I want to know the API connection from Wordpress.com's site to my system which have REST API.
Can I develop server side script which access to my API server?
This script contains api secret which should be revealed, so I don’t want to develop as client side script like java script.
We have a system which have some information, I want to develop the script which access our API and get info and show on the wordpress.com site.
Search in google, but I'm not sure.
Related
As a developer using Google API, I received the email "Migrate to the new Google Identity Services library". Our application has both Web-based and client solutions. We use Google Sign-In JavaScript library in the Web-based solution, which needs to be migrated. Our client solution calls the GetAuthorizationUrl() method of OAuth2ProviderForApplications in Google API .NET library to get the authorization URL and launch a browser window with the URL.
Is the URL from the .NET library affected by this migration?
I compared the URLs in the windows launched by both Google Sign-In and GIS and those from the .NET library. There seemed to be some difference:
GIS:
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?...
Google Sign-in Javascript:
https://accounts.google.com/o/oauth2/auth/oauthchooseaccount?...
Google API .NET library:
https://accounts.google.com/o/oauth2/auth?...
#2 and #3 are currently used in our system. When upgraded from Google Sign-in (#2) to GIS (#1), the authorization URL has "v2".
Is the "non v2" version of the authorization URL endpoint (#3) still valid after migration? As we will keep getting this non-v2 URL from the .NET library, it is important to make sure it is still working to avoid our service interruption.
I am using firebase admin sdk on the server to generate sign in links and send them out via custom SMTP api.
I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front end code. Is there a possibility to disable this functionality so it is only available to admin acc?
Additionally, I'd like some emails (i.e. multi factor enrolment) to not be possible, but again, given that someone can obtain some of my firebase front end details, they technically can send these?
You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for client.Sign up and delete user can be (that requires upgrading to Identity Platform) .
Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.
You can then restrict what the API key in Firebase web config has access to:
However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.
Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).
It might be a lot to update and I would not recommend unless you are facing rate limiting issues where Firebase Support should be able to help.
How can I go about creating an https form and getting input from there into dataverse without having an app created on Microsoft.
you will have to create application user in Azure to use dataverse API
Step by step to connect to D365 with a client_secret to use APIs
This is one example of how to consue dataverse API using Application user in python
There are numerous other example of consuming dataverse API, bascially you will need to authicate and get Token and then accees API
I have a simple web site hosted in Firebase and it is making AJAX calls to REST API endpoints in GCP Cloud Run.
I would like to limit these endpoints only to the calls coming from this site hosted in Firebase. Any call coming from any other origin should not be able to use the endpoints. What is the best way to do this?
When I was not using GCP Cloud Run, I was doing a host check on the API side to make sure that request is coming from my client but now with Cloud Run this is not possible. What else could be done?
Please note that the web-site hosted in Firebase is very simple and do not do any user authentication.
Challenge: Restrict access to a Cloud Run service to a single web application, without relying on:
Restricting access to the web application
Imposing authentication on users
This difficulty is not specific to Cloud Run. It's a general challenge for static sites backed by APIs, and a reason why many sites have authentication. As mentioned in the question comments, a server-side "host" check is not a meaningful security layer, as everything in the HTTP request can be faked. I strongly recommend you not worry about keeping your API private or add user authentication to keep the system simple and access accountable.
If that's not possible, you can still take the authentication approach by creating a single user, embedding the credentials in the site, and rotating them regularly (by redeploy to Firebase Hosting) to prevent credential theft from having indefinite access to your API. Having Firebase Auth in the middle is better than a simple API key because it prevents replay attacks from accessing your API.
I know that we can use a Firebase backend function to send an HTTP request to Google Apps Script and receive it using "doGet()".
However, is it possible to call a Google Apps Script function from Firebase without sending an HTTP request (since it's part of the same Google account)?
My concern is with security, where one may be able to guess/sniff the right URL/parameters and then execute the Google Apps Script function (which makes a purchase). Alternatively, there may be a proper way to secure GAS web apps.
There are quite some details missing. But I think you're asking of a Google Cloud Functions/Cloud Functions for Firebase can call into an Apps Script web app or a Apps Script REST API. The answer is that they indeed can invoke those URLs (if they're publicly accessible and fall within your quota).
But that is no more security risk than that any browser can invoke these URLs. The security should not come from knowing or being able to call the URLs. If you want to secure an API, you should implement proper security on it. For more on see Authorization for Google Services in Apps SCript