Background / Context:
Take any out of box ASP.NET Core template with user logins enabled. You may use external login providers google, facebook, msft etc. as well. Alternatively, just clone this sample web application: https://github.com/dotnet-architecture/eShopOnWeb
Test:
Login to the test website created. (test user name we used : neel)
Record any authorized web request using Fiddler or web developer tools etc. We recorded /basket request of eShopOnWeb sample website which shows personalized shopping cart of the logged in user.
Logout.
Close browser.
Open website in guest mode. (do not login). You may choose a different browser altogether.
Replay step 2. (This uses exact same headers containing cookies, token etc.)
Observation:
This successfully returns shopping cart items of the user neel.
I am faced with two questions:
Is this a login related vulnerability? I think it is!! Shouldn't the token expire (session destroy) with logout?
If this is a vulnerability, how to fix it? Anti-forgery token comes built in with Identity, but it doesn't seem to help.
Related
I'm trying to follow the instructions here which tell me to create credentials via the instructions here, which as step 6 tells me 'Click the user type for your app. If you're running a Quickstart, select Internal.'
On the page in question, 'Internal' is greyed out, and tells me I can't select it because I'm not a Google Workspace user. Going to Google Workspace, it tells me I need a domain name for 'my business'. Since I don't have a business, or any domain that would have anything to do with this project (I just want to push some personal data from the command line to a sheet), I don't seem to be able to proceed. Is the Google Sheets API just not available for such use?
If you don't have a Workspace account but you don't want to publish your app publicly (and go through the associated review by Google), you can set the app to External and test the app instead of publishing it.
In order to do that, just add yourself as Test user when setting the OAuth consent screen, and leave the Publishing status on Testing, don't change it to In production:
Testing
Projects configured with a publishing status of Testing are limited to up to 100 test users listed in the OAuth consent screen. A test user consumes a project's test user quota once added to the project.
Google will display a warning message before allowing a specified test user to authorize scopes requested by your project's OAuth clients. The warning message confirms the user has test access to your project but should consider the risks associated with granting access to their data to an unverified app.
Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.
Reference:
Publishing status: Testing
Unfortunately, that means that the authorization lasts only for 7 days. Which means that I have to keep creating new projects every 7 days, which is untenable. Here is the excerpt from the "Setting up your OAuth consent screen" page on the Google support site.
Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.
I am trying to set up an integration API between ServiceM8 and another 3rd party application. I need to create a webhook which requires Platform Services Authentication using Oauth.
I have created a developer account and a store item after which I got the APP ID and APP Secret which are required for the authenticatcation.
I initiated the authentication by redirecting the user to the url
https://www.servicem8.com/oauth/authorize?response_type=code&client_id=[App ID]&redirect_uri=[my redirect url]&scope=manage_jobs
The user was es expected directed to the login page.
However after logging in, instead of prompting the user to accept the required permissions and redirecting to the redirect_url the user is being redirected to the ServiceM8 dashboard page.
Can someone please help me.
Thanks
While implementing the Facebook Connect to a web application , its possible to show Facebook Sign up page in a pop up and once logging in and Granting permissions are complete, its possible to Authenticate Again in PHP and to get the necessary details of the user, - id, email etc.
I believe, thats secure because, the User Insertion is not based on the Ajax Request Parameters.
Is it possible to do the same with Google Plus Login also ?
Means - Logging in to Google - Using Javascript SDK, asking permissions, Authenticating all done in a Pop Up Window. and then, Creating a new user with the Help of google-api-php-client ??
Yes, what you're trying to do is outlined with https://developers.google.com/+/web/signin/server-side-flow which includes some PHP code samples to help you do this. In general, the steps at authentication time are:
User clicks the "Sign in with Google" button which may pop-up a new window at Google prompting them to log in and authorize your webapp.
After they do so, a one-time code is sent to a JavaScript callback you specify.
Your Javascript method sends this code to your PHP server.
Your PHP server uses the client library to contact Google's server and exchange this one-time code for an access token and refresh token, which you keep and use to perform actions on the user's behalf.
We tested our web application successfully using a sandbox REST API account (and test credentials).
When we wanted to put the application into production (using REST API live credentials visible on the same PayPal web site where the sandbox/text credentials were shown), we received an error from the production PayPal server on a live credit-card transaciton:
Error code : 401 with response : Server returned HTTP response code: 401 for URL: https://api.paypal.com/v1/payments/payment
We have a Business Account that is not yet 100% verified (75% verified at the moment), so we are not sure if this is caused by some technical issue or the fact that the account is not yet 100% verified.
PayPal web site is quite confusing and the process of moving the app from test to production is not clearly explained. It seems that they are migrating from some old web sites to new ones and the user is prompted to login multiple times, redirected to different URL-s... E.g. we can see our application test and live credentials on the developer.paypal.com, but not on apps.paypal.com where no apps are listed, even though the same user is logged in (owner of the business account)???
For future readers, you have to use Live Credentials, on https://developer.paypal.com go to My apps and in App details there is a link at a bottom of the page :
Click on that link and you will see live credentials.
You now click on your sandbox application and then click live at the top of the screen to get your live credentials.
For the PayPal REST api use the credentials provided on developer.paypal.com (new version of PayPal dev experience). Live calls require the account to be vetted which includes fully verified.
We are developing applications for different platforms including ones with no browser interaction support. And we have decided to emulate browser from our application. So is it ok with Facebook's TOS?
This theme have been mentioned already in this topic (the last post):
http://facebook.stackoverflow.com/questions/4000896/logging-into-facebook-without-a-browser#comment4285566_4000963
By emulation of browser I mean following:
We are getting the user login HTML form and fill it with information that user supplied. Then we are sending it.
When we are receiving the authentication page we are asking the user to authorize the Facebook application to post messages.
If user agrees then we are sending authentication form and then get access token.