Telegram Bots: secret chats possible? - chat

Telegram offers "secret chats". Is it possible that a bot opens a secret chat and sends a message? I could not find any method or parameter for this function.

Telegram's Bot API does not support secret chats at the moment. You can read the documentation, but a short explanation is: end-to-end encryption is used in secret chats which is tricky to implement for bots and requires additional work.
There's no word on when it'll be supported, if ever. At any rate, Telegram Bots are generally meant as a useful aid or for fun, not for sensitive things like financial transactions.

I know this is too late, but following the post, I found out they do support secret chats via the REST API. You can check if you're still interested.

Related

Dynamically create skills for Actions on Google via an exposed API?

Is there an API exposed for Actions on Google, similar to what Dialogflow offers with their API? The only API-like flow I have found through my research is this webhook flow API, but that only deals with conversation requests, prompts, and responses, which I have already handled.
Ideally I'd like to be able to dynamically create "agents" and their conversation flows without having to use the AoG console, similar to what Amazon offers with Alexa SMAPI.
There's not a full API to do everything that you want end-to-end. Some parts, like Dialogflow and fulfillment, can be automated, but it will still require some manual work in the Actions Console.
I had a conversation with another developer on this subject once. As a workaround, which is admittedly hacky, they decided to use the Puppeteer library to programmatically control a browser instance to fill in fields and click buttons.
That may not necessarily work when the console changes, and isn't a good substitute for an API, but it may work for you.
Yes, you can do it using the Google Dialogflow REST API.
Here are the APIs for the agent:
There are many more APIs available for different operations.

How to secure/protect usage of Algolia's front end api key?

From the official tutorials on https://community.algolia.com/instantsearch.js/, Algolia requires you to code the key into your application and use it with each API request. If someone were to dig this up, what's to prevent them from spamming search requests with your API key?
If someone were to dig this up, what's to prevent them from spamming search requests with your api key?
Do you want the cruel truth? Nothing...
Unfortunately, in a web app there is no way of securing secrets, be they API keys, tokens or whatever other naming convention may be used.
In a web app all that is needed is to use F12 or view the page source and search for them in the raw HTML and JavaScript.
You can try to use JavaScript obfuscation to make them harder to find, but it will still be easy to reverse engineer. Even in a mobile app that has its code obfuscated and released as a binary, it is easy to extract these secrets.
If you want to understand a little more about Mobile API Security Techniques, please read this series of articles to find out how API keys, access tokens, HMAC and other techniques can be used and bypassed. While the articles were written in the context of a mobile API, they are still valid in a web app context for the security techniques used to protect the API.
Possible Solution
The best approach is to always delegate your web app's access to third-party APIs to a backend you control.
In this backend you can then use a User Behaviour Analytics (UBA) solution to monitor bad use of this third-party access.
Since UBA can be complex and expensive to deploy, you could start by using the new Google reCAPTCHA v3 across all pages of your web app. reCAPTCHA v3 does not require direct user interaction, since it works in the background to differentiate humans from bots.
So I would have the web app send the Algolia search request to my backend, which would use reCAPTCHA v3 protection to detect abuse of the search functionality by bots or attackers.
Remember that this approach has the huge benefit of never revealing your Algolia API key, so attackers can never directly use it.
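The backend-proxy approach described in this answer, as an added example that is not part of the original post or of Algolia's or Google's own code: a framework-agnostic Node handler that verifies the reCAPTCHA v3 token first and only then forwards the query to Algolia with the key held server-side. The app id, search key, reCAPTCHA secret and the `products` index name are placeholders; `fetchFn` is injectable so the decision logic can be exercised without network access, and the two URLs are Google's siteverify endpoint and Algolia's REST search endpoint.

```javascript
// Backend proxy for Algolia search (constructed example). The browser sends only the
// query and a reCAPTCHA v3 token; the Algolia key and reCAPTCHA secret live here.
const ALGOLIA_APP_ID = process.env.ALGOLIA_APP_ID || 'APP_ID_PLACEHOLDER';
const ALGOLIA_SEARCH_KEY = process.env.ALGOLIA_SEARCH_KEY || 'SEARCH_KEY_PLACEHOLDER';
const RECAPTCHA_SECRET = process.env.RECAPTCHA_SECRET || 'RECAPTCHA_SECRET_PLACEHOLDER';
const MIN_SCORE = 0.5; // reCAPTCHA v3 score: 1.0 = very likely human, 0.0 = very likely bot
const SEARCH_INDEX = 'products'; // assumed index name

// Verify the token with Google's siteverify endpoint. `fetchFn` is injectable so the
// decision logic can be tested without network access.
async function verifyCaptcha(token, expectedAction, fetchFn = fetch) {
  if (typeof token !== 'string' || token.length === 0) return false;
  const res = await fetchFn('https://www.google.com/recaptcha/api/siteverify', {
    method: 'POST',
    body: new URLSearchParams({ secret: RECAPTCHA_SECRET, response: token }),
  });
  const data = await res.json();
  // success alone is not enough: check the action the page claimed and the bot score.
  return data.success === true && data.action === expectedAction && data.score >= MIN_SCORE;
}

// Forward the query to Algolia's REST search endpoint using the server-held key.
async function algoliaSearch(query, fetchFn = fetch) {
  const url = `https://${ALGOLIA_APP_ID}-dsn.algolia.net/1/indexes/${encodeURIComponent(SEARCH_INDEX)}/query`;
  const res = await fetchFn(url, {
    method: 'POST',
    headers: {
      'X-Algolia-Application-Id': ALGOLIA_APP_ID,
      'X-Algolia-API-Key': ALGOLIA_SEARCH_KEY,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ params: new URLSearchParams({ query, hitsPerPage: '20' }).toString() }),
  });
  return res.json();
}

// Handler the web app calls instead of Algolia. Framework-agnostic: takes the parsed
// JSON body and returns { status, body } for the HTTP layer to send.
async function handleSearch(body, fetchFn = fetch) {
  const { query, captchaToken } = body || {};
  if (typeof query !== 'string' || query.length === 0 || query.length > 200) {
    return { status: 400, body: { error: 'invalid query' } };
  }
  if (!(await verifyCaptcha(captchaToken, 'search', fetchFn))) {
    return { status: 403, body: { error: 'captcha verification failed' } };
  }
  const result = await algoliaSearch(query, fetchFn);
  return { status: 200, body: { hits: result.hits || [] } };
}
```

Behind a real server you would also rate-limit by client IP or session, since a low-score-rejected request still costs the backend a siteverify round trip.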

Can JSON Web Tokens (JWT) be rejected or blacklisted if a user wants to sign out of an account from a different machine?

I'm building an app that requires authentication and I'm worried users might want to be able to remotely log out. Is there a way to use JSON Web Tokens and be able to blacklist or reject them? I understand that their benefit is statelessness, but it would be nice to have a remote logout.
EDIT: With Express.js using the express-jwt module, there is a method to revoke tokens. Also, there is a module express-jwt-blacklist. I still don't understand how these strategies work and would like to know what is the best practice at this point.
There is a nice article on Auth0 about Blacklisting JSON Web Token API Keys where they give a good real-world example of how to blacklist a JWT API key so it is no longer valid. You should give it a read.
Framing the problem
Providing support for blacklisting JWTs poses the following questions:
How are JWTs individually identified?
Who should be able to revoke JWTs?
How are tokens revoked?
How do we avoid adding overhead?
This blog post aims to answer the previous questions by leveraging our experience from implementing this feature in our API v2.
The article breaks down each point and then shows some example code on how to achieve it and concludes with:
Most of the aforementioned content applies to blacklisting JWTs in general, not just JWT API keys.
Hopefully this blog post has provided some useful ideas on how to tackle this problem.
I've personally applied similar methodologies to revoke multiple sign-ins where the tokens were used similarly to session ids and stored in cookies. I modeled it like the GitHub profile section, where the user can see all their other active sessions and revoke them (remote sign-out) when needed.
As far as best practice is concerned, I believe that topic would be rather opinion based. I do however see Auth0 as a source of good practices in this topic area, with a lot of people experienced on the matter.
UPDATE:
Found this express-jwt plugin for token blacklisting on npm

Understanding OAuth2.0 and REST API Security

In my current work, I have to develop an internal REST API engine.
I have read Roy Fielding's thesis, documented myself, and I finally got something that works great, is easy to use, has high performance, and corresponds to Fielding's REST spec.
There is only one point that I don't really know how to overcome: the security problem.
Again, I documented myself, and I wanted to use OAuth2.0 in my engine.
The problem is that I don't understand at all how to use this protocol.
I don't understand how the consumer can connect and be recognized by the server.
I don't understand if I have to provide an API key to my consumer (like Facebook, Twitter and Google do) or if a token will automatically be generated if I send a login/password to the server.
I don't know if I have to create my own OAuth2.0 server that provides keys, or if OAuth2.0 libraries are sufficient to provide security.
In fact, I don't understand anything at all about OAuth2.0, and I need to learn. The problem is, every piece of documentation that I try to read is like Chinese to me; I didn't find an easy, step-by-step one that would help me with this.
That's why I'm posting here: can you help me understand OAuth2.0 and secured authentication for APIs a bit more?
I deliberately didn't talk about the technologies, because I want to understand OAuth2.0 before applying it technically.
Thanks to all.
The main problem with OAuth (both versions) is that you'll see a lot of talk about the three-legged version. That is when you have a user, a data-providing service and a consuming service, let's say a service that will create physical copies of your flickr photos. In this case the OAuth flow allows the user to tell flickr that the third party can access their data. This is not the scenario you are after; you are interested in 2-legged OAuth, see here for a description.
Of course you could look at other methods too. I've used HAWK in a number of REST/Hypermedia APIs and found it to be great to use in both nodejs and .NET server stacks.
Thank you for your answer. I studied OAuth2 a bit more and tried to implement it with 3 strategies: basic, clientPassword, bearer.
I created a new thread for another problem, if you want to take part in it:
OAuth2 server creation with nodejs

How do I use an API

I've never used an API and was wondering how you use them... I would like to use Facebook's, Twitter's and Vimeo's APIs.
Can someone explain the basics of using them, how do I access them and use them, etc.?
Please and thanks
Neil
How to use an API depends on the API. Usually the API creator has documentation on how to use their specific API.
Mostly, things work like the following:
You register to get a developer key. Then, you send requests to the service via HTTP (for example, Twitter uses REST, which requires you to send XML or JSON to a specific HTTP URL, providing your key). You get an answer from the service, which you must then parse and react to accordingly (for example, filling a list with contacts, etc.).
Most of the time this all comes down to:
Create an XML or JSON document that describes the call parameters
Send the document to a URL using GET, POST or other request methods
Get the server's response
Parse and evaluate the response
The specific ways to use the API, especially performing authentication, can be found on the service's developer pages.
The best way to start if you want to use an API is to read its documentation and find some tutorials and code examples. This is always/usually published by the one offering the API.
Good luck :)