
NSUserDefaults would be a good place to start.
I would also recommend not storing credentials per se, but instead storing the tokens that the web services send back if they support it.
An example are Facebook's APIs. You can have a user login, but you only need to store two pieces of information, an access token and expiration date in order to continue making calls to the API "as" that user.