OAuth.io with GitHub Enterprise

It seems like OAuth.io providers (all here: https://github.com/oauth-io/oauthd/tree/master/providers) are static files; and the thing with GitHub Enterprise is, the domain name is not github.com, but something different for each customer. Is there a way to make OAuth.io work with a provider whose domain name is always different, such as for the GitHub Enterprise use case?

Take a look at the Shopify provider implementation, which has the same problem:
https://github.com/oauth-io/oauthd/blob/master/providers/shopify/conf.json
We added a parameter shop
"parameters": {
    "shop": "string",
    ...
}
This parameter is configurable in OAuth.io when setting API keys:
and this parameter can be reused in URLs:
`"url": "https://{shop}.myshopify.com",`
Feel free to make a pull request if you have the time to add GitHub Enterprise to the list of OAuth providers!

Related

Update WordPress Theme / Plugin from Private GitHub Repo

Background
I am working on a custom theme for my WordPress site which I would like to manage from a private GitHub repo. (This theme will never be pushed into the WordPress market place) The general idea would be that I use the repo to manage the code and then once I tag a new version, the tag would trigger an update for the WordPress theme.
I have this pattern working using the following as a template:
https://github.com/krafit/wp-gitlab-updater
(Yes, I know the repo is for Gitlab and not GitHub)
Since my repo is private, I will need to generate a user token to allow the theme to be updated. And because the user token is capable of accessing all my private repos, the idea of sharing the user token with another plugin is discomforting from a security standpoint. (Meaning, I'm uncomfortable using a plugin like: https://github.com/afragen/git-updater)
Question
The problem is that GitHub has deprecated the use of access_token as a query string parameter, so all tokens must be sent over as an Authorization header.
How do I add an authorization header to the request WordPress sends to download the artifact?
What I've Tried
When I check for new tags I use the code:
protected function fetch_tags_from_repo( $git_url, $repo, $access_token ) {
    // Send the token only in the Authorization header: access_token as a
    // query string parameter is deprecated, and URLs tend to end up in logs.
    $request_url = "$git_url/repos/$repo/tags";
    $args = [
        "headers" => [
            "Accept" => "application/vnd.github.v3+json",
            "Authorization" => "token " . $access_token
        ]
    ];
    $request = wp_safe_remote_get( $request_url, $args );
    return $request;
}
This works without any issues. However...
During the pre_set_site_transient_update_themes hook I return an object that looks like:
$transient->response[ $theme['name'] ]['theme'] = $theme['name'];
$transient->response[ $theme['name'] ]['new_version'] = $latest_version;
$transient->response[ $theme['name'] ]['package'] = $theme_package;
The problem is, I have no way of adding an Authorization header to the transient response object. Therefore, when WP later tries to download the artifact, it fails.
Note: The $theme_package string is a URL which looks like:
$theme_package = "$git_url/repos/$repo/zipball/refs/tags/$latest_version";
Any support appreciated, thank you!
Honestly, this problem has been exhausting and enough is enough...
Answer
Eject from GitHub and use Gitlab because they still support access_token as a header. They have unlimited free private repos <5gb storage.
If you are planning to distribute the private repo with a license I recommend you not to expose your access credentials in the script.
Instead you should use the GitHub PHP API together with an SSH key that you set up in your repo settings or a GitHub App with access permission granted on your repo.
Here is a solid SDK to start from:
https://github.com/KnpLabs/php-github-api
Alternatively as you suggested it in your answer, a third party service could be used to manage the credentials on your behalf.
Gitlab is a nice generic and low cost option, but if you are looking for something dedicated to WordPress development I recommend WP Package Editor (WP2E).
Among other things the service uses a registered GitHub App to pull the latest version from public / private GitHub repositories:
https://github.com/marketplace/wp-package-editor
This is quoted from the documentation regarding how it is implemented with GitHub:
For a script to be successfully imported to the library of repositories and later be synchronized as an installer dependency there are 4 conditions:
The GitHub App must be connected to a WP2E account
The “read-only” access to the repository must be granted to the WP2E GitHub App
The script must be a valid WP theme or plugin
The repository must have at least one “release” on GitHub
Note: In order to synchronize with the GitHub account/repo the GitHub App should be integrated via the saas panel (not directly via the GitHub Marketplace)

Presto custom PasswordAuthenticator plugin for coordinator authentication is not triggered

I created a presto custom password authenticator plugin (internal) by making a copy of the LDAP plugin and modifying it. You can see that code here: https://github.com/prestodb/presto/tree/master/presto-password-authenticators/src/main/java/com/facebook/presto/password.
I created copies of the Authenticator, AuthenticatorFactory, and the config, and modified them to basically just take a user/password from the config and to only allow that user in. I also put the new class in the PasswordAuthenticatorPlugin registration code.
I can see the plugin loading when presto is started, but it doesn't appear to do anything despite no errors being present. What am I missing?
Note: I had already found a solution to this, I'm just recording it on SO as I originally came here and found no help.
To make a custom password plugin work, you actually need HTTPS enabled for communication with the coordinator. You can actually see this recommendation at the bottom of their documentation:
https://prestodb.github.io/docs/current/develop/password-authenticator.html
Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled.
So, the steps to make it work are:
Make sure your main config.properties has "http-server.authentication.type=PASSWORD".
Make sure you add a password-authenticator.properties next to config.properties with content like the sample in the link above. But make sure you use your string from your authenticator as the name, and that you add your configuration properties instead (user name and password).
Set up a JKS store or a real certificate (some instructions here from Presto for JKS: https://prestodb.github.io/docs/current/security/tls.html).
Add SSL config to your config.properties.
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/presto-keystore/keystore.jks
http-server.https.keystore.key=password123
Set up your JDBC driver to use the same key store.
I wrote up a blog on it with a bit more detail as well if any of that doesn't make sense. But after doing all this, you should find that it does require a password and it does enforce your plugin.
https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/
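A preflight check for the settings listed in the steps above, as an added example that is not part of the original answer or of Presto: it reads the two properties files and reports every setting that is missing, since the failure described in the question is silent. The function names and the authenticator name `my-authenticator` are assumptions made for illustration.

```shell
#!/bin/sh
# prop KEY FILE: print the value of KEY in a .properties file (last one wins).
prop() {
    awk -v k="$1" '
        /^[ \t]*[#!]/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1)
          val = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) found = val }
        END { print found }' "$2"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# check_presto_password_auth CONFIG_PROPERTIES PASSWORD_AUTHENTICATOR_PROPERTIES
# Prints one line per problem and returns the number of problems (0 = ready).
check_presto_password_auth() {
    problems=0
    [ "$(prop http-server.authentication.type "$1")" = PASSWORD ] ||
        fail "http-server.authentication.type must be PASSWORD"
    [ "$(prop http-server.https.enabled "$1")" = true ] ||
        fail "http-server.https.enabled must be true for the authenticator to run"
    [ -n "$(prop http-server.https.port "$1")" ] ||
        fail "http-server.https.port is not set"
    [ -n "$(prop http-server.https.keystore.path "$1")" ] ||
        fail "http-server.https.keystore.path is not set"
    [ -f "$2" ] && [ -n "$(prop password-authenticator.name "$2")" ] ||
        fail "password-authenticator.name is not set in $2"
    return "$problems"
}

# Constructed sample: password authentication requested, HTTPS settings left out.
demo() {
    d=$(mktemp -d)
    echo 'http-server.authentication.type=PASSWORD' > "$d/config.properties"
    echo 'password-authenticator.name=my-authenticator' \
        > "$d/password-authenticator.properties"
    rc=0
    check_presto_password_auth "$d/config.properties" \
        "$d/password-authenticator.properties" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true    # reports the three missing HTTPS settings
```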

Unable to get companies for LinkedIn API version V2

I use the Zoonman LinkedIn API PHP SDK to get information about companies an authenticated user is an admin of, using this bit of code:
$profileCompany = $client->get(
    'companies',
    ['is-company-admin' => "true"]
);
This worked perfectly with API version V1. However, with V2, it gives a 400 not found error. I came across this: Organization Lookup API but not exactly sure if this is the right endpoint, as there is no API call to exactly do what the above code snippet does.
Could someone please help with the right endpoint?
If you have the access token from the user this is possible in v2 of the LinkedIn API. See:
https://developer.linkedin.com/docs/guide/v2/organizations/organization-lookup-api#acls
The full URL for the basic request would be:
https://api.linkedin.com/v2/organizationalEntityAcls?q=roleAssignee&role=ADMINISTRATOR&state=APPROVED&projection=(*,elements*(*,organizationalTarget~(*)))
With paging:
https://api.linkedin.com/v2/organizationalEntityAcls?q=roleAssignee&role=ADMINISTRATOR&state=APPROVED&projection=(*,elements*(*,organizationalTarget~(*)))&start=[...]&count=[...]
And you probably want the organization logo urls as well:
https://api.linkedin.com/v2/organizationalEntityAcls?q=roleAssignee&role=ADMINISTRATOR&state=APPROVED&projection=(*,elements*(*,organizationalTarget~(*,logoV2(original~:playableStreams,cropped~:playableStreams,cropInfo))))&start=[...]&count=[...]
For linkedin-api-php-client see also:
https://github.com/zoonman/linkedin-api-php-client/issues/31
From the docs:
Please note the following changes when migrating your app from v1 of the LinkedIn API Platform:
Company Pages and Showcase Pages are now surfaced as Organization and Brand resources, respectively. Both resources are considered "Organizational Entities," and share common fields and similarities in how data is accessed.
URNs uniquely identify organizational entities, and can be generated with existing company or showcase ids:
Organization: urn:li:organization:{company id}
The above code calls the REST API "List all companies that the member is an administrator of". It does not seem to have a direct equivalent API available in v2.
The Organisation lookup/search APIs seem to be the nearest alternative.
Hope this helps.

here api request error --- Invalid credentials

I have a 90-day trial and I am registered at (Evaluation 2018-06-29).
But when I request with my correct copied app id and app code I get the below error.
{
    "response": {
        "_type": "ns2:RoutingServiceErrorType",
        "type": "PermissionError",
        "subtype": "InvalidCredentials",
        "details": "This is not a valid app_id and app_code pair. Please verify that the values are not swapped between the app_id and app_code and the values provisioned by HERE (either by your customer representative or via http://developer.here.com/myapps) were copied correctly into the request.",
        "metaInfo": {
            "timestamp": "2018-08-15T18:52:35Z",
            "mapVersion": "8.30.86.153",
            "moduleVersion": "7.2.201832-36299",
            "interfaceVersion": "2.6.34"
        }
    }
}
Can anyone help, especially someone from here api developer support team?
Go into your account projects and add a new project explicitly for the Freemium plan. Then you should be able to generate a new JavaScript/REST App ID and App Code. If you are using one of the mobile SDKs you would generate a new id / code there as well.
(1) Copy and Paste
I'm not certain this is what may be happening for you, but one of my codes had a leading underscore and it was very easy to copy and paste it incorrectly into my source code.
(2) Domain Protection
Also make sure that if you checked "Secure app credentials against a specific domain" that you are calling the routing service from the same domain.
(3) Shell Interpolation
Without more detail about how you are making the calls to the routing service (curl, postman, javascript, ios, android, etc.) it may also indicate where to offer advice.
For example, if you are using curl make sure your parameters have surrounding quotes as & will be interpreted by a shell such that ?app_id=your-app-id&app_code=your-app-code is not interpreted properly. That could generate the response you saw as the shell took your app_code parameter away before curl could make the request only passing the app_id.
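The shell behaviour described in point (3), as an added example that is not part of the original answer: the same command line is handed to a child shell unquoted and quoted, with `printf` standing in for curl so it runs offline. The host name and the `DEMO_ID` / `DEMO_CODE` values are constructed placeholders, not real HERE values.

```shell
#!/bin/sh
# Constructed placeholders: not a real HERE endpoint or real credentials.
URL='https://route.example.invalid/calculateroute.json?app_id=DEMO_ID&app_code=DEMO_CODE'

# Each function hands a command line to a child shell exactly as it would be
# typed. printf stands in for curl and echoes the URL argument it received.

# Unquoted: the shell ends the command at & and runs it in the background,
# then executes app_code=DEMO_CODE as a variable assignment of its own.
typed_unquoted() {
    sh -c "printf 'client got: %s\n' $URL
           wait
           printf 'shell kept: app_code=%s\n' \"\$app_code\""
}

# Single-quoted: the whole URL reaches the client as one argument.
typed_quoted() {
    sh -c "printf 'client got: %s\n' '$URL'"
}

typed_unquoted
typed_quoted
```

In the unquoted run the client never sees `app_code`, which matches the InvalidCredentials response: the service receives an `app_id` with no matching code.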

Use Firebase SSL Hosting for two different web applications

It appears that I can only have one Top Level Domain (TLD) associated with one firebaseapp SSL hosting. Is that true?
For example, I'd like https://x.example.com to go to my https://x.firebaseapp.com and https://y.example.com to go to my https://y.firebaseapp.com
When I try I see: (see image below) (I'm using https://city.tidalforce.org/ for a different firebase app at https://cityregister.firebaseapp.com/ but I'd like to use the same domain for another app with another full name such as https://y.tidalforce.org)
Is this possible?
In short no, although you may be able to host different apps in different subfolders like https://example.com/x, https://example.com/y and if they have javascript router for example, if you are using Angular for front-end and using Angular-router or something you will need to provide appropriate rewrite rules like:
"rewrites": [ {
    "source" : "/x/**",
    "destination" : "/x/index.html"
},
{
    "source" : "/grid/**",
    "destination" : "/grid/index.html"
} ]
to rewrite url requests from that folder to route correctly.
Hope it helps :)
