I am currently building a Rails backend for an iphone app. The iphone accesses special controllers which returns JSON that the iphone app parses and displays appropriately. The Rails app does have an admin panel and is used to insert new data for the iphone app. That authentication is controlled by Devise. Outside of that, there is no need to have complex authentication since the iphone app does not require any user information to function.
Here is where I'm stuck. I've added a controller where the user can submit feedback from the app. That feedback will be stored in the Rail's database. In order to do this, I have turned off protect_from_forgery by using skip_before_filter :verify_authenticity_token, :only => [ :create ] for that controller method. But by doing this, I understand that this creates a security problem. I also understand that I must create custom protection (such as a token) as per this answer, and this answer. My web searching has only found how to do this using Devise or through Oauth, but as I mentioned, there is no user authentication for the iphone. All I want to do is gap this one security hole, unless I'm missing something. I'm having trouble finding any articles regarding this particular situation.
By default, Rails apps with :protect_from_forgery on include an authenticity token in the <meta> information about a page, like so:
<meta content="arBBP614zvMxug9+5ozHakrXhAaTNmQ9aBJ/Ehp3nl8=" name="csrf-token">
What you need to do is download a plain old html copy of your form, with :protect_from_forgery on, so this tag is generated. Then, once you have that HTML in a NSString* you can find the token like so:
NSArray* firstArray = [htmlString componentsSeparatedByString:#"\" name=\"csrf-token\">"];
NSArray* secondArray = [[firstArray objectAtIndex:0] componentsSeparatedByString:#"<meta content=\""];
NSString* authToken = [secondArray objectAtIndex:1];
Then you just need to send authToken as the X-CSRF-Token header field. These usually don't change very often, so you can probably keep a copy around for a while.
I ended up coming up with a token of my choosing. I setup the controller to check for the token using a before_filter. Then locking it all down with SSL.
before_filter :has_token?, only: :create
skip_before_filter :authenticate_user!, :verify_authenticity_token, only: :create
Here is the method I'm using to check for the token:
def has_token?
if request.request_parameters[:token] == "SECRET"
true
else
head :unauthorized
end
end
Then the token is hard coded into the iPhone app and passed with the parameters that it sends to the Rails backend. I know this means that I have to release new versions of the iPhone app if that token has to change, but this way I have more control over what is going on.
Related
I am trying to set the AppClip invocation for my App which is already released on app store.
I need an url such that it provides me a jobId e.g.: https://example.com/task?jobId=00001.
My use case is that I send the sms with the url https://example.com/task?jobId=00001 to the user, the user clicks on the url and the app gets started. Then for the other user I send the next url with corresponding jobId.
I did setup the AASA file for my domain (contains the JSON with "applinks" and "appclip" objects) which is valid, also the Domain status is valid on App Store Connect. There is a default experience set with title, subtitle, image and action. I also configured an advance experience for the url https://example.com/task.
However, my app clip doesn't get invoked if I access the url from either sms text or safari. :(
I do not have a web page for https://example.com/task therefore I haven't set up the meta data for this.
Is it possible to invoke the AppClip this way? It is really important for me that the URL is dynamic and I pass that jobId every time for each individual booking.
There s no much documentation and I already read at least twice Apple documentation about AppClip.
Because of this:
I do not have a web page for https://example.com/task therefore I haven't set up the meta data for this.
The answer to this:
Is it possible to invoke the AppClip this way?
Is no. Sorry, you need to own the domain you're working with, or at the very least have means to access its CNAME config (thus, be able to induce the owner of that domain to change the CNAME configs to what you want it to be, similar to what branch.io and AppsFlyer does with its users/clients).
Experience cloud vistor id is used. App, web are using same adobe launch library. When I login into app url change and mid changes and then if I navigate from app to web responsive page mid is changed and I am not seeing any cross-domain pathing report from app to web ?
anything do I need to do with s.cookiedomainperiod or anything to make this work?
The Experience Cloud Visitor ID is not automatically carried over from the native mobile app to a (mobile) web page. The long story short is native apps don't really store data locally in the same way as web browsers, so there's no automatic ability to use the same local storage mechanism/source between the two.
In order to do this, you must add some code to the mobile app to append the mid value to the target URL, e.g. :
Android
String urlString = "http://www.example.com/index.php";
String urlStringWithVisitorData = Visitor.appendToURL(urlString);
Intent browserIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(urlStringWithVisitorData));
startActivity(browserIntent);
iOS
NSURL *url = [NSURL URLWithString:#”http://www.example.com/index.php"];
NSURL *urlWithVisitorData = [ADBMobile visitorAppendToURL:url];
[[UIApplication sharedApplication] openURL:urlWithVisitorData];
If implemented properly, you should now see a adobe_mc= parameter appended to the target URL. Then on page view of the target page, if you have the Adobe Analytics javascript and Experience Cloud Visitor ID libraries implemented, they will automatically look for and use that value instead of generate a new value (should not require any config / coding on this end).
Update:
#Ramaiyavraghvendra you made a comment:
Hi #Crayon, mny thanks for your profound answer. I am sorry that i
missed to inform that this app is not native one but this is a SPA
app. so the implementation of entire app is also done through launch.
Could you pl help in this case then.
I'm not entirely sure I understand your issue. If you are NOT moving from a native mobile app to web page, and your mobile app is really a web based SPA that outputs Launch as regular javascript code throughout the entire app, then you shouldn't have to do anything; the Experience Cloud ID service should carry over the id from page to page.
So it sounds to me like perhaps your Experience Cloud Visitor ID and/or Adobe Analytics collection server settings are not configured correctly. the cookie domain period variables may be an issue, if logging in involves moving from say www.mysite.com to www.mysite.co.uk or similar, but shouldn't be a problem if the TLD has the same # of periods.
Or, the trackingServer and trackingServerSecure variables may not be configured properly. In practice, I usually do not set trackingServerSecure at all. These variables get kind of confusing and IMO buggy in different scenarios vs. what you are using, so I tend to use the "secure" value in the trackingServer field and leave the trackingServerSecure blank, and then Experience Cloud Visitor ID and Adobe Analytics will just use the secure version 100% of the time.
Or..it could be a number of other config variables not properly set. It's hard to say if any of this is off, without access to the app and Launch container.
Also you may want to check the response headers for your logged in pages. It may be that they are configured to reject certain existing non-https cookies or something else that effectively causes the existing cookies to be unreadable and make the Experience Cloud ID service generate a new ID and cookies.
Or.. maybe your app kind of is a native mobile app but using an http wrapper to pull in web pages, so it is basically a web browser but it is effectively like moving from one web browser to another (e.g. starting on www.site.com/pageA on Chrome, and then copy/pasting that URL over to Internet Explorer to view). So effectively, different cookie jar.
Launch (or DTM) + Experience Cloud ID (Javascript methods)
In cases such as the last 2 paragraphs, you have to decorate your target links the same as my original answer, but using the Launch + Experience Cloud ID Service javascript syntax:
_satellite.getVisitorId().appendVisitorIDsTo('[your url here]');
You write some code to get the target URL of the link. Then run it through this code to return the url with the parameters added to them, and then you update your link with the new URL.
Super generic example that just updates all links on the page. In practice, you should only do this for relevant link(s) the visitor is redirected to.
var urls = document.querySelectorAll('a');
for (var i = 0, l = urls.length; i < l; i++) {
if (urls[i].href) {
urls[i].href = _satellite.getVisitorId().appendVisitorIDsTo(urls[i].href);
}
}
I'm using the Javascript SDK inside a node.js (Express) App.
Connecting Users works fine, but the connection does not persist between page reloads.
Is this the default behaviour, or is the User supposed to stay connected in new requests?
Do I have to use OAuth token authentication and if so, how can this be done with the JS-SDK?
Inside the "Permission"-Popup, Users are already logged in with soundlcoud, though.
(just have to click the "connect" button each time)
Figured I'd share my answer for those who are unsatisfied with the current answers for automated oauth:
Retrieving access_token:
I had to define get and set cookie functions and then I use the functions to set and retrieve a function holding the access token. I'm not going to give these functions for conciseness but you can easily find them with a google search. I then use this line of code to get the SC access token (once the user has authenticated for the first time)
SC.accessToken()
Setting token:
So this is kind of just an elephant in the room in my opinion that for some reason no one has mentioned. How in the **** do you connect w/ SC using the access token? Do you set it as oauth param? On each call pass it? Well, after experimenting with putting the parameter in every single place I could think, I found out you have to do something like this:
SC.initialize({
client_id: '[removed for security reasons]',
client_secret: '[removed for security reasons]',
redirect_uri: '[removed for security reasons]',
access_token: getCookie("sc_lm2"),
scope: 'non-expiring'
});
//Where "sc_lm2" is the name of my cookie
Hope the helps! Took me a while to figure this out for such a simple thing
EDIT
Using PHP and Wordpress:
$json = wp_remote_get("http://api.soundcloud.com/users/[user_id]/tracks.json?client_id=[client_id]");
$soundcloudData = json_decode($json['body'],true);
(substitue cURL functionality if you're not using Wordpress). #krafty I assume you would just change the endpoint from "/tracks" to "/users" but I can't say I have ever really needed to grab anything but tracks using the Soundcloud API. Hope this helps, though I'm not sure I fully understand what it is that you are trying to accomplish (or rather, how exactly you're going about it) - are you trying to allow user logins? If you want to explain fully what you're trying to accomplish and the steps you're taking I'd be happy to take a crack at it.
Yep, this is the way to do it, officially. :)
For the Next SoundCloud site, we store the token in localStorage (until the user logs out, of course). In each AJAX request to the API from the front end, we put the oauth token in a request header:
jqXHR.setRequestHeader('Authorization', 'OAuth ' + the_oauth_token);
This is with reference to using Google Contacts Data API.
It requires that the application gets authentication view a WebBrowser/WebView (in the case of android).
Therefore the RequestTokenUrl is passed to the webview which will show a Google Sign-in page and then ask the user if it allows the application to access their account.
Once authorized, there needs to be some kind of callback to the activity.
The activity will then use the WebViews cookie (which should contain the AccessToken) with an HTTP client to request data from Google Data API. This could be anything, in our case it is the Google Contacts.
Any ideas on how this can be done?
EDIT: Found another way around the problem by using OAuth 2.0.
This still required getting the AuthorizationCode from the WebView but that is accessed through the pagetitle instead of a cookie.
The selected answer still addresses the original question correctly.
The following code which uses the reflection library will print a line with the cookies:
Sub WebView1_PageFinished (Url As String)
Dim r As Reflector
r.Target = r.RunStaticMethod("android.webkit.CookieManager", "getInstance", Null, Null)
Log(r.RunMethod2("getCookie", Url, "java.lang.String"))
End Sub
I'm creating a webapp with this combination of tools. I'm authenticating with App Engine in the following manner:
class googleLogin(webapp.RequestHandler):
def get(self):
callbackURL = 'http://%s/googleLoginCallback' % getHost()
#Create a client service
gdClient = gdata.docs.service.DocsService()
gdata.alt.appengine.run_on_appengine(gdClient)
gdClient.SetOAuthInputParameters(gdata.auth.OAuthSignatureMethod.HMAC_SHA1,
_GoogleConsumerKey,
consumer_secret=_GoogleConsumerSecret)
#Get a Request Token
requestToken = gdClient.FetchOAuthRequestToken(scopes=_GoogleDataScope,
extra_parameters={'xoauth_displayname': APP_NAME})
#Persist token secret
self.session = Session()
self.session[TOKENSECRETKEY] = requestToken.secret
gdClient.auto_set_current_token = True
gdClient.SetOAuthToken(requestToken)
authUrl = gdClient.GenerateOAuthAuthorizationURL(callback_url=callbackURL)
self.redirect(authUrl)
I authenticated my domain with Google at https://www.google.com/accounts/ManageDomain, entering a target URL and am using the given Consumer Key/Secret. For instance, if my domain was 'juno.appspot.com', I am using http://juno.appspot.com as the target url path prefix.
The process is working; however, Google presents this message to the user in a yellow security box:
"The application that directed you
here claims to be 'xxxxxx'. We are
unable to verify this claim as the
application runs on your computer, as
opposed to a website. We recommend
that you deny access unless you trust
the application."
I don't think I should be getting this error, since my server is getting the request token and creating the authorization URL. Does anyone have any insight on how to get rid of this warning?
Google's domain registration has an option to upload a certificate, but I shouldn't need to do that because I'm using OAuth with the HMAC_SHA1 signature method.
Also, not that it should matter, but I'm doing all this through a UIWebView on the iPhone. I'm specifically trying to do all authentication server-side to avoid exposing my Consumer Key/Secret.
Thank you for any tips :)
Solved.
The culprit is this line from above:
extra_parameters={'xoauth_displayname': APP_NAME})
Setting this value for a registered application intentionally triggers a warning to users, as indicated by the Google documentation:
xoauth_displayname:
(optional) String identifying the
application. This string is displayed
to end users on Google's authorization
confirmation page. For registered
applications, the value of this
parameter overrides the name set
during registration and also triggers
a message to the user that the
identity can't be verified. For
unregistered applications, this
parameter enables them to specify an
application name, In the case of
unregistered applications, if this
parameter is not set, Google
identifies the application using the
URL value of oauth_callback; if
neither parameter is set, Google uses
the string "anonymous".
Removing this line no longer allows me to use a 'nice' name in place of the domain, but it gets rid of that annoying yellow box :)
I'm not sure exactly where the issue may be in your code, but I've got a one page oauth/appengine/gdata example which may at least set you in the right direction. Have you tried to navigate to the site directly from the iPhone/desktop browser to see what message is delivered?
Hope it helps.
Alternatively, is it possibly to do with the user agent the UIWebView sets?