What PayPal API credentials should I use to go live? - meteor

I am using PayPal Express Checkout in my project, and I am using my Sandbox testing account to test PayPal in the development environment.
I am using the Business account I got from the PayPal website. Now I want to go live.
What should I do before I go live?
Some said that I should ONLY remove "sandbox" from my PayPal links, but that didn't seem to work for me.
Others said that I have to create an app, but then they will give me a client ID and secret.
Where should I place them?
The sandbox testing account gives me three API credentials: USER, PWD, and SIGNATURE.
Where can I get my live credentials for USER, PWD, and SIGNATURE?

Log in to this URL with your live PayPal account: https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-api-run
It will drop you directly into the page that displays your username, password, and signature (with little "show" links for each one).
The long way to get there is to log in to www.paypal.com, click into your profile, and look for "API Access".

Related

Why is it possible to send a password reset email to an external provider with the Firebase Auth API?

I am currently developing an Angular + Ionic app. Everything is working OK, but I have a question about the forgot-password workflow: sendPasswordResetEmail -> user clicks link -> user fills form -> user submits form -> password and oobCode sent with the Firebase Auth API, which I am accessing through the AngularFire package.
As I said, everything is working as intended. The only "issue" I see is that Firebase not only sends password reset emails to users that created their account with an email/password, but also to users that are using an external provider like Google (sign in with Google). I haven't tested login with Facebook at this point, but it is happening with the Google provider. I just want to make sure whether this is the intended workflow or something may be wrong... a bug or something? Before I post an issue on GitHub, because even though the user can "change their password" when using an external provider, it has no effect on their external account (Gmail account), which of course it should have no effect on.
Sending a password reset email from Firebase allows the user to reset the password on their Firebase Authentication account. It has nothing to do with the password they may have with any social provider associated with that account.

Is there any way to send a one-time code in Firebase to the user's email?

I have read the Functions docs and the authentication codes on the Firebase website, but I have no clue whether it will be secure or not. I've read the whole of this doc: https://firebase.google.com/docs/auth/custom-email-handler
They seem to do all the verification on the website, but I can't find the verifyPasswordResetCode(actionCode) function in the Node.js doc, so what way would you go around this?
Basically, if the user forgets their password/needs to verify their email, I want the user to go to my website (I've already configured the custom action URL that is sent when the user requests to reset their email to go to 'mywebsite.com/auth/action/.../'). I know that my front end (iOS app) needs to verify the code and then in my Functions (hosted on my website) I need to reset their password, but how would I securely transfer information from the email to my app, then to my website with the function to reset their password with the action code? Or can I do it all on my website instead, where they input their new password on the website? I'm guessing using dynamic links?
Thanks,
Nathan

mailgun Error: "exposed account credentials"

I am attempting to validate an email, but when I follow the Mailgun docs and have code such as the following
https://documentation.mailgun.com/en/latest/user_manual.html#email-validation

    import requests

    # Public email validation key from the Mailgun control panel (placeholder value)
    EMAILPUBLICVALIDATIONKEY = 'my sexy key'

    def validateemail(emailaddress):
        # Mailgun's address validation endpoint uses HTTP basic auth with user "api"
        return requests.get(
            "https://api.mailgun.net/v3/address/validate",
            auth=("api", EMAILPUBLICVALIDATIONKEY),
            params={'address': emailaddress}
        )

I get the response
{"Error":"exposed account credentials"}
I haven't actually gotten this error in Mailgun before. But I'm assuming "exposed account credentials" means that your API key got exposed and they deactivated it in order to try to protect you.
Kind of unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. It doesn't look like Mailgun is on that list as of posting this, but there is also a slim chance, since it's in beta, that the list hasn't been updated. https://help.github.com/articles/about-token-scanning/
This is most likely due to exposing a Mailgun API key on GitHub. I had the API key in a file and commented it out but still got flagged. If you file a ticket with Mailgun, a reply will be sent with these instructions:
Due to the compromise, you will need to take a few steps to secure your Mailgun account:
- Remove the repository from GitHub or make the repository private. A new commit will not overwrite the previous commit history, which contains the password.
- Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
- Enable 2-Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
- Reset your Mailgun API key. Under "Account Settings" -> "Security", click the refresh symbol to generate a new API key.
- Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.
I don't THINK Mailgun was on that list. But they could have been added.
It is official now (May 23rd, 2019): "Token scanning"
Token scanning is now generally available in all public repositories.
Additionally, token scanning now supports detection of new token types from Alibaba Cloud, Mailgun, and Twilio.
The full list is on "About token scanning".
See more at "Token scanning".
You need to go to your Mailgun account; a banner will say that your account has been suspended, then you have to contact support to unlock it.

Office 365 Advanced Threat Protection is flagging my Firebase Authentication emails

I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection".
There is no reason for this, other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.
This warning does not show up in regular Hotmail/Outlook accounts, but I am an Office 365 subscriber, so it appears as though I am lucky enough to get this "advanced" protection, which protects me from my own completely non-malicious website.
Should I contact Microsoft or Firebase for a solution?
Thanks a lot!
Update: I contacted Firebase support and received the following:
My name is XXXX from Firebase Support, thank you for reaching out to us, problems on Microsoft services such as this “Advanced Threat Protection” is not in my area or expertise, I would suggest to open a ticket with Microsoft for this issue, I see that there is already a topic on Stack Overflow, please be sure to check other Firebase community channels as well.
I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems, which is a lot of corporate and government systems...
Any suggestions on how to get some attention paid to this from either Google or Microsoft?
Cause
This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the same domain you may be sending emails from (verification@yourdomain.com).
Solution
Make this "action link" go directly to your website. This will solve the Outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have 2 options for how to handle the actual validation.
Both solutions below require your domain to be authorized.
This can be done under Authentication -> Sign-In Providers -> Authorized Domains.
Option 1 - Use Custom Email Action Handlers (Hard option)
You can set up a custom email action handler so that these actions take place directly on your website, rather than on the Firebase-hosted page. This is a more integrated experience.
This can handle:
- Resetting passwords
- Revoking email address changes: when users change their accounts' primary email addresses, Firebase sends an email to their old addresses that allows them to undo the change
- Verifying email addresses
1. Create your custom email handler page
custom email action handler page - Firebase docs
2. Update the email template in Firebase
This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL
Option 2 - Just Redirect (Easy option)
Link the email back to a page on your website that will immediately perform a JavaScript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform the necessary verifications and changes.
For example:
Action URL for the email template: https://www.yourdomain.com/account-action (Firebase will attach the appropriate params to the URL automatically)
JavaScript redirect on your website goes to "https://project-name.firebaseapp.com/__/auth/action?" + params
I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.
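An added example of the Option 2 relay page (not code from the answer above): it rebuilds the hosted handler URL from the incoming query string, forwarding only the parameters Firebase itself attaches, so the relay cannot be turned into an open redirect. The project id "project-name" and the site host "www.yourdomain.com" are placeholders taken from the answer's example URLs.

```javascript
// Relay page logic for https://www.yourdomain.com/account-action (placeholder host).
// Assumed project id "project-name"; replace with your own Firebase project id.
const FIREBASE_ACTION_HANDLER = "https://project-name.firebaseapp.com/__/auth/action";
const OWN_HOST = "www.yourdomain.com";

// Parameters Firebase appends to email action links; anything else is dropped.
const ALLOWED_PARAMS = ["mode", "oobCode", "apiKey", "continueUrl", "lang", "tenantId"];
// Action modes the hosted handler understands.
const ALLOWED_MODES = new Set([
  "resetPassword", "recoverEmail", "verifyEmail", "verifyAndChangeEmail", "signIn",
]);

// Returns true only when continueUrl points back at our own HTTPS site.
function isSafeContinueUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" && u.host === OWN_HOST;
  } catch (e) {
    return false; // not an absolute URL
  }
}

// Builds the hosted-handler URL, or returns null if the request is not a
// well-formed Firebase action link (caller should show an error page instead).
function buildActionRedirect(search, handlerBase = FIREBASE_ACTION_HANDLER) {
  const incoming = new URLSearchParams(search);
  const mode = incoming.get("mode");
  const oobCode = incoming.get("oobCode");
  if (!mode || !oobCode || !ALLOWED_MODES.has(mode)) return null;

  const target = new URL(handlerBase);
  for (const name of ALLOWED_PARAMS) {
    const value = incoming.get(name);
    if (value === null) continue;
    if (name === "continueUrl" && !isSafeContinueUrl(value)) continue;
    target.searchParams.set(name, value); // re-encodes each value
  }
  return target.toString();
}

// Browser entry point: redirect as soon as the relay page loads.
if (typeof window !== "undefined" && window.location) {
  const dest = buildActionRedirect(window.location.search);
  if (dest) window.location.replace(dest);
}
```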
If you're using Firebase Hosting, and you're serving from their built-in your-project.web.app address, then you can simply use the other built-in address, your-project.firebaseapp.com, as your site address instead; no configuration needed.
The .web.app address is a bit sexier, but the various action emails are actually sent from the .firebaseapp.com address, and Outlook is suspicious of the mismatch. Having users originate from the .firebaseapp.com address solves the issue.
I opened a GitHub issue about this: https://github.com/firebase/firebase-js-sdk/issues/5021

Google Identity Toolkit without "Email First" option

I am planning to use Google Identity Toolkit and will integrate only with the Google provider (no other providers, and no chance of that in the future either).
Every example I have seen shows the "Email First" flow. After providing an email, based on its domain, it takes you to the identity provider's site.
The scenario is: if the user is not logged in, the user is required to enter his email address twice, first on the "Email First" page, then on the Google account page.
As I have only Google as a provider, the question is how I can directly redirect the user to Google's account page once he clicks the Sign-In button, instead of showing him the "Email First" page.
Edited
Now I have a little change in the flow: the web site I am working with has been integrated with different companies' Active Directory, so once a user enters his email address, based on the email domain the user is redirected to the required company portal for user verification.
Now the web site is planning to allow Google accounts, and when a user enters an email address with a Google domain, the user should be redirected to the Google account page. The web site owner does not want to see an "Email First" or "Provider First" screen, as this is a bad user experience.
If you specify displayMode: 'providerFirst' in the widget options, it should work as desired.
https://developers.google.com/identity/toolkit/web/setup-frontend#email_first_vs_provider_first_modes
Why not use Google Sign-In for Websites instead? Since Google is your only identity provider, that seems like your best option. You'd also get first and last names on login, which Identity Toolkit doesn't provide.
https://developers.google.com/identity/sign-in/web/