Debug WeChat OAuth2 in localhost testing environment - wechat-miniprogram

I would like to implement a web application for a company in China. I need to use WeChat mini-APP to make the sign-up/login straight-forward.
Please correct my assumptions if I am wrong:
To implement the login of the website from WeChat, I need to use the OAuth2 protocol
I also need to create a WeChat developer account under a real name (need ID card or business registration stuff) if I want to diffuse the application
I also need to register a domain name to WeChat so that they can allow OAuth2 authentication to this domain name
Question: can I still use my localhost virtual machine to develop my server?
(I didn't try but I assume WeChat will reject to create an OAuth2 token for localhost 127.0.0.1)
Or do I need to have a development domain name with a development server available from the Internet so that I can debug the OAuth2 authentication?
EDIT 1: I tried to send a HTTPS POST request https://127.0.0.1:8080 and I got an error linking to this URL
https://developers.weixin.qq.com/miniprogram/dev/framework/ability/network.html
EDIT 2: I tried to send a HTTPS POST request https://192.168.1.148:8080 which correspond to my dev computer and I got the error VM17415:1 Cannot send network request to localhost. (My test phone and computer both connected to network 192.168.1.x trough WiFi)

The documentation is available in English on the official WebSite [1]. It is written: network APIs allow communication with LAN IP addresses. So basically, if the phone is connected to the same network as the virtual machine (i.e. WiFi), one should be able to send any kind of HTTP/HTTPS request properly.
Note that the development environment WeChat DevTools block this feature by default. In order to enable it, the user should open the Project Settings and check the box 'Does not verify valid domain names, web-view (business domain names), TLS versions and HTTPS certificates.'.
[1] https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/network.html

Related

HTTPS React app inside intranet still shows as untrusted

We have a Node.js application with React frontend for warehouse management. One of the features of the app is a real-time QR code reader (Which requires webcam access that is only available if the website is running under a secured connection).
This application is accessible only inside the intranet network (eg.: 192.168.157.12:80) and has no domain. I know after some research that the way is to obtain a self-signed certificate and I already did that successfully.
The problem is that it shows on the client-side as an "untrusted" certificate and require the user to confirm/bypass a bunch of warning to access the app - this is a no-go for us because a lot of the users are not tech-savvy and it presents a significant issue.
Is there any way to show the self-signed certificate as fully valid inside the local network on Windows PC and Android tablet with chrome browser and not bother the user with any warnings and alerts?
If not, can you please suggest any other method how to handle this?
Thank You.

IIS 8- Cannot login to website in IIS using Windows authentication when accessing by ip

Dears,
Kindly note that I have a website deployed on IIS 8 in windows server 2012.
When trying to access the website using the host name, the login popup appears and when entering the windows credential, I can enter to the website successfully,
When trying to access the website using the IP address, the login popup appears and when entering the windows credential I cannot log in, and the pop appears again, trying more it returns the same behavior when canceling the popup it gives me the below error:
HTTP Error 401.1 - Unauthorized,
Please note that the "Anonymous Authentication" is enabled using the IUSR identity, and the Windows Authentication enabled with the NTLM and Negotiate providers and the NTLM is first.
I am trying to fix this issue by edit the registry value BackConnectionHostNames and DisableLoopbackCheck following steps in the below article from Microsoft
https://support.microsoft.com/en-us/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate
and still not working
Thank you in advance
Consider the differences between navigating by hostname and navigating by IP to your server. Use command prompt and do a tracert IP vs tracert hostname. The difference is by hostname, it resolves your request through the domain name services (knows who you are and who the server is on the domain). By IP, it skips the domain name services and goes directly to the target computer. The network doesn't need the DNS if you use the actual IP address, as the DNS is used for resolving names into IP addresses.
I believe you can directly put the domain name in your code so it knows where to look without relying on the DNS to automatically authenticate (although I haven't done this). Otherwise, let the domain name services resolve the user automatically by authenticating the requestee (the user) to the host (by name) when using the hostname.
Let me know if that makes sense.

Block Facebook access on mobile devices from router

I am trying to block all traffic from a Facebook app, iOS and Android, on a particular network. I can block web access, meaning if a user tries to log in to www.facebook.com from a computer, the router will detect and block it. The user won't be able to have access.
However, mobile apps go through just fine on the same network. I need to prevent users from using the Facebook app on their phone. How do I do this?
I was thinking of using WireShark to see what URL the phone app is connecting to and blocking that URL. I'm sure this is fine, but is there a baseURL I can block which prevents mobile users from accessing Facebook? Is there a list of Facebook URLS I can block which prevent app access?
Whatever tool you are using on the router, I am sure must be supporting pattern matching while filtering packets.
So I suggest you can block all traffic for
*.facebook.com and *.messenger.com.
Having said that it is probably not enough to just filter HTTP packets based on URL. There are ways of circumventing this using VPNs or proxy websites.
You should consider blocking all outgoing traffic on ports other than 80 and 443.
Similarly other protocols like ICMP or UDP too because they can be used to tunnel VPN connections.
I am saying this because we have applied all these methods to get unrestricted access at uni. :)
Probably you can use a proxy server like squid to control the traffic better.

Node JS internet gateway/captive portal like used in public WiFi hotspots

I want to build a node js internet gateway/captive portal. So I can have a user 'authorize' his mac address or ip address if the mac address is not possible like used for wifi hotspots
So what I have in mind is node can have a dhcp server and it gives its ip address as the gateway. So if the user loads a page on the web browser it gives them an authentication screen and they can then log in and the gateway can then route its packets correctly.
How can I do the authorization step with node.js so if they're not logged in it presents a log in page & if they are to route the packets correctly?
You need couple of pieces to put this together.
#1: http proxy - If you can run a DHCP server and assign IP addresses, then you can run and http-proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which can check for a cookie, magic packet, token or something that verifies access and lets them through or redirects to login page.
node-http-proxy is a very popular and flexible node http proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may wanna do based on your target audience.

How can I get information about the users network when he tries to authenticate towards my IIS?

I want users, when they are in the workplace (e.g. on the LAN), to authenticate themselves with their regular username and password. Auto-login is disabled.
However - logging in from outside the LAN should trigger a 2-level authentication (like SMS, mail or similar). How can we get information about the users network when they try to log in to the application from outside the LAN?
NB - it does not matter if you have AD user and pwd. If you are on the outside you have to trigger the 2 level auth.
NB2 - we do not want any client-side scripts running, so this must be something coming with the initial request
Technology: IIS 7, ISA 2006, .Net 4, MS Sql 2008 server.
Question also asked here: https://serverfault.com/questions/354183/what-2-level-authentication-mechanism-is-available-that-can-differentiate-if-the
Information why ISA server remove the information I need: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php
If it's reasonable, don't expose your web server to anything outside of your LAN -- require VPN access.
If that isn't reasonable, you should be able to use the REMOTE_ADDR variable to determine the source of the request. Whitelist your LAN as single-factor and require everything else to be multi-factor. Depending on the scenario, the server variables will be similar to either
Context.Request.ServerVariables ["REMOTE_ADDR"]
or
Request.UserHostAddress()
If you have a proxy in the way, make the proxy tag the originating IP source in the headers and read the request headers to determine the external IP.

Resources