Firebase: stopping spam to my database - security

I have a webapp in which preferably I would like users to be able to interact with without having to sign up. Although there are many features, let's consider one: clicking a "like" button - I would like users to only be able to click "like" once. Without user accounts, my Firebase is open to spam (someone could get the url to my Firebase and constantly submit data to my database; the only thing that prevented this was client code, but the spammer could easily bypass it by running their code elsewhere).
So I considered Firebase's anonymous accounts feature; each anonymous account would only be able to vote once during their session and I would store votes on user local storage. This too can be bypassed if a spammer constantly makes a new anonymous account and clears their storage. In fact, they wouldn't have to clear their storage as the storage check occurs in client code, which is easily bypassable.
So now I am considering Firebase's email account feature. As I was coding it, I realized what stops a spammer from entering a ton of fake email addresses? This could fill up my db quick with unnecessary accounts and also could lead to spam of the "like" button. Does Firebase check if the email is valid? Would Firebase send a confirmation email that the user would have to verify?

Firebase provides email verification feature. Send Verification code to user's email id.
You can use it to verify the user's email. It will send a unique token to the user's email. Firebase authentication sets a flag for email verified. You can check it on your landing page and if it's set to false do not allow user to perform any task. Unless the user clicks on that token, the flag will remain set as false.

Related

Service account to send Docusign eSignature requests

I've signed up for a developer account with Docusign. We have about 15 users that access a Windows Forms page from another program where they fill out the proper information and click a button that calls a NET Core Web API which creates an envelope and sends to the signer. Those 15 users don't have accounts in Docusign and don't need them to. I want to use one admin or service account that will send and receive the emails, but I can't figure out how to do this.
I used my name for the developer account and now all my (test) Docusign emails show they are from me and once the signer signs, my email receives the signed documents. I've tried creating another "Admin" account, but I don't see any way to associate that user as an "API User". When I try using that user's GUID as the ImpersonatedUserID, my RequestJWTUserToken request comes back with "consent_required". But, when I go to the link I just get an error with "The client id provided is not registered with Docusign".
Everything in the Web API is working perfectly except for the emails showing they are from me and then the signed docs coming back to my email. This should be an easy thing to change the user, but apparently it's not, or I just can't figure it out.
You were on your way to fix this, but didn't follow through.
Create new user (you did it)
Find the new userId (you did)
Update JRequestJWTUserToken (you did)
Consent error - expected, the new user did not consent.
Obtain consent. You need to have a URL built correctly like this to do this:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=7c2b8d7e-xxxx-xxxx-xxxx-cda8a50dd73f&redirect_uri=http://example.com/callback/
Once you do 5, you need to log in with the same new user account you created (you may be automatically logged in with your original developer account, so log out) and provide consent.
Then step 4 will work just fine.
https://developers.docusign.com/platform/auth/consent/obtaining-individual-consent/

Maintain document signing progress when using JWT grant

Building an app where I have to generate documents for users to sign (where the users are not employees that are part of the docusign account). Based on the docs here: https://developers.docusign.com/platform/auth/, I should be using a JWT Grant for authentication.
My question is: when any user opens up the document to start signing, is there a way to maintain the progress that the user has made while keeping embedded signing? I've seen the "Finish Later" button, but that sends an email to the user.
The status of the signing for the specific user is maintained by DocuSign. If they go back to sign again, they'll see whatever progress they made so far. In order for you to do that, you'll have to call the same API to generate a new embedded signing URL for the same user, just the same way you did the first time. You can completely avoid having any emails sent to the user if that's what you want.
Final comment - all of this has nothing to do with JWT. You can use JWT or use Auth Code Grant and the rest is the same.

Dedicated Services Account and Embedded Sending Experience

We are using the EnvelopeView: CreateSender endpoint on the server side and are authenticated under a service account we have dedicated for this process. Ultimately, we send a URL such as https://demo.docusign.net/Member/StartInSession.aspx?StartConsole=1&t=<GUID>&DocuEnvelope=<ENVELOPEID>&send=1 back to the end user to pick the signers, and populate tags.
All works fantastically, however, we were hoping to make it so the user can only see and populate the information for this single document. Currently, once the user clicks the link they are essentially authenticated as our backend service account and if they open another tab in their browser and go to (https://demo.docusign.net) they can see all documents and even change the password of the account if they wanted.
Is there a way to restrict this in any way? Would the experience be different if purchased an “API” account not tried to use an actual user account on the backend? Yes, we know about OAuth, but we don’t really want to impersonate the sender and prefer to keep a dedicated service account.
An "API" account would give you the same issues as dedicating one of your current users as a "Services Account," so I don't think that's a solution.
Instead, I suggest that you move all of the functionality that's needed upstream into your app. That way you will not need to present the Sender view to your users.
Your app can enable your users to:
choose who the envelope will be sent to
choose/edit the email messages, etc
choose the documents that will be sent
etc
If you have preset templates that include the document tabs/fields for the signers then there is no reason for the sender to deal with the sending screen for picking the tab/field locations on the documents.
This type of app will also give a smoother user experience to your users since they'll stay in your app rather than bouncing over to DocuSign for part of the task.

How to integrate Google or Facebook login with my database?

I want to understand how to integrate auth of Google or Facebook with my database.
I have a login system with email and password, users table and messages table for that represent messages of users.
When someone registers, a new user with userID is created.
When a user login to the system with email and password he gets an auth token,
and for each action the user makes, like POST or GET requests for fetching or creating a new message, he sends the token he got and the system finds the userID by this token, and then finds his own messages.
Now I want to add Google and Facebook login, how should I do it now?
I can get from each of them a token. but the user isn't actually exists in my user table, so when I search the user by his token, I won't get anything, because he is not exists in the user table, and when I want to insert him to this table, I need to fill the password field there but I can't get it from google.
What should be the approach to do thing like this?
Thank you.
When they first login, you can request their email from Facebook or google, the user will give your application access to see their email address.
At this point you could create a new user with that email and add a flag to say they came from facebook/google.
The rest works as normal, they would get a token from your application and so on.
In case they come back and login again, you don't need to register them as they are already in your database.
In case you need extra info from them, (more then just the info you can request from facebook/google) you could redirect them to a special form, for their first login.

Secure way to send "reset password" link

I'm developing an web application using Django.
Currently I am working on sending "reset password link" thorough email (amazon simple email service - SES)
The mechanism I used, is the same with the answer of "simeonwillbanks" below link
Secure ways to reset password or to give old password
Give users a reset password option.
This option saves a unique token for a user. The token eventually expires (hours, day or days).
A link is emailed to the user which includes the token.
User clicks on the emailed link.
If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
Once the user sets a new password, delete the token and send the user a confirmation email.
What I worry about this, I am not sure this way is safe in terms of security. What if the email is captured by a hacker?
I tested on several major websites how they care this.
get an "reset password" email and copy the link.
give the link to other and see if he can change password on my account.
From this test, I figured out that somebody else also can change my password only with the link.
If I cannot do anything on the link, is there way to make email more secure?
like as the mechanism of ssl(https) on website?
Thanks!
It's somewhat secure, though is toast if the user's email was compromised.
I prefer using an HMAC in the URL, which avoids storing tokens in the DB.
If you include the user's IP address in the URL, and in the HMAC, you can be sure the reset link click came from the same computer (router actually) that requested the reset, and that it can't be shared.
Instead of the IP, you could set a device cookie with the username/email and an HMAC, and then check this when the reset link comes in from the email.
The system should ask the user the answer to a secret question after he clicks the link. Even better, send an SMS to his mobile with a short random code and ask for that. This is called https://en.wikipedia.org/wiki/Multi-factor_authentication
Then show the change password form (over HTTPS of course).
While we're here, you should display the same "success" message whether or not the user has an account, to avoid user enumeration attacks.
Also, use a localhost MTA relay or asynchronous email so that a hacker can't tell whether you sent an email (a slow response would indicate that a user exists).

Resources