Interact with OAuth secured api from gnome shell extension - api

I would like to show a bunch of my google calendar tasks on my desktop using a gnome shell extension. I just went over how the quickstart that explains how to use the api normally over at https://developers.google.com/calendar/api/quickstart/python. That seems to require the user to click a specific button every time the application requests access to that users's calendar.
I want to call the api from a gnome shell extension, where preferrably I only get some kind of security key once, and cache it so that i can use it for all subsequent requests. How can i make this happen (with GJS, since it's an extension)?

Related

Chrome Extension: how to safely restrict the content and customise the user experience?

I'm enjoying developing cross-browser web extensions, the main target being Chrome, so much that I started to think to develop one for my company. I find a chrome extension quite a cheap and efficient way to deploy internal apps. The main purpose is to host a couple of dynamic dashboards that fetch data from various APIs by using cross-domain ajax in background scripts. I finalized the app and I was also able to implement the authentication via chrome.identity and Azure AD.
However, I am struggling to find a safe way to customise the content.
I mean, when the extension is installed it requires to login to azure via the chrome.identity flow. Then I get a token that I use to query ms graph and get the user ID, name, email and basic info.
Until I get this information I want the browser action (popup) to be unavailable to the user as well as any other extension pages. After a successful login I would like to show the content on the pop up and to let the user access the pages, but here I want to customize the experience.
I know how to use the user id retrieved from the api call to customize the extension, but I think it is not safe because all the code is in the client.
If I code something like
if (user === logged) show something
it will be damn easy for a malicious user to look at the code and bypass it, or even to impersonate another user. And chrome extension cannot be obfuscated.
Any help?
Thanks

Access application-saved data from a web browser

We have a desktop application for which the user enters some registration details (e.g. support code), and can then use the application.
We would like to be able to automatically fill our support website ticket form with this information, even if the desktop application is not running.
So far we've considered:
InternetSetCookie - but it only works for Windows+IE
use Selenium to create cookies for all major browsers (seems an overkill, and required us to distribute Selenium along with our app)
have a JS service always run in the background
Are there better alternatives?

Dropbox - any API to cli_link?

I'm using the dropboxd service under Linux, which requires you to log into their website e.g. https://www.dropbox.com/cli_link?host_id=2173bf325f94beee3b1879d2c7b49e69 to link the machine to your account.
Is there any programatic way to do this (ideally using Java)? To access the website above it seems you need to login using forms (which seems tricky to do programatically), and their basic REST API (https://www.dropbox.com/developers/core/docs) doesnt seem to cover the cli_link command.
I could write an app to do the sync using their full API, but it seems like overkill since aside from the cli_link requirement the basic dropboxd does all that I need.
The official Dropbox desktop client is unrelated to the API, though both the API and the Linux CLI require user interaction on the Dropbox web site (once per link) to authorize the linking. Also, note that automating/scraping the site itself is not allowed by the terms:
https://www.dropbox.com/terms#acceptable_use
Not really a solution for DropBox users, but in the end we just moved over to use MediaFire instead. That has a full REST API and doesnt require any manual intervention.

Mac - Launch desktop application from browser passing parameters

I have written a click-once deployed application in .Net that runs on windows machines. I had a requirement to launch the application from a browser so that I can pass information to the application based on the current browser session (the HTTPHeadercontains a single-sign-on id that needs to be passed to the application so it can call secured web services).
So the click-once application is provided as a link on a jsp, and the required id is passed as a querystring parameter in the link, which the click once application can read).
Now I need to make similar functionality available for Mac users. Is there any way to do this that doesn't require Java? I would like to write in Objective C, but then the question of how to trigger the launch of the application from the browser, passing the necessarily information remains.
The flow is:
User hits link to our site
User is routed to single sign-on authentication form
User submits form and is redirected to our site (with id embedded in HTTPHeader)
Server builds page with a link to Click Once application with id appended as a querystring parameter
User clicks link, click once deployed app is downloaded and executed with full trust on the users computer (the app is signed with a code signing cert).
Application runs locally on users computer and calls RESTful web services on server passing the single-sign-on ID as a cookie along with the web request which allows the request to make it through.
I would appreciate any ideas that point me down the right path, as I am primarily a windows developer.
Thanks!
I just saw your request to my original post on this topic.
The need for this was put on the back burner for a time, but the solution that we will probably pursue is to have a server-side process that modifies the delivered Zip or DMG file on-the-fly. The additional information would be inserted into the application's Info.plist file. This will not invalidate the cryptographic signature, and does not require anything additional to be downloaded.

Instapaper Simple API : adding links without storing user password?

I'm trying to use Instapaper's Simple API (http://www.instapaper.com/api/simple).
The API terms of use (http://www.instapaper.com/api/terms) says apps should not store user id and password, and I don't want to store them either. However, it seems that the only way to add a link to a user's Instapaper via simple API is to store the username/password (if the user does have a password).
Am I missing something?
The API terms of use state that:
Apps must not store users’ passwords. Passwords may only be collected for the xAuth token acquisition and must be discarded afterward.
Only the full API uses xAuth tokens. The above sentence doesn't apply to the simple API, since it uses Basic HTTP Authentication.
You still "must make reasonable efforts to prevent passwords from being compromised, and must not disclose passwords to any other services or individuals".
If you are using a native Mac application (like Apple’s Mail client or a third-party mail client like Airmail) there isn’t an easy way to save a link to Instapaper without first opening the link in a browser and then using one of Instapaper’s browser extensions to actually save the article.
One workaround that I’ve found to expedite this task is to write a service for OS X which uses Instapaper’s API to save links.
In order to write your own service, first open Apple’s Automator application and create a new Service. Then, drag the Run Shell Script action into the application’s main workflow area.
Make sure the service receives no input, can be used by any application, and that the shell script is set to run python.