I received an email from Shopify like this:
This is Shopify’s Partner Governance team. We are reaching out as our security team discovered that secret API credentials for the Public/Draft app S**y have been exposed in the following public repository:
We require that you eliminate this vulnerability by a) closing the above exposure, and b) addressing the vulnerable app by re-creating a new version of the app with new credentials and deleting the exposed app.
So, do I have to delete the Shopify app, or is it fine if I only delete that repo?
I don't want to remove the old app, because getting access to some points in the Shopify app again would take too much time.
You should follow what they are saying. You don't need to delete the app.
You remove the credentials from the repository (keep in mind that it is not sufficient to just remove the file and push, because it will still be in the git history; see How to remove file from Git history?).
You go into the app settings on shopify.dev and recreate your API secrets.
I would very much like to enable users of my app to back up some of the app's data to their own Dropbox. I would like to direct users to log in to their Dropbox account with their email and password, and then the app would generate and store a file there without users having to do anything on their own.
Is this possible?
I wouldn't want users to have to go to the Dropbox App Console, then Create App, then fill in all the options, then copy the access token and paste it into my app manually. That would repel a lot of them.
I haven't seen anything in the docs suggesting that programmatic access to an account without an app created in the Console and a generated access token is possible. Did I miss something?
Yes, this is possible. You as the developer would register the app once, and implement the Dropbox OAuth app authorization flow in your app to allow your end-users to then connect your app to their accounts.
You may want to check out the following guides:
https://www.dropbox.com/developers/reference/getting-started
https://developers.dropbox.com/oauth-guide
https://developers.dropbox.com/dbx-file-access-guide
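The flow the answer describes, as an added example that is not part of the original answer or of Dropbox's own SDK: the developer registers the app once, and each end user is sent through the OAuth 2 authorization-code flow with PKCE, so the backup feature needs no app secret on the client and the user never touches the App Console. The endpoints and parameter names are Dropbox's; the app key, redirect URI, code and state values are hypothetical, and the last function mirrors what the token endpoint does so the round trip can be checked offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Real Dropbox OAuth 2 endpoints; the app key and redirect URI used by callers are hypothetical.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def make_code_verifier(nbytes: int = 48) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars; base64url of random bytes qualifies."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(app_key: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 1: the URL your app sends the end user to. Only the challenge leaves the app."""
    params = {
        "client_id": app_key,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,                    # bound to the user's session; checked on return
        "token_access_type": "offline",    # request a refresh token so backups can run unattended
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: Dropbox redirects back with ?code=...&state=...; reject a foreign state."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error'][0]}")
    got_state = q.get("state", [""])[0]
    if not hmac.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up sessions")
    return q["code"][0]


def token_request_body(app_key: str, code: str, redirect_uri: str, verifier: str) -> dict:
    """Step 3: form body for POST TOKEN_URL. With PKCE no app secret is needed in the client."""
    return {
        "code": code,
        "grant_type": "authorization_code",
        "client_id": app_key,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def authorization_server_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with step 3: recompute S256 and compare in constant time."""
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)
```

The verifier stays in the user's server-side session between steps 1 and 3; the state value is what stops an attacker from completing the flow with their own Dropbox account in the victim's session.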
I am able to log in to my GitHub account on the web. But in the Windows desktop app,
I am able to publish, fork and clone a repository, but at the time of the initial commit it always says there is an authentication issue.
I have tried all the points given in the popup box, such as signing out and signing in again, and also creating a GitHub PAT (personal access token).
I have checked my account settings: the main branch is the default branch, SSH is also enabled in the app, and the repository type is public. I am even able to see the changes and created repositories on the web.
Usually it would be a credential problem, but it is not. What should I do?
I'm using gemfury to host a private package that will be used by other people in my github organization. I'm also using CircleCI (but this applies to any CI system) for building/pushing.
My CI setup watches for any new tags in github and then pushes this new tag to gemfury.
My issue with the current setup is that I'm using my personal access token to authenticate. To me, this means the builds are dependent on my status as collaborator of the organization, and would break if I were to leave. I know I could instead use the Account token, but it feels insecure (what happens if the token is compromised?).
Ideally I would be able to generate application-specific push tokens that belong to the organization, and use those in CircleCI. If the token is compromised, it could be easily revoked and it wouldn't break other applications. However, gemfury does not offer this option.
I think my only option is to create a "fake" CI user and add it to my GitHub organization. I could then use this user's personal token to push builds. Is this correct? Are there any other better approaches? I don't want to have to add a fake user for every package.
You are in luck!
Under the menu item Tokens when logged in, you can find a tabbed interface, where Push tokens can be created:
Push tokens (beta)
These tokens can authorize new package uploads for this account.
You can integrate these into your CI builds, etc.
These are impersonal, and can be used for this!
Good luck!
I am in the process of updating my Shopify App with new permissions. This means there is a change in the authorize URL, which would show the permissions window when trying to install the app. I have also changed the redirect URL of the app. The app is currently listed in Shopify, and there are accounts using it.
How would this change affect the current App Installs?
How do I go about this without having any downtime or manually asking Customers to uninstall and reinstall the App again?
What is the best way to handle such scenario?
You change the scopes. Your customers will therefore all have unauthorized OAuth tokens. The next time they try to use the app with the new scopes, your app will create a new OAuth token for their access, as Shopify will prompt them to accept your new scopes.
It seems like pain, but it is the only way to go.
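What "the next time they try and use the App" looks like in code, as an added example that is not from the original answer or from Shopify's own libraries: on each request from an installed shop, compare the scopes the shop's current token actually carries (the JSON from Shopify's GET /admin/oauth/access_scopes.json) with the scopes the new release needs, and if anything is missing, send the merchant back through the authorize URL with the full new scope list; the callback is checked for Shopify's HMAC, the state value and a genuine *.myshopify.com host before the code is exchanged. The scope set, API key, secret and shop name are hypothetical, and the signing helper mirrors Shopify's side so the check can be exercised offline.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Hypothetical new scope set; Shopify's scope handles look like read_products, write_orders.
REQUIRED_SCOPES = frozenset({"read_products", "read_orders", "write_orders"})

# Only redirect merchants to a real Shopify host, never to whatever arrived in the request.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def missing_scopes(access_scopes_json: dict, required=REQUIRED_SCOPES) -> set:
    """Compare what the shop's current token carries (body of GET /admin/oauth/access_scopes.json)
    against what the new release needs. A non-empty result means: send this merchant through OAuth again."""
    granted = {s["handle"] for s in access_scopes_json.get("access_scopes", [])}
    return set(required) - granted


def build_reauthorize_url(shop: str, api_key: str, redirect_uri: str, state: str,
                          required=REQUIRED_SCOPES) -> str:
    """Authorize URL carrying the full new scope list; Shopify shows the merchant the new permissions."""
    if not SHOP_RE.match(shop):
        raise ValueError("shop parameter is not a *.myshopify.com host")
    params = {
        "client_id": api_key,
        "scope": ",".join(sorted(required)),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}"


def sign_query(params: dict, api_secret: str) -> str:
    """Shopify's callback signature: every param except hmac, sorted by key, joined as key=value
    with &, HMAC-SHA256 keyed with the app's API secret, hex encoded. Used here to mirror Shopify's side."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "hmac")
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string: str, api_secret: str, expected_state: str) -> dict:
    """Validate the redirect back from Shopify before exchanging the code for the new token.
    Assumes no & or = inside parameter values (Shopify's escaping rules for those are omitted)."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if not hmac.compare_digest(sign_query(params, api_secret), params.get("hmac", "")):
        raise ValueError("bad hmac: request did not come from Shopify")
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if not SHOP_RE.match(params.get("shop", "")):
        raise ValueError("bad shop host in callback")
    return params
```

Checking granted scopes on every request (or caching the result per shop) is what avoids asking merchants to uninstall: shops that have already accepted the new permissions pass straight through, and the rest are prompted once.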
I'm creating a Dropbox application which uses a webhook to get the file's updates.
When a user uses my app, I receive notification on my webhook URL. Perfect.
But if the user no longer wants to use my app, and removes the Dropbox link from my site... How can I remove my app from the Dropbox user's account to not receive calls anymore on my webhook URL?
The user can unlink an app from their account via the "Apps linked" section of their account security page:
https://www.dropbox.com/account/security
This will stop webhook notifications for that user from being sent to the app.
There isn't a way for the app to do this programmatically though. The Dropbox API only provides a way to revoke access tokens, but not a way to completely unlink the app from the account. We'll consider this a feature request for that though.
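Given the answer above (the app can revoke its token but cannot unlink itself, so notifications for a disconnected user may keep arriving), the practical handling on the app side is to authenticate each notification and drop accounts the app no longer holds a token for. The following is an added example, not code from the original thread or from Dropbox's SDK: it answers the registration challenge, checks the X-Dropbox-Signature header (hex HMAC-SHA256 of the raw body keyed with the app secret), filters the notified accounts against the app's own token store, and on "remove the Dropbox link" forgets the token locally and describes the POST to /2/auth/token/revoke. The app secret, account IDs and tokens are constructed values; the signing helper stands in for Dropbox's side so the check can run offline.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Dropbox-Signature"
REVOKE_URL = "https://api.dropboxapi.com/2/auth/token/revoke"


def verification_response(challenge: str) -> tuple:
    """Dropbox's one-time GET ?challenge=... when the webhook URL is registered: echo it back as text."""
    headers = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
    return 200, headers, challenge


def sign_body(app_secret: str, raw_body: bytes) -> str:
    """Dropbox's side: hex HMAC-SHA256 of the exact request body, keyed with the app secret."""
    return hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_signature(app_secret: str, raw_body: bytes, header_value: str) -> bool:
    """Constant-time check of the header against the body as received (not re-serialised JSON)."""
    return hmac.compare_digest(sign_body(app_secret, raw_body), header_value or "")


def handle_notification(app_secret: str, headers: dict, raw_body: bytes, tokens_by_account: dict) -> tuple:
    """Returns (status, accounts to poll). Dropbox notifies for every account that linked the app,
    so accounts we no longer hold a token for are dropped here instead of being polled with a dead token."""
    if not verify_signature(app_secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        return 403, []
    body = json.loads(raw_body)
    accounts = body.get("list_folder", {}).get("accounts", [])
    return 200, [a for a in accounts if a in tokens_by_account]


def disconnect_user(account_id: str, tokens_by_account: dict):
    """When the user removes the Dropbox link on our site: forget the token locally and describe the
    revoke call (POST REVOKE_URL with the user's bearer token, empty body). None if nothing was stored."""
    token = tokens_by_account.pop(account_id, None)
    if token is None:
        return None
    return {"method": "POST", "url": REVOKE_URL, "headers": {"Authorization": f"Bearer {token}"}}
```

Revoking the token is still worth doing even though the app stays listed on the user's security page: it means a later notification for that account cannot be turned into a file read even if the filter above is bypassed.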