Create per-user admin key in Simperium - http

The http API docs request that a special token be created for several operations (e.g. List Buckets, All Changes)
X-Simperium-Token — Authentication token must have been created using an API key that has admin privileges
How do I create this token?
I have tried a few things:
curl -H 'X-Simperium-Token: {my admin key}' https://api.simperium.com/1/{app_name}/buckets.
This results in the "meta" buckets {"buckets": [{"name": "exception"}, {"name": "code"}, {"name": "message"}]} which is kind of interesting.
curl -H 'X-Simperium-API-Key: {my admin key}' -d '{"username":"{valid user}", "password":"{valid password}"}' https://auth.simperium.com/1/{app_name}/authorize/.
Result: invalid app credentials
Authorize with my normal key, which works fine and gives me an access token which I can use for the other (non-admin) operations.
My thinking is that I need to pass in my admin key into 'authorize' somehow and generate an auth token blessed with admin privileges for this user (to list all of his buckets, for example).
Thanks in advance.

You should be able to use the admin key directly for the token anywhere that requires a token that was created with an API key with admin privileges. We're currently working on the UI to actually create these API keys with different options. In the meantime, you can either use the admin key from your dashboard directly, or contact us and we can create one for you.

Related

Get password in account user in AppDynamics

I'm working in an instance of AppDynamics where we enter using SSO, so we just type the name of our account and enter without an user/password.
I need to create a custom event and, according to this documentation https://docs.appdynamics.com/display/PRO43/Alert+and+Respond+API#AlertandRespondAPI-CreateaCustomEvent
what I would need is to run a curl like curl -X POST --user user1#customer1:secret 'http://demo.appdynamics.com/controller/rest/applications/5/events?severity=INFO&summary=test1&eventtype=CUSTOM&customeventtype=mycustomevent&propertynames=key1&propertynames=key2&propertyvalues=value1&propertyvalues=value'
Problem is, I don't have an user/password. If I don't type them I get a 401 as expected.
I can see in My Preferences my username, but I can't find any password in the application.
Is there something I could do to find that password or something that would work for that POST to work?
The credentials for an SSO user reside with the Identity Provider (on your side) not the Service Provider (AppDynamics).
So there are two options here:
Create (or ask an admin to create) an AppDynamics user in the Controller Administration UI. Then use the username / password from this user in your requests.
Create (or ask an admin to create) and API Client configuration in the Controller Administration UI. Then use the Access Token in your requests (Docs: https://docs.appdynamics.com/appd/22.x/latest/en/extend-appdynamics/appdynamics-apis/api-clients)

Is it possible to hack and Update a firebase realtime database data

Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like .
Username
Profile pic path
They set it to a bad word and bad pic.
So then i Also Checked the Firebase rules and redefined them..
Like
Only Authenticated users can read/write.
But problem is.
The hacker is still updated the Value on firebase db.
and i want to know what i am missing.
Is it possible to update a Firebase db without the whole secure key and things..
using a browser may be?
User data of a single user ...
email : "https://m.me.developer.scg"
lastseen : "1617987743"
pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)"
privacy : "PU"
state : "offline"
status : "Lets watch some movies"
type : "FREE USER"
username : "FU*KED BY DreamPLAY"
Here the hacker updated the 3 fields.
email :
pic:
username:
You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
I will answer as parts :
Reason of Problem :
The Hacker found your API then created project and added your API to it then he
created authenticated user then he updated the fields , So this the reason of
problem
Solution :
First : is to create unique Fields (e.g Email to 1234567890Email as
Example but more secure)
Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)
Third : Is to create more secure rules as to denied access to Entire Database but just
give access to some collections or even documents So it will be more
secure
I just covered the most famous actions (You can see more but by google your problem)
& Wish I helped you :)
I just thought of a way to secure Firebase credentials so thought of a way to use a custom cloud functions authentication function (URL based function) to accept user credentials like username and password via URL encoded parameters. This method will only use database(firestore would be preferable). The function will only have to create custom tokens and send it to the user while keeping the user's temporary data like IP addresses etc. So request to write or read to the database will only be granted to this function.
You CAN prevent all those non authencated activities right from your firebase console.
GO to your firebase console, Open your project's android app.
Add SHA fingerprints of your app's SHA signing certificate fingerprints.

Is there a way to enable Firebase Auth via Email through an API/CLI?

We are transitioning to using Terraform to create our architecture on Google Compute, and part of it utilises Firebase for the front-end. So far, I have managed to get this all working fine, but have hit a snag on Firebase Auth. Essentially, I want to allow 'Email/Password' authentication on a Firbase project programmatically.
The above shows where you find the setting in the UI console, but I want to be able to do that via an API/CLI, and also set the 'Authorised Domain'.
Yes, as of November 2022, this is now possible, either using Terraform, or the gcloud CLI and a bit of scripting. Both methods make use of the REST Identity Toolkit API.
If using Terraform: Your config file needs to specify a google_identity_platform_project_default_config resource: the documentation for it is available here. By way of example – assuming you've already declared a google_project resource called my_project, you could add the google_identity_platform_project_default_config resource as follows:
resource "google_identity_platform_project_default_config" "myconfig" {
project = google_project.myproject.project_id
sign_in {
allow_duplicate_emails = false
anonymous {
enabled = false
}
email {
enabled = true
password_required = false
}
}
}
This would enable email+password authentication, disallow anonymous access, and disallow duplicate email addresses.
If using the gcloud CLI: This would be a good deal fiddlier. I haven't tested it out completely, but it is presumably equivalent to what Terraform is doing behind the scenes. You need to obtain a service account access token, then use cURL (or a similar tool/API) to amend the Identity Toolkit configuration using the PATCH method (documentation here), supplying the token in the "Authorization" header.
gcloud lets you get an access token using the command gcloud auth print-access-token, but according to this 2021 blog post1 by #DazWilkin, the token obtained using your regular human credentials can't perform the necessary PATCH operation; you need to use a token backed by a service account that has the correct permissions.
The blog post gives further details, but roughly, the steps are:
Create a service account and give it the correct permissions. (Not necessary if you already have an appropriate service account; such an account can be created either using the Firebase console or Terraform's google_service_account resource.)
Create a JSON service account key file. (Not necessary if you already have a key created, plus a JSON file for it. These JSON files contain an object with the keys "project_id", "private_key_id", and "private_key", and are exactly the same sort of file as gets generated from the Firebase console if you go to "Project Overview" / "Project Settings" / "Service Accounts" / "Generate new private key". They can also be created programmatically using Terraform's google_service_account_key resource.)
Allow gcloud to perform operations using the service account's permissions, by running gcloud's "auth activate-service-account" subcommand: something like
$ gcloud auth activate-service-account --key-file=/path/to/key-file.json EMAIL_ADDRESS_OF_SERVICE_ACCOUNT
Obtain an access token for the service account by running gcloud auth print-access-token EMAIL_ADDRESS_OF_SERVICE_ACCOUNT.
Supply that token in the header of an HTTP PATCH request using cURL.
For more details, see the blog post; it's concerned with amending the "authorized domains" list for a Firebase project, but enabling email/password authentication would be very similar.
1 Also mentioned in this stackoverflow answer.

Evernote SDK - How can I get the permission to access all notebooks' metadata?

I'm writing a chrome extension for quick search notes in fuzzy match model. So I need to cache all notes' metadata(title, url, createdTime,etc) in local storage.
According to evernote offical doc, there are two ways to authenticate to the Evernote API, developer tokens and OAuth.
But right now,
1. developer token has been deprecated.(if you go to the application URL you will get Update: the creation of developer tokens is temporarily disabled.
2. OAuth can only access one specific notebook(depend on user authentication)
So my question is : is there any way can work around to get all notes' metadata?
OAuth can only access one specific notebook(depend on user authentication)
This is not the case. By default, Evernote API keys are scoped to the account level; so you'll have access to all notebooks in the account of the user who authenticates using your OAuth process.
Evernote does also have an optional type of API key available, called an App Notebook key, that can be requested. But you have to specifically request that type of key when you request your API key; otherwise it'll be a full account access key.

Here API - These credentials do not authorize access - Some Requests

Im getting some 403 errors in some HERE position requests. Looks like that the servers are not synchronized.
My Account was created 2 weeks ago.
{"error":{"code":403,"description":"These credentials do not authorize access. Please contact your customer representative or submit a request here https://developer.here.com/contact-us to upgrade your account. You can also get valid credentials by registering for a free trial license on https://developer.here.com.","message":"Forbidden"}}
First, generate apiKey and bearer token in your here account. For the apiKey go to your profile, create a new app and then you can generate it under Credentials -> API Keys.
For the bearer token, you first need to create oauth tokens (under Credentials -> OAuth), download the credentials.properties file, then use their CLI to generate the bearer token. Before you can use the CLI, you need to install it and then set it up.
I'm on a mac, so for me this installed it:
$ brew install heremaps/olp-cli/olp
Follow instructions on their page for whatever OS you have. Now you are ready to generate the bearer token. Make sure you are in the same directory where you downloaded the credentials.properties file earlier:
$ olp credentials import default credentials.properties
Generate the token:
$ olp api token get
Now you have everything to do a call to their API (replace HERE_API_URL with the one you want. They have many different ones for various use-cases):
GET
https://{HERE_API_URL}?apiKey={YOUR_API_KEY} -H 'Authorization: Bearer {YOUR_TOKEN}'
Note: Do not use app_code and app_id. These have been deprecated.
I had the same issue when I had only one API key created. Once I created a second API key, the issue went away.
Make sure you have two API keys generated, even if you only use one. The documentation suggests setting two keys but it never mentions it's required.

Resources