look at this scenario : in my app I get the form in html of a website
that form displays customer info
now I can parse the form and get customer info
Or I can use a web service (SOAP or whatever) and get the same information
What is the difference?
On a general level, a website is displayed to a user in a browser making it consist of GET request through HTTP/HTTPS. A webservice is one that responds to more than just GET requests (eg. POST, PUT, DELETE). This means that a user can interact with data remotely. Like adding your post to stackoverflow.com, that meant you sent a POST request where stackoverflow can store the data contained in this post in some remote location, like a database.
Web service is a solution to integrate systems and comunications between different applications. Your app is a way to interact with this Service.
Related
I have created login and signup end-points on node-js, using react-js created necessary form and field for login and signup and on submit of form, posting the data to the server and getting a proper response. And under network section inside the browser, users can able to see the endpoint and the data ( username and password ) provided by the user.
Is there any possibility to hide the request and the data from the users. In the same way, I want to hide a few API requests from the client aprt from login and signup. Like profile update, organization details and profile create/update/delete, permission create/update/delete
FYI kindly access the link provided below :
https://drive.google.com/open?id=1bbrsOQlE4159CMm2P0ktzNf6SfCd3h0F
Hiding requests under network tab is not advisable. Instead you can secure your request data using some sort of encryption library like bcrypt. with the help of libraries like this you can encrypt your passowrd before sending it to the server, that way you wont be exposing sensitive data to other people. And on server side you can decrypt the data again using the same library.
This should not be possible as far as I'm aware. Most of the dev tools built into chrome are not able to be manipulated by the browser. This would be to ensure a level of integrity between the user and the website. If you could hide network requests it would be catastrophic, allowing a website to send anything in the background without you knowing.
Facebook also sends your data through to the server in plaintext form.
Pausible Gif
Because of this functionality VPNs exist to encrypt the payload when going to the server. This is the data/network request that people intercept on public wifi's to gain your information (A brief explanation, research more if you're interested)
I need to edit request before sending it to endpoint.
Using Web Demo integration I'm able to send request to the endpoint.
But I can't edit the request in order to provide some extra data to request. Extra data is stored in localStorage so I need to do this in javascript.
I've already connected the agent to an endpoint that handle the request using fullfillment. The problem is that request misses data I can retrieve only from the browser. From fullfillment I can set headers and basic auth but statically and it is not enough.
So I need to add a step in request building/sending:
User write or tell something to embedded chat (Web Demo integration)
Dialogflow recognize intent, params, generate the request.
Additional step: Update the request in javascript
Forward cutomized request to the endpoint
Maybe it's not possible using Web Demo integration. In Documentation can't find a way to just send string or audio in order to receive the generated request.
First of all you will need a custom chat integration, not the default Dialogflow one. Something like Smooch or Kommunicate. The default web demo should only be used for testing your bot. There is NO way you would want to use that in a production environment.
I would save whatever is in the local storage in a database such as Firestore. Once that data is in the database you can use it to modify your request in your fulfillment.
So what I would do:
Have a way to identify a user and save its local storage to the database (as soon as someone clicks on your chat window or opens the chat window)
Once an intent is triggered you check which user is contacting you (through the way that you identified the user) and get all data from the database
Request the data in your fulfillment server
There is no other way in which this is possible. You can't change requests before your query hits Dialogflow.
In my testing, I used a web proxy to get thru the firewall here so I could send envelopes. Now I will no longer be using the proxy. Do I need to log in for each web request ( like getting the templates, creating an envelope, etc )? The way we will use docusign is like this: a client consultant will see 3 documents that need to be sent to user X. So they will create an envelope with the 3 documents and send it out. They only need to connect to Docusign for a few rest calls and then they're done. The client consultants will connect to Docusign a few times a day, maybe no times a day if there are no documents to send. I'm assuming that I should go out and see if I can connect to Docusign without a problem before attempting to send out an envelope. What workflow are other people using in similar situations? Thanks for any advice.
I think a short answer here is that every API call you make requires a form of authentication provided, whether it is username/password or an oauth token passed in the appropriate x-header in your API request. I doubt your proxy was adding this on your behalf, so IMO I do not see what you will be gaining/losing by removing the proxy.
I am building out a registration system using PayPal Hosted Pages. From what I understand I can use the Silent POST feature to let my application know when a successful transaction has occurred on the hosted checkout page. I worry that it will be possible to spoof this POST request and manipulate my application into thinking a transaction was successful.
Example:
When a user checks out they are redirected to a URL like
https://payflowlink.paypal.com/?MODE=TEST&SECURETOKENID=XXX&SECURETOKEN=YYY
They can copy XXX and YYY and use an application like cURL to send a POST request to my application endpoint, thus tricking into thinking there was a successful transaction.
Is there a preferred method of securely handling silent POST requests to prevent this scenario? Is there a better method altogether of notifying my application of a successful transaction?
You can use a userid/and matching secure key as well as a date stamp, that way, only a random generated secure key, and a user id can be used, for a given time frame (usually couple minutes)...
I want to retrieve a list of recent photos with a given tag to display on a website in a very simple gallery.
For that, the doc says I need an access token. However, it seems that the only way to authenticate against Instagram is through OAuth; which involves sending the user to instagram and allowing my application access to their basic data. However, I don't want my users to do anything; I'd like my application to authenticate against Instagram for me and then retrieve the data I want.
Sounds simple, but all online documentation seems to end up in "Redirect your user to...". And I find no sensible ways to do this programatically; it's all about sending users away, letting them authenticate, and then receiving the access token afterwards. I could of course scrape the HTML, parse the forms (for example, the unique-per-session csrfmiddlewaretoken field which needs to be posted along with login requests etc) and let my server side application pretend to be my own user and login/authorize the app, but that doesn't seem like the way to go.
I could also just authenticate manually in the browser, pick up the auth token and paste into my application; but as the doc says: "do not assume your access_token is valid forever." - so I'd like this to be fully automated.
If I try to create a WebClient and POST to https://www.instagram.com/oauth/authorize/?client_id={clientId}&redirect_uri={redirectUri}&response_type=code&scope=basic it just returns a 403 Forbidden which is of no use. (For what it's worth, I'm using C# and have found instasharp, but this problem is not tied to any given platform...)
Am I completely overlooking something, or am I right that server side authentication against Instagram has become really complicated? Most other social media platform API's I've touched lets me get some form of authentication token just by posting a combination of the application id and secret.