I'm working on a registration flow that I'm having difficulty with. I've got a self asserted profile to collect some data, and it's got validation profile that calls a REST endpoint. The REST endpoint passes back, among other things, a claim indicating if there's an error (boolean) and if there is, an error type (string). I've been back and forth with possible solutions, but I haven't been able to figure out how to do what amounts to a case statement - that is, if the error is "Not Found", load content from {notfoundurl} (via a technical profile's ContentDefinitionReferenceId) and display to the user; if the error is "Partial Match", load content from {partialmatchurl} and display to the user, and if everything seems to be in order, allow the user to enter a username and password to register. Is there an elegant solution to this?
Related
I am writing a registration form in React.js using TypeScript and each username that registers will have to register with a unique username. If I have a LoginForm component that takes in all the data from the form, how can I verify in real time that a username is not taken? I have a MongoDB dedicated cluster where every user document is stored, and each user has a username, which is a string, stored in the field "username". Basically, as a user is typing their username, I want to display a red alert that shows "Username is taken" while the username they've typed is taken, and "Username is unique" in green, when the username entered is unique.
I'm not sure how to approach this problem.
The only idea I've come up with: Using the useEffect hook to capture the state of input every few seconds and make an axios call to the database, search for the username, and render an alert. However, I'm not sure if this is the best method because of the number of calls that will be made and possible latency.
Is there a best-practice way to do this? If there is, please point me in the right direction. Ideally, if you could outline a series of steps, i.e. 1. "Make an api call to x every time x happens", 2. ... then that would be helpful.
I am required to create a Java Script but unable to figure on how to proceed as I don't have that much of coding idea in OIM, can someone assist(below I have mentioned the scenario)
Scenario:
In OIM User Attribute Page, there is a User Field: 'Job Code' now we have experienced that there are some issues we are facing.
From the trusted source we are getting the correct data but as soon as it reaches OIM for few users we are getting random incorrect value. Value should be numbers (123456) which is present in the Database too and valid but for few we are receiving values like E?401#q something like this.
We are required to place a check to find users who are having these invalid Job Code entry.
Once detected, we need to trigger a email to the concerned team based on the User Type (Employee or Contractor) for employee it should trigger an email to a respective team and for Contractor we have to trigger to a different team to take action.
So, I believe we have to place two conditions here, can someone assist.
If you believe it only happens during trusted source reconciliation, then you can create Post-Process Handler on User Create/Modify operation to check the value which was posted into the DB as a result of recon event.
From this handler you can do all the things you need to do: mailing, fixing, etc.
For notification purposes I'd recommend to use built-in NotificationService, though it might be bit daunting, if you have little experience in OIM development. As an alternative you can do java mailing.
If you are not sure about the moment, when this "spoiling" happens, you can create a scheduled task, to be executed periodically, which will check JobCode values, to report invalid ones.
I'm sending a mass email though Emma (3rd party vendor) that will contain a link to a landing page. The landing page will be personalized and display some of the user's identifying info (name, title, email). Additionally, there will be a form collecting a few of the user's preferences that will be saved back to that user's record in Emma's database.
The user ID column in the 3rd party's database is incremental so I obviously can't just append that value through the query string otherwise user 522, for example, would get a link such as www.example.com?landing/?uid=522 allowing him (or anyone with the link)cto take a wild guess at other values for uid (such as 523... or 444) and change other users' preferences as well as view their personal data quite easily.
Bottom line is that I'm trying to find a secure way to pass an ID (or other unique value) that I can look up via API and use to dynamically display and then resubmit personal info/data on this landing page on a user-to-user basis.
I had an idea to add a custom column to my list in Emma for a unique identifier. I would then write a script (accessing Emma's API) to BASE64 Encode the ID (or possibly email address, as that would be unique as well) and add that to the list for each user. In my email, I could then pass that to the landing page in for the form of ?xy=ZGF2ZUBidWRvbmsuY29t, but I know this is encoding and not encrypting so not all that secure... or secure at all for that matter.
To my knowledge, there's no remote risk of anyone receiving the mailing having the ability and/or inclination to know what those extra characters in the link are, BASE64 Decode, BASE64 ENCODE another email address or integer an make a request with the newly BASE64 encoded value in order to manipulate my system in an an unintended way.
BUT for the purpose of this question, I'd like to know the "right" way to do this or what levels of security are currently being taken in similar circumstances. I've read about JWT tokens and some OOth stuff, but I'm not quite sure that's possible given that I've got the Emma API to deal with as well... and/or if that is overkill.
What is appropriate/standard for passing values to a page that are in turn used for a form to be resubmitted along with other user-supplied values when giving the user the ability to submit a "compromised" (intentionally or not) form could, at worst, could cause one of their competitors to have bad preference and opt-in saved data in our Emma mailing list?
Security on the web is all about "acceptable risk". You can reduce risk in various ways, but ultimately there's always some risk exposure you must be willing to accept.
Your very best option would be to force users to be logged-in to view the page, and to avoid using any querystring parameters. That way the backend for the page can pull the ID (or whatever it might need) out of the server's session.
Your next best option still involves forcing the user to be logged in, but leave the uid in the URL -- just be sure to validate that the user has access to the uid (i.e. don't let a user access another user's info).
If you can't do that... then you could create random keys/ids that you store in a database, and use those values (rather than uid or email or real data) in the URL. BUT let's be clear: this isn't secure, as it's technically possible to guess/deduce the scheme.
Absolutely DO NOT try passing the info in the URL as base64 encoded data, that's likely to be the first thing a hacker will figure out.
Keep in mind that any unsecured API that returns PII of any kind will be abused by automated tools... not just a user farting around with your form.
To my knowledge, there's no remote risk of anyone receiving the
mailing having the ability and/or inclination to know
^ That's always always always a bad assumption. Even if the result is at worst something you think is trivial, it opens the door for escalation attacks and literally exposes the company to risks it likely doesn't want to accept.
If you're stuck between bad options, my professional advice is to have a meeting where you record the minutes (either video, or in a document) and have someone with "authority" approve the approach you take.
In case anyone needs a working example, I found this at https://bhoover.com/using-php-openssl_encrypt-openssl_decrypt-encrypt-decrypt-data/. It uses PHP's openssl_encrypt and openssl_decrypt, and it seems to work perfectly for my purposes
<?php
$key = base64_encode(openssl_random_pseudo_bytes(32));
function my_encrypt($data, $key) {
// Remove the base64 encoding from our key
$encryption_key = base64_decode($key);
// Generate an initialization vector
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
// Encrypt the data using AES 256 encryption in CBC mode using our encryption key and initialization vector.
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $encryption_key, 0, $iv);
// The $iv is just as important as the key for decrypting, so save it with our encrypted data using a unique separator (::)
return base64_encode($encrypted . '::' . $iv);
}
function my_decrypt($data, $key) {
// Remove the base64 encoding from our key
$encryption_key = base64_decode($key);
// To decrypt, split the encrypted data from our IV - our unique separator used was "::"
list($encrypted_data, $iv) = explode('::', base64_decode($data), 2);
return openssl_decrypt($encrypted_data, 'aes-256-cbc', $encryption_key, 0, $iv);
}
I first ran my_encrypt in a loop to encrypt the uid of each member in the list.
$members[$uid] = array('unique-identifier' => my_encrypt($uid, $key));
Next, through the API, I modified each member's record with the new value.
$ret = update_members_batch($members);
That only had to be done once.
Now in my email, I can pass the uid through the query string like this www.example.com/landing/?UID=<% unique-identifier %>, which will look something like www.example.com/landing/?UID= XXXXX2ovR2xrVmorbjlMMklYd0RNSDNPMUp0dmVLNVBaZmd3TDYyTjBFMjRkejVHRjVkSEhEQmlYaXVIcGxVczo6Dm3HmE3IxGRO1HkLijQTNg==
And in my page, I'll decrypt the query string value and use it via the API to get the email address with something like:
$member_email = get_member(my_decrypt($_GET['UID']))['email'];
and display it in the appropriate location(s) on my page.
I think this covers all my bases, but I am going to have a stakeholder meeting to get sign-off. What potential vulnerabilities does this expose that I should warn them about?
I am trying to convert Selenium test to Gherkin. Is there way to implement if statements in Gherkin?
Example : assume the code is written in the below format. I am just writing description as below. Please understand the part after double slash is the actual Selenium code:
// launch the application
// login to application
// navigate to page
String str;
if(str== "XYZ")
{
// verify title
}
//verify text field 1
//verify test field 2
//verify select box
For this I am trying to write code in Gherkin as follows
Given user launches the application
When user login with valid credentials
and navigate to required page
When String str is "XYZ"
Then verify title
And verify text field 1
And verify test field 2
And verify select box
but this code is incorrect because if the str is not equal to "XYZ" we want that title should not be verified but other verification like text field1,2 and select box should be verified.
You don't implement if in Gherkin.
Gherkin is about communication and those you want to communicate with, non coders, don't know what an if statement is. They don't care either.
The solution? Two scenarios to cover both cases.
Ideally, this level of detail would not be in your Gherkin scenario. The best approach is describe business use cases, not low level details. This is what Gherkin is designed for: communicating with non-technical stakeholders so that you can work out if you are building the right thing in the first place. Here is what I would write:
Given the user is logged in
And the user is on the required page
When they enter data that requires the optional fields to be validated
And they enter invalid data in the optional fields
Then the form shows an error on the optional fields
The low level details don't matter (that the string is specifically "XYZ" or that it is the title field is not important), so these should be hidden in the step definition and/or unit tests.
In order to continue to check the other fields, you can just add another step after this:
When they enter invalid data in all of the other fields
Then each other field has an error message attached to it.
Again, there is no need to specify the actual fields, or separate them into their own steps. The idea is to express the high level business value of the scenario, i.e. that the form is validated when it should be.
The advantage to keeping things high level is that when the form changes (as it eventually probably will), then this scenario can remain untouched. Which is correct as the business case is the same: it should validate when it's supposed to. All the changes will be in the step definitions. This means that there is no reason to have another discussion with your stakeholders about whether your scenarios are still testing the right thing.
You can write the scenario, somewhat like this:
Given the user launches the application
When user login with valid credentials
And navigates to required page
Then he should see the page datails
Inside the Then step you manage all the logic.
Then(/^he should see the page details$/) do
if condition
...
else
...
end
end
Gherkin is not a programming language to use if or else conditions. It is a part of BDD framework, that is implemented, to make the stakeholders and other non technical resources understand what the test process is about. Hence, it is always recommended, you keep the gherkin as simple and as generic as possible.
Strictly speaking you should create an alternative statement along the lines of:
Given user launches the application
When user login with valid credentials
and navigate to required page
When String str is NOT "XYZ"
What I'm trying to do is send an email when a particular content type is created in Orchard.
What I did was create a workflow that detects when a "Practice" type is created and send an email.
Initially I hard coded everything (email address, subject and body). I am getting an email every time a "Practice" type is created.
I then tried using tokens to get real values. Initially I tried..
{Content.ContentType} and
{Content.Id}
Those seem to be working. The ContentType is "Practice" and the Id is the correct value.
The Practice type has a field called "ContactEmail", but I can't seem to get that value to show up. Here are the different variations I've tried...
{Content.Fields.Practice.ContactEmail}
{Content.ContactEmail}
{Content.Practice.ContactEmail}
but it's always blank (testing by putting these fields in the email body).
Any suggestions on how to the the "ContactEmail" value from a Practice?
Thanks!
Additional info...
The Practice part is created from a module (i.e. migration, model, etc.). What I think I may have to do is create a token provider for the Practice part. Does that sound right?