I'm using gemfury to host a private package that will be used by other people in my github organization. I'm also using CircleCI (but this applies to any CI system) for building/pushing.
My CI setup watches for any new tags in github and then pushes this new tag to gemfury.
My issue with the current setup is that I'm using my personal access token to authenticate. To me, this means the builds are dependent on my status as collaborator of the organization, and would break if I were to leave. I know I could instead use the Account token, but it feels insecure (what happens if the token is compromised?).
Ideally I would be able to generate application-specific push tokens that belong to the organization, and use those in CircleCI. If the token is compromised, it could be easily revoked and it wouldn't break other applications. However, gemfury does not offer this option.
I think my only option is to create a "fake" CI user add add it to my github organization. I could then use this user's personal token to push builds. Is this correct? Are there any other better approaches? I don't want to have to add a fake user for every package.
You are in luck!
Under the menu item Tokens when logged in, you can find a tabbed interface, where Push tokens can be created:
Push tokens βeta
These tokens can authorize new package uploads for this account.
You can integrate these into your CI builds, etc.
These are impersonal, and can be used for this!
Good luck!
Related
With Firebase's Admin SDK, I want to allow a user to login (verify the user with my Firebase instance) without any JavaScript on the front end. Just an old fashioned POST, with the form data in the request body.
Then in node (server side) verify the email and password on the back-end, retrieve a token, update the user's session, pass back a cookie, etc. I've been digging around various examples and the Firebase Admin SDK docs but have not found an answer.
I can do it if I run the non-admin-SDK Firebase module, in node, but this seems like an odd approach to me, especially as I need the Admin SDK for some other things.
I could see why they want to force a "triangle" approach like say payment auths use.
Authorize with Firebase on the front end and pass a token to the back-end.
Not allowing the password to possibly be sent or stored on the node server unencrypted.
But I want to pass as little JS to the client as possible and I want my site (MPA) to be progressive (not need JS). It seems odd they would not address this in their docs. Other than in some explanation of how to write one's own validation or integrate with another.
If anyone can describe how this can be done or what the recommended approach is, I would be very happy.
Firebase's Admin SDKs are designed to be stateless, so don't have a concept of a current user. The recommended approach is what Firebase Authentication does, sign in on the client and pass an ID token with every request/connection to establish the identity of the user.
If you don't want to use Firebase's SDKs in your client-side application, you can call the REST API. I'm not sure if you can construct the right call with a FORM post though.
Also check:
Sign in with Firebase-Admin using node.js, the main answer is the recommend approach.
How to authenticate an user in firebase-admin in nodejs? shows how to sign in a user in Node.js with the regular/non-Admin SDK. This is probably closest to what you want to accomplish.
I received email from Shopify like :
This is Shopify’s Partner Governance team. We are reaching out as our security team discovered that secret API credentials for the Public/Draft app S**y have been exposed in the following public repository:
We require that you eliminate this vulnerability by a) closing the above exposure, and b) address the vulnerable app by re-creating a new version of the app with new credentials and deleting the exposed app
So, Do I have to delete the Shopify app or is it fine if I only delete that repo?
As I don't want to remove old app because getting an access of some points in Shopify app but it will take too much time.
You should follow what they are saying. You don't need to delete the app.
Yuo remove the credentials from the repository (keep in mind that is not sufficient to just remove the file and push because it will still be in the git history - check here How to remove file from Git history?)
You go into the app settings on shopify.dev and recreate your API secrets.
I am in control of three twitter accounts: One is my main account, the other two are supposed to automatically post content via a bot. I created the bot logic and added it to Twitter's development tools and I can easily use it to post to my main account.
Now I need to add the access tokens for my two secondary accounts. My question is - what's the easiest way to do this.
As far as I can see, Twitter only enables one way to do this: 3-legged OAuth flow. It is not too complex, but it seems to me to require setting up a mock website with callback url, which seems like too much considering I only need to generate two api tokens. Am I missing something?
There are some alternative ways to generate access token and access token secret for OAuth 1.0A via command line tools which allow you to use the “PIN-based” OAuth flow.
One example would be Twitter’s own twurl tool for API testing, which requires you to also have Ruby installed. This will let you authenticate a user account (it still pops open a window onto twitter.com to have you do the authentication) and stores them into the ~/.twurlrc file in your home directory. There is also tw-oob-oauth-cli which is a standalone app for doing the same thing.
You're not missing something. The reason this is required is to force users have a browser they trust open and see that they are on https://twitter.com/, so they can trust that it's a safe place to put in their password.
I am using the meteor accounts-github module to handle my authentication/account creation in my application.
I want to ensure that any new user who attempts to sign into the application is a member of a particular Github organisation. I also want to verify this not just when the user is first created, but on every sign in. If the user has been removed from this Github organisation then they should not be able to sign in to my application.
Essentially, I am adding some admin functionality to a website, and I only want Github users who are members of a particular organisation to be allowed to sign in and perform this admin functionality (such as update some basic content).
Is there a way to perform this Github API call on every user creation and sign in event?
you will need to customize the authentication a bit, checkout my project:
https://github.com/534N/miProfile
I implemented it so that only github account is accepted.
I'm trying to use Instapaper's Simple API (http://www.instapaper.com/api/simple).
The API terms of use (http://www.instapaper.com/api/terms) says apps should not store user id and password, and I don't want to store them either. However, it seems that the only way to add a link to a user's Instapaper via simple API is to store the username/password (if the user does have a password).
Am I missing something?
The API terms of use state that:
Apps must not store users’ passwords. Passwords may only be collected for the xAuth token acquisition and must be discarded afterward.
Only the full API uses xAuth tokens. The above sentence doesn't apply to the simple API, since it uses Basic HTTP Authentication.
You still "must make reasonable efforts to prevent passwords from being compromised, and must not disclose passwords to any other services or individuals".
If you are using a native Mac application (like Apple’s Mail client or a third-party mail client like Airmail) there isn’t an easy way to save a link to Instapaper without first opening the link in a browser and then using one of Instapaper’s browser extensions to actually save the article.
One workaround that I’ve found to expedite this task is to write a service for OS X which uses Instapaper’s API to save links.
In order to write your own service, first open Apple’s Automator application and create a new Service. Then, drag the Run Shell Script action into the application’s main workflow area.
Make sure the service receives no input, can be used by any application, and that the shell script is set to run python.