Post Username & Password To Protected Folder/Site - iis

I'm trying to post a username & password from an HTML form to a protected folder on a website. Is this possible? I thought I could just pass the credentials in the URL like the below, but I'm not having any success:
http://username:password@theurlofthesite.co.uk
I'm still getting the alert pop-up asking for the username and password. I need to be able to auto-log the person in.
Hope someone can help? Thanks

If you log in via an HTML form, then this won't work. This is only for HTTP authentication, which is something completely different.
I don't think many (any?) browsers support being opened to POST data. Which leaves you hoping that the site accepts GET-based logins (and they should be shot if they do).

The address part of the URL is parsed by your web server, so the code which handles the HTML form never sees it.
If you want to pass parameters to a form, you must use url?field=value&field2=value2. This only works with forms that use the GET method. For POST, you need a program to generate an encoded document and upload that.
In both cases, your user name and password are broadcast as plain text on the Internet, so the account will be hacked within a few hours. To put it more clearly: there is no way to "protect" the data in this folder this way. This is like adding a door with four locks to your house and keeping the keys on a nail in a post on the street next to the door.
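The answer above says what is sent, not what it looks like. The following is an added example of mine, not code from the original poster or answerer, written for plain Node.js: it builds the URL-encoded body a POST form sends, builds the Basic credentials that a user:password@host URL turns into, and decodes them again to show why both travel as plain text. The URL and field names in postLoginForm are hypothetical.

```javascript
// Added example, not part of the original answer: what the two mechanisms
// described above actually put on the wire. Plain Node.js, no packages.

// Build an application/x-www-form-urlencoded body, which is what a browser
// sends for a POST form. URLSearchParams percent-encodes '&', '=' and '%'
// inside values, so user-supplied text cannot inject extra fields.
function buildFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// HTTP Basic credentials: this is all that "user:pass@host" in a URL
// becomes. Base64 is an encoding, not encryption.
function basicAuthHeader(user, pass) {
  const encoded = Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

// Anything that sees the header (proxy, access log, browser history for the
// URL form) recovers the password with one call. The password may itself
// contain ':', so split only on the first one.
function decodeBasicAuth(headerValue) {
  const [scheme, encoded] = String(headerValue).split(' ');
  if (scheme !== 'Basic' || !encoded) return null;
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return { user: decoded.slice(0, idx), pass: decoded.slice(idx + 1) };
}

// The "program that generates an encoded document and uploads it": a POST
// of the encoded body using Node's built-in fetch (Node 18+). The URL and
// field names passed in are hypothetical.
async function postLoginForm(url, fields) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildFormBody(fields),
    redirect: 'manual', // keep the login response's Set-Cookie visible
  });
  return { status: res.status, setCookie: res.headers.get('set-cookie') };
}
```

Passing a value such as `p=w x` through buildFormBody yields `p%3Dw+x`, and decodeBasicAuth(basicAuthHeader(u, p)) returns u and p unchanged, which is the whole point of the answer: neither form hides anything.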

I did exactly what I did in the question and it works on all browsers except Safari on a Mac.

Related

How to send an email to yourself, from react frontend

I know this sounds very similar to other questions, but it's a little more confusing. The person I'm making the website for wants to make an ordering system, in which you pick your product, then when you click the order button, it sends an email to him. I've tried using an 'a' tag with an href of mailto:, but that opens your mail client, which isn't what I want.
If any of you guys have used J-lab test prep, at the end of your session you can email your results to your teacher with the click of a button, without opening your mail client.
Edit:
I realized I probably need a server for that to host the email. Does anyone know how to make that type of back-end?
Thanks in advance!

Gmail - Link to Draft in non-conversation view

I am importing/creating drafts in Gmail using the Gmail API. After creation I'd like to redirect the user to the Gmail UI with the opened Draft in the composer window.
I made it work properly for https://mail.google.com/mail/#drafts?compose=[MESSAGE ID]. Other URLs I found here also worked well. Gmail does some redirects and eventually the composer window is opened with the draft.
Now my issue:
If the user has not enabled "Conversation view" this will not work at all. The redirect will then result in https://mail.google.com/mail/u/0/#drafts?compose=new and only an empty, new composer window is shown and a new draft is created by the UI.
If I open the draft directly the ID-format is different. https://mail.google.com/mail/u/0/#drafts?compose=hJzgZpSqgLQcCWgZqnlNRzRBfMbjZVnZklzvcFxhQCdwT... and I have no idea if this format can be generated somehow.
Does anybody have an idea or experience with making this work with this UI setting as well? How can I force Gmail to load the draft into the composer window?
Thanks in advance.
If you have Email Threading > Conversation View enabled
Make use of the following URL
https://mail.google.com/mail/u/0/#inbox?compose=DRAFT_MESSAGE_ID
If you have disabled the Email Threading > Conversation View option
Make use of the following URL
https://mail.google.com/mail/u/0/#inbox/DRAFT_MESSAGE_ID
Additional information
The main difference between them is that the first is treated as a conversation while the second is not.
You can use #drafts instead of #inbox in the URL.
The number after .../mail/u/ is the session you have opened.
You can retrieve the DRAFT_MESSAGE_ID by making a request to the API.
You can approximately generate the compose ID yourself; there are some examples out there (not recommended). I strongly recommend you use the DRAFT_MESSAGE_ID instead.
This appears to still be an issue. The one solution I did find was that you can find your draft directly (even though it would be the last draft) and go through multiple accounts by redirecting to
https://accounts.google.com/AccountChooser?authuser={user account}&Email={email account}&continue=https://mail.google.com/mail/#search/rfc822msgid:CAMU-31NcJCVHyGNsAycRKfuS0nMonoaZ6wFMD90Sej996qjuPQ@mail.gmail.com
You need to get your message id to replace the area from <> from your draft. So you'll have to create the draft first. Get the Google message ID, then use that with messages/get to get the Global Message Id (also referred to as message id), and then use that with a search. At this point you'll open a page with a search for a single draft, but it will not be opened. Your users will have to click on the one message. Unfortunately there does not seem to be a way to have the good way work for conversation view and this way work for non-conversation view.
I tried many different URLs and nothing worked. As noted in the original question, it might work if you could link to the full URL, but I see no way to get that. If you spend long enough working with an email you'll even find that the ID changes, so they aren't even stable within a single day.
Another solution that could work is as explained:
https://mail.google.com/mail/u/0/#inbox/DRAFT_MESSAGE_ID
But as noted this does not open the draft the first time you go there. It seems you have to go to that link twice in a row to get the message to appear. I guess you could go to the page and maybe inject some JavaScript to go to the page again, but I don't know how to do that.

action on successful email verification

I have an API function that verifies a user's email, but I don't really know what to do next. I want to redirect the user to an HTML page that says "your email has been verified", but I don't know if I should use res.sendFile() or res.redirect().
I tried both of them, but res.sendFile doesn't work when I include images, because if the API is /user/verifyEmail, any images I include in the HTML have src=/user/myimg for some reason and therefore they aren't sent or displayed. I then tried res.redirect() with the HTML page placed in my app's static files and this works (with the images too), but it just feels wrong because anyone can open this page if they go to myapp/verification.html since the file is in the static folder.
What is the right thing to do here?
You can resolve this concern by adding middleware for securing those routes:
but it just feels wrong because anyone can open this page if they go to myapp/verification.html since the file is in the static folder.
In conclusion, res.redirect() is the right thing to do here.
You have to set a unique value in your path, like
www.xyz.com/verification/unique_value
unique_value defines which user is verifying on this page (you can encode the user id and set it as unique_value),
then you can use a GET API for the path www.xyz.com/verification/unique_value.
You can decode it in the API and check whether it is a user or not; if it is a user then you can display the page (res.render()), else redirect to the home page (res.redirect()).

How can I create an authenticated scraper for Amazon product detail in Node.js?

I'm creating a script that grabs all the shipped items from Amazon and notifies me.
Authentication is needed to see the products though.
I've already tried sending a post request through "request" which returns an error because of the cookies and extra parameters needed.
It would be easy using cheerio afterwards to get the data if the authentication works.
Does anyone have any idea on how we can authenticate successfully?
The link from the email is: https://www.amazon.com/ap/signin/185-3199906-8918341?_encoding=UTF8&accountStatusPolicy=P1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=0&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Fyour-account%2Forder-details%2F185-3199906-8918341%3Fie%3DUTF8%26eoid%3D1%253A1%253Arv%252FYwjiYmnOZY9MYltVnDyf2l6p5pMkMx9deoUeiiw%252FKpPrtZrWqs5l1GGQPVb%2520qaJqHXyCkPEpLZnmDZamKkVDWhtu3dKlW5Gx7Uvxtzs0xlPJ25vduijJrPpHt79P%2520RRZHopOtAyOP4s82VLoeeiDQgq%2520FCP540H%2520UYAV7goZQxB29WObWAVh8VveTwEeWenY3sTx8ZI9%252FBLM2BSqS3IUIURW8mzMnAB9t7wglUiAcoR%252FcUhSIx%25201eNV4MspVAp7fLkeANag72BxgmsjFfRhnsxfji1VhZXLawqFeK9SBnvbUfkNWUC%2520IXWh6VcuoStBG3x%2520ZUkzGHw1ORi4J%2520Hg%253D%253D%26orderID%3D105-6914722-5422613%26ref_%3DTE_simp_on_T1&pageId=webcs-yourorder&showRmrMe=1
You cannot guarantee any of the form input values of the sign-in page, so you must also scrape the login form.
Here is the process:
In your server, make a request to the URL in your question.
Using Cheerio, parse the DOM and grab all of the form fields from "#ap_signin_form".
Add in your data (username/password), then make a POST request to the form action "https://www.amazon.com/ap/signin" (this should also be scraped).
Hopefully that will get you past the login screen. You will need to ensure all future requests pass the cookies set at login.
Now this kind of thing is clearly against most TOSs, so I would urge caution in doing this kind of thing often.

How to block spammers from using my public email api

I am working on a web application which allows users to share stuff on a web page by clicking on an 'email to friend' link, similar to what Extole is doing here:
http://www.american-giant.com/mens-heavyweight-full-zip-hooded-sweatshirt-product.html
On this page, if you click on the email icon near "REFER & GET $15", you will see a pop-up where you can enter your own email and a friend's email and can edit the subject of the email. When you click send, the data is sent to the backend as JSON. They are using a plain simple URL to do this, i.e. http://refer.american-giant.com/v2/share.
The problem for me is that somehow spammers got hold of my URL (can't mention it here) and now they are using it to spam others with some sort of script. What I did is place a check in the backend API to block an IP if more than 5 share requests originate from it, but it seems that the spammers have a lot of IPs (more than 30,000 from what I counted in my logs), so they are still able to send lots of email. One possible solution is to use a captcha to thwart the spamming script. But I am curious how Extole is doing it. They aren't using any captchas, and they are famous too, so it is unlikely that spammers don't know about their publicly accessible API. Can anyone shed some light on this?
Note:
1. I am using a third-party email service to send the emails.
2. Users are not required to sign in, as this defeats the purpose of sharing on a simple website.
3. Users can edit the subject and body; thus these are sent in the API call, and this is what allows the spammers to abuse the API with their own content.
