I'm trying to integrate an app-in billing into a flex mobile application.
I found this page : http://www.adobe.com/devnet/flex/articles/flex_paypal.html
It seems to work but, for security purposes (store Paypal credentials), I had to install a web app on my web server.
I had a look on the libraries (MPL) for android and ios SDKs, they don't seem to call a web server.
Does someone know if there's a way to avoid installing this server?
The linked article is an excellent treatment of integrating PayPal's Adaptive Payments product from the perspective of a Flex/AIR single-page web app. However, this product (Adaptive Payments) would not be recommended for use in a mobile app rather than a browser due to the different security features of apps (with embedded minibrowsers) vs. browser environments.
The MPL libraries have also been deprecated in favor of PayPal's newest mobile SDKs. See:
https://developer.paypal.com/docs/integration/mobile/mobile-sdk-overview/
I would recommend looking into using either these newest PayPal SDKs, or mobile Braintree SDKs that combine PayPal and Braintree card acceptance in a single SDK, as the most secure & having the best mobile user experiences (and the most likely to be supported well into the future).
These SDKs do not require you to have a web server that hosts any pages for user interaction (e.g. a page that redirects a user to PayPal, or one that handles a redirection back). They provide libraries for the secure collection & validation of the user's credentials from inside your app.
That said, you still need to maintain the security of your PayPal API credentials access. The latest SDKs (as referenced above) allow you to generate access tokens for a particular device while keeping your account credentials secure on your server. But you do need that server, and your mobile app will need to communicate with it to become authenticated to make calls to PayPal on your behalf; otherwise your full PayPal API credentials would have to be sent to every device on which your app is installed, which would not be wise.
Related
I am using firebase admin sdk on the server to generate sign in links and send them out via custom SMTP api.
I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front end code. Is there a possibility to disable this functionality so it is only available to admin acc?
Additionally, I'd like some emails (i.e. multi factor enrolment) to not be possible, but again, given that someone can obtain some of my firebase front end details, they technically can send these?
You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for client.Sign up and delete user can be (that requires upgrading to Identity Platform) .
Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.
You can then restrict what the API key in Firebase web config has access to:
However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.
Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).
It might be a lot to update and I would not recommend unless you are facing rate limiting issues where Firebase Support should be able to help.
I am building a react native mobile application, and I'm using the expo Google and Apple sign in libraries to provide authentication. Both libraries use firebase to authenticate, but my database is hosted elsewhere (heroku while in development, but probably migrating to digital ocean in the future). How can I protect my API using the access tokens I receive from the Google and Apple sign in utilities on my non-firebase server? All the code samples I've seen use firebase as the backend. I want to make sure that all the API calls are authenticated, and that the proper storing/refreshing techniques are used on the client, while maintaining the "persistent session" UX for users so they don't have to sign in every time they open the application.
I feel like I should know this, and I have a few ideas, but really don't want to get this aspect of the application wrong.
I'm planning to add push notifications to my web app.
As far as I understand it, to push notifications to my users, I can either use a web push library and deliver the notifications directly, or use a push notification service such as OneSignal, Firebase Cloud Messaging, or Batch.com.
From what I understand, these services offer a one-stop solution to deliver notifications not only as Web Push, but also to iOS and Android apps.
If I'm focusing only on Web Push for now, is there any advantage I should be aware of, to use one of these services over a web push library directly?
Web Push is a standard which is still under development and subject to change. Also browser support is quite limited at the moment (see https://caniuse.com/#feat=push-api).
The advantage is: you have one API to rule all the supporting platforms (including desktop).
Disadvantage is: You have to be aware that not all platforms support the standard.
Using a notification SaaS solution to handle notifications enables you to handle all platforms. Sending out a notification from your backend will be a single call to your notification SaaS service, but you still have to be aware, when you want to have native notifications on Android, iOS and the browser, you will have to handle the integration of those platforms differently in your client apps (see example here using Google Cloud Message integration in an Android App: https://firebase.google.com/docs/cloud-messaging/android/client).
So your decision should be based on which platforms you have to support.
- If you get away with supporting Chrome, Firefox and Edge browsers on non-iOS-Devices (or handle iOS Notifications differently), you can use Web Push.
- Otherwise i would choose a Notification SaaS Solution.
The most important point for me personally when doing your own implementation is that you control everything. This means that your notifications don't fail when AWS loses a region or pricing changes and you can't afford it any more. Not any provider can ban you because of the content you distribute or the complaints from users. You can implement your own logic for showing the notifications on the front-end, like stacking them or having your own segmentation rules (paying users versus free tier, for instance). I'm not even speaking of the custom subscription UI. No weird copyright in your messages.
From what I understand, these services offer a one-stop solution to deliver notifications not only as Web Push, but also to iOS and Android apps.
When you've got the server logic to process the app events and send notifications in place, it shouldn't be really hard to extent it do work with mobile push notifications. The only thing that changes is the way you subscribe devices.
And the last, but not the least - it's fun to develop. This is more of a personal matter, I guess, but I like learning new thing :)
Hope that helps you to make a decision.
you can implement push notification to your website without using third-party libraries. You have required to get subscription token from the client and store this subscription token onto the server (Inside database). After when you want to send a push notification to the user then you have to just call endpoint (endpoint is mentioned in subscription token). That's it.
Due to security risk and managing subscription tokens, developers prefer to use firebase, AWS push notification or onesignal.com services. These services are optional you don't need at all.
Read links introduction to push notification and also the same lab code examples. Later I will update with simple working code for further reference to your question.
It depends on what you want. It‘s not possible to use iOS Safari for Web-Push. For notifications to iOS you have to use a service or build your own app.
I use Pushover for notifying myself from Scripts and Software. That may or may not be a solution depending on how much users you have, how many notifications you send and how willing your users are to use a web app like Pushover (or an app on iOS).
A service will keep notifications going when things change. So it should be less maintenance for you.
If you want to target iOS visitors also, this is not possible, as web push notifications are not supported by iOS.
To circumvent this, you need to use a third party service like Wise Notifications.
The alternative is to build an iOS app and send native push notifications.
I need advice as i am new in .net and azure, i am creating a architecture for a project which has its mobile application, web based admin panel and Website.
I am planning to host every thing in Azure. I am creating application in Xamarin. Application needs to have Push Notification, Offline Sync etc, features provided by Mobile App Services (Controller inherited from TableController).
I want to create 1 database which will be used by all 3 modules. I have already created a Mobile App Service and Database. Mobile application is using it as it was supposed to. Now i want to create a website and Web based admin panel and use the same database. Is this possible ?
What is the best way? Should i create a web project and perform operations on data via REST API? and use this API for Mobile Apps and Web based Backend?
I am really confused between different services from azure and which one to use. Should i use .Net Core or .Net. I need to know the best way to do it.
Edit 1 :
So far this is what i have done and i need to know if this will work fine in future when project get complex. I created database and back end via Azure Mobile App. Now i have created a .net MVC website and used RestSharp for CRUD operations in it. I have used the following code to perform the operations. Note the /tables/ part in the request url.
var client = new RestClient("http://xxxxxxx.azurewebsites.net");
var request = new RestRequest("/tables/request?ZUMO-API-VERSION=2.0.0", Method.POST);
string data = "{\"createdFor\":\"535862cf-e2b3-41de-99f9-88c47a77750c\",\"status\":\"IN_PROCESS\",\"createdBy\":\"7108147e-c11c-4d78-ac3d-d5d6c5eb78d0\",\"description\":\"Master room 5 door produces strange sound when opened or closed\",\"title\":\"Door Sounds Strange\"}";
request.AddHeader("Accept", "application/json");
request.Parameters.Clear();
request.AddParameter("application/json", data, ParameterType.RequestBody);
var result = client.Execute(request);
Console.WriteLine("Content " + result.Content);
Get and post operations works fine. Is this a good way?
Thanks in advance
As the official document mentions about Mobile App Features:
Authentication and Authorization (AAD,Facebook, Google, Twitter and Microsoft Account,Custom authentication)
Data Store (SQL Database, Azure Table Storage,etc)
Offline Sync
Push Notifications (Client SDKS seamlessly integrate with the registration capabilities of Azure Notification Hubs)
Client SDKs (A complete set of Client SDKs that cover native development, cross-platform development,etc)
Per my understanding, if the build-in features provided by mobile app could totally meet your requirement, then Mobile App is better for you and it would save your time. For Web API application, you need to do all stuff by yourself.
Now i want to create a website and Web based admin panel and use the same database. Is this possible ?
I assumed that you could create a Azure Mobile App application (Mobile App) and a web application (Azure Web App) under your solution, and you could extract the DbContext related classes into a shared class library.
Should i use .Net Core or .Net. I need to know the best way to do it.
For choosing between .NET Core and .NET Framework, you could refer to the official document about choosing-core-framework-server.
UPDATE:
Can you please take a look at edit 1, and suggest if this is the right way or it can create a problem.
Your code would work fine, since the mobile client SDK just wraps the common processing as your provided.
Note:
For accessing only by authenticated user, you need to add x-zumo-auth header with the authenticationToken after you logged.
Additionally, for your MVC application to retrieve the data from your mobile app (need authentication), you need to log with your mobile app and retrieve the authenticationToken for your subsequent requests against your mobile app. At this point, except for Custom authentication, otherwise you could only leverage Client-managed authentication and use JavaScript client library for Azure Mobile Apps in your MVC application for logging to mobile app and retrieve the authenticationToken, then you could send request from your front-end or pass the token to your back-end. For SPA, you could use both Client-managed authentication and Server-managed authentication.
Moreover, Adrian hall has wrote some useful tutorials about developing against azure mobile app, you could refer to Adrian hall's book.
UPDATE2:
For custom authentication using an Identity Database, you just pass the username and password to your mobile app, then it would validate the user info and generate the authenticationToken. While for Auth0, you firstly login with Auth0 provider, then pass the token to your mobile app.
My mobile application has its own signing up and sign in option with username and password.
For the connection Username-Password-Authentication from Auth0, it would manage the users for you, while using an Identity Database, the users would be stored in your storage and you need to manage them by yourself.
Per my understanding, both approaches could implement the custom authentication for you, but you need to choose the better one that matches your scenario.
The latest LinkedIn SDK requires the user to have the LinkedIn app installed on their devices to login with Linkedin. The authentication process doesn't work otherwise.
We are trying to build an app that creates electronic and customized business cards. The App will use the user's own LinkedIn profile data to fill out the fields within their business card. The user will login into the application by login with LinkedIn.
The LinkedIn API and latest SDK for iOS doesn't allow to login with LinkedIn if the user doesn't have the native LinkedIn iOS app already installed on their devices. The SDK forwards the user to the App Store and forces to download and install LinkedIn app.
This adds complexity to the login process for the user and increase the likelihood that the user will not download the LinkedIn app and so they will not use our app.
We would like understand why and why LinkedIn decided to follow this route that leads developer to user other social networks instead of LinkedIn.
And most important, What is the process to get login with Linkedin without needing to have the app installed?
Any advice would be massively helpful for us! Thanks to everybody, we really believe in the power of StackOverflow