I'm implementing OAuth 1.0a with the OAuthorize library. I'm following the example provided by the library.
I'm hosting my app at Heroku. Using the test client I'm able to GET a request token, and use it to /dialog/authorize:
Hi Bob Smith!
Samplr is requesting access to your account.
Do you approve?
When I press Allow, I get a Cannot POST /dialog/authorize/decision.
I've registered the endpoint in app.js:
app.post('/dialog/authorize/decision', oauth.userDecision);
Either I am missing something silly from the OAuthorize example or there is a fault in the way I'm handling the transaction.
dialog.ejs:
<form action="/dialog/authorize/decision" method="post">
<input name="transaction_id" type="hidden" value="<%= transactionID %>">
<div>
<input type="submit" value="Allow" id="allow">
<input type="submit" value="Deny" name="cancel" id="deny">
</div>
</form>
For me, the issue was that I didn't provide a proper callbackURL in server.userAuthorization callback.
see https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/db/accessTokens.js#L10 and https://github.com/jaredhanson/oauthorize/blob/master/examples/express2/oauth.js#L152
Related
A bit naive question. I am implementing OAuth server 2.0 with grant type = Authorization code grant. Here's what I have done
1) Created 2 endpoints as /login and /token
2) Created a login page with html as
<html>
<form action=\"/login\" method=\"post\">
<div class=\"textcontainer\">
<label><b>Sign in</b></label>
</div>
<div class=\"emailcontainer\">
<input type=\"text\" placeholder=\"Enter email\"
name=\"uname\" required>
</div>
<div class=\"passwordcontainer\">
<input type=\"text\" placeholder=\"Enter Password\"
name=\"psw\" required>
</div>
<div class=\"signincontainer\">
<button type=\"submit\">Sign in</button>
<input type=\"checkbox\" checked=\"checked\"> Remember me
</div>
<div class=\"container\" style=\"background-color:#f1f1f1\">
<span class=\"psw\">Forgot password?</span>
</div>
</form>
3) The above page will be displayed when client sends
GET
/login?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&scope=REQUESTED_SCOPES&response_type=code
4) I will save the state and redirect URI and the html page is displayed.
5) When user enters email and password and clicks submit button, then a POST will be issued to my server as POST /login and I will fetch the email and password from the request and verify.
Now the problem is I am not able to figure out a way to know if this POST has come from the same client who has called the previous GET.
Is there any way/html trick I can do to resend the state again in my submit button post? Is saving client IP the only way?
I understand the POST /token so that part is clear.
Thanks
Sammy
You can generate a unique identifier (GUID) on the server, before sending the form.
Then put it into the form inside a hidden input :
<form>
... your code
<input type="hidden" value= "<%= <your identifier> %>">
</form>
Then this unique value will be returned to you in the POST.
the way you insert the identifier depends on your programming language, I used C# an the above example.
I'm trying to make a fix to a moneris website, but I have to change the mode of moneris to test to test the changes before pushing in production.
I'm trying the code on the example page as is and got an error. "Invalid store credentials."
<FORM METHOD="POST" ACTION= https://esqa.moneris.com/HPPDP/index.php >
<INPUT TYPE="HIDDEN" NAME="ps_store_id" VALUE="AF4Fs1024">
<INPUT TYPE="HIDDEN" NAME="hpp_key" VALUE="Hsjh4GSr4g">
<INPUT TYPE="HIDDEN" NAME="charge_total" VALUE="1.00">
<!--MORE OPTIONAL VARIABLES CAN BE DEFINED HERE -->
<INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Click to proceed to Secure Page">
</FORM>
So if this is not how you can make a test payment to test the process, how can you?
PS: Seems there's no moneris tag.
You need to goto the developers page of Moneris and create a test environment first Developer Page
After creating the test store you'll need to input the store id and hp key in the values of the form you posted.
I built a simple REST FULL API with NodeJS.
When it comes to HTML code, I do have :
<form method="post" action="/registry/api">
<input name="id" type="text" value="6" readonly>
<input name="name" type="text" value="TEST name">
<input name="description" type="text" value="TEST desc">
<input name="approved" type="checkbox" checked>
<input type="submit" value="Update">
</form>
But if I go in the console, erase 'readonly' and change this id from '6' to '7', my API indeed receives the bad id and update the bad row in database.
How can I fight this ?
Your API should implement some kind of authentication and authorisation layer. One way to do this is to pass a token along with the request (e.g. in Authorization header), so you will know on the backend side, who is the user requesting this action. Then you can simple check whether given user is permitted to do such an action (with given id).
You can take a look at this blogpost, which describes this pattern using JWT (JSON web tokens):
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
I currently have a login form on a public, unprotected http page. Upon login I want the page to redirect to a secure https page. I am receiving this error screen when I try to login however:
I'm 90% sure my syntax is accurate. I have this exact form as a login page elsewhere on the site. This implementation is for a drop down box that enables the user to login. Here is my form for reference. Any help is appreciated, Thanks.
<div class="login-options">
<form id="login" name="j_security_form" action="<%out.write(Dropdown.getXML("https://www.xxx.com/public/j_security_check")); %>" method="post" accept-charset="UTF-8">
<strong>Account Login</strong><br>
Username:<br>
<input type="text" name="j_username"><br>
Password:<br>
<input type="password" name="j_password"><br>
<br>
<input type="submit" value="Login"><br>
<br>
New users register here<br>
Forgot password?
<input type="hidden" name="auth_mode" value="basic">
<script>
var newloc = document.location.href;
newloc =newloc.replace('index.jsp','index.jsp');
document.write('<input type="hidden" name="orig_url" value="'+newloc+'">');
</script>
</form>
</div>
Might be because you're trying to directly reference the url for j_security_check. I would try referencing a page that requires login creds, then it'll redirect to the secure page once it sees that there are adequate credentials.
I am building a website for a not for profit. I had the treasurer of the charity create a PayPal account for the charity and they have the PayPal login information.
I am trying to follow best practices for security and for this reason I, as the programmer, should not need to have the ability to login to their PayPal account. If for no other reason than if someone screws with the account or diverts money they will not put me on the list of suspects this seems to be the best way.
What I do need to do is put a donate button on their website. Normally one would simply login to PayPal and PayPal will generate the HTML code for you. If the client were proficient I could have them do this and email me the code snippet, but such is not the case.
What is the minimum amount of information I need from the treasurer, the account number? Also what is the easiest way for them to get me the information I require?
You should only need the email associated with the Paypal account receiving the donations to Create a Donate Button.
The above link will generate the following markup for you:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="josh#example.com">
<input type="hidden" name="lc" value="US">
<input type="hidden" name="item_name" value="Stackoverflow">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="bn" value="PP-DonationsBF:btn_donateCC_LG.gif:NonHostedGuest">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
The only line you will have to alter is the business input, which will be the Paypal account recipient.