I upgraded Postman to 6.2.5. It allows Teams for free user. Ok, so I created Team and started new collection within it.
On collection level I specified Authorization as OAuth 2.0, generated new Access token (using the button Get New Access Token) so it is now in Available Tokens. I don't know if the tokens are shared with other team members (I haven't invited them yet). But there is a hint
Heads up! These parameters hold sensitive data. To keep this data secure while working in a collaborative environment, we recommend using variables.
I know the variables but don't know how to employ them in this scenario. What is the correct way to setup OAuth 2.0 Authorization in collaborative environment? (I would like to keep it on Collection level so it could be inherited down the structure of folders and requests.)
Here's what they mean by that:
Source: https://learning.getpostman.com/docs/postman/team_library/sharing/#sharing-environments
1) In addition to the standard way to share an environment, Postman Pro
and Enterprise users can also share an environment with their team.
2) From the gear icon in the upper right corner of the Postman app,
select "Manage Environments", and click the orange Share button next
to the environment you want to share. You will have one last
opportunity to hide any sensitive values like passwords and access
tokens before sharing the environment. When someone else imports the
environment, or accesses the shared template, they can input their own
personal information within their own version of the template.
environment
3) Click the Share button to complete the process.
4) Go to the Team Library to view the full list of shared team environments.
Where you have your long access token like: "a1dfgz51dgs5dg1s21gdsdg" you'll write {{accessToken}} as it will become an environment variable.
Related
When store owner installs my app I save access tokens into database for later use. Having access tokens from store is huge security responsibility because anybody with these tokens can modify stores from any domain/address, there is no ip or domain lock.
What method could I use to make this more secure? I was thinking to save tokens offline and then upload it only when needed (in case I need to make some global updates for all stores), then delete it again. In case when merchant access app configuration within admin, I would just save it into session. Is there any better method?
Good question.
I save them in a database as well but I encode them with a separate key from the Shopify App password. That way even if someone have access to the database because of some backdoor entrance he won't be able to use them. That said if someone have access to the code he will be able to figure out how to decrypt it since he will have access to the key.
That said I make sure that each and every request is authenticated before I show any response from the server. Since I'm using NodeJS as the back-end I make sure that there are no global variables that can be accessed or modified from different stores. Everything is neatly scoped in separated functions so that the session is scoped for the current store and no other ones will be able to dirty the other store session.
In addition I make sure that there is a webhook that fires when the client uninstall his app in order to clear my database from any information regrading his store.
I know some people are using sessions for this ( online method ) but they pose other problems that I didn't like so I stuck with a database ( offline ) since that is the quicker way to access the App instead of multiply redirects in order to save the session.
As for proposals I can give you a few tips that I learn on my way while building a few basic Apps. ( I'm not an expert on the subject by any means )
don't rely on any cookies when it comes to sensible information
authenticate every request that comes from the front-end
don't trust the user and validate any input that comes from the front-end
don't over-complicate your setup, while it's good to have high security it's bad if it makes your app slow for the user and you lose customers
look to other ready to use popular solutions that can guide you to the correct path
don't get greedy with the App scopes, only request the scopes that you need for you app
remember to clean up after yourself when it's possible but don't over do it ( too many Apps modify the code of customers and break it only to prevent any way to clean it afterwards ) Example use the ScriptTag API instead of a liquid snippet using the Asset API. If you have to use the Asset API add only the parts that you know that won't break a site. Creating a variable is ok if you are using var if the site supports IE11 creating a variable using const or let is not OK or using vanilla JS is OK but using jQuery without knowing for sure that the site has it installed globally is not OK.
More insights on the matter can be seen here:
https://help.shopify.com/en/api/getting-started/authentication/oauth/api-access-modes
https://community.shopify.com/c/Shopify-APIs-SDKs/Best-way-to-store-shops-that-have-installed-my-app-and-their/m-p/402972
I've been creating an extension for VSTS, and so far i have stored some data in documents in collections (https://learn.microsoft.com/en-us/vsts/extend/develop/data-storage).
The problem I have now, is that I need to GET these documents somehow from an external application. I have looked into: https://github.com/Microsoft/vsts-auth-samples/tree/master/ClientLibraryConsoleAppSample to get the authorization done, but then I am unable to get the documents. If I try to access through the REST API I have issues authorizing myself(without the personal access token provided. The application is supposed to work for every user, and i cannot get and use every user's personal access token. This is not feasible for 350+ people) as well as I am unable to get the REST API working. The documentation on all of this is severely lacking.
Anyone able to help?
The documentation is lacking, because the Data Storage is isolated for the extension and there is no easy way to access the data from outside of the extension. If you need external access, you also need to store your data externally. Azure storage or in a TFVC/Git repo under the VSTS account.
As for per-user storage access, that's also isolated and would indeed require either a account owner token or a user specific Oauth or PAT token.
I have found the solution. The documentation states that there are 2 ways of working with the documents/collections. REST API and their VSS wrappers. The url required to get all documents in a certain collection is as follows:
https://{account}.extmgmt.visualstudio.com/_apis/ExtensionManagement/InstalledExtensions/{publisherName}/{extensionName}/Data/Scopes/Default/Current/Collections/{collectionName}/Documents/{documentName}.
Using this in a browser works just fine. All that needs to be done in order to use this with an external application is authorization.
If you use sdk methods from docs like VSS.getService(VSS.ServiceIds.ExtensionData) you can view (easiest in dev tool in browser) the request.
Its look like:
https://extmgmt.dev.azure.com/{organization}/_apis/ExtensionManagement/InstalledExtensions/{publisher id}/{extension id}/Data/Scopes/Default/Current/Collections/{collections (by default 'MyCollection')}/Documents
I am building a suite of apps that rely on each other's data.
I wanted to put this shared data repository in the Documents library folder.
However, when I attempt to submit the app to the Windows 8 store, I am denied access to that folder location.
I have a developer account which does not qualify for DocumentLibrary access.
I was told that because I am not a company, I do not qualify for a company account.
How can I share application data with my other apps when offline?
Yes, one of the differences between company/individual accounts is access to the Document Library (full list of differences here).
If offline is a requirement, one option is SQLLite. See Tim's post on it here.
If online is sufficient, Windows Azure Mobile Services is pretty awesome for throwing up a quick and easy database backend. More details here.
Windows Store apps run in a sandboxed environment, isolated from each other, therefore they can't easily share their data.
If having a custom online service that both apps can connect to for sharing data between them is not enough, then you'll need the user to select a folder (from both apps) where the shared data will be stored. This way you'll be able to access it.
First use FolderPicker for the user to select the folder:
var picker = new FolderPicker();
picker.FileTypeFilter.Add(".sqldb");
var folder = await picker.PickSingleFolderAsync();
Then add the folder to FutureAccessList so that you'll keep the access to it even after the app gets restarted:
var token = StorageApplicationPermissions.FutureAccessList.Add(folder);
You need to store the token so that you can load it next time. LocalSettings would be a suitable location. When your app is run again, you first read the token and with it regain access to the selected folder:
var folder = await StorageApplicationPermissions.FutureAccessList.GetFolderAsync(token);
I know this is not a perfect solution since it needs user intervention to setup everything correctly, but I think it's the only way to make such data sharing between apps possible. Even so, you might have a hard time certifying the app with this functionality.
We're currently evaluating SAP Business Objects XI 3 for a front end reporting solution, but I'm not happy that we will need to create a new set of logins that will be managed independently from our existing website. We have an authentication API that our various applications all hook in to, so we effectively get single sign on, and single account management.
Is there a way to write a custom authentication plugin for SAP BOE 3? I've googled for information and have come up empty handed. Links to documents would be handy also.
The solution that we use for this problem is to have a seperate password management page built into the HR space that will change all the user's passwords to the same thing. So there is one input for username and pass that changes the global password for a user and then it runs through and changes all the different SAP ones that are needed.
Not really the answer you are looking for, but it is somewhat of a solution.
I need a Global variable/class that stores some basic information about the currently logged in user including that user's preferences, security rights, UserID, etc. This information will be needed by any/every part of my application.
In the past I have either used a Public variable/class in a vb.net module for this purpose. I'm trying to get away from my old ways of doing things and was curious what people currently do for this functionality.
I am thinking a singleton or 2 regarding preferences and security but am not sure if that is the best way to go.
EDIT: This is an n-Tier WinForms application.
In my ASP .net web app, I store an object that contains login information for that user in the Session Cache. That is one way.
If you want different "global variables" for each user, then sessions are the way to go (as Russell mentioned). If you want variables that are the same for every single user, then Application variables are what you want.