Mailgun "Error":"exposed account credentials" - runtime-error

I am attempting to validate an email, but when I follow the Mailgun docs (https://documentation.mailgun.com/en/latest/user_manual.html#email-validation) and have code such as the following:

```python
import requests

EMAILPUBLICVALIDATIONKEY = 'my sexy key'  # the public validation key from the Mailgun control panel

def validateemail(emailaddress):
    return requests.get(
        "https://api.mailgun.net/v3/address/validate",
        auth=("api", EMAILPUBLICVALIDATIONKEY),
        params={'address': emailaddress}
    )
```

I get the response `{"Error":"exposed account credentials"}` (shown in the browser console wrapped in a one-element array).

I haven't actually gotten this error in MailGun before. But I'm assuming exposed account credentials means that your API key got exposed and they deactivated it in order to try to protect you.
Kinda unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. As of posting this, it doesn't look like MailGun is on that list, but there is also a slim chance that, since it's in beta, the list hasn't been updated. https://help.github.com/articles/about-token-scanning/

This is most likely due to exposing a Mailgun API key on Github. I had the API key in a file and commented it out but still got flagged. If you file a ticket on Mailgun, a reply will be sent with these instructions:
Due to the compromise, you will need to take a few steps to secure your Mailgun account:
- Remove the repository from GitHub or make the repository private. A new commit will not overwrite the previous commit history which contains the password.
- Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
- Enable 2 Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
- Reset your Mailgun API key. Under "Account Settings" -> "Security" click the refresh symbol to generate a new API key.
- Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.

I don't THINK Mailgun was on that list. But they could have been added.
It is official now (May 23rd, 2019): "Token scanning"
Token scanning is now generally available in all public repositories.
Additionally, token scanning now supports detection of new token types from Alibaba Cloud, Mailgun, and Twilio.
The full list is on "About token scanning".
See more at "Token scanning".

You need to go to your Mailgun account, where a banner will say that your account has been suspended; then you have to contact support to unlock it.
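As an added example (not code from the question or from Mailgun), here is the same validation call with the key read from the environment rather than the source file, plus explicit handling of the {"Error":"exposed account credentials"} reply so a revoked key fails loudly instead of being retried. It uses the standard library instead of requests; the MAILGUN_PUBLIC_VALIDATION_KEY variable name and the sample reply bodies are assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode
from typing import Optional

MAILGUN_VALIDATE_URL = "https://api.mailgun.net/v3/address/validate"
KEY_ENV_VAR = "MAILGUN_PUBLIC_VALIDATION_KEY"  # assumption: our own env var name


class MailgunCredentialsRevoked(RuntimeError):
    """Mailgun disabled the key because it was found exposed (e.g. in a public repo)."""


def load_validation_key() -> str:
    # Read the key from the environment instead of the source file, so a commit
    # can never carry it into git history in the first place.
    key = os.environ.get(KEY_ENV_VAR)
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def is_revoked_reply(body: str) -> bool:
    """True if the body is the {"Error":"exposed account credentials"} reply from the thread."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and "exposed account credentials" in str(data.get("Error", "")).lower()


def interpret_response(status: int, body: str) -> dict:
    """Turn a raw Mailgun reply into a dict; fail loudly when the key has been revoked."""
    if is_revoked_reply(body):
        raise MailgunCredentialsRevoked(
            "Mailgun revoked this key: rotate it in the control panel and purge it from git history"
        )
    if status != 200:
        raise RuntimeError(f"Mailgun returned HTTP {status}: {body[:200]}")
    return json.loads(body)


def validate_email(address: str, key: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Call the v3 address validation endpoint with HTTP basic auth ('api' : key)."""
    key = key or load_validation_key()
    url = MAILGUN_VALIDATE_URL + "?" + urllib.parse.urlencode({"address": address})
    req = urllib.request.Request(url)
    token = b64encode(f"api:{key}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        # Mailgun sends error details in the body of non-2xx replies as well.
        return interpret_response(exc.code, exc.read().decode())
```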

Related

Firebase reset password not sending link to email in Firebase Console [duplicate]

I am new to firebase and I am trying to handle firebase user authentication in React.js. I did manage to create users with email and passwords. But, now I would like to send the user an Email link to reset their password.
My code currently looks like this.

```jsx
// This line of code belongs to the top
import { auth } from '../firebaseConfig'
import { sendPasswordResetEmail } from 'firebase/auth'

// My own email address, given as the parameter for testing purposes
const emailId = 'me@example.com'

// This part goes under the React component
<p onClick={async () => {
    try {
        await sendPasswordResetEmail(auth, emailId)
        alert('Password reset link has been sent to your email')
    }
    catch (err) {
        alert(err)
    }
}}
>Forgot your Password ?</p>
```
However, I do not get any error messages and I do get the alert message that says "Password reset link has been sent to your email." Unfortunately, I didn't receive any email. Note that I have given my own email id as the parameter for testing purposes.
firebaser here
Did you check your spam folder? We have recently seen a lot of the emails from Firebase Authentication ending up in the user's spam folder or being marked as spam in a system along the way. This is being tracked in this status message on the Firebase dashboard and in public issue #253291461.
To reduce the chances of the messages getting marked as spam, consider taking more control of the email delivery yourself.
As a first step, consider using a custom domain with your project. Email that comes from a custom domain has less chance of being marked as spam.
As a second step, consider setting up your own SMTP server for delivering the email, so that the emails are not being delivered from Firebase's shared infrastructure anymore.
While these steps are more involved, they typically will drastically reduce the cases where the messages from Firebase Authentication are marked as spam.
Full Guide Based on Frank's Answer
Firstly create a new email account you can use to relay the Firebase emails through the SMTP server with. I personally chose Gmail, but I tested with Outlook and it also works.
You can now find an SMTP server host that will work for your scenario. If you're sending less than 1000 emails per month you can find free and reliable hosts. I chose SMTP2GO's free option.
Now you've found the SMTP host, add the email address you've chosen as a single sender email (note that if you do own a domain, you can alternatively use that to send emails).
Note that you will have to verify the email, usually by your host sending a link to the email's inbox. Make sure to check spam.
Once verified, navigate to where your host allows you to add SMTP users and add a new user. This will allocate an SMTP username and password.
Navigate to the Firebase console, and choose the Authentication option from the sidebar (within the Build product category).
Go to Templates → SMTP Settings and enter the details of your SMTP server. The username and password fields are to be filled with the SMTP user login you created in the step above.
It is better to use TLS; I believe SSL should work too, but it is untested.
Click save, and you're all set up - but there may still be steps to perform depending on your email provider.
Provider Specific Steps
If the emails are being sent to an account managed by Google you will have no issues with your emails being quarantined by anti-spam policies and it will work immediately.
If you are using Outlook, you will have a different problem on your hands. Outlook's built in defender will most likely have auto-quarantined your email under multiple policies - that bit is important.
These policies are likely to be both spam and phish policies. If you unblock one of them, the other will catch it and re-quarantine.
Unblock both policies for the email address, and test. You can see the status of quarantined messages in Microsoft 365 Defender app under Review → Quarantine. Please note that you will need to be an administrator to add global allow policies to your email accounts.
If this still doesn't work, it is likely that your company has an additional external filter (as mine did), and you will have to add the IPs manually to the Tenant Allow/Block Lists spoofed senders tab.

Office 365 Advanced Threat Protection is flagging my Firebase Authentication emails

I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection"
There is no reason for this other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.
This warning does not show up in regular hotmail/outlook accounts, but I am an Office 365 subscriber so it appears as though I am lucky enough to get this "advanced" protection which protects me from my own completely non-malicious website.
Should I contact Microsoft or Firebase for a solution?
Thanks a lot!
Update: I contacted Firebase support and received the following:
My name is XXXX from Firebase Support, thank you for reaching out to us, problems on Microsoft services such as this “Advanced Threat Protection” is not in my area or expertise, I would suggest to open a ticket with Microsoft for this issue, I see that there is already a topic on Stack Overflow, please be sure to check other Firebase community channels as well.
I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems. Which is a lot of corporate and government systems...
Any suggestions on how to get some attention paid to this from either Google or Microsoft?
Cause
This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the same domain you may be sending emails from (verification@yourdomain.com).
Solution
Make this “action link” go directly to your website. This will solve the outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have 2 options for how to handle the actual validation.
Both solutions below require your domain to be authorized.
This can be done under Authentication -> Sign-In Providers -> Authorized Domains
Option 1 - Use Custom Email Action Handlers (Hard option)
You can setup a custom email action handler so that these actions take place directly on your website, rather than on the firebase hosted page. This is a more integrated experience.
This can handle:
- Resetting passwords
- Revoking email address changes (when users change their accounts' primary email addresses, Firebase sends an email to their old addresses that allows them to undo the change)
- Verifying email addresses
1. Create your custom email handler page
custom email action handler page - firebase docs
2. Update Email Template In Firebase
This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL
Option 2 - Just Redirect (Easy option)
Link the email back to a page on your website that will immediately perform a JavaScript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform the necessary verifications and changes.
For example:
Action URL for the email template: https://www.yourdomain.com/account-action (Firebase will attach the appropriate params to the URL automatically)
The JavaScript redirect on your website goes to "https://project-name.firebaseapp.com/__/auth/action?" + params
I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.
If you're using Firebase hosting, and you're serving from their built-in your-project.web.app address, then you can simply use the other built-in, your-project.firebaseapp.com, as your site address instead -- no configuration needed.
The .web.app address is a bit sexier, but the various action emails are actually sent from the .firebaseapp.com, and Outlook is suspicious of the mismatch. Having users originate from the .firebaseapp.com address solves the issue.
I opened a GitHub issue about this: https://github.com/firebase/firebase-js-sdk/issues/5021

How to change the sms verification template in firebase phone auth

In the Firebase console, in the menu Authentication -> Templates
There is a sms verification template :
%LOGIN_CODE% is your verification code.
How to change this message template?
firebaser here
Neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service.
Update 1 year later, still a no go, but I received this back from support:

The Firebase SMS Authentication message content will depend on the platform you are requesting that message from. Here is a list of the possible variations you may get:

- iOS and Android - The SMS messages draw the app's name from the App Store / Play Store. Once an app is published, the correct name should start appearing. There may be a small delay (a week or two at most).
- Web - It will always use the domain that the SMS is requested from. To modify it, you can set up a custom domain.
- iOS (using reCAPTCHA) - Phone authentication on iOS will show the project's URL instead of the app's name in the verification SMS when using the reCAPTCHA flow. This is expected behavior. The reCAPTCHA flow was added for cases where an APNS token is not available (including on real devices). If APNS is not correctly configured, a real device will default to the reCAPTCHA flow.

Unfortunately, neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase Console, however this is a per project setting and you can't modify the templates.

We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service. I hope this clears your consults about this topic. If you happen to have any more questions, please, do not hesitate to write back!
While you cannot change the content of the message, you can change the app's URL mentioned in the SMS.
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
Send a new test message, you're good to go.
As per Firebase Support the %APP_NAME% should be shown in your firebase settings wherein the %APP_NAME% is called after Public-facing name in public settings.
EDIT:
I first checked where "localhost" is located and found it under "Authentication > Sign-in method", under 'Authorized domains'. In order to change the localhost you need to add a new domain.
Note:
Be careful when deleting localhost from your authorized domains. It will take time for OTP requests to function.
This one helps:
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.

Authenticate Google Calendar on API.AI with Google Actions

I am writing an API.AI app with Google Actions (will run on Google Assistant and Google Home). The app should be able to read/add events to the user's Google Calendar account.
The backend is Google Cloud Functions, and I enabled the Calendar API in the developers console.
The flow the user should experience is something like this:
User: "Hey Google, when was my last meeting with Anna?"
Agent: "Your last meeting with Anna was two days ago"
User: "Set a meeting with Anna for tomorrow"
Agent: "Ok. Meeting is set"
How should I build the authentication process to grant the app access to the calendar?
Update, 8 Nov 2017
As of about 4 October 2017, Google updated their policy to explicitly forbid this. Around the same time, they also took technical measures to prevent this.
The portion about enabling the Calendar API is still correct, although insufficient to do what the original question asked.
Original Answer
Broadly speaking, the auth tasks you need to do are in four parts:
Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
Configure the Action for account linking in the action console.
Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.
Configure Cloud Project
You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.
Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you're working with selected. Then make sure you have the APIs you need enabled. (In this case, the Calendar API)
Select the "Credentials" menu on the left. You should see something like this:
Select "Create credentials" and then "OAuth client ID"
Select that this is for a "Web application" (it is... kinda...)
Enter a name. In the screen shot below, I used "Action client" so I remember that this is actually for Actions on Google.
In the "Authorized Redirect URIs" section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the "your-project-id" part with... your project ID in the Cloud Console. At this point, the screen should look something like this:
Click the "Create" button and you'll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later.
Click on "Ok" and you'll be taken back to the "Credentials" screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).
Configure the Action Console
Once we have OAuth setup for the project, we need to tell Actions that this is what we'll be using to authenticate and authorize the user.
Go to https://console.actions.google.com/ and select the project you'll be working with.
In the Overview, make your way through any configuration necessary until you can get to Step 4, "Account Linking". This may require you to set names and icons - you can go back later if needed to correct these.
Select the Grant Type of "Authorization Code" and click Next.
In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)
For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth
For the Token URL, enter https://www.googleapis.com/oauth2/v4/token
Click Next
You now configure your client for the scopes that you're requesting. Unlike most other places you enter scopes - you need to have one per line. (In this case, you'd also add the correct scope you need to access the user's calendar.) Then click Next.
You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you're testing and then hit the Save button.
Configure API.AI
Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.
Go to https://console.api.ai/ and select the project you're working with.
Select "Integrations" and then "Actions on Google". Turn it on if you haven't already.
Click the "Sign in required for welcome intent" checkbox.
Handle things in your webhook
After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:
If you're using the JavaScript library, calling app.getUser().authToken
If you're looking at the JSON body, it is in originalRequest.data.user.accessToken
You'll use this Access Token to make calls against Google's API endpoints using methods defined elsewhere.
You don't need a Refresh Token - the Assistant should hand you a valid Access Token unless the user has revoked access.
If you're using Google Sign-in as your login provider, you can request access to the calendar scope as part of your OAuth flow.
The public policy states:
"Don't request any OAuth scope from Google unless the user is signing in to your service using Google Sign-In."

How to update new API key on current firebase project

For some reason, the API key associated with my Firebase project's database changed. I can still create another API key and update it in the application.
But when a user tries to reset their password, the link uses the old key and leads to "Your request to reset your password has expired or the link has already been used" (I think I read about this problem somewhere and now I found the reason).
Is there any way to update the new API key for an existing Firebase project?
Thank you
Somehow, my original apiKey was recovered. You can find the original key (which was deleted from console.google.com) associated with the application on the main Firebase page, through
Overview > Project settings > GENERAL
Basically, when users requested to recover the password, firebase will send an email with recovery link. If you have a look at the link, you will see the API included in the link is the one that no longer exists.
I recommend contacting Firebase support. I don't have an official way to solve the issue, but here is a quick one I can think of:
1. Create a new API key at console.google.com > choose your Firebase project
2. Create a page with a function that can read URL parameters. Make it receive the Firebase recovery password URL and replace the dead API key with the new one, then redirect you to the new Firebase recovery password URL
3. Edit the email template by adding the page you created in step 2, with the full Firebase recovery URL as a parameter
To be more accurate, here is an example.
I have my project called "MyFirebaseProj", my domain is "example.com"
I go to console.google.com, choose "MyFirebaseProj", on API Manager panel, choose Credentials > Credentials. Click on Create credentials > API Key. So I got a new API key call "MyNewLongAPI".
I created a recover-password.html page with this JavaScript function https://codepen.io/hieunc229/pen/mWwVbv (this one will read the Firebase URL, get the oobCode and generate a new URL). Edit the JavaScript so it will redirect the user to the new URL. Upload this one to my host (mydomain.org/recover-password.html)
On Firebase console, Authentication > Email Template > Reset Password. Change the link to something like
<a href='http://example.com/recover-password.html?url=%LINK%'>%LINK%</a>
Then save it
Now when users go to your recover-password page, they will be redirected to the Firebase URL with the new API key and it should work.
Hope it helps!
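Added example, not from the thread or from Firebase: one self-contained JavaScript module covering both the Option 2 redirect page from the Office 365 answer above (forward the e-mail's query string to project-name.firebaseapp.com/__/auth/action) and the recover-password.html rewrite described here (swap the dead apiKey for the new one), while refusing to redirect anywhere but the project's own handler so the ?url= parameter does not become an open redirect. The host name, the whitelist of modes (the three actions the earlier answer lists) and the key values are constructed placeholders.

```javascript
// Added example (not from the thread). Rebuilds Firebase auth action links on
// your own domain. Host name and key values are constructed placeholders.
const PROJECT_HOST = "project-name.firebaseapp.com"; // assumption: your project's hosting domain
const ACTION_PATH = "/__/auth/action";
// Only the parameters Firebase itself puts on the link are forwarded.
const ALLOWED_PARAMS = ["mode", "oobCode", "apiKey", "continueUrl", "lang"];
// The three actions the email templates cover; anything else is rejected.
const ALLOWED_MODES = new Set(["resetPassword", "recoverEmail", "verifyEmail"]);

// Option 2: turn the query string that landed on https://www.yourdomain.com/account-action
// into the URL of the Firebase-hosted handler, dropping anything unexpected.
function buildActionRedirect(search, projectHost = PROJECT_HOST) {
  const incoming = new URLSearchParams(search);
  const mode = incoming.get("mode");
  const oobCode = incoming.get("oobCode");
  // A link without a known mode and an out-of-band code cannot be a Firebase action link.
  if (!ALLOWED_MODES.has(mode) || !oobCode) return null;
  const target = new URL(ACTION_PATH, `https://${projectHost}`);
  for (const name of ALLOWED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null) target.searchParams.set(name, value);
  }
  return target.toString();
}

// recover-password.html?url=%LINK%: accept the full recovery link, replace the
// apiKey with the new one, and refuse to redirect anywhere but the project's own
// handler (an unchecked ?url= parameter would otherwise be an open redirect).
function rewriteRecoveryLink(rawLink, newApiKey, projectHost = PROJECT_HOST) {
  let link;
  try {
    link = new URL(rawLink);
  } catch (_) {
    return null; // not a URL at all
  }
  if (link.protocol !== "https:" || link.host !== projectHost || link.pathname !== ACTION_PATH) {
    return null; // points somewhere other than this project's handler
  }
  // Rebuild through buildActionRedirect so the same parameter whitelist applies here too.
  const rebuilt = buildActionRedirect(link.search, projectHost);
  if (rebuilt === null) return null;
  const out = new URL(rebuilt);
  out.searchParams.set("apiKey", newApiKey); // replaces the dead key in place
  return out.toString();
}

// In the browser page itself (NEW_API_KEY is the key created in step 1):
// const next = rewriteRecoveryLink(new URLSearchParams(location.search).get("url"), NEW_API_KEY);
// if (next) location.replace(next); else document.body.textContent = "Invalid link";
```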
If anyone runs into the same issue: I got in touch with the Firebase team and they are investigating it. Currently there hasn't been a way to fix it.
