Which API_KEY do I use to create new TrueVault users? [closed] - security

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 8 years ago.
I would like to use the Users API to create new users in TrueVault, but it requires an Authorization header with the encoded API key. I am unsure which API key to use for this purpose and where to get it from. Also, should this be hard-coded into the mobile app I'm creating?
Thanks

You can create an initial full access User using the console. https://console.truevault.com -> Users -> Create New User. Upon creation, clicking into the User should show the API Key. This User will have full CRUDA privileges on all resources, so it's unsafe to use this User's API Key for an application.
In order to create a User with limited privileges, you should not create a User through the console. You can use the API Key of one of the Users created in the console to create another User using our Users API. Check out https://docs.truevault.com/Users.html to see how to do so.
We recommend using environment variables to represent API Keys or any other sensitive data in your application.


Is it safe to share domain restricted API keys? [duplicate]

This question already has answers here:
Can I really not ship open source with Client ID? [closed]
(2 answers)
Closed last year.
I'm using Google's Perspective API and have an API key. I've restricted this to the specific domain I'm going to be using, but I would like to know if it's safe to release the key in my code? As this would be in the client's browser I don't want to make a backend just for that, but I will if necessary.
Essentially: Is it safe to share a domain restricted API key?
I do not think it is safe. Google does not recommend it. You can check the official article for the best practices.
"Do not embed API keys directly in code: API keys that are embedded in code can be accidentally exposed to the public, for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree."

How would you create a "private beta" user queue system in Node.js? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
We're creating a new web app based in Node. As many apps do, we would like to restrict the number of users who sign up, so we can test and scale up smoothly. So, people would sign up (with an email address), and then when a batch of users are released (either manually or automatically), that batch would receive an email that would allow them to sign up.
I've seen this process a number of times on the user side, but have never been involved with building a beta queue system, so I'm not sure of the best way to approach this from an architecture / code perspective. Some specific questions might be:
What would be the flow for signup from a Node perspective?
What might be the underlying data model?
For "time-released" or batch releases of users, what might be the best way to manage that or trigger it?
Are there any Node modules that might help with this?
Any help appreciated.
I implemented something like this in a .Net / SQL Server setup.
Basically, the user table had a flag indicating that that user was a beta user and allowed access.
Then I modified the user authentication module to return a different error message indicating that they were signed up but couldn't access the application yet. This would only show if they successfully authenticated like normal. You could also send them to a different landing page so it doesn't look like they used the wrong credentials.
Next you can provide an admin interface to kick off a script to set the beta flag on a batch of users. This should also trigger some type of notification to let the user know they have access.
For time released options, you could have something else trigger the batch script to set the flags, or have a monitor service that finds any users without access that signed up over X days ago.
I think a lot of this would need to be customized based on your application and when you want to release beta users. There are also some services out there that allow single sign-on and gather analytics about your beta users if you want to see more information without having to roll your own.
Hope this helps. It would be nice to see an actual module you could drop in and configure with your specific database, user model, and authentication / signup process.

Salesforce : Application Administration [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Can anyone explain this question?
If the actors who will be using the applications are not determined before the creation of the application, which of the following will happen? Select any two choices.
a. We will be unable to create reports and dashboards
b. Unauthorized users can access sensitive data
c. There will be no room for scaling the application to large users
Thanks,
I don't think this question is one Stack Overflow's rules would consider good. Did you copy it from some certification exam maybe? ;) It's not exactly programming problem-related.
I'll flag it for mods but also try to attack it :P
An app is not much in the SF world. A set of (default) tabs, that's it. If a user has no access to an app that mentions tab XYZ, it doesn't mean he can't access the tab from the "all tabs" menu. The more important thing is the security setting on the object that says:
tab hidden - meaning user with this profile is not even aware such object exists in the database, even if he has "Read" permission ticked
default off - accessible in "all tabs" menu
default on - visible by default in given app if said app is selected
a. We will be unable to create reports and dashboards
No. A sysadmin will be able to see all data (and thus create reports) even if none of the apps includes this tab. What they talk about in this answer is controlled by the object's "allow reports" checkbox (and if it's not ticked, even being a sysadmin cannot help you). Normal users won't be able to make reports/run existing ones on given objects without having at least "Default off" + "Read" permission on the object in their Profiles.
b. Unauthorized users can access sensitive data
Yes? I can imagine this happening - you don't know which Profiles should access a given object, you give Read access to all users, funny things happen. But then - by default nobody can see the data except people with "View all/Modify all" (like SysAdmins), so it's a bit of a weird answer. You'd have to explicitly go to each Profile and enable access...
c. There will be no room for scaling the application to large users
I don't understand this answer so I'm going to go with "no, bullshit" :D You can always grant access to a given app (or object) per profile or even per permission set if you have to; I don't see how this can become an issue...
d.
I'm missing 1 more answer, are you sure you copied complete question? I've never seen a SF exam question with less than 4 answers...
Disclaimer: I've never seen a similar question on my exam or any practice exams. I've passed the 201, 401 and 501 tests.

Is It Okay to Hard-Code Credentials? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed last month.
I'm working on a small web project with a friend. It involves a lot of MySQL queries, so I've created a ConnectToDatabase() function that connects to the server and selects our database.
It looks something like this:
function ConnectToDatabase()
{
    mysql_connect("db.myawesomehost.com", "Bob", "correcthorsebatterystaple");
    mysql_query("USE BobDB;");
}
It feels really bad to hard-code our credentials like this. I can't think of any other way to handle it, though. Putting it in a constant doesn't really solve anything, and hiding it away in some text file just seems ridiculous.
Should I even care? How is this handled in large projects with tons of people?
Factor it out into a separate config file. For one, it'll let you at the very least set some variable like "DEBUG_MODE" that will switch out your production credentials for your test environment ones. You can optionally not keep the separate file under version control if you like, or keep one with dummy credentials in your code repository so that users have to supply their own credentials instead of having access to global ones.
You should not hard-code any credentials. The best thing is to read them from a configuration file and cache them. Even in that case you had better not put credentials in clear text - we need to encrypt the credentials in configuration files. At WSO2 all the credentials we read from configuration files are kept encrypted, and we use an approach called Secure Vault [a generic approach] to read those encrypted credentials and provide them in clear text to the required application...
Thanks...
Typical Rails configuration has usernames and passwords stored in a file.
It seems reasonable to split them out so that you can share code without sharing machine specific information. This is useful for multiple developers who have more than one user for their dev DB.
Reading from a file shouldn't be that much of a burden, particularly a file of some format: xml, json, yaml, ...
As the other answers suggest, most large projects hard-code the username and password somewhere in the project, usually in a configuration file. I have never seen any that do it another way; however, in the specific case that non-logged-in users do not need database access, it is possible to encrypt the DB credentials and use everyone's password as a passphrase to decrypt them. Another drawback is that if the user forgets their password, they won't be able to recover it without admin intervention, and all existing users would need their passwords to be reset.

How can I make secure a video online? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I am working on an online video training website and I want to secure my videos so that no one can download them. Can anyone help me with how I can restrict video download? I have tried different HTML5 and JavaScript players but none of them provide this feature.
You can store the video files outside of the web root or inside a restricted directory. A user logs into the web application normally. Then you have a server-side script that checks the user's permissions and opens the file for the user.
Alternatively, if there is no login then the player can request a token from the web application. This token is then used to access the file only once. This is the best you can do; of course an attacker can still save the file. A user will always be able to do this until the end of time, because that's how the Internet works.
You can make the file name as long as the server permits (applies to photos as well)... it cannot be saved even from a smartphone... make sure the file name is long enough. Then use this encrypter:
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm
Blend the new code into your HTML.
Finally, use additional scripting to disable right-click (search the internet for this free script).
Stream the video. Hide the root from the server; there are many ways to do that. Encrypt the file and turn right-click off over the stream. And at the end, choose a very rare format! A normal user will give up. An advanced user will get it no matter what!
