I'm building an app and want to leverage AWS SNS for the push notifications. The documentation seems a bit spars.
I'm not using Cognito, and at the stage where I have got the deviceToken from Apple, the hasn't been a login in any case. The app uses AppAuth for the authorisation.
let defaultServiceConfiguration = AWSServiceConfiguration(
region: AWSRegionType.USEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = defaultServiceConfiguration
Obviously 'nil' doesn't work as credentialProvider. Is there anything I can give there to satisfy AWS?
Yes, you can.
For that, register the device tokens in a platform application endpoint, so you will receive an ARN reference for it, and then you attach it to your app user's entity at the end. This way you can directly push notifications for each individual user.
Here's a flow for the app token/ARN management:
More info here:
https://docs.aws.amazon.com/sns/latest/dg/mobile-platform-endpoint.html#mobile-platform-endpoint-pseudo-code
Similar solution applied here:
https://stackoverflow.com/a/32684226/3270938
Related
We are using google cloud platform to host our stripe payment gateway. The cloud function sends the payment intent to stripe and a callback that stripe calls with a session object.
Inside the google cloud platform, we are not sure what permission to set our cloud function. Right now, we allow all public access and we are fearing that a hacker can see our secret key from our index.js (where the cloud functions live), or has the ability to manipulated the code inside of the index.js.
With the function's purpose described above, what is the safest permission setting that does not allow any public users to read or manipulate our functions? All we want is to allow the users to invoke the function,
thank you
I've implemented Stripe for an app using a combination of the Golang SDK and JavaScript SDKs that I'm deploying as an app to Cloud Run. So my config is slightly different to yours.
You should be able to:
Provide some protection by keeping Stripe's API keys as environment variables so that the JavsScript only accesses these in-memory. You may want to consider using Secret Manager.
Differentiate between authenticated handlers that trigger the flow and restricted handlers that accept the callback from Stripe.
You can authenticate using Cloud IAP (Google auth requiring users be part of the project) or e.g. Cloud Endpoints and Firebase auth
You can restrict access to the callback to Stripe's endpoints
I'm not a security guy.
Your learnings would make an interesting customer story for Stripe and GCP.
check how these guys implement their stripe functions, they have a bunch of them https://functions.store
I'm using Firebase Cloud Messaging in my Dart/Flutter app. The code below updates a user doc with a retrieved android notification token.
FirebaseMessaging().getToken().then((token) {
_usersRef.doc(user.id).update({
"notificationAndroidToken": token,
});
});
I then read the notificationAndroidToken in my cloud functions. Works great except I had wrongly assumed the token would be invalid if the user had shut off their notifications (e.g., empty or null). What's the best way for determining if notifications are enabled for my app in cloud functions? I'm finding some hits in my searches but many are outdate or for a different dev environment.
The firebase_messaging package does not provide any method for checking if notifications are enabled by calling NotificationManagerCompat.areNotificationsEnabled on the platform. The awesome_notifications package provides such a isNotificationAllowed method.
I am facing the challenge to request the Bing Ads API to get a couple of metrics from it.
I am using Apache Airflow DAGs hosted on a remote Kubernetes cluster to do so. It is a nice way to automate and schedule tasks.
Now, the documentation is rather light on the point of gaining access to the API.
I have followed this https://learn.microsoft.com/en-us/advertising/guides/authentication-oauth-identity-platform?view=bingads-13#registerapplication
and the official SDK docs https://github.com/BingAds/BingAds-Python-SDK/.
I am failing at authenticating when querying, since I am lacking a couple of pieces of information.
When authenticating using the "refresh token" and "redirect URI", I do not have either. (Class OAuthWebAuthCodeGrant here: https://github.com/BingAds/BingAds-Python-SDK/blob/294d01eea57d80ba381a42cde8d006fc318af056/bingads/authorization.py#L566)
When using a different method (Class OAuthDesktopMobileAuthCodeGrant here: https://github.com/BingAds/BingAds-Python-SDK/blob/294d01eea57d80ba381a42cde8d006fc318af056/bingads/authorization.py#L532), I fail w/
AADSTS700016: Application with identifier '<someidentifier>' was not found in the directory '<somethingelse>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Thank you very much in advance! If you need more details, let me know!
Also great documentation in general, if I can make it more "newb"-friendly, let me know!
Edit1:
Sadly, while there has been some traffic to this question, nobody seems to be able to answer.
I will specify the set up a bit further.
We use Airflow DAGs to request daily updates from the API. For this, we need to authenticate. The authentication comes from a "new device" every time, since the code runs on a k8s cluster which allocates the jobs dynamically to it's pods.
For authentication, we ventured into different solutions, but all require some form of human interaction to get the refresh token into the DAG.
Is there any solution which allows for a hands-free deamon like many-server-to-server communication?
This link sheds some light on what we are looking for: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-registration#api-permissions---app-permissions-and-admin-consent
Sadly, the Bing Ads API does not show up there.
What key piece of information are we missing?
Bing Ads, like Google Ads, uses OAuth for its API.
If you reference the Getting Started page, it mentions that you need a developer token, complete with links.
You can follow these steps to get a developer token for production.
Sign in with Super Admin credentials at the Microsoft Advertising Developer Portal account tab.
Choose the user that you want associated with the developer token. Typically an application only needs one universal token regardless how many users will be supported.
Click on the Request Token button.
Regarding your specific scenario--an application running in the cloud without an interface--you should know that OAuth requires you to interact with it to set things up. So run your app locally ONCE, or at least the getting_started code from your language's walkthrough: https://learn.microsoft.com/en-us/advertising/guides/walkthrough-desktop-application-python?view=bingads-13
Running it locally will go through the authentication process with your browser and generate a refresh token (in the file refresh.txt by default). Store this file with your code. It will have to be on the server that's making the request, and since it's in Kubernetes, you'll have to keep it with your container file.
Im new to Flutter.
I wondered why I need to use Cloud Functions to send notifications to the other device in Flutter.
If one device simply know the token of the partner device, I think that it can specify the token and send a notification directly from the client side.
Does this question relate to this answer?
How to send push Notification using FCM and Flutter(One to Another Device)?
Thank you.
You certainly could send the message directly from your client app, but you would then have a huge security problem. The Admin SDK requires a service account to initialize, and you would have to package that service account in your app so it could call the FCM API.
Distributing your service account is strongly discouraged, as it now allows everyone to do everything to your project that the service account is allowed to do. This could be anything and everything.
Instead, people put messaging code on secure backends where the service account can't be seen by others. Cloud Functions is a popular option for this, but you can use whatever backend you want.
I have seen the tutorial for starting the cloud functions and creating a guestbook on IBM Cloud, but when trying to connect an App ID it actually requires an application and not a Cloud Functions API.
So how can I connect them? Is there some tutorial somewhere? What needs to be considered?
depending on what you want to do, take a look in https://console.bluemix.net/docs/services/appid/relatedlinks.html#secure.
Specifically one of
Securing your Cloud Functions API
Securing your serverless Cloud Functions mobile backend with App ID
Tutorial: GitHub traffic analytics with Cloud Functions and Cloud Foundry
Cloud Functions supports OAuth 2.0 user authorization out of the box and you can bound your App ID instance directly to it.
Here's a fairly recent tutorial showing the steps:
https://www.ibm.com/cloud/blog/authenticating-users-with-cloud-functions-api-gateway-and-app-id
If you're looking to automatically initiate a new authentication flow as in redirect to the an identity provider where you're user will sign in, you'll have to either add logic to your application using an OIDC SDK (For instance App ID's: https://github.com/ibm-cloud-security/appid-serversdk-nodejs/) or add it manually handle the flow from a set of actions.
If you go the action approach, you'll have to keep in mind that they are ephemeral and can't keep session state, so you'll have to keep secure cookies in the user's browser.