I'm developing a bookmark extension which communicate with my own web app. The user can install the extension on browser like Firefox and login. Currently I send the data per ajax to the server and check. I know this is not the secure way. I read about OAuth2, but this is only if I need data from a third part. Is there a good practice?
Based from this thread, you should always use OAuth 2.0 for authentication within extensions. You may check this article for the Security and Privacy: Best Practices on Building a Chrome Extension.
Related
I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and save the trouble from the developer)? Or each developer has to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I have developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secured enough so applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is an open source (in GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example,
what happens if a user tries to create account that is already exists?
what happens if a user tries to create account that is already exists
but inactive? what about the policy of the password? (too long/too
short/how many capital etc.) what about sending the email with the
activation link to the user? how you create this link? should you
encrypt it? what about the controller that will receive the click on
the link and activate the account? and more...
I'm currently trying to place the docusign console onto my website. My current method is using an iFrame but I'm wondering if that is secure and the optimal way of doing it. I was also wondering if the docusignAPI has a solution to that implemented already because I couldn't find one after playing around on the website with various code sources.
Preferably, users would be able to go to some part of the website, view the contract or document they need to sign on the website without having the leave the website. This includes viewing the document on the website as well such as using an iFrame allows.
Using iframes to host DocuSign embedded signing is not a good idea for a few reasons.
Typically to have a good experience it is recommended to use a large window.
Security Concerns. The users of your app wouldn't be able to see the DocuSign URL as well as the green check to know they're using a secure website which should make them feel more confident about using your integration.
Whats the best way to connect a chrome extension to the Amazon MWS API's?
Should I store the credentials inside the javascript files?
How would I encrypt the credentials?
Thanks
I have done this a few times with various clients, whether they be web apps, or windows, or IOS clients. Doesn't matter, you create an API that your front ends will call and your API handles all the communication with MWS, hiding your access and secret keys from the client.
I used to use a chrome plugin that talked to MWS to get pricing info. I wanted to figure out how they did it, so I looked at all their javascript and figured it out, including their keys. They quickly released a new version that called back to their servers, essentially following the method I describe above.
I am adding a webchat(connected to bot framework) as extension in google chrome. I need to capture windows user details by javascript.
Nope, there's no API that can do it. You're welcome to see the list yourself.
There are 2 ideas that come close:
chrome.identity API can provide you the details of the Google user if the user is signed into Chrome - if you just need some sort of identifier. You'd need "identity" and "identity.email" permissions and would need to call chrome.identity.getProfileUserInfo. Interestingly, that produces no permission warnings.
Native Messaging allows you to create a Windows binary that your extension can talk to. Obviously, a native application can do whatever, including getting the signed-in user details, but that requires users to install another component from outside Web Store. In short: it's a big hammer that's likely not worth it for just this.
I am doing SSO integration in my project. Where my PHP application is hosted in linux environment with Apache server. I am currently trying to implement LDAP module and getting success when entered username and password.
But I need to know how I can implement autologin function if my website application client is using Windows OS and IE or other supporting browsers.
Kindly advice. Thanks in advance.
For doing the LDAP implementation you can use the php ldap library
http://php.net/ldap , I use it for my projects, but sometimes is a little tricky.
In the other hand, in able to do an autologin, the browser is the one that must pass the login information to your page(php) to be able to perform some kind of authentication. So to be honest, autologin is not possible it will be a very bad security risk to be able to get user credentials via a browser.