I submitted an app review on the google store and it prompted me that HostnameVerifier is not safe,As shown here is my code, I don't know where is the problem
Can anyone help me with this HostnameVerifier is not safe
Related
When I access to my telegram-bot, after some time, it requires user authentication with the text:
"Stand by...
Hi there!
Before We Can Continue We Need To Verify That You're a REAL User"
When this message appears it seems session is closed, and the user can't receive Bot notifications, until user authenticates.
I can't understand why this authentication is required if I am storing each user telegram_id.
Your bot token might have exposed on git.
You need to change the token.
Instead of hard coding it in the code, pass it as an environment variable.
Just had the same issue!
I guess, someone scraped my bot-token from public repository and tried to steal my account. NEVER leave your bot-token in public rep!!!
Detailed description for others to find this thread:
Bot sent, what it was programmed to do and then
"Hi There!
Before We Can Continue We Need To Verify That You're A REAL User"
Telegram sent me login code -> I entered it (yeah, I'm dumb)
Bot printed
"Please reply with your 2FA (Two Factor Authentication / Two Step Verification) code"
then
"Timeout has been reached , pleaase try again."
(I like the pleAAse part, where you understand it was totally fake)
Telegram said it was
Device: Android
Location: Bulgaria (IP = 185.95.157.122)
I discovered what was wrong!
Lev Vasilyev answer made me think if somebody was able to get my bot_token. So, I changed it. And, the authentication message no longer appeared.
It´s important to get into telegram allowed devices, and delete not authorized accesses.
My bot has ""Stand by... Hi there! Before We Can Continue We Need To Verify That You're a REAL User" too.
When I proceed and send authentication code and sms from Telegram was received I had been authorized as Samsung Galaxy s20 5g from Seychelles ip adress which was not mine... This was very strange. If anybody had that experience please post your answer too. Maybe somebody had stolen my bot ...Sorry if my English not very correct and nice. I hope you understand.
I had the same problem, changed the Token and resolved the problem. I needed set the webhook again to work.
All replies are correct:
your token has been stolen and used by hackers, once you enter your credentials - you will see unknown sessions in your telegram.
Change token via BotFather and do not publish it in public places.
If you have already put your cred's to the telegram bot - you need to change the password immediatelly.
i would like implement OAuth 2.0 Client Credentials Flow (2-Legged), but as mentioned here : https://learn.microsoft.com/en-us/linkedin/shared/authentication/client-credentials-flow or https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow.
It's written : "Your application cannot access these APIs by default. Contact us to have your application granted permission to use this flow."
I don't find any contact (I tried linkedin support, they sent me on stack overflow..), does anyone has already done this setup ?
Thanks :)
I am in a similar boat and it seems that you will have to apply for further permissions on their partner programme page: https://developer.linkedin.com/partner-programs
I know this may be a bit of a late response but other developers stumbling across this may benefit from this answer.
I have an app that is protected by google-oauth (3-legged OAuth) at the nginx-level (using https://github.com/cloudflare/nginx-google-oauth). As you may know, it requires the user to be logged in or manually login to a google account using the browser.
I'd like to access this same protected app through the CLI/programatically. It's true that nginx-google-oauth provides some means that make it easy to do that: the _token_curl endpoint prints outs the headers ready to be used with curl. The problem though is that that token has an expiration date and to get it I need to be logged in or login manually to my google account.
I'm wondering if I could use a Google Service Account (2-legged OAuth) to access the google-oauth-protected app? I've searched around in the documentation (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) and from what I understood, it's only meant to access Google APIs.
Could someone shed some light on the subject? Thanks!
Just for anyone else finding this, the question was answered on GitHub and it is not supported by nginx-google-oauth:
https://github.com/cloudflare/nginx-google-oauth/issues/21
I am thinking of using a QR code to login to a website. This way a user doesn't have to enter a user id/password.
users goes to a website.
the website need autorisation.
the website present a QR code.
the user scans the QR code with his/her phone.
Somehow the originating website gets confirmation that the QR code was scanned by a known phone.
Now the website knows the user and the user is logged in.
This is safe because the phone is known to the site.
If needed the user can protect the phone with a PIN code or other locking system.
Does anybody know if somebody has already build such a system?
Some code would be nice :-)
When logging in to a site, the web server sends the
PC browser a QR code that encodes a cryptographic challenge; the user
takes a picture of the QR code with his cell phone camera which re-
sults in a cryptographic response sent to the server; the web server then
logs the PC browser in.
Excerpt from: Secure, Consumer-Friendly Web Authentication
and Payments with a Phone
The have some real code too: https://github.com/Mobisocial/Snap2Pass
Because there are some challenges with sending data from the server to the waiting client, i.e. the page that showed the QR code we made www.qrpu.sh
This will just make some of the infrastructure easier, but the logic of the authentication is the same as in the answer from pods
It's a bit old discussion but I was looking for a solution to this kind of problem and I found this:
qrlogin
I am implementing Facebook login on my website. I am creating an asp.net user as well with the Facebook users details. This way I can control login in people to my site using .NET membership regardless of whether they are a Facebook user or not.
The problem I am facing now is security. When a user logs in with Facebook I am calling a webservice with their facebook details, if the user exists on the system (by their facebook userid) then I log them in. However as it stands anyone could call the webservice with someone elses facebook id and it would log them in (if that user existed on the system). Is there something that I can use to link the facebook user with my asp.net user that is only accessible to that user, such as an access token. It also needs to be something which does not change? Does facebook send back such a thing in the response object?
Any help or suggestions are much appreciated.
Thanks
Yes, we can get that profile data from Facebook. Using that requestAccessToken Url you can get that access token.
requestAccessTokenurl="https://graph.facebook.com/oauth/access_token?client_id={0} redirect_uri={1};client_secret={2};code={3}"
Also we can get the Profile Data using this access token
requestProfileUrl="https://graph.facebook.com/me"
please see this link- http://easyoauth.codeplex.com/
you can download the source code also :)
We have implemented for Facebook, Twitter, LinkedIn, Google using this framework. It is very straight forward. I can help you how to do this.
Thanks