I am using Botkit to create a Slack bot. This bot will make calls to another service which requires different credentials. I would like to let the user securely store & retrieve this other service's credentials using their Slack credentials. I would also like to make sure that only the user is able to decrypt these credentials.
I considered and tried searching for some of the following options, but have had no luck:
Store the API key in some secured storage in Slack linked to the user.
Encrypt the API key using the Slack user's credentials and store it on the Botkit Mongo DB.
What is the best way to securely store and retrieve this second key?
No. The Slack API does not provide any functionality of securely storing API keys for 3rd party services. You have to implement that yourself in your app.
Related
I'm trying to create an API for our app using Express.js endpoints that connect to our Firebase Cloud Firestore database. A main component of responding with the requested information securely is authentication, and we want to be able to make it as straight forward to the users as possible. For example, by them simply sending an API secret key on their requests.
My issue is that all of the authentication mechanisms that Firebase seem to provide require that the client is authenticated with the Firebase SDK, which would be uncomfortable for us to ask users to install.
In short, is there any way that they can either create a firebase token without the SDK or for us to authenticate them securely with an API key on our end? Note that the connection to our API would only be done through our user's back ends, never front end clients.
Thanks!
See:
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.
You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.
I'm developing a chrome extension using maps API which autofills the address in the address fields of the current page. For testing purpose, I'm currently using my own API key. But I see using this API key I can hit only 25000 requests per day. So I thought of using the user's API key, whoever uses this extension. Using OAuth, I can get the user's consent for accessing his information but can I get his API key and use it that way? I have set up a server so that I can store the user's API key to be used again. Also for the user' consent, I use my API key and client id. Is it possible?
We have a situation where our users will be logging into Paypal and then paying other people from their Paypal account via our dashboard. We have the connection setup to retrieve refresh & authTokens for them via simple-oauth2 module. What I don't see is how to utilize a token in the Paypal Node SDK. It seems to only support client id and secret configurations.
Is there a way to utilize the paypal.configuration with an authToken instead?
Should we be using the REST APIs directly instead of the SDK?
You cannot directly transfer amount to other people account.
You firstly need to transact it into your own buisness account and then you can transfer it to any other person account.
I am working on an application in which i need to authenticate user. I am using firebase for database. I have used node.js for getting data from firebase. Now all i want is to create login page and in that i need to authenticate user by their email address and password. And i want to use the same method how i am fetching the data that is using node and i don't want to use angularfire for the authentication. Is it possible to perform? If it is can you please share how can i accomplish that?
Authenticating from a server-side process with the Firebase 3.x SDK requires the use of a service account. From the documentation:
When you authenticate a server, rather than sign in with a user account's credentials as you would in a client app, you authenticate with a service account which identifies your server to Firebase.
If you want to custom handle the authentication of your users, you'd create a custom token for your users on the server and then have them pass that to Firebase.
In general I'd recommend reading this article about common application architectures when using the Firebase Database.
I am developing REST API Server in Node.js and it is almost Ready. Now I am trying to implement Authentication to API server. I decided to use OAuth2 for this. I think I will be Using grant type password, as most of the Apps that will use my service will be under my control.
There are some modules available https://github.com/jaredhanson/oauth2orize, I am confused on storing access token for the authorised users and mantaining sessions. As this is REST server do i need to mantain the Session, Or should i just store active tokens and related users to db and check for each request if they are valid or not?