Opencart's lifetime admin token - cron

Situation:
I have OpenCart v2 and a controller in admin to import products from CSV.
I want to add this controller to a cronjob (to run once a day).
But all direct links to admin must have an active token to be accessed.
Is it possible to create a token for that job with no expiration date?
URL example:
domain.com/admin/index.php?route=import/products&token=cd5f88550277ecbe4bce3a823ac68566

So the answer: just create a checker in index.php and, if the token is valid, run your controller.

In Keycloak, basing a permission on a custom user attribute

I am looking into using Keycloak to give some users special permissions.
The permissions will need to have a limited validity.
My current idea is to set special user attributes, for example ALLOW_PERIOD_1='2022-01-01:2022-02-01' and ALLOW_PERIOD_2='2023-01-01:2023-02-01'.
We will add a mapper to add claims based on the user attributes.
In the application the claims in the token will be checked, allowing this user access only in January 2022 or 2023.
I have 2 questions about this:
Is this the right way to manage temporary access per user?
Perhaps there is a simpler way to achieve the same.
Is this secure?
Can a user set his own custom attributes via the Keycloak pages?
For example, we have added the custom attribute middleName to our registration page by simply adding a form-variable "user.attributes.middleName" to the registration form.
Can any user add "user.attributes.ALLOW_PERIOD_1=2022-01-01:2030-01-01" to a POST to one of the Keycloak pages and give himself access?
Thanks for any advice,
Rob

Is it safe to store the oauth2 token in the UserProperties?

I am using the OAuth2 library to impersonate a service account with a user in order to access the Google API in the context of that user, similar to this example:
function getService() {
  return OAuth2.createService('GoogleDrive:' + USER_EMAIL)
      // Set the endpoint URL.
      .setTokenUrl('https://oauth2.googleapis.com/token')
      // Set the private key and issuer.
      .setPrivateKey(PRIVATE_KEY)
      .setIssuer(CLIENT_EMAIL)
      // Set the name of the user to impersonate. This will only work for
      // Google Apps for Work/EDU accounts whose admin has setup domain-wide
      // delegation:
      // https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
      .setSubject(USER_EMAIL)
      // Set the property store where authorized tokens should be persisted.
      .setPropertyStore(PropertiesService.getUserProperties())
      // Set the scope. This must match one of the scopes configured during the
      // setup of domain-wide delegation.
      .setScope('https://www.googleapis.com/auth/drive');
}
As you can see, I am storing the bearer token in the UserProperties and I am wondering if this has some security implications.
Can the user access this token somewhere (afaik there is no UI in the Gsuite for that?)
What can the user actually do with this token (I think it will expire in 1 hour right?)
From the discussions in the comments, I would like to propose the following as the current answer.
Q1
Can the user access this token somewhere (afaik there is no UI in the Gsuite for that?)
A: When PropertiesService.getUserProperties() is used, the user can retrieve the saved values only in the same GAS project. And it seems that the values cannot be retrieved with the Google APIs and UI.
Q2
What can the user actually do with this token (I think it will expire in 1 hour right?)
A: At Google, the default value of expires_in for the access token is 3600 seconds. You can check this using the following curl command.
curl "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=###"
Q3
If the user somehow can retrieve this token and use it for getting access to services he should not have access to.
A: For a standalone GAS project, when the users have no permission to write the script, the users cannot directly see the access token (in this case, users cannot use the log), while the script can use the user's access token.
Note:
The above situation is as of July 10, 2020. Google Apps Script and the Google APIs are growing now, so these specifications might be changed in a future update. Please be careful about this. When I can confirm the specification has changed, I will update this answer.

Create Google Contact with Node.js and Service Account

I would like to create a script, scheduled in a .bat file, that automatically connects to Google Contacts and creates contacts read from a MySQL database.
I would like a system that does not require any user action.
I know that service accounts exist but I have no idea how to create the program. Do you know how to do it?
I hope you can give me a hand.
For the moment, I wish you a good day.
This can be done in three steps if the user is not part of G Suite.
Authenticate the user using OAuth with access_type=offline.
Save the generated Refresh Token.
Use the Refresh Token to generate a new Access Token and then update the account's contacts. The Access Token will be valid (default) for 3,600 seconds.
If the user is part of G Suite, then enable Domain Wide Delegation on a service account and impersonate the user.
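Step 3 of the answer (use the saved refresh token to mint a fresh access token whenever the 3,600-second one runs out) as an added Node.js example; this is not the answer's own code. It uses the standard OAuth 2.0 refresh_token grant against Google's token endpoint; the HTTPS POST (`postForm`) and the clock (`now`) are injected so the block runs offline against a constructed fake endpoint.

```javascript
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const EXPIRY_MARGIN_MS = 60 * 1000; // refresh a minute early so no request carries a dying token

// Keeps one cached access token and refreshes it with the saved refresh token
// (the standard OAuth 2.0 refresh_token grant) when it is about to expire.
// `postForm(url, body)` performs the HTTPS POST and resolves to the parsed JSON;
// `now()` is injected so expiry can be tested deterministically.
function createTokenManager({ clientId, clientSecret, refreshToken, postForm, now = Date.now }) {
  let cached = null; // { accessToken, expiresAt }

  async function getAccessToken() {
    if (cached && cached.expiresAt - EXPIRY_MARGIN_MS > now()) {
      return cached.accessToken;
    }
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken,
      client_id: clientId,
      client_secret: clientSecret,
    }).toString();
    const resp = await postForm(TOKEN_URL, body);
    if (typeof resp.access_token !== 'string' || typeof resp.expires_in !== 'number') {
      throw new Error('token endpoint returned an unexpected response');
    }
    cached = { accessToken: resp.access_token, expiresAt: now() + resp.expires_in * 1000 };
    return cached.accessToken;
  }

  return { getAccessToken };
}

// Constructed stand-in for Google's token endpoint so the example runs offline.
// It validates the grant type and counts calls so the caching can be observed.
function makeFakeEndpoint() {
  let calls = 0;
  return {
    calls: () => calls,
    postForm: async (url, body) => {
      const params = new URLSearchParams(body);
      if (url !== TOKEN_URL || params.get('grant_type') !== 'refresh_token') {
        throw new Error('bad token request');
      }
      calls += 1;
      // Constructed response shape; real expires_in is 3600 as the answer says.
      return { access_token: `ya29.constructed-${calls}`, expires_in: 3600, token_type: 'Bearer' };
    },
  };
}
```

In production replace `makeFakeEndpoint().postForm` with a real HTTPS POST (for example via `fetch`) and load the refresh token and client secret from a secrets store rather than source code.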

How to make Azure Storage Static Website URL single-use

I am setting up a static website on Azure Storage that will basically be a single page where a user must fill in a value and then press a button. I generated a SAS that expires after 24 hours, but the other part I am struggling with is to limit access to the generated URL to a single-use only.
I've tried reading through the Azure docs on Microsoft's site but I couldn't find a way to do it.
Basically I expect a user to click on the link and it should take them to the HTML page. But if they try and click on it a second time, it should throw an error saying that they cannot access the page or just give a 403 response.
It is not possible to define a SAS URL with a number of times it can be used. As long as the SAS token associated with the URL is valid, a user will be able to use that URL.
For this, you would need to use some kind of middleware. Essentially, instead of taking the user directly to the SAS URL, you take them to a separate link with a unique token. When the user lands there, you check if the token has already been used (by looking it up in a database) and then take appropriate action, i.e. either allow the user through to the final destination or deny access.

Setting new security token on logout in Symfony2

I'm using Symfony 2.4 with FOSUserBundle.
The admin user has the ability to switch his security token to one for any other user, so he can log on to any account in the system. I did it with the following code:
$newToken = new MyOwnToken($adminId, $user, null, 'main', $user->getRoles());
$this->get('security.context')->setToken($newToken);
MyOwnToken extends the regular UsernamePasswordToken, holding an additional adminId field (for reference to the original admin's account).
When the admin logs out of the regular user's account, the security token is unset and he is redirected to the login page. I would like to change it a bit: instead of logging out, I'd like the admin to get logged back in to his administrative account.
My question is: what do I need to prevent logging out if some conditions are met (like the current token being an instance of MyOwnToken), and switch the token to another instead?
You should use a different approach altogether. It is called 'impersonating' users and is described in the documentation here - http://symfony.com/doc/current/cookbook/security/impersonating_user.html
