I need to generate a authentication token to secure stream from the Wowza CDN. I like to do this in server base javascript. I'm working on Domino 10 xpages server and working with videojs. Looking for how to get started and any sources that would help.
The Wowza authentication token seams to be an Hash hmac of the information that is needed to authenticate the user.
According to this
https://www.wowza.com/docs/protect-a-wowza-cdn-on-fastly-stream-target-with-token-authentication-in-wowza-streaming-cloud
This is an example how to create these using Javascript
https://www.jokecamp.com/blog/examples-of-creating-base64-hashes-using-hmac-sha256-in-different-languages/#js
Related
I have an application who consist of a Node.js backend hosted on AWS and an Angular 2+ frontend. I am using the facebook graph API on the backend, however, when it comes to uploading things to facebook I'm getting into trouble.
If I want to upload a file, I need to upload it to my backend before, which will put it in an S3 bucket and then upload it from my backend to facebook. This seems to be a little heavy for me and I am really suspicious that it is the correct way to do it. Also, Facebook provides a javascript API that allows us to upload a file from a client to its platform, which seems less heavy.
Right now, I see three solutions:
Continue doing everything on the backend
Only do upload operations on the client side using the javascript SDK, and everything else on the backend
Do everything from the frontend using the javascript SDK
For me, the best solution would be 2. What are your opinions? Is there other solutions?
If the file is created on the client, there is no need to send it to the server - you can just directly upload it to Facebook instead. Although, if you need to store it on your own server anyway, you can do that first and let the server handle the upload to Facebook - uploading an URL of an image to Facebook is the easiest way. If you don´t need the image on your server, this may help you:
https://www.devils-heaven.com/facebook-javascript-sdk-photo-upload-with-formdata/
https://www.devils-heaven.com/facebook-javascript-sdk-photo-upload-from-canvas/
If the file is on the server already, there is no need to send it to the client before uploading it to Facebook. In that case, i would do the upload server side. If it´s about the security: There is absolutely no problem in sending Access Tokens to the server. You can just use the JS SDK for login, send the Token to the server and do the upload on the server. Just use appsecret_proof: https://developers.facebook.com/docs/graph-api/securing-requests/
If you are using your end user identity on Facebook there is no benefit to use the backend here (except the fact that you need less Javascript on the page).
Your user Facebook credentials must never be sent to the backend, therefore do the upload to Facebook on client side using Facebook SDK.
Doing it from client side also save you the infrastructure cost on the backend.
How can I authenticate my api access to insert new events to my google calendar without OAuth? I'm writing a node script without any front end/website and everywhere seems to recommend using OAuth with a redirect to your website...
The best solution I have come up with is write a secondary application purely to listen for that redirect and save the auth code returned.
Any suggestions would be greatly appreciated!
I think it was designed that OAuth be used to handle authentication and authorization when you're using Google APIs. You can read that from the Using OAuth 2.0 to Access Google APIs.
Google APIs use the OAuth 2.0 protocol for authentication and
authorization. Google supports common OAuth 2.0 scenarios such as
those for web server, installed, and client-side applications.
If you're using NodeJS for Calendar API, you can try the Node.js Quickstart. You'll be needing the following:
Node.js installed.
The npm package management tool (comes with Node.js).
Access to the internet and a web browser.
A Google account with Google Calendar enabled.
I am creating an application and native apps which shall access a bunch of RestFul Webservices. We are already using HTTPS to secure the API, but wanted to understand if we still need something like an API Key or OAuth Key to authenticate the data
Encryption and Authentication are two separate things. Encryption merely prevents outside parties from snooping the transmitted data. You need Authentication if you want to control who has access to which resources using the API.
We would like to require authentication against an LDAP directory for accessing streaming video content from our Wowza Flash server. The credentials would preferably be entered via the Flash player itself.
Wowza forum posts suggest using examples of MySQL database authentication backend code as a starting point for developing an LDAP auth backend. And examples exist for modifying an existing Flash player to challenge the user for credentials on play. But all examples I've found show the credentials being passed as query string parameters in the connect string, ex:
netconnection.connect("rtmp://[wowza-address]/[app-name]?user1&pass1");
This article suggests a much more complicated solution to avoid passing credentials in the clear, involving authenticating before streaming, setting a cookie that is specially formulated for reauthentication, grabbing the cookie in the Flash player and passing it to Wowza.
Has anyone seen a solution like this that would pass the credentials for LDAP authentication over a secure connection?
Setup SSL for you Wowza server and change your URIs to read
rtmpe://....
then you can use the method you described. Anything you try without SSL is vulnerable to man in the middle attacks.
We have an API for our local search website, which is used on our Mobile Apps.
Currently,
The API is not public
No user data is provided in the API
is running over http
I want to secure our data which is sent over the API. I have done some research, and looks like Oauth is the way to go
Is Oauth the right way to do it? (we'll currently use 2 legged oauth but in future if we need user permission we'll move to 3 legged oauth)
Do we need https for the API? Would a self signed certificate work fine?
Oauth's best suited for scenarios that involve a third party (Provider). For example: sign in with Facebook.
If the user has to login to your service to access the API, you can use basic authentication. (Attach credentials to Http header over Https)
Finally: Yes you need Https. And a self-signed certificate can work if you control the client and the server. For example for Android you can import your certificates):
http://developer.android.com/training/articles/security-ssl.html (Self-signed server certificate section)
However, if you are creating a web client, user would get a warning for untrusted site.