A bit naive question. I am implementing OAuth server 2.0 with grant type = Authorization code grant. Here's what I have done
1) Created 2 endpoints as /login and /token
2) Created a login page with html as
<html>
<form action=\"/login\" method=\"post\">
<div class=\"textcontainer\">
<label><b>Sign in</b></label>
</div>
<div class=\"emailcontainer\">
<input type=\"text\" placeholder=\"Enter email\"
name=\"uname\" required>
</div>
<div class=\"passwordcontainer\">
<input type=\"text\" placeholder=\"Enter Password\"
name=\"psw\" required>
</div>
<div class=\"signincontainer\">
<button type=\"submit\">Sign in</button>
<input type=\"checkbox\" checked=\"checked\"> Remember me
</div>
<div class=\"container\" style=\"background-color:#f1f1f1\">
<span class=\"psw\">Forgot password?</span>
</div>
</form>
3) The above page will be displayed when client sends
GET
/login?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&scope=REQUESTED_SCOPES&response_type=code
4) I will save the state and redirect URI and the html page is displayed.
5) When user enters email and password and clicks submit button, then a POST will be issued to my server as POST /login and I will fetch the email and password from the request and verify.
Now the problem is I am not able to figure out a way to know if this POST has come from the same client who has called the previous GET.
Is there any way/html trick I can do to resend the state again in my submit button post? Is saving client IP the only way?
I understand the POST /token so that part is clear.
Thanks
Sammy
You can generate a unique identifier (GUID) on the server, before sending the form.
Then put it into the form inside a hidden input :
<form>
... your code
<input type="hidden" value= "<%= <your identifier> %>">
</form>
Then this unique value will be returned to you in the POST.
the way you insert the identifier depends on your programming language, I used C# an the above example.
Related
I'm trying to make a fix to a moneris website, but I have to change the mode of moneris to test to test the changes before pushing in production.
I'm trying the code on the example page as is and got an error. "Invalid store credentials."
<FORM METHOD="POST" ACTION= https://esqa.moneris.com/HPPDP/index.php >
<INPUT TYPE="HIDDEN" NAME="ps_store_id" VALUE="AF4Fs1024">
<INPUT TYPE="HIDDEN" NAME="hpp_key" VALUE="Hsjh4GSr4g">
<INPUT TYPE="HIDDEN" NAME="charge_total" VALUE="1.00">
<!--MORE OPTIONAL VARIABLES CAN BE DEFINED HERE -->
<INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Click to proceed to Secure Page">
</FORM>
So if this is not how you can make a test payment to test the process, how can you?
PS: Seems there's no moneris tag.
You need to goto the developers page of Moneris and create a test environment first Developer Page
After creating the test store you'll need to input the store id and hp key in the values of the form you posted.
I built a simple REST FULL API with NodeJS.
When it comes to HTML code, I do have :
<form method="post" action="/registry/api">
<input name="id" type="text" value="6" readonly>
<input name="name" type="text" value="TEST name">
<input name="description" type="text" value="TEST desc">
<input name="approved" type="checkbox" checked>
<input type="submit" value="Update">
</form>
But if I go in the console, erase 'readonly' and change this id from '6' to '7', my API indeed receives the bad id and update the bad row in database.
How can I fight this ?
Your API should implement some kind of authentication and authorisation layer. One way to do this is to pass a token along with the request (e.g. in Authorization header), so you will know on the backend side, who is the user requesting this action. Then you can simple check whether given user is permitted to do such an action (with given id).
You can take a look at this blogpost, which describes this pattern using JWT (JSON web tokens):
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
I currently have a login form on a public, unprotected http page. Upon login I want the page to redirect to a secure https page. I am receiving this error screen when I try to login however:
I'm 90% sure my syntax is accurate. I have this exact form as a login page elsewhere on the site. This implementation is for a drop down box that enables the user to login. Here is my form for reference. Any help is appreciated, Thanks.
<div class="login-options">
<form id="login" name="j_security_form" action="<%out.write(Dropdown.getXML("https://www.xxx.com/public/j_security_check")); %>" method="post" accept-charset="UTF-8">
<strong>Account Login</strong><br>
Username:<br>
<input type="text" name="j_username"><br>
Password:<br>
<input type="password" name="j_password"><br>
<br>
<input type="submit" value="Login"><br>
<br>
New users register here<br>
Forgot password?
<input type="hidden" name="auth_mode" value="basic">
<script>
var newloc = document.location.href;
newloc =newloc.replace('index.jsp','index.jsp');
document.write('<input type="hidden" name="orig_url" value="'+newloc+'">');
</script>
</form>
</div>
Might be because you're trying to directly reference the url for j_security_check. I would try referencing a page that requires login creds, then it'll redirect to the secure page once it sees that there are adequate credentials.
I am building a website which utilizes paypal payment system and I came up with one security challenge issue:
I have the following form from paypal IPN:
<form class="form-horizontal" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="ABCDEFEGDEDS">
<input type="hidden" name="on0" value="Balance">
<label>Amount</label>
<select class="form-control" name="os0" id="deposit_paypal">
<option value="1000">$1000.00 USD</option>
<option value="2000">$2000.00 USD</option>
</select>
<input type="hidden" name="custom" value="<?php echo $user->id; ?>">
<input type="image" src="https://www.paypalobjects.com/ru_RU/i/btn/btn_buynow_SM.gif" border="0" name="submit" alt="PayPal">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
I wanted to know which user has made the transaction. Searching the internet, I've found that I can create a custom field as I did above. The reason I track the user is I should add balance to his virtual account after purchase completed.
But the problem is: What if malicious code(javascript malware) just changes the user id in the custome form field to 4?
The balance will be added to that user which has the id of 4 not previous one.
Ok. One would recommend me inserting the form data to db before sending to paypal for later comparison.
Second problem arises. What if the user just exits the paypal page without completing the order after pressing the submit button? This is something I cannot track since paypal does not belong to me and it opens in other page.
Please, any other solution to these issues? I want some best practice where I can track securely which user has made the purchase through paypal IPN.
You could store the data in your database within a temp table, then once the IPN completes you can move it over to the permanent table. Set up a cron job or scheduled task to go through your system every 24 hours or so and delete any records that have not completed in that time.
I'm implementing OAuth 1.0a with the OAuthorize library. I'm following the example provided by the library.
I'm hosting my app at Heroku. Using the test client I'm able to GET a request token, and use it to /dialog/authorize:
Hi Bob Smith!
Samplr is requesting access to your account.
Do you approve?
When I press Allow, I get a Cannot POST /dialog/authorize/decision.
I've registered the endpoint in app.js:
app.post('/dialog/authorize/decision', oauth.userDecision);
Either I am missing something silly from the OAuthorize example or there is a fault in the way I'm handling the transaction.
dialog.ejs:
<form action="/dialog/authorize/decision" method="post">
<input name="transaction_id" type="hidden" value="<%= transactionID %>">
<div>
<input type="submit" value="Allow" id="allow">
<input type="submit" value="Deny" name="cancel" id="deny">
</div>
</form>
For me, the issue was that I didn't provide a proper callbackURL in server.userAuthorization callback.
see https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/db/accessTokens.js#L10 and https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/oauth.js#L152