restrict video call access for only host and guest - agora.io

i want to integrate agora on my website with angular.
I need to have several active video calls, how do i make sure that the host and the guest are the only ones joining the session?
And that the rest (host and owner) enter their respective unique rooms? Is there a unique id of temporary channel so that both enter through that or something like that?

You can decide a pre-defined unique channel name which won't be shared with anyone by the host other than the guest.
Check the Agora Documentation for Video Calls here.
<label for="form-channel">Meeting ID</label>
<input type="text" id="form-channel" class="form-control" placeholder="Meeting ID" required>
<script>
// Join Channel Modal
$("#join-channel").click(function (event) {
var agoraAppId = "<APP-ID>";
var channelName = $('#form-channel').val();
initClientAndJoinChannel(agoraAppId, channelName);
$("#modalForm").modal("hide");
});
</script>
Using the above code snippet you can make dynamic channels on the go. You can also have predefined channel names coming from a server if you need by giving a variable instead of $('#form-channel').val();.
If you still have doubts you can check my sample app at: https://github.com/akshatvg/speakOut. Even though the app isn't on Angular, you will understand how you need to make the channels work.

Related

How to generate a file after a created command?

I have an e-commerce customer who uses Shopify APIs to create an order (a customer who purchased an item).
From a created command (which can contain different items), I must generate a file with some attributes like weight or the destination address.
I was drowning in their public documentation and honestly can't get over it (I don't have much programming experience).
I would like to know which APIs (or services...) I have to request in your opinion please?
Given what I'm being asked, I don't know if I can find all this info with a single API or I have to call several methods to build my file little by little...
For example, I have no idea, really no idea to know if a given command is fragile or not. I don't even know if they communicate such information by their API.
Thanks in advance
If you want realtime (as soon as the order is created, the file is created) : You need to register a webhook.
A Shopify webhook is simply a script that, on a certain event, send the event's data to a link.
Example : An order placed webhook (predefined Shopify webhook) will send the order's data to an URL in JSON format as soon as the order is placed.
So you will need a server running 24/7 (get a VPS for less than 5 bucks a month). The server will listen at an ip at a certain port.
You will setup Shopify's webhook to send data to that ip / port.
Step 1: Create your server
You will need any backend framework for this. I choose NodeJs + Express framework, because it is so easy to do with it.
Here is a sample code :
const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const port = 3000;
app.use(bodyParser.json());
app.post('/', function (req, res) {
let body = req.body;
console.log(body);
});
let server = app.listen(port, function () {
let host = server.address().address;
console.log('Example app listening at http://%s:%s', host, port); //Copy this to your clipboard, you will need it in step 2
});
Step 2: Register Shopify Webhook
Go to your client's store, add /admin/settings/notifications to the url.
Scroll to the bottom of the page, click Create Webhook, chose Order creation as an event, JSON format, Lastest as API version. Paste the IP / Port you copied earlier into URL.
Step 3: Check the data sent by Shopify
From here, you can check the data Shopify sent you. It will be printed by your NodeJs server.
It is in JSON format, so you can do all kinds of stuff with it. Filter important info, and output to file for example.
If you want to check everytime your script starts and not realtime : you need to create a custom app in your client's store, and use GraphQL
Shopify won't let you check for certain orders by order number, and the limit of their API is 250. Using GraphQL, you can do this, but you need to know GraphQL (a little more advanced).
You can check their docs at shopify.dev

Login to Microsoft Online programmatically

Goal
Given a company e-mail and a corresponding password, I need to programatically login to login.microsoftonline.com and access the Office 365 dashboard (office.com). The image shows the user flow where I try to find out the respective endpoints.
Research results
This is what I found out about what endpoints are called and how. Note that endpoints might differ if you don't use a company account.
Assumptions:
Always follow redirects.
Collect cookies along the way and pass them with every subsequent request.
In the bodies of the requests, I only include parts that I found relevant. I could have left out important parts that I'm not aware of.
GET login.microsoftonline.com
Follow the redirects. The resulting HTML contains a config json object wrapped in //<![CDATA[ and //]]>. Search for "sFT": and copy the value. Search for "sCtx": and copy the value. Search for "canary": and copy the value. Search for "sessionId": and copy the value.
POST https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US
I don't think this endpoint is essential. I still include it here.
Send a JSON body as follows:
{
"username": "<your-company-email>",
"flowToken": "<your-sFT-token>"
}
POST https://login.microsoftonline.com/common/login
Send as form data in the body:
login:<your-company-email>
passwd:<your-password>
flowToken:<your-sFT-token>
type:11
ctx:<your-sCtx-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>
POST https://login.microsoftonline.com/kmsi
"kmsi" stands for "keep me signed in". This might be an endpoint that is not called if you don't use a company mail for login.
Send as form data in the body:
LoginOptions:3
type:28
ctx:<your-sCtx-token>
flowToken:<your-sFT-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>
Calling these endpoints in the order displayed here, I am able to successfully retrieve these cookies:
From login.microsoftonline.com (10 cookies):
ESTSAUTH
ESTSAUTHLIGHT
ESTSAUTHPERSISTENT
ESTSSC
buid
ch
esctx
fpc
stsservicecookie
x-ms-gateway-slice
From office.com (1 cookie):
MUID
From www.office.com (2 cookies):
OH.DCAffinity
OH.SID
POST https://www.office.com/landing
Send as form data in the body. ??? is indicating that I don't know where this data is coming from.
code:<a code token ???>
id_token:<an id token ???>
state:<a state token ???>
session_state:<a session state token ???>
This endpoint seems to be crucial since it returns the following cookies:
OhpToken
UserIndex
OhpAuth
AjaxSessionKey
userid
GET https://www.office.com/
The cookies that were set during the previous request are sent in the request headers here. This is why the office.com/landing seems to be crucial. However, I can't figure out how the form data is constructed for that body, e.g. code, id_token etc.
Maybe related question?
Note that I've seen this question on stack overflow but I didn't find it useful and don't think it relates to my question.
Why do I need all this?
The main goal is to login users automatically from another tool (SSO). E-Mail and password is given. My approach is to login using these endpoints programatically on the server-side, collect the necessary cookies for subsequent logins, send them to the client. The client uses those cookies to access office.com and see the dashboard immediately without having to login.
A better approach? Note that I have access to the admin center (Microsoft) and to Azure Direct. If you know a much simpler approach to this solution, I'm glad to get to know it. Most of the articles I've read are concerned with how to use Azure to login to another service if you're logged in to Microsoft. But I need the opposite: being logged in to some service and accessing the Microsoft Office 365 dashboard automatically.
What you are trying to do is completely wrong - why to reverse-engineer frontend app and one day to find that everything changed?
There is official REST API to ms outlook online and authentication mechanism via Azure AD - exactly to let third-party apps to work with MS online apps.
Try to checkout this:
https://learn.microsoft.com/en-us/graph/overview-major-services
and this:
https://learn.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview
POSTing to https://login.microsoftonline.com/kmsi will return a html with all the values you need:
<html>
<head>
<title>Working...</title>
</head>
<body>
<form method="POST" name="hiddenform" action="https://admin.microsoft.com/landing">
<input type="hidden" name="code" value="0.AVwAAmogKpXYg0-1rfltzzT6ZQYAAAAAAPEPzgAAAAAAAAABAAA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P-gWiQqeCHo-9FEKAxJ1WYio4IwurbBrT2hB561ujjKXXdH08Yoqwrn7KlDJ2Ybp0SP7VNeX0v0313oQy9u184OF9SUmmPCM9AqRp8cW_Oh9AhenJEP8ZThY680N5XdQ_xvTaxCdyu0G2rMld7Yp-fnmKxQsr3UrdysQW6qe9mEXX_IsUYecF46BYO2kh7XsLGLXDDdm1ZJa46G_wAN00fYPmxgH4dlsauqK0URhVxVFZrws3yuPWTJEn5VNhL2Z2cUdsFfBEAFdHDrjOujdxzJKbfqln2GqLcNP_3LdgHKx-atrIM7JXJfp_oJeKCwXwvK6tUa4bhvEotIeGhES_l_0kxOZQDIbBMU2yUoBYrn17fxUmTAOt-HpeYRQFYr4bymdVnRsfMINZCSbD-lOaW6oh-cvWYpxqbq8ZZ3tZ7OJzZKetSNtAwplcUjZZchysueXy3-t7u2nr8k27jrSe2DudpGcn1GY25kkGQyz-SiqVm70RsKT9Fb6lxoSm7I8zpAWfFnLZJtxYhddHRx4tA521wAXoXOhBZyc5I7_gZYk2a50QcxeJI0K88mXxyPNvndN4F8eCtRYp1X53LSFgs4XyJ2UzWo9LXsWZ_77Fz7Ivlz2n4AEZXVZlE_PnqYylRdOWDV2NdpBhgFB53geIEuiX9t4JVl0o8TdpPrYjgsiqGmtbg3ZO4J4c_CDLOzBBJemdpAEnkukRVKHt-ZcXKwMfWHjWmEi0p6Ji1GI92f0UO_ZTpUdXScKC4UQsPrWAU" />
<input type="hidden" name="id_token" value="[TOKENVALUE]" />
<input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=78qNGNcn8xtuLU4P5T0Dz5QMprE4YNYcSnczbXtwxwZL-dMfErfi6EuAkBJw0mFDmV_sQY7Q3av60KFahCPqhj6hzPR_JtBiYotBBoHd0zSKjqM7HgdD_QMhKZKReePeYsiTgLZtXAcNmzRBdjtpeflCa4TTRQY7tqOvN2kOUZY" />
<input type="hidden" name="session_state" value="16f47f33-cf2e-4300-9a9b-72276bd518f0" />
<input type="hidden" name="correlation_id" value="1a7d67ed-2db0-44ea-a351-f9d70ff14229" />
<noscript>
<p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" />
</noscript>
</form>
<script language="javascript">
document.forms[0].submit();
</script>
</body>
</html>
You must extract the values of each input and use it on the https://www.office.com/landing. Do not forget to encode the state value

Am I doing/handling the GDPR privacy alert correctly inside my code

I am working on an asp.net mvc core web application for users' registration within our system, and we have the following scenario:-
1) when a user access the web application, they enter their registration number
2) then they click on submit >> and fill the registration form.
3) we want to track the users who enter step number one , but did not complete the registration.
so since i am tracking users' actions, so i enable the GDPR inside my application by following these steps https://learn.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-2.2 . and using the following code, i am able to check if the user accept the privacy alert or not:-
var consentFeature = HttpContext.Features.Get<ITrackingConsentFeature>();
var canTrack = consentFeature.CanTrack ;
and if the canTrack return true (the user accept the privacy alert) then i will track the users' action, while if the canTrackreturn false (the user did not accept the privacy alert) i will not track the user actions.. so am i going things correctly?
First things first: I'm not a lawyer.
Being GDPR-compliant means a lot more than "just" acquiring tracking consent from your users (although it's not an easy task as it is).
If you are collecting the consent and only do the tracking based on it, that's one (prominent) aspect; depending on your business/organization, you may also need to have a privacy policy and support consent revocation – as the user might want to withdraw their consent at any time. In addition, there might be other requirements to fulfil.
There is an abundance of resources at your disposal should you want to read more about it, and decide which are the next steps to take. But I would suggest talking to an expert who could help you on the matter. You could even hire someone at Fiverr or UpWork.
The question of whether or not that is compliant with GDPR is one you won't find an answer to on SO, but as for your question on whether or not you are using the consent mechanism in ASP.NET core correctly, can be answered.
First, I suggest you read up on the bigger picture here, here is an article from MS:
https://learn.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-3.1
In essence, you need something like this to handle the consent banner.
#{
var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
var showBanner = !consentFeature?.CanTrack ?? false;
var cookieString = consentFeature?.CreateConsentCookie();
}
#if (showBanner)
{
<div id="cookieConsent" class="alert alert-info alert-dismissible fade show" role="alert">
Use this space to summarize your privacy and cookie use policy. <a asp-page="/Privacy">Learn More</a>.
<button type="button" class="accept-policy close" data-dismiss="alert" aria-label="Close" data-cookie-string="#cookieString">
<span aria-hidden="true">Accept</span>
</button>
</div>
<script>
(function () {
var button = document.querySelector("#cookieConsent button[data-cookie-string]");
button.addEventListener("click", function (event) {
document.cookie = button.dataset.cookieString;
}, false);
})();
</script>
}
The key point here is that it is your responsibility to present the user with a consent dialog and report back the response. The ASP.NET framework will help web developers track user consent status and there is a standardized API for managing this, which is essential since this will enable adhering to user consent even in third party middleware etc.
Which brings us to the next point, it is your responsibility to ensure that all your code as well as any third party code you pull in follow this. If you have any third party dependencies you need to check the documentation for those (or possibly use the web browser's debug tools to verify) that it does not store cookies nor send off request to third parties.
Any javascript libraries such as Google Analytics or whatever telemetry you use, also need to take this into account. This you have to solve on the JavaScript side. Check the documentation. Here is a checklist for Google Analytics.
For Application Insights, there is the window.appInsights.config.isCookieUseDisabled property that you may need to set. Looks like automatically adhering to the ASP.NET core consent tracking is still an open issue.
So in short, looks like you are on the right track, but you likely need to do more.

How can a webhook identify USER_IDs?

I'm developing a webhook, and I want it to be able to #mention specific users. The simple message format specifies using the format of <users/123456789012345> to #mention a specific users. Since this is not a bot, it is not processing an incoming message and cannot pull the from the sender field, as suggested in the note on the developer site linked above.
How can I get the USER_ID of a user on my domain?
I am in the same boat as you. Trying to use a Webhook to mention a user.
If you inspect the HTML on https://chat.google.com, using web/dev tools, you can actually see user ID under tag data-member-id="user/bot/123456789012345"
Using the above I tried to form a webhook that mentioned the user (in my case another bot).
Unfortunately it didn't work. Passing in the string <users/123456789012345> please test came through to chat as a string literal.
It's strange because the html links and markup DO get interpreted. As mentioned here. Edit: so does <users/all>.
I'm leaving this here since your question asks for how to elicit the ID. While it may not be pretty, or much automatable, it helped me get the user ID at least.
Edit 2: It works, just not to mention my other bot for some reason. But using this method I was able to mention a human user :)
I use this for find the USER_ID but if you have another way let me know
Right click on the user and select inspect
Search for data-member-id this is your USER_ID
A webhook will not be able to pull the USER_ID of a user. As a workaround for this, you can create a service account and a bot that has access to the room and use the REST API spaces.members.list() and spaces.members.get() method.
Note: The bot will need to be added to the room.
Okay, so in order to get the UserID without having to do all of the things that you're trying to do here you need to use the Admin SDK API in google app script. Basically what you'll want to do is use your google app script as an intermediary for what you're trying to do. So you'll post something to google app script via their web exec functions on a deployed app and then have that app communicate to the google chat API via something like this:
var googlewebhookurl = 'https://chat.googleapis.com/v1/spaces/ASDFLKAJHEPQIHEWFQOEWNQWEFOINQ';
var options = {
'method': 'post',
'contentType': 'application/json',
'payload' : JSON.stringify({ text: "<users/000000000001> I see you!" })
}
UrlFetchApp.fetch(googlewebhookurl, options);
To start, you'll need to add the Admin SDK API to the services in your google app script services area. So click the plus next to "Services" and then select the Admin SDK API and click add to add it to the services, it winds up showing up in the list as "AdminDirectory" once it has been added to the services.
This is an image showing what it looks like once you've added it to the services.
Here is a link to the documentation for the Admin SDK API getting user information: https://developers.google.com/apps-script/advanced/admin-sdk-directory#get_user
You should be able to copy and paste that example function to get the information you're looking for regarding the user. I'm pasting the example code below in case something happens to this link:
/**
* Get a user by their email address and logs all of their data as a JSON string.
*/
function getUser() {
var userEmail = 'liz#example.com';
var user = AdminDirectory.Users.get(userEmail);
Logger.log('User data:\n %s', JSON.stringify(user, null, 2));
}
In order to get the user id, take the user variable that comes back and access user.id and voila! You have the ID you're looking for. From there just plaster it into a text message in google chat and you should be in business. I haven't gotten it to work with cards at all yet. I'm not seeing any documentation saying that it's supported in cards at all. For more information regarding chat messages and cards take a look at these:
https://developers.google.com/chat/api/guides/message-formats/basic
https://developers.google.com/chat/api/guides/message-formats/cards

Sign in via Google Plus APIs

I am trying to collect data of my user while he signs up for my website.
I am asking for the following scopes while making a request
<span id="signinButton">
<span
class="g-signin"
data-callback="signinCallback"
data-clientid="1085488274737.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.login">
</span>
</span>
Then I am first trying to get the email ID and google plus ID of the user by making a GET request to https://www.googleapis.com/oauth2/v1/userinfo?access_token= with the access token obtained in the previous step. This works perfectly fine. It gives me ID and email of user.
However, if I am using that ID obtained and the access token to get the further profile details and the friends in his circle, it is not working.
https://www.googleapis.com/plus/v1/people/userID/?key=
It says invalid key Invalid.
I am totally clueless because of this . Is there any error in mentioning the data-scope ?
When doing the /plus/v1/people/{userID} call, you can either specify the key or the access_token, and use the corresponding parameter. If you specify the key, this should be the application key that has been assigned to you in the API Console. If you use the access_token, you can use the access token that you have received as part of the Sign-In button process.
Since you have it, it seems best to use the access_token something like this:
https://www.googleapis.com/plus/v1/people/me?access_token=11111111111111111111111