Hello I'm developing a web app where the user needs to verify that they are the "Owner" of the website. I know there is code verification but how would I check if that verification is on their site without over complicating the verification method?
Also, I'm thinking about giving the site owner an hour to verify, how would I automatically detect if the hour is over and be able to delete them from the database?
The way Google or Yahoo do this is to require the webmaster to create a file with a special cryptic name (the file length can be 0), which is generated by Google/Yahoo. Could be something like "dsaa6fd4sgfdsf324gd.html". So you generate such a unique (name) string for each websit eto be verified, store it in the DB, and then you go and try to GET it from that site. If the GET succeeds you can set "verified=true" in the DB for that site and file name.
To answer the 1hr question we'd have to know what technology you are using. There are many options to run timed background jobs from a web application. Usually you write the job details into the database, and have a background daemon check the DB periodically and execute any pending jobs. You could tell it (that daemon) to execute a job one hour later to see if the file (see above) exists. Well, you have to do it that way in any case, it's no use simultaneously telling the webmaster to create that file and check for it right away :)
Related
I am pretty sure my understanding is correct but since I cannot find any Google documentation that explicitly highlights this I wanted to ask here.
Per https://developers.google.com/apps-script/guides/triggers/installable:
Installable triggers always run under the account of the person who created them.
And we know that when you create a trigger it will ask to authorize for all the scopes the script uses.
Then, that means that anyone with edit access to the script could leverage the Google identity of the user used to create the trigger to access the scopes the trigger is authorized for.
For example:
User 1 creates a Google Apps Script that uses GmailApp to send an e-mail
(i.e. GmailApp.sendEmail("one#example.com", "test subject", "email body");)
User 1 creates a trigger to run said script every hour and authorizes it with the appropriate GmailApp scopes
User 1 gives User 2 edit access to said script
Now, User 2 can go into said script and make changes to the code and access User 1's Gmail account. For example, user 2 could change the code to:
var emails = GmailApp.search("search string to find sensitive emails")
// use GmailApp.sendEmail to forward those details to someone else like User 2
All they would have to do is make changes to the code and save; they wouldn't need to re-create the trigger since it already exists. And the next time the trigger runs it would run the newer/updated code.
I was able to confirm this behavior by creating a test script on one of my accounts and giving another account edit access.
So my question is, what is the official/recommended way to mitigate this risk? The obvious answer is to not give anyone else edit access but what if that is not an option -- what if for support purposes multiple people need to be able to access the script, then what?
As you say, the only official/recommend way is to limit editing access to trusted persons.
In your particular example, User 1 could have chosen MailApp instead of GmailApp. The two seemingly redundant services are available separately because MailApp has very limited privledges exposed compared to GmailApp. (For instance, User 2 cannot search the victims Gmail with the MailApp service.)
You can collaborate while avoiding giving direct access to your script file using clasp and git. Only you push with clasp to the script. Everyone else submits changes through git. You can setup the system to be fully automatic (i.e. a git push triggers a clasp push) or manual (i.e. you review all changes first), bit either way you have good records of who did what, when with git.
There's inherent trust when you provide edit access to the script project. You either trust the person or don't trust them. There's no inbetween.
Some "theoretical" ways you may still protect the data:
Create and use different Google accounts.
Install Triggers at the specific deployment/not at Head:
Possible only if done manually. Installable triggers created programmatically can only be used at Head
When you deploy a web-app/api, You can deploy it a specific version.
This deployment version can then be provided, When you create a new trigger for a project here.
There is no need for a working web-app/api. We're only looking to get a deployment id.
In this way, even if user changes the script, your trigger will only run at the old version deployed.
Deployed versions can be seen at Publish> Deploy from manifest.
As the previous answer states, git would be a better call.
For all practical purposes, any data you share with a malicious entity should be considered compromised.
Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.
I have an app that sends SMS's out to a bunch of people. Those messages contain links. They are not using any link shorteners or any other service. They link back to my site. The links themselves are randomized strings, which are stored in my db, which are associated with an action. (Click "yes" or "no" link and the db tracks what you chose.) For ALL users, this works perfectly. With one user - and it's always the same user, as soon as the cron job runs, which triggers this event, his "vote" comes in. This is without him clicking or even seeing the message sometimes.
So, the question: has anyone ever seen or heard of a cell provider or a messaging app or similar that "clicks" links as part of some process before sharing the content with the user? I can't see ANYTHING in the code that would single him out so I'm thinking it has to be something in between when the message goes out and he does what he does. Especially because the timestamp is also always within seconds of the cron job running.
Sending an SMS can sometimes go through multiple carriers before reaching an end destination. As such, providers may be "handling" the content in this case.
The best thing to do would for any cases of this in the future would be to write support for further investigation.
I'm interested in selling e-books on my site that will come packaged as a ZIP file. I've got the purchase process all hooked up using Stripe's Checkout feature. Once I make a test purchase it's sending me to my "Thank You" page and creating the new customer (cia Stripe_Customer::create) and charge (via Stripe_Charge::create).
How can I offer a download link on this page that can't then just be passed around to anyone else? Is it safer to just ask for their email address and email the ZIP to them?
The best thing to do would probably be to create a download token object in your database, and to have that know about the user and the creation time. Then, the user's download link can be something like download.php?token=f136803ab9c241079ba0cc1b5d02ee77.
When download.php sees a token, it can 1) make sure that it's valid, and 2) that it's being used within n minutes of when the token was created. (And maybe that it's been used fewer than 10 times, or something like that.)
Obviously, this means that the user can't redownload his/her ebook -- you'll need some way of regenerating/reissuing tokens if you want to support that use case.
I have a web application that monitors farms in certain areas. Right now I am having a problem of performing automation with some of the tasks.
Users of the web application can send reports or checkins using keywords. If the reports or checkins correspond to certain keywords, for example "alert", I need the web application to send an alert to the user via email using that web application. But that alert must be sent two weeks after the date of the report received, and to that particular user only.
Would it be possible to use cron to perform this? If not, can anyone suggest me a workaround?
A possible approach you might consider is to store an entry in a database for each of these reminder emails you need to send, at the time your user does whatever action in your application that determines the need to send that email exists. Include the recipient, the date to be sent, and the email content as content you store for each entry. Schedule a single cron job to run periodically to process these database records by due date, and populate an email template to be sent out. You can then either delete the database records, or a better option, include a column that indicates they were sent and mark them as sent.
It would help to provide which technology stack you're operating on and what the application is developed in. Others might be able to point you to technology specific approaches or pre-built plugins/extensions that already do this for the situation you're in, to help you avoid the need to write your own code for the solution.