Headless Shopify - Reset Password Token Email - shopify-api

I'm in the process of building a headless implementation of Shopify+.
I'm trying to set up the Shopify email reset notification to redirect back to my site (in this case just localhost) but I need it to also pass the recovery token.
I can't find any documentation on how to get only the token in the email template. I want to replace the link below with something like http://localhost:8449/auth/reset/{{ ??resettoken?? }}.
My question is how do I get just the token part without the URL in the Liquid email template? And is there a documentation somewhere I should follow for this?

You can use the split tag and extract the token, please check the below code.
{% assign resetUrlData = customer.reset_password_url | split: "/" %}
{% assign resetUrl = "http://localhost:8449/auth/reset/" | append: resetUrlData[6] %}
Add this code at the top of the template, or before the start of the table tag, or anywhere in the code where you want, and after that replace the "Reset your password" link anchor tag code with the code below.
<a href="{{ resetUrl }}">Reset your password</a>
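The same extraction done on the headless side, as an added example that is not code from the question or the answer: the reset URL is parsed as a URL rather than split positionally, so a malformed link yields null instead of a broken redirect. It assumes the URL shape the Liquid split above relies on, https://shop/account/reset/customer_id/token, and keeps the customer id as well, because the Storefront API's customerReset mutation needs both the id and the token. The sample URL is constructed.

```javascript
// Added example, not code from the question or answer above: parse the
// reset URL that Shopify places in customer.reset_password_url and rebuild
// the headless site's link from its parts.
// Assumed URL shape (what the Liquid split in the answer relies on):
//   https://<shop>/account/reset/<customer_id>/<token>
// so split("/")[5] is the customer id and [6] is the token.
const HEADLESS_RESET_BASE = "http://localhost:8449/auth/reset/"; // from the question

function parseShopifyResetUrl(resetUrl) {
  let url;
  try {
    url = new URL(resetUrl);
  } catch (err) {
    return null; // not a URL at all
  }
  // Accept only the expected path; anything else yields null rather than a bogus link
  const match = url.pathname.match(/^\/account\/reset\/([^/]+)\/([^/]+)\/?$/);
  if (!match) return null;
  const [, customerId, token] = match;
  // Token format is an assumption: refuse characters that cannot sit in a
  // path segment unencoded, so nothing odd is echoed into the new link
  if (!/^[A-Za-z0-9_-]+$/.test(token)) return null;
  return { shop: url.host, customerId, token };
}

function buildHeadlessResetLink(resetUrl) {
  const parts = parseShopifyResetUrl(resetUrl);
  if (!parts) return null;
  // Equivalent to the Liquid `append: resetUrlData[6]` for a well-formed URL
  return HEADLESS_RESET_BASE + encodeURIComponent(parts.token);
}

// Constructed sample: not a real store, customer id or token
const SAMPLE_RESET_URL =
  "https://example-store.myshopify.com/account/reset/123456789/abcdef0123456789";

console.log(parseShopifyResetUrl(SAMPLE_RESET_URL));
console.log(buildHeadlessResetLink(SAMPLE_RESET_URL));
```

Run it with node; for the constructed sample it prints the parsed parts and http://localhost:8449/auth/reset/abcdef0123456789, and returns null for a login-page URL or a token containing a percent-encoded slash.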


Password type field in gmail card service

Right now, in Gmail Apps Script we don't have any option to add a password type field.
Gmail Card Service for add-ons has a very good ability to show anything in it. We can integrate with any app which has a basic REST API. We need authentication for that, which commonly needs a password type field.
Any workaround to show a password type field?
As of now, there is no support for a password field in Gmail add-ons.
But we can build a hack for it. I hope the password is needed only in registration forms. So, we can build a registration form using HTML, and that can be served through an authorization action.
CardService.newAuthorizationAction().setAuthorizationUrl(loginUrl)
Here, host the registration HTML on a web server and pass its URL as "loginUrl" in the above snippet. We have to supply an AuthorizationAction for the signup/register button. So, when the user clicks on this button, a new popup page is launched, the user gives the username, password, etc.; on submit, we can encode all the form data and pass it to the parent Gmail add-on by redirecting to a script redirection URL which you can generate in an add-on. Once the redirection to the script URL comes, there will be a callback in our add-on code, from which you can get the form fields that were encoded on the registration HTML page.
function generateNewStateToken(callbackName, payload) {
  return ScriptApp.newStateToken()
    .withMethod(callbackName)
    .withArgument("payload", JSON.stringify(payload))
    .withTimeout(3600)
    .createToken();
}

function getRedirectURI() {
  return "https://script.google.com/macros/d/" + ScriptApp.getScriptId() + "/usercallback";
}

var state = generateNewStateToken("registerCallback", {"signup": true});
// <reg_url> is the address of the hosted registration page
var reg_url = "<reg_url>" + "?redirect_uri=" + getRedirectURI() + "&state=" + state;

function registerCallback(cbResp) {
  // to access the payload passed in the state token: cbResp.parameter.payload
  // in the HTML, serialize all the form fields or data you want to pass to the plugin
  // as query params like: <redirect_uri>?form_data=<encoded_data>&state=<state>
  // Note: the registration HTML page should parse its URL to get state & redirect_uri.
  // to access form_data: cbResp.parameter.form_data
}
I hope this will help you. This is how we are doing the signup/signin flow now.
Looks like you are authorizing a non-Google service. Please refer to Authorizing custom Google services.

OWASP ZAP not performing authentication during active scan using "Form-Based Authentication" on Python project

I am facing a roadblock with OWASP ZAP form-based authentication. I set up the ZAP properties as per the guidance. When I run an active scan, when it attempts to log in it gives a FORBIDDEN error: CSRF token not available.
My target URL is:
http://example.com:84/admin/login/?next=/admin/
Post data:
csrfmiddlewaretoken=IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s&username={%username%}&password={%password%}&next=%2Fadmin%2F
Here is the HTML response I got:
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>
<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>
CSRF token missing or incorrect.
</pre>
<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
<a
href="https://docs.djangoproject.com/en/1.8/ref/csrf/">Django's
CSRF mechanism</a> has not been used correctly. For POST forms, you need to
ensure:</p>
<ul>
<li>Your browser is accepting cookies.</li>
<li>The view function passes a <code>request</code> to the template's <code>render</code>
method.</li>
<li>In the template, there is a <code>{% csrf_token
%}</code> template tag inside each POST form that
targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
<code>csrf_protect</code> on any views that use the <code>csrf_token</code>
template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG =
True</code> in your Django settings file. Change that to <code>False</code>,
and only the initial error message will be displayed. </p>
<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
Unfortunately ZAP doesn't currently support the automatic regeneration of CSRF tokens when authenticating.
A way around this is to record a Zest authentication script - make sure that you start by requesting the page that generates that token.
Recording Zest scripts is covered in this FAQ (which is otherwise unrelated): https://github.com/zaproxy/zaproxy/wiki/FAQreportFN
Feel free to hassle us about supporting anti-CSRF tokens when authenticating on https://groups.google.com/group/zaproxy-users :)
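What the recorded authentication script has to do, as an added example in plain Node that is not ZAP's, Zest's or Django's code: fetch the login page first, take the csrftoken cookie and the hidden csrfmiddlewaretoken field from that response, and only then build the POST with the field in the body and the cookie on the request, so both belong to the same session. The token fixed in the scanner's POST data, as in the question, comes from an earlier session, which is why Django answers with the 403 shown above. The login page HTML and the Set-Cookie header are constructed samples; the hidden-field value is the one from the question, and the origin defaults to the question's target host.

```javascript
// Added example, not ZAP's, Zest's or Django's code: the two-step login an
// authentication script must perform for a Django form, as plain functions.
// Step 1: GET the login page; keep the csrftoken cookie and the hidden
// csrfmiddlewaretoken field. Step 2: POST credentials with the field in the
// body and the cookie in the request, so the two agree for that session.
// The login page and Set-Cookie header below are constructed samples.
const SAMPLE_LOGIN_PAGE = `
<form action="/admin/login/" method="post" id="login-form">
  <input type="hidden" name="csrfmiddlewaretoken" value="IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s">
  <input type="text" name="username" id="id_username">
  <input type="password" name="password" id="id_password">
  <input type="hidden" name="next" value="/admin/">
  <input type="submit" value="Log in">
</form>`;
const SAMPLE_SET_COOKIE =
  "csrftoken=e0f1c2d3a4b5968778695a4b3c2d1e0f; Path=/; SameSite=Lax"; // constructed value

// Pull the hidden field out of the form. Attribute order varies between
// Django versions, so match name and value independently within one <input>.
function extractCsrfField(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  for (const tag of inputs) {
    if (!/\bname=["']csrfmiddlewaretoken["']/i.test(tag)) continue;
    const m = tag.match(/\bvalue=["']([^"']*)["']/i);
    if (m) return m[1];
  }
  return null;
}

// Read one cookie's value from a Set-Cookie header line
function extractCookie(setCookieHeader, name) {
  const first = setCookieHeader.split(";")[0].trim();
  const eq = first.indexOf("=");
  if (eq < 0 || first.slice(0, eq) !== name) return null;
  return first.slice(eq + 1);
}

// Assemble the POST that step 2 has to send. Returns a plain object so it can
// be handed to any HTTP client or compared with what the scanner sends.
function buildLoginRequest(loginPageHtml, setCookieHeader, username, password, next,
                           origin = "http://example.com:84") {
  const field = extractCsrfField(loginPageHtml);
  const cookie = extractCookie(setCookieHeader, "csrftoken");
  if (!field || !cookie) {
    throw new Error("login page gave no CSRF token; request the page again before posting");
  }
  const body = new URLSearchParams({ csrfmiddlewaretoken: field, username, password, next });
  return {
    method: "POST",
    path: "/admin/login/?next=" + encodeURIComponent(next),
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Cookie: "csrftoken=" + cookie,
      // Django enforces a Referer check on HTTPS; sending it on HTTP is harmless
      Referer: origin + "/admin/login/",
    },
    body: body.toString(),
  };
}
```

With the constructed samples, buildLoginRequest yields a body of the same shape as the question's post data, but with the token taken from the freshly fetched page and the matching cookie attached; if either is missing it throws instead of sending a request that can only fail with 403.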

Sending HTML content in email body (emailBlurb) DocuSign API

I am trying to send HTML content in my emailBlurb when sending an email for document signature, using the following code portion:
DocumentSignatureRequest documentSignRequest = new DocumentSignatureRequest();
String blurb = "Testing html email content : <b>Bold content</b>";
documentSignRequest.setEmailBlurb(blurb);
But the emails I receive from this contain the whole string, with the <b> tags shown literally instead of bold text. So, I looked at the docs provided by DocuSign and they pointed to the 'email resource file' in the DocuSign account. In the file I found the portion:
<td class="MainStyle" colspan="2">
<p>[[EmailBlurb]]</p>
<p>[[RecipientNote]]</p>
</td>
I am guessing the 'emailBlurb' I am setting is being used simply as a string and thus the HTML tags are just being displayed as is.
So my question: what are my options for finding a way around this? I know an option is to edit the resource file, but are there any better options? For instance, any settings or tags in the resource file around the [[EmailBlurb]], or can it be done from my code? Please help.
It's possible to insert raw HTML into the notification emails; however, this is not a self-service option. You need to reach out to your DocuSign Account Manager or their Support to have the option enabled in your account.

How to include parameters in a URL using Node.js + Jade?

In Jade I have two hyperlinks that both jump to the same page, for example:
a(href='/signup')#create-account Create Student Account
a(href='/signup')#create-admin Create Teacher Account
If I want to send a variable to the '/signup' URL and do some processing using that variable, what should I do?
Any help will be appreciated.
It depends on whether you will make your app RESTful or not.
Say you would like to be RESTful.
To create an admin you should make a POST to the URL /admin.
Respectively, to create an account you should POST to the URL /account.
This is if admin and account are different resources. If it is the same resource you should POST to the original resource and, with the posted data, make the decision what to save where.
Jade form:
div.loginbox
  form(name="login", action="/signup", method="post")
    input(type="checkbox", name="admin")
    input(type="text", name="user")
    input(type="password", name="pass")
    input(type="submit", value="login")

Symfony security and Twig render function

I have this scenario.
My site has a secured part. Security is, I think, correctly configured.
If I try to open a secured URL from browser, I am asked to type username and password.
Symfony profiler shows correctly user context after logon
The homepage (root route) is not secured (the profiler shows here the anonymous context)
Now the problem:
If, in the twig template of the homepage, I put something like this
{{ render(path('secured_route')) }}
the content of the secured route is rendered!
I expected to get some kind of exception or the login window!
Is this a bug or am I missing something?
When rendering a controller this way, you're bypassing the router, so the security rules attached to routes are bypassed too.
The best you can do is to restrict your controller to logged-in users using the @Security annotation:
/**
 * @Security("has_role('IS_AUTHENTICATED_REMEMBERED')")
 */
By using "render" from Twig you are skipping the security checks related to routes; if you don't need to get the content in the anonymous context, you could check the role from Twig before rendering the controller, something like:
{% if is_granted('ROLE_USER') %}
{{ render(path('secured_route')) }}
{% endif %}
