Where and how should I keep Client Secret? - github

For OAuth authorization through applications, you must specify the clientID and clientSecret. This is necessary so that GitHub can identify my application and remove some restrictions.
I registered my application and got the id and secret, but! it is not clear where to keep Secret, many people do not recommend storing it in the source code, which is also public. I do not have a server, I do not know where to store it.
I write on C# + UWP.

I know you are C# and Universal Windows Platform (UWP), but thought I would post this, since it may help.
My Git-Captain node.js project stands up a server that does calls to the GitHub API. In the GitHub Git-Captain project readme, I explain to store the client_secret and client_id on the server.
I store the client_secret and client_id on the server in a ".env" file on the "controllers" directory (Node.js controller).
The idea with the .env files is that when the node.js server starts it loads environment variables from a .env file, which can be accessed from the process.env node.js property.
The solution may be too much for what you are trying to do, but checkout the project and if you can setup a Node.js server on a windows server than you can modify it to do whatever you need.
In the coming months I'm going push the Linux Server instructions and we know a Linux server running on AWS is dirt cheap and GitHub is also free.
If interested, checkout the demo on YouTube.

Related

How could I get code of the application deployed on digital ocean?

I need to edit application developed by somebody else in Meteor.js deployed on Digitalocean. I have an access to digitalocean account, but have no idea how to access code and the whole folder where is application stored. Is this even possible ? Should I ask him for github repo with the app to get it instead ? Thanks.
Ask for the repo. The server may only contain the built version of the app (since that's all that's needed to run it) and that's no good for developing. You can't edit that directly.

Automated deployment of web site

I'm planning to do an automated deployment of a website,but im kind of stuck at this moment. I have looked at MS-Deploy, it got all the functions for deploying Website. I have a created a Web application package (.ZIP file) and I tested this on my local machine it is deploying website i.e
Create Web application under default website
Publishing files in c:\inetpub\wwwroot directory
Set ACLs on directories,etc
But i want to achieve few more extra steps for example:
Check whether Web application exists in Default Website, if not
create a Web application
Check whether Application pool exists, if not create a App pool
(given name) with a specific credentials and Assign App-pool to Web
application
Before it deploys take a backup copy of existing Web application (IF
exists)
publish offline page (app_offline.htm)
publishing the files to application directory
Replace the AppSettings section(in web.config file) to with actual values
Encrypt Web.config connection string
If there is any error whilst installing web application, rollback the web application to its previous version
The question is whether can i achieve all these functions via MS-Deploy or do i need to write any script, please suggest me what scripting language should i use
Please let me know if you need more information.
Thanks in advance
I'm not an expert on this topic but have been doing a bit of research on automated deployment with MSDeploy lately, and think I can offer the following;
This is default behaviour if you use the iisApp provider.
I know you can do this with the appPoolConfig provider, but I'm unsure as to how you would run this and #1 together as part of the same package. Perhaps as part of a pre- or post-sync command?
This is standard in v3, as long as it's set up on the server. Not used it myself, but read this anyway.
Fiddly. Not supported in MSDeploy, but you can vote for it if you want. Also, check out this SO answer (and also worth checking out PackageWeb, but the same answers' author).
Not sure I follow. This is done as part of a successful deployment, surely?
Use web.config transforms and optionally the aforementioned PackageWeb for a neat way to do this. Also check out Web Publish Profiles.
Difficult. My understanding is that the encryption is based on the machine.config, so you'd either have to run a post-sync script which would run some sort of remote Powershell script on the remote server to encrypt the web.config using aspnet_regiis, or you'd have to encrypt the config as part of your build process and then muck about with custom keys and the RSA provider (some info here).
I hope that helps. As I said, I'm no expert, so happy to be corrected by those more knowledgeable. Maybe also worth mentioning that MSDeploy is a lot more powerful if you use it via the command-line rather than creating packages from VS, although there is a bit of a learning curve to go with it.

Developing with Azure Mobile Services?

What is currently the "best" way to develop a back-end system in Azure Mobile Services?
Specifically, what tools are available? From what I've seen, most examples just go to the Management portal and manually add a few lines into the script window. This is worse than using just Notepad, and doesn't have any concept of version control...
Is there any way to make a project in VS 2012 that contains all the Node.js code that will run in the Azure Mobile service? Is there a way of fully running that code on a local development environment that mimics the Mobile Services?
I need to have server-side code with much more complexity than is shown in most of the Mobile Services samples or documentation that I've been able to find.
I have a web site, and a Win 8 Store App that need to authenticate against, and access relatively complex data structures from a back-end database. The solution being pushed right now all seem to include Mobile Services at the center of it, using simple REST against raw tables, but all the examples are too simple to be useful.
Can someone point me to a "real-life" sample of using Mobile Services, and a "mature" way of developing and testing such a system using the tools in Visual Studio?
Thanks.
Why you have no other option than the Management portal is really beyond me. It seems very awkward for a C#/.NET developer to go back to Notepad style programming with console.log() debugging.
What I would love to see is some Node.js entry points that you could connect to a regular C# assembly which could fulfill the request (as in ASP.NET MVC or Web API) having the full .NET Framework at your disposal.
What I could see as a possible architecture is to have:
ASP.NET MVC hosted on Azure
--- writes processed data with logic to --->
Azure SQL DB <--- reads from --- Azure Mobile Services ---- bridge to ---> Mobile devices
Or
Cloud Worker Role on Azure ---- crunching/processing ----> Azure SQL DB <---- reading/writing raw data ---- Azure Mobile Services ---- bridge to ---> Mobile devices
You can use the Mobile Services facility for mobile devices facilities, scheduling and push notifications with limited code and do most of the coding in a managed .NET environment.
The AMS (Azure Mobile Services) along with Azure has advanced dramatically since this post was written and the replied answers.
Some of this stuff still holds true. If you have a ton of node.js written not in the Azure cloud portal, you will want to copy and paste to the portal online, custom api calls section and even perhaps sql backend tables for CRUD operations.
The hope for C# developers is that it is NOW in preview mode in which YOU CAN skip node.js and build everything without node.js very shortly... Some bugs to work out, but in 6 months this will be fairly solid.
I had questions and issue and a guy named Carlos carlosfigueira was very helpful.
Azure Mobile Services - Getting more user information
Josh covers unit testing server-scripts here: http://www.thejoyofcode.com/Unit_testing_Mobile_Services_scripts_Day_7_.aspx
In this tutorial, he uses the Mocha testing framework for JS (id TDD mode) and walks through an example for testing an INSERT script that encrypts the value of a particular property (text) and a read script that decrypts it (value is encrypted at rest in SQL db).
You can also find aggregation of links and tutorials here.
I would suggest that you build this solution using Windows Azure Mobile solutions especially it supports the Node JS NPM right now, which means you can create the API you want on the Windows Azure using the Node JS NPM and can work with it using WAMS easily. have a look on the following link it will help you understand what I want to say more.
http://weblogs.asp.net/scottgu/archive/2013/06/14/windows-azure-major-updates-for-mobile-backend-development.aspx
For the Client I also suggest that you build it using SignalR which is designed for cases such yours where real time applications require a lot of transactions from the server side.
http://www.asp.net/signalr
you can also find more details about how you can integrate both of them in the following link: http://hhaggan.wordpress.com/2013/07/12/signalr-node-js/
I hope these help you, let me know if you need anything else.
For running locally, the mobile service has the same Kudu environment available in azure websites, so you can browse to https://your_service_name.scm.azure-mobile.net If you navigate to the Debug Console from the top nav, you can download everything running in the site/wwwroot folder.
You can run this nodejs project locally (On windows only if you require the SQL Server npm package). Your code is in App_Data/config/scripts. If you replace the downloaded content with your current local git working copy, you can develop and debug locally, and then push changes as usual.
Tools I use:
Eclipse with JS environment (or any nodejs IDE).
Git
Postman
Steps:
Enable source control to your azure mobile service.
Pull to your local and create a eclipse project with the source.
Make changes and push.
Test with POSTman
This procedure allows me to develop really fast and eclipse tell me the common JS errors. But it has obvious downside:
No debugging (I use console.log)
The project ended up with a lot of commits (its hard to use git for proper source control)
I just did a blog post on running Azure Mobile Services locally: http://www.mikelanzetta.com/2014/09/running-azure-mobile-services-locally/ - basically it interrogates the API and starts up express, and allows you to run mocha yourself locally. It's a bit cleaner than pulling down the full wwwroot from the scm link, and I found using my local runner as a git submodule made it easy to work with (and easy for me to use VSO for managing my tests).
Anyway, for actual development, I use the Git integration and WebStorm - it automatically figures out the tasks in my local Gruntfile and makes it easy to run and test. For once it's deployed, Postman is helpful.

what's the best way to protect secret keys when deploying a Meteor App?

I'm hooking up Filepicker.io to my meteor app for file uploads. That service has an API key which (of course) they recommend keeping secret. I've found a couple other sample apps on github where the filepicker secret is in plain site in the client code. That just seems a little shaky. And even if it's not in a public repo, since it's specified in client code, I can grab the key from the app using the Javascript console (if I wanted it).
I wonder there is a way to stash secrets along with an application (like heroku config) that would make it easy to keep that key secret.
My current plan is to put the key in the database and lock up that model so it's only available from server code. Is there a simpler way?
Thanks for any pointers.
The devel branch (soon to be in 0.5.3) has a new Meteor.settings feature: if you pass a JSON file as an argument to meteor run or meteor deploy, the object will be available on the server as Meteor.settings. (With meteor deploy, this is persistent so that you don't have to remember to pass it each time.)
(If you're using your own hosting environment, you can pass the contents of the JSON file in via the METEOR_SETTINGS environment variable.)
Using the database works too --- that's how Meteor Accounts stores configuration for OAuth accounts. My personal opinion is that Meteor.settings is best for app configuration, whereas the database is best for package configuration, since that allows packages to show an interactive configuration widget on first run like accounts-ui does.

Facebook API Integration: testing on different URL?

I'm trying to develop a website which uses Facebook Connect for authentication and other things. However, it seems that FBConnect in general requires the URL of the website to be the same one as you registered the app with. This is a problem, because although I'm running the site at
www.example.com
i am testing the site at
localhost:9000
So all the facebook stuff breaks on my local machine. Currently I'm simply working around this by doing testing on the actual server. So each time I want to test my code after doing stuff, I perform a
// local machine
git commit -a
git push origin master
// remote server
git pull origin master
Which apart from being annoying to do for every small change, is obviously going to be a problem when real people are actually reaching the website, and I want to continue development & testing without breaking it over and over while people are using it.
Is there a better way of doing this sort of thing? I'm sure others (i.e. everyone else who has ever used FBConnect) have run into this problem before. Is it possible to trick my DNS to point www.example.com at localhost during testing, so the Facebook Javascript is tricked to continue working?
One way around this is to edit your system's hosts file to point your domain to localhost. Add a line like this to your /etc/hosts file (or %SystemRoot%\system32\drivers\etc\hosts on windows):
127.0.0.1 www.yourdomain.com
Another approach is to create a second app on facebook for you in-development version, and use localhost as the URL for that version. Just don't forget to update the app id and secret to the production version when you deploy :)
The real answer here is to set up a staging server not located on your own localhost and create a staging application in FB pointing to that staging URL.
I like to use an entirely separate server for this purpose so I can develop and experiment at will without worrying about crashing my production application due to an errant loop or something.
--or--
Create a subdomain (staging.example.com) and stick a clone of your code in a separate root folder with the same directory structure as your application.
Yes, you will need some small conditional code to determine if you're looking at the staging or the production version of your site and then call the appropriate FB keys accordingly.
I ran into this problem when trying to move my code from development (localhost) to production. I was able to use localhost as the canvas url and my production domain for the secure canvas url. That way I was able to