I am working on a web app that is to be used in an industry with strict compliance requirements, the one I am having trouble with is on signing off something, the user needs to re-input their credentials and it needs to be from the user and not a password manager.
I have tried to implement autocomplete=off and other versions of that as well as changing the type of the password field and it still activates the auto-fill dialogs.
Has anyone managed to overcome this problem at an enterprise scale?
Posting here for others that autocomplete="current-password" seems to suppress the dialog just in chrome
Related
I have a problem with a DocuSign flow on staging environment. After signing a document and clicking on continue button I have an error:
This authentication mode is not supported: NONE
It's a little bit strange because on production I have the same code and everything is working fine. I'm using different docusign account but both accounts (demo and production) have same settings.
Besides this, there are also a small differences in docusign flow buttons (staging vs production).
After signing the document, instead of "continue" button there is a "finish" button.
Staging used to work fine and looks like production for a long time but few days ago that changed. Do you know why there are differences between these two environments and how to fix staging?
The error you are seeing is mentioned in this article with the solution, please have a look
https://support.docusign.com/s/articles/000043153?language=en_US
As discussed in the support article, Standards Based Signing often requires signer authentication. Your signing request did not included a needed authentication step, that's an error.
Regarding:
Do you know why there are differences between these two environments
Yes, DocuSign works to improve its products. The demo ("staging") environment is used as a final test for new releases before they're installed on the production systems.
The UX changes you noticed will soon be implemented on the production systems too. In some cases, UX changes are only made for selected account plans (eg web purchased accounts vs enterprise accounts).
I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and save the trouble from the developer)? Or each developer has to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I have developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secured enough so applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is an open source (in GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example,
what happens if a user tries to create account that is already exists?
what happens if a user tries to create account that is already exists
but inactive? what about the policy of the password? (too long/too
short/how many capital etc.) what about sending the email with the
activation link to the user? how you create this link? should you
encrypt it? what about the controller that will receive the click on
the link and activate the account? and more...
I am a developer which working on security related area.Recently I
met a little problem. If I got a app such as android .apk or IOS .ipa.
How can I check whether it has malicious actions?
The first thought came to my mind is to check its manifest. To see
which kind of permission it has requested. But this general method can
not detect some actions such as record the screen snapshot or record
user tap position on screen.
Then I switched to search how app store and google play check the
app which submitted by developers. Turns out that they first check the
certificate or signature of the app to make sure it has been published
by trusted organization. Then statically check the system permission
that the app requested.
I guess there must be some in-depth detection method or theory
which used by google and apple to make sure their app is safe to
download. Can anyone provide me some useful information or website
link that I can learn from?
Thank you.
I'm making an app and I plan to have some cloud happening with it, but I do not want to create a user data base and have the users need to remember their username and password.
Since it will be distributed through the chrome app store it's basically guaranteed that the user will have a google account. All I want to do is:
Get the user's email through the google account stuff. If I get it through there, well then their email is all the authentication I need to get that user's data.
If I end up putting the application on something other than chrome browser, I'll just have the user use their email to request a validation link, and then I'll send them a validation code for that account, they put the validation code into the application, it takes that as a verified user, so that's secure and easy as well.
EDIT: I'm looking into this. So far I have:
OAuth 2
Google API
But I have a problem that I don't know what to set as my javascript origins in the Google API and there isn't too much info on this abroad. If anyone can tell me what javascript origins I need to set for a chrome extension to access google api it would be a great help.
PS: Thanks for down vote, this is why I love resorting to stack exchange.
Hmmm, I think the only reason this was voted down is the fact that this question may be been asked somewhere on the site already (but I'll help you and give give a 1up).
So what you are wanting to use the Google OpenID. You will have to register your application with Google so they can provide OAuth2 tokens for you application. I have not done this with Google but with other services and it is pretty easy, just search around.
In terms of obtaining OAuth2 for your application in the chrome extension - this can be a pain since the extension is sandboxed and Google's example uses OAuth not OAuth2.
Here is solution I host on GitHub for this - I also use this in my extension GitHub Repositories:
https://github.com/jjNford/oauth2-chrome-extension
Hope this helps in some way. Don't get discourages with StackOverflow, it is a great resource with many great contributors.
Good luck!
I had to up vote you too as I'm tracking down a related issue so here is what I've found that may help.
According to these directions - http://code.google.com/p/google-api-javascript-client/wiki/Authentication - "In the "Authorized JavaScript Origins" box, enter the protocol and domain for your site." This should be the protocol (http:// or https://) followed by any optional subdomain followed by your domain name and no trailing slash. Nothing after the domain name.
This prevents certain kind of security attacks, see: http://en.wikipedia.org/wiki/Same_origin_policy.
There are some related questions here that I found that may help:
Problems with Google Picker API and selecting Google Drive items and google apis console 'Javascript origins'.
Now with all of that said, I am still trying to track down what values to put in there for one of my sites hosted as a Google Site, as none of the obvious values are working for me. So there may be some subtlety there that I have missed in this explanation.
I want to display photos stored in the phone , and I use the FileConnection and the openInputStream stuff. The problem is that there are many questions that I must accept when launching the program ; they are all about access to the file system or a particular file. So how to "skip" these questions , that is accept all of them programmatically, so they do not appear when launching the application ?
Basically this type of alerts asking for security purpose. Because you are using FileConnecion(JSR-75).
In this purpose, You have to signing your application with 3rd party providers like Verisign or Thrawte or Java Verified. It will be cost.
If you are facing this issue on the emulator, go to preferences and MIDP tab, set the application domain to Trusted and set permission as "Allow Always". For more info, see this MIDP 2.0's Security Architecture...
Signing sites are,
Thawte
Verisign
Java Verified