Im making an app for some form, and im colleting some not sensitive information.
I need to make an automatic report from a server, calling directly to report to download information, but im not being allowed to make the call because is being enabled automatically with antiforgerytoken, so if I make a get request from the server to a controller/action, im receiving an error, but if I make the call throw $2sxc(XXX).webApi, is working.
How i can make the 2sxc api call without antiforgery token
Please help
That's simple - just make sure you have [AllowAnonymous] on your class.
You can find working examples in the Mobius Forms app.
See also: https://docs.2sxc.org/web-api/specs/webapi-security.html
and https://docs.2sxc.org/net-code/web-api/custom-web-api-security.html
Related
I have an app in xamarin forms, and I need to implement Google authentication. In my Google API, I have OAuth credentials using Web Application.
The problem is in the Authorized redirect URIs: when I configure the URI using the https, I can choose what account to log in to. After choosing the one I want, I get this error:
Seeing some Youtube videos, I´ve seen that I need to use HTTP instead of HTTPS, but when I try to use this way, I get this error BEFORE I get the Google user´s accounts lists:
So I´m sticking in it and can´t authenticate the user.
I´m using Xamarin Forms, and on the app, there´s no exception thrown.
The redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & client secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
Note that updating the google api console and that change being present can take some time. Generally only a few minutes but sometimes it seems longer.
I have an existing ASP.NET website with a login. The login procedure is not trivial, because of routing to different front ends on different servers based on which user logs in. There is also some communication/login going on to a classic ASP website.
Now I want to start to decouple the first step of the login procedure using a tiny Angular2 app. Basically this should just collect the user and password and leave the login validation etc. to the existing ASP.NET logic. So from my naive point of view, this is the same as filling out user and password on my existing ASP.NET page and clicking the submit button.
I know that I can make http requests using angular2 and have successfully done so calling SOAP based web services which are part of the login validation process.
I have the idea that I can somehow fake the http request which is executed when submitting the login form in the existing ASP.NET page. But as far as I understand it right now, even if I could make an http request to my login.aspx site the response I would get would sit in my Angular2 obervable as text whereas I would like to leave my Angular2 app and "simply use" that response.
I am not even sure what questions to ask ... but how do I do that?
What have I not considered?
Some options I have:
It would be possible to change parts of the existing ASP.NET page(s).
I think it would be OK to open a new browser tab in which the existing ASP.NET app would be displayed.
We need to use static method's to make Ajax calls.
I didn't really understand the whole picture, but I know that you can load an ASP.NET partial view from an Angular2, or even make an http call to an ASP.NET Controller to get your data.
So I don't really understand your problem there, since the question is not clear, but you could make an http call to an ASP.NET Controller that would manage calls to your different WebServices.
Some clarifications would be helpful for a more detailled answer.
I'm doing an application for android, iOS and Windows Phone using Xamarin.forms.
I need to implement login with most common social for all platforms and I have found on web Restsharp.Portable.
I'm having trouble to understand how to use the library (it was correctly imported) for OAuth2 request.
Does anyone have any example or guide that could be helpful?
I struggled with restsharp.portable due to the lack of documentation.
Instead I used the redirect URL as a way of getting the code generated after the user gives permission needed to request the access token.
I gave the browser the correct adddress for the login/permission screen and for the Redirect I set to a made up address (http://madeupaddress.com) and on the Navigating event of the browser checked if the url started with my made up address, if so, I cancel navigation, closed the browser and take the token from the URI.Query parameters found in the navigating event parameters (or named differently depending on control/platform). I thenapply for the access token using the code via Microsoft HTTP Client.
This was for Windows Phone 8.1.
Thanks go to Vittorio Bertocci
I ended up using Microsoft Httpclient for the access token.
I'm writing a web application (that is not to be published by Intuit on their App Center thing) to interact with QuickBooks Online (QBO) for syncing purposes, using VB.NET and ASP.NET. I'm having a hard time understanding how to do this exactly or where to start. What I understand this this:
User accesses your web application and the "Connect to QuickBooks" button (that Intuit requires for In-App authorization) is displayed.
Before the button is clicked you send a HTTP request to get OAuth request credentials using your consumer credentials.
Once the user clicks the button they get redirected to QuickBooks Online (QBO) where they can sign in and then authorize access to a certain company, giving you authorized request credentials.
QBO then redirects back to your site indicating you have authorized request credentials in which you send a HTTP request to get access credentials.
Once you have the access credentials you are basically free to interact with the QBO V3 API.
Using the access credentials you can then construct HTTP requests that send a particular HTTP method with XML/JSON in the body to perform a corresponding CRUD operation in QBO and QBO sends a response to indicate whether it was successful or not.
When your application is done interacting with QBO you simply make sure the access credentials are stored somewhere safe and let the user continue on with their life.
(Side Question: Is this correct or did I miss something or misunderstand something?)
My main question: Do you, as the app developer, even need to construct these HTTP requests or do you use their SDK or something completely different and I'm just not getting it?
I've tried to figure this out but it sounds like you're supposed to construct this all from scratch but then I look in their SDK and they have classes for all the different entity types but then their serializer doesn't serialize correctly and they talk about their DataService class and how you use that to send objects over and using some JavaScript files they host that I have only seen referenced but not explained by them, or anyone really, and information I do find seems to be outdated/deprecated and ya...
Maybe it's just that I'm new to web development and all this is way over my head right now, which very well could be.
(Off-topic-sorta: Is it me or is their site ridiculously broken? It just seems like a lot doesn't work correctly or things are just hard to navigate and find...)
Anyways, thanks for any help anyone can offer. If I need to give more details or ask a different question or something, just let me know. New to this and it's harder than I thought to ask things haha.
My main question: Do you, as the app developer, even need to construct
these HTTP requests or do you use their SDK or something completely
different and I'm just not getting it?
This is entirely up to you, the developer.
If you want to roll your own and construct your own HTTP requests, you certainly can. You almost certainly will still want to use a pre-packaged OAuth library, as OAuth is not trivial to implement.
However, you could also certainly use an existing code library/DevKit too, in which case the library/DevKit will construct the HTTP requests for you.
The DevKits should contain example code to show you how to actually do this stuff, so that might be your best place to start.
You are on right track.
First of all you need to register with IPP to get
ConsumerKey,ConsumerKey secret and Application ID.
https://developer.intuit.com/docs/0025_quickbooksapi/0010_getting_started/0020_connect/0010_from_within_your_app/implement_oauth_in_your_app
if user don't have access token then 'connect to quickbooks' button shows up otherwise you can make it hidden.
request code : https://github.com/IntuitDeveloperRelations/IPP_Sample_Code/blob/master/QuickbooksAPI/DotNet/WebForms%20application/QuickBooksApiDotNetWebFormsSampleApp/OauthGrant.aspx.cs
access code : https://github.com/IntuitDeveloperRelations/IPP_Sample_Code/blob/master/QuickbooksAPI/DotNet/WebForms%20application/QuickBooksApiDotNetWebFormsSampleApp/OauthHandler.aspx.cs
After getting accesstoken, accesskey secret and realmID (companyid) save that to your database.
make sure to encrypt.
so next time same user connect to quickbooks they don't need to go through all of the above steps.
OAuthRequestValidator oauthValidator = new OAuthRequestValidator(accessToken, accessTokenSecret, consumerKey, consumerSecret);
ServiceContext context = new ServiceContext (appToken, companyID, IntuitServicesType.QBO, oauthValidator);
https://developer.intuit.com/docs/0025_quickbooksapi/0055_devkits/0150_ipp_.net_devkit_3.0/0002_synchronous_calls/0001_data_service_apis
I am looking for a good example for the Facebook C# SDK authorization flow. I am upgrading to version 6 of the SDK and I am having trouble understanding the new flow. I am using the following components:
Asp.net MVC3 Web application
Facebook C# SDK v6
FB Javascript SDK
I am trying to pass the access_token from the FB Javascript SDK to the server for further use.
This flow is outlined in the new documentation at:
http://csharpsdk.org/docs/web/getting-started
I have a the following questions:
Why are they passing the access token in a post vs parsing it out of the cookie.
Don't we need to verify the signed request at the server side before trusting the access token?
First you to have to Follow the conventions that Facebook Javascript SDK is giving to work it with C# SDK.
Answers.
1. Javascript SDK need post back of the page after login in to Facebook. You thoughts are right about getting token from cookie but think what if cookie is disable on browser? Posting access token is the best choice in both cases.
2.Access token already encrypted by Facebook so you dont need to worry about them. If you want more security then you enable encrypted access token in you app settings.
See http://developers.facebook.com/blog/post/572/.
Another thing is that if somehow somebody pass the invalid access token(XSS attack) in post back then also you don't need to worry because access token is validated on Graph API servers, so there less possibilities to effect your Facebook account. You can also enable HTTPS of site to make it more secure.
That's all what I have.
Thanks
Happy Socializing.. ;)
Dharmendra.