Ember.js model not fully loaded before afterModel is fired - Azure

I have an action that retrieves some data from the DB, and then I wanted to check that the data it has received is correct before it continues on with authentication. I am using invite codes to allow people to log into a public site that is for private corporate use only. I am able to get the data just fine, but afterModel is firing before the request is completed. I am making a call to an Azure Mobile Service and the call is still pending (according to Chrome) when afterModel fires off. It seems like it hasn't received the data at that point.
What is the best method to get this verification working properly? Once it verifies, it would then allow them to log in with an external provider.

Please look at this discussion: Ember authentication best practices?
If you don't need an Auth engine, then you could implement "verifying data" in the beforeModel hook. Why beforeModel? Because if the data is not correct, then the app should redirect the user to another page, and beforeModel is made for this logic: http://emberjs.com/guides/routing/preventing-and-retrying-transitions/#toc_aborting-transitions-within-code-model-code-code-beforemodel-code-code-aftermodel-code
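An added illustration, not code from the question or the answer above: an Ember-style beforeModel hook that performs the invite-code check and returns the promise, so the router waits for the remote call before model/afterModel run, and aborts the transition when the code is invalid. `lookupInvite` and `makeTransition` are constructed stand-ins for the Azure Mobile Service call and Ember's transition object, so the block runs without Ember installed; the server must still enforce the invite code when it issues credentials, since anything in the browser can be bypassed.

```javascript
// Added example: an Ember-style beforeModel hook for an invite-code check.
// Returning the promise from the hook is what makes the router pause until
// the remote lookup settles; model/afterModel only run after that.
// lookupInvite and makeTransition are constructed stand-ins, not Ember APIs.

// Constructed stand-in for the Azure Mobile Service table lookup (async, like the real call).
const INVITES = { 'ABC-123': { used: false }, 'OLD-999': { used: true } };
function lookupInvite(code) {
  return new Promise((resolve) => {
    setTimeout(() => resolve(INVITES[code] || null), 10);
  });
}

// The route, written as a plain object so the block runs without Ember installed.
// In a real app this would be a class extending Route with the same hook.
const inviteRoute = {
  redirectedTo: null,
  transitionTo(routeName) {
    this.redirectedTo = routeName;
  },
  beforeModel(transition) {
    const code = transition.queryParams.invite;
    // Return the promise: Ember waits for it before continuing the transition.
    return lookupInvite(code).then((invite) => {
      if (!invite || invite.used) {
        // Bad or already-used code: stop this transition and send the user elsewhere.
        transition.abort();
        this.transitionTo('invalid-invite');
        return false;
      }
      // Valid code: the transition proceeds to model/afterModel. The server still has
      // to enforce the invite when credentials are issued; this only gates the UI.
      return true;
    });
  },
};

// Constructed transition stub with just the members the hook uses.
function makeTransition(invite) {
  return {
    queryParams: { invite },
    aborted: false,
    abort() {
      this.aborted = true;
    },
  };
}
```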

Related

How to implement a Node.js service for checking an endpoint at regular intervals

I have built an app in which the user saves package tracking numbers, and then, when tapping on them, the app sends a request to the parcel provider and gets back the tracking info. Pretty simple.
What I want to do is to create a backend server that stores the user's tracking codes and checks them at regular intervals. When the status changes, the user gets a push notification.
My thought is to use a Node.js server with a MongoDB database, but I'm stuck on how to implement the tracking code monitoring on the server. Should I use a timer? Is there a better/simpler approach for this?

Private api with expressjs and react?

So I am making a social-media-like site where I use React for the frontend and Express.js for the backend...
I was using a public API till now, but now I need a private API to control some login info. I cannot understand how to do it, because the link it requests can be viewed by pressing Ctrl+Shift+I and can be used by anyone.
I still have methods to do, but I'm just wondering if there is any way to know where the request is coming from.
Let's assume that the API site is api.some.site and the main site is some.site, so the request should only come from some.site; otherwise send a 404 response. And I need to do it with Express.js...
I don't know how to do it, but I wanted to give you some information to think about. If you want people to be able to log in on your site, that API endpoint has to be unprotected, because a logged-out person does not have any credentials yet. When logged in, the user would be able to access protected endpoints, right? Endpoints like password change or viewing specific pages. So all the data a user should or should not have access to should be handled by the server. Your website is only a mechanism to make your data look pretty and easy to handle. So in a way you shouldn't care about people using your open endpoints from another location, because they're open anyway.
Authentication should never be handled client side. It should always be handled by a server.
This is my opinion; hope it helps. Sorry if it's not what you are looking for.

Prevent flooding of Logic App http endpoint

So the problem I am having is that I'm scared someone will flood my Mailchimp account with trash email addresses. I'm currently working on a website where we will do a sign-up for emails. The website is built in Vue.js and uses Axios to call an Azure Logic App. The POST towards the Logic App contains JSON with an email address inside.
What's particularly scaring me is that someone would be able to paste the JavaScript code from the button into the console and just flood the Logic App.
Logic App actions cost money, and flooding it would cost me money and a data list full of trash email accounts.
Would someone know if you're able to restrict Logic Apps and check if there has already been a request made from that specific user agent? Creating a database just to save this data seems unnecessary and would also cost you something like 23 euro a month on Azure.
I'm constantly trying to think about solutions, but Vue.js handles everything client side. I expect to create an email form that submits to a Logic App endpoint but that can't be flooded by a single user or bad actor.
Any help is welcome. And as always, thanks in advance!
I am afraid Logic Apps have no proper way to handle this scenario. But I think this will be a workaround for you:
On your JS static front-end, you can implement a timer to make sure your Logic App endpoint can be called, i.e., one time per 60 s from your front-end. What's more, you should obfuscate your JS code to make sure your code logic can't be modified easily.
However, this way does not work if an attacker runs numerous instances of your front-end to call the Logic App endpoint. So for this scenario, the best way is to implement a backend to block malicious calls.
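An added example, not code from the answer above: the server-side gate the answer recommends, placed in front of the Logic App trigger so the limit cannot be edited from the browser console. The limiter is keyed by client IP (an assumption; behind a proxy you would key on the forwarded address your proxy sets), and the Logic App URL is a placeholder.

```javascript
// Added example: a backend relay that screens sign-ups before they reach the
// Logic App. Rate limit and input validation live here, not in the browser.
// Keyed by client IP (assumption; behind a proxy use the proxy-set address).
const LOGIC_APP_URL = 'https://PLACEHOLDER-logic-app-url/'; // placeholder, not a real endpoint

// Fixed-window counter: at most `limit` accepted requests per `windowMs` per key.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.windows = new Map(); // key -> { start, count }
  }
  allow(key, now = Date.now()) {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= this.limit;
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const limiter = new RateLimiter(1, 60 * 1000); // one sign-up per client per minute

// Decide synchronously whether a sign-up may be relayed. Returns the HTTP status
// and, when accepted, the minimal JSON to forward (never the raw request body).
function screenSignup(ip, body, now = Date.now()) {
  const email = body && typeof body.email === 'string' ? body.email.trim() : '';
  if (!EMAIL_RE.test(email) || email.length > 254) {
    return { status: 400, reason: 'invalid email' };
  }
  if (!limiter.allow(ip, now)) {
    return { status: 429, reason: 'too many sign-ups from this client' };
  }
  return { status: 202, forward: { email } };
}

// Wiring sketch for an Express handler (express itself is not needed to run this block):
// app.post('/signup', async (req, res) => {
//   const d = screenSignup(req.ip, req.body);
//   if (d.forward) await fetch(LOGIC_APP_URL, { method: 'POST', body: JSON.stringify(d.forward) });
//   res.status(d.status).end();
// });
```

The browser then posts only to this relay; the Logic App URL never ships to the client, so the 60 s timer in the front-end becomes a courtesy rather than the control.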

Method not allowed when trying to access API methods via SOAP integration

Good day,
I'm having trouble calling DSAPI methods via SOAP (C# integration). I keep getting 405 Method Not Allowed errors. So far I've tried calling the RequestTemplate and CreateEnvelopeFromTemplates methods, both of which fail. I was able to successfully retrieve the DSAPIServiceSoapClient object and also successfully log in via the login method of the credential API. If you need more information, I'm ready to provide it. Thank you.
You're succeeding with the login, which is good.
My guess is that the other calls are not well formed. Perhaps they're missing the right base URL (which you receive from the login call).
Are you switching to the different base URL for your subsequent calls? (Different server name?)
I suggest that you try the API logging feature and see what it reports. It enables you to see a log of your API requests. See the Request Logging article for the classic DocuSign experience, or the new DocuSign UI.
I just needed to add the X-DocuSign-Authentication HTTP header whenever I try to get a DSAPIClient object.

Disable direct requests to REST API

I'm making a REST backend for private use by our frontend; they will both be on the same server.
The problem is that I'm worried about security issues. I don't want an attacker to use the API directly, either from JS or by using another REST client.
Let's take this service as an example:
http://myserver:8080/something/webresources/film
That's a service that allows GET, PUT, POST and DELETE. I want only the frontend to be able to use it; otherwise, since anyone can see client code, it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH, so they would have to register, and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user could only get/update/delete their own movies, but I would have to do that for every REST service (I have over 100 by now), plus I might need to actually get others' movies.
This is my first public project; I am really lost.
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Your only option is to call the REST API from the server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)
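An added example, not code from either answer: the allow-list check the Nginx answer describes, written as Node/Express-style middleware with the order a practitioner would want. Origin is checked first because browsers attach it to cross-site requests and page script cannot override it, with Referer as the fallback; both headers are client-supplied, so this only stops browser-based cross-site use and naive clients, and the per-user authorization (BASIC AUTH here) stays the real control. Hostnames and paths are placeholders.

```javascript
// Added example: Origin/Referer allow-list check in front of the REST resources.
// Both headers come from the client, so treat this as a nuisance filter, not as
// authentication; the 403 below is the same response the Nginx answer returns.
const ALLOWED_ORIGINS = new Set(['https://myserver.example', 'https://www.myserver.example']); // placeholders

// Paths that must stay reachable without a matching header, like the static
// images the Nginx answer exempts so e-mail clients can still load them.
const PUBLIC_PREFIXES = ['/static/images/'];

function originOf(url) {
  try {
    return new URL(url).origin; // normalises scheme/host/port, drops path and query
  } catch (e) {
    return null; // missing, malformed or relative value: treat as absent
  }
}

// Returns null when the request may proceed, or the HTTP status to send otherwise.
function checkSourcePage(path, headers) {
  if (PUBLIC_PREFIXES.some((p) => path.startsWith(p))) return null;
  // Prefer Origin (browser-set, not script-writable); fall back to the Referer's origin.
  // Note that a strict Referrer-Policy can strip Referer from legitimate users, which is
  // why Origin is consulted first.
  const candidate = headers.origin ? originOf(headers.origin) : originOf(headers.referer);
  if (!candidate || !ALLOWED_ORIGINS.has(candidate)) return 403;
  return null;
}

// Express wiring (express is not needed for the block to run):
// app.use((req, res, next) => {
//   const status = checkSourcePage(req.path, req.headers);
//   return status ? res.sendStatus(status) : next();
// });
```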
