How to resolve shopify public app session conflicts - node.js

I have created a simple embedded public app in shopify using node js for test purpose. It works properly .
while i opened two stores in same browser's different tab . I faced the issue of session clash.
For example shop domains store1.myshopify.com and store2.myshopify.com were opened in same chrome browser. First i opened store1 it worked properly . Then i opened store 2 it changed the store1 app's session values. Now in both stores app displayed store2 record.
I dont know how to handle this . Please guide me how to resolve this issue.

It is simple. When you get an incoming request, you can compare the active session store name to the incoming store name. If they differ, you have to close the session, and re-open it for the new store.
Since your App issues a single cookie key for all shops, any open browser tabs would share this, hence the need for you to close/open connections based on the information coming in from the tab.
Note that when you close one session, it means that when you use the tab with that now closed session again, you'll re-authenticate. This means your customer may or may not send in the shop name (especially if your App views have XHR calls without the shop name as a parameter). So be careful there. That can be tricky to handle well.

Related

Gmail - Link to Draft in non-conversation view

I am importing/creating drafts in Gmail using the Gmail API. After creation I'd like to redirect the user to the Gmail UI with the opened Draft in the composer window.
I made it work properly for https://mail.google.com/mail/#drafts?compose=[MESSAGE ID]. Other urls I found here also worked well. Gmail is doing some redirects and eventually the composer window is opened with the draft.
Now my issue:
If the user has not enabled "Conversation view" this will not work at all. The redirect will then result in https://mail.google.com/mail/u/0/#drafts?compose=new and only an empty, new composer window is shown and a new draft is created by the UI.
If I open the draft directly the ID-format is different. https://mail.google.com/mail/u/0/#drafts?compose=hJzgZpSqgLQcCWgZqnlNRzRBfMbjZVnZklzvcFxhQCdwT... and I have no idea if this format can be generated somehow.
Does anybody has an idea or experience to also make it work with this UI setting. How I can force Gmail to load the draft into the composer window?
Thanks in advance.
If you have Email Threading > Conversation View enabled
Make use of the following URL
https://mail.google.com/mail/u/0/#inbox?compose=DRAFT_MESSAGE_ID
If you have disabled the Email Threading > Conversation View option
Make use of the following URL
https://mail.google.com/mail/u/0/#inbox/DRAFT_MESSAGE_ID
Additional information
The main difference between them is that the first is treated as a conversation while the second example is not.
You can use #drafts instead of #inbox in the URL.
The number after .../mail/u/ is the session you have opened
You can retrieve the DRAFT_MESSAGE_ID by making a request to the API
You can approximately generate the compose ID by yourself, there are some examples out there (not recommended). I strongly recommend you to use the DRAFT_MESSAGE_ID instead.
This appears to still be an issue the one solution I did find was that you can find your draft directly (even though it would be the last draft) and go through multiple accounts by redirecting to
https://accounts.google.com/AccountChooser?authuser={user account}&Email={email account}&continue=https://mail.google.com/mail/#search/rfc822msgid:CAMU-31NcJCVHyGNsAycRKfuS0nMonoaZ6wFMD90Sej996qjuPQ#mail.gmail.com
You need to get your message id toi replace the area from <> from your draft. So you'll have to create the draft first. Get the google message ID, then use that with messages/get to get the Global Message Id (also referred to as message id) and then use that with a search. At this point you'll open a page with a search to a single draft but it will not be opened. Your users will have to click on the one message. Unfortunately there does not seem to be a way to have the good way work for conversation view, and this way work for non.
I tried many different URLS and nothing worked. As noted in the original question, it might work that you could link to the full URL but I see no way to get that. If you spend long enough working with an email you'll even find that ID changes so they aren't even stable within a single day.
Another solution that could work is as explained:
https://mail.google.com/mail/u/0/#inbox/DRAFT_MESSAGE_ID
But as noted this does not open the draft on the first time you go there. It seems you have to travel to that link 2 times in a row to get the message to appear. I guess you could go to the page maybe inject some javascript to go to the page again but I don't know how to do that.

How to implement logic based on external redirects?

I'm building a website for a client (real estate), and on the website are links to a different website (adverts for properties). My client routinely activates and deactivates these adverts when he rents out a certain property.
The hrefs on my links look something like this:
<a href="https://domain.xx/estate/idxx/des-crip-tion-xx-xx-x-xx/">. If the advert is indeed active, it just takes them to the advert. If it is not active, however, the website in question redirects the user to https://domain.xx/estate-for-rent/city/, effectively sending the users to my client's competition.
I wish to implement some logic where, before handing the users over to the other website, the server checks to see if it is redirected to https://domain.xx/estate-for-rent/city/, or some similar logic, and if so, uses preventDefault, or something, and notifies the user that the advert is not available instead of sending them to the other website.
I wonder if I can use the fact that only if the advert is active does the resulting url in the users browser window (after they've been directed to the other website) match the url in my href. Can i somehow get the server to try to access the url in my href, and have it see where it gets redirected, and then do something based on that? On the back-end, I'm running NodeJS with Express by the way, and if it matters, I'm relying heavily on EJS for templating. Thanks in advance for any help!
This sounds more like a problem you could solve on the client as opposed to the server. For example, at a high level here's how I would do it:
Handle the click event for each link (really simple to do a catch-all with jQuery)
Fire off a HEAD request via AJAX to the destination URL (this would be much more efficient than a GET but depends on the external service supporting this verb)
Use the status code to determine what to do next (e.g. 2xx allow redirect, 3xx pop a message and block)

MS BotFramework Temporary token issue in WebChat URL

I have developed a chatbot using Microsoft BotFramework and node.js and deployed it in webchat. As per this documentation, it is written that the bot's secret 's' can be replaced with a temporary token 't' which is valid for one conversation only.
But the problem is the life span of this token is 30 minutes and within this time window, if some intruder accesses the entire URL: "https://webchat.botframework.com/embed/YOUR_BOT_ID?t=YOUR_TOKEN_HERE&userid=some_user_id" then it is just a child’s play for him to get all of the user’s data because it mimics the chat of the actual user in the other machine.
Is there anything in the BotFramework (apart from DirectLine) that can be done that restricts the URL with the same token to be opened in another machine?
There is an issue on GH which is facing the same event with you, and with the comments, we can found that this situation will not be changed currently.
However, we can get some hints from the comment:
Ultimately, you can't hide the secret/token from clients.
If you want to remove it from the URL, you can host the JS control on your own.
If you want to remove it from page source, you can pass the value in a cookie >and read it in JS in your webpage.
However, in all cases, the value will be available in memory.
I think you can build another simple web site yourself as the bridge from the iframe and yout bot application. You can restrict your user whether is unique in this website's session. And also you can verify your user before instantiate the Bot WebChat.

How to track last login date for IBM Domino web user?

Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.

What does a browser session mean in the context of chrome extension

Please note, this question is not about client-server sessions. It's about Chrome session.
I'm reading this article about tabId and it states that:
Tab IDs are unique within a browser session.
What is browser session here? Does the session begin when I open a browser and ends when I close it? Is there a way to track tab across sessions?
What is browser session here? Does the session begin when I open a browser and ends when I close it?
That's correct. It means a tab will preserve its ID only until you close the browser.
Even if the browser is configured to reopen the previews windows on startup, they will all have a different tab ID and window ID.
Is there a way to track tab across sessions?
Yes, with the tabs permission! Mostly.
The IDs will be different but you can query all the open tabs and windows and you will receive the position of a tab in a window (e.g. first tab in window 2) together with its URL. You'd have to regularly query and save this data via chrome.storage.local.set()
You can then compare this piece of information to the data you stored before closing the browser and match them to each other. For example you receive tab on position 1, with URL xyz, in a window with 3 other tabs, you can find a tab with the same details in your storage.
The "mostly" part: If the user has 2 windows with 1 tab, both pointing to the same page, you won't be able to tell which is which.

Resources