Such as WhitelistedCrowdsale.test.js in openzeppelin-solidity:
contract('WhitelistedCrowdsale', function ([_, wallet, authorized, unauthorized, anotherAuthorized]) { ... } in line 12.
why the parametes of function(...) is _, wallet, authorized, unauthorized, anotherAuthorized? Can they be other things? why?
Thanks!
Truffle injects the list of accounts available from the node you’re connected to. From the Truffle docs:
The contract() function provides a list of accounts made available by your Ethereum client which you can use to write tests.
To use these accounts, you write your test case like this:
contract(‘MyContract’, function(accounts) {
it(‘test1’, function() {
const account = accounts[0];
// do something with account
}
});
accounts is just an array. The code from OpenZeppelin you posted is expecting there to be at least 5 accounts available in the node (the same array of accounts are available via web3.eth.getAccounts()). They are just decomposing the array into specific variable names. _ is accounts[0], wallet is accounts[1], etc. You can name them whatever you want.
Related
With the Admin SDK it's possible to further enrich the administration in Shopware 6. As in the installation guide for apps stated, an entry point (base-app-url) needs to be provided in the manifest file of an app.
Since every request needs to be authenticated properly, this GET request also needs authentication. However, I am not able to authenticate this one in the same way as I am successfully doing it with the GET request from modules.
The base-app-url request looks the following (in my case with some [custom] entity privileges):
http://localhost:3000/sdk?location-id=sw-main-hidden&privileges=%7B%22read%22%3A%5B%22language%22%2C%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22create%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22update%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22delete%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%7D&shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045964&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE&shopware-shop-signature=e7b20a46487046a515638f76c6fadab6b1c749ea4a8ac6e7653527e73ba18380
The shop has the following data
Shop {
_id: 'sbzqJiPRrbHAlC2K',
_url: 'http://localhost:8888',
_secret: '3c5a2f031006791f2aca40ffa22e8febbc8a53d8',
_apiKey: 'SWIAB2PVODCWSLZNDMC5ZM1XWA',
_secretKey: 'VnNwM0ZOMnN1Y05YdUlKazlPdlduWTdzOHhIdFpacjVCYkgzNEg'
}
I am currently authenticating my modules like the following (Node.js):
const SHOPWARE_SHOP_SIGNATURE = 'shopware-shop-signature';
export function authenticateGetRequest(req: Request, shop: Shop): void {
// e7b20a46487046a515638f76c6fadab6b1c749ea4a8ac6e7653527e73ba18380
const signature = getSignatureFromQuery(req);
verifySignature(shop.secret, removeParamsFromQuery(req), signature);
}
function getSignatureFromQuery(req: Request): string {
if (!req.query[SHOPWARE_SHOP_SIGNATURE]) {
throw new Error('Signature is not present in request!');
}
return req.query[SHOPWARE_SHOP_SIGNATURE] as string;
}
function removeParamsFromQuery(req: Request): string {
// Some code
// Returns following string - Does neither work for base-app-url nor for module GET requests:
// 'shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045964'
// If the string follows this pattern, it works only for modules:
// shop-id={id}&shop-url={url}×tamp={ts}&sw-version={v}&sw-context-language={cl}&sw-user-language={ul}
}
function verifySignature(secret: string, message: string, signature: string): void {
const hmac = crypto.createHmac('sha256', secret).update(message).digest('hex');
if (hmac !== signature) {
throw new Error('Signature could not be verified!');
}
}
However the base-app-url cannot be verified correctly and the "Signature could not be verified!" error is thrown.
What am I doing wrong here?
More info:
Additionally I added a GET request for a module where everything is working:
http://localhost:3000/faq?shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045963&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE&shopware-shop-signature=0f0889c9e8086c6c3553dc946a01f2ef27b34cd1c55b0c03901b6d8a6a9b6f53
The resulting string can be verified:
shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045963&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE
Try out following code in some php sandbox environment:
<?php
$message = 'shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045963&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE';
$secret = '3c5a2f031006791f2aca40ffa22e8febbc8a53d8';
$signature = '0f0889c9e8086c6c3553dc946a01f2ef27b34cd1c55b0c03901b6d8a6a9b6f53';
$hmac = hash_hmac('sha256', $message, $secret);
if (!hash_equals($hmac, $signature)) {
echo 'Signature not valid';
} else {
echo 'Signature valid';
}
SOLUTION:
Express decodes the query strings automatically with req.query depending on your express configuration. Keep in mind to validate the hmac with encoded query params as they are passed from shopware.
In my case the only difference where the decoded privileges and they looked like this:
&privileges={"read":["language","ce_atl_faq_group_faqs","ce_atl_faq_group","ce_atl_faq"],"create":["ce_atl_faq_group_faqs","ce_atl_faq_group","ce_atl_faq"],"update":["ce_atl_faq_group_faqs","ce_atl_faq_group","ce_atl_faq"],"delete":["ce_atl_faq_group_faqs","ce_atl_faq_group","ce_atl_faq"]}
But they need to look like this:
&privileges=%7B%22read%22%3A%5B%22language%22%2C%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22create%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22update%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22delete%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%7D
Looking at the QuerySigner, this is how the signature is generated on the side of Shopware with the actual arguments:
hash_hmac(
'sha256',
'location-id=sw-main-hidden&privileges=%7B%22read%22%3A%5B%22language%22%2C%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22create%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22update%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22delete%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%7D&shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045964&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE',
'VnNwM0ZOMnN1Y05YdUlKazlPdlduWTdzOHhIdFpacjVCYkgzNEg'
);
// 8034a13561b75623420b06fb7be01f20d97556441268939e9a5222ffec12215a
Given on your side you remove the shopware-shop-signature query param AND that the secrets are equal on both sides, you should be able to regenerate the matching signature.
const crypto = require('crypto');
const message = 'location-id=sw-main-hidden&privileges=%7B%22read%22%3A%5B%22language%22%2C%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22create%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22update%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%2C%22delete%22%3A%5B%22ce_atl_faq_group_faqs%22%2C%22ce_atl_faq_group%22%2C%22ce_atl_faq%22%5D%7D&shop-id=sbzqJiPRrbHAlC2K&shop-url=http://localhost:8888×tamp=1674045964&sw-version=6.4.18.0&sw-context-language=2fbb5fe2e29a4d70aa5854ce7ce3e20b&sw-user-language=de-DE';
const hmac = crypto.createHmac('sha256', 'VnNwM0ZOMnN1Y05YdUlKazlPdlduWTdzOHhIdFpacjVCYkgzNEg').update(message).digest('hex');
// 8034a13561b75623420b06fb7be01f20d97556441268939e9a5222ffec12215a
So in theory your code looks fine. Verify that the query string matches exactly. Things to check:
Maybe your node server decodes the url entities unwantedly?
Does your node serve escape special characters in the query string?
Do the secrets match on both sides?
To consider additionally:
Consider to just point the base-app-url to a static page outside of the scope of your app server instead. As that page will be loaded inside an iframe, you can use client side javascript to read the query parameters and, only if necessary, make requests to your app server using the credentials from inside the iframe. Keep in mind you really only need the authentication if you need to handle personalized data, otherwise you might as well serve static assets without the need for authentication.
i am new to JWT concepts while i am learning in this site
https://code.tutsplus.com/tutorials/jwt-authentication-in-angular--cms-32006
in the above link at this line :
var token = jwt.sign(user, JWT_Secret);
he has written the jwt.sign() with only two parameters but while i saw few other posts where they are sending 3 parameters
my doubt is that jwt.sign() is correct
2) how to create a secret_token
3) and how to send all the required parameters to send in the jwt.sign() method
please help me i hope you understood my problem ,friends please help me
If you read the JWT docs, the function can run in two modes: Synchronously (sync) and asynchronously (async). The function can automatically decide on which method to use depending on the number of parameters and type of parameters you provide the function, and the parameters you can supply are (in order):
The data/payload
Secret key/token
Options/configs (optional, can use callback here if you use default options)
Callback function (optional, will run in async mode if you provide this)
To illustrate this, read the code below:
// Synchronous
const syncToken = jwt.sign({payload: { x: 1, y: '2'}}, 'JWT_SECRET');
console.log(syncToken);
// Asynchronous
jwt.sign({payload: { x: 1, y: '2'}}, 'JWT_SECRET', (err, asyncToken) => {
if (err) throw err;
console.log(asyncToken);
});
As for the secret token, just make a hard coded one with no need to randomize, otherwise you wouldn't be able to consistently verify your tokens if at all possible. Or as an alternative, you can perform signing and verification asymmetrically by using algorithms such as RS256, or ES256 (using public and private key pair).
I hope this answer helps.
Reference:
https://github.com/auth0/node-jsonwebtoken
Concerning the new Paypal SDK, there is almost no useful example code, and the Internet is littered with examples of the old SDK. My question concerns making an API request for a third party paypal account for which i have obtained the token and secretToken through the permissions API.
In attempting to construct a PPAPIService object, where is the list of possible sevice names?
ie: $this->serviceName = $serviceName; (in the constructor) What is the string syntax for these?
In regards to the makeRequest method, how do I define the $apiMethod variable, and what is the format of the $params variable? What are the different parameters?
A simple example of how to just obtain the account balance of the authorized third party account would be extremely helpful.
I am using PHP.
from the PPAPIService.php file:
class PPAPIService
{
public $endpoint;
public $serviceName;
private $logger;
public function __construct($serviceName = "")
{
$this->serviceName = $serviceName; //is there ANY documentation about the syntax and types of service names?
$config = PPConfigManager::getInstance();
$this->endpoint = $config->get('service.EndPoint');
$this->logger = new PPLoggingManager(__CLASS__);
}
public function setServiceName($serviceName)
{
$this->serviceName = $serviceName;
}
public function makeRequest($apiMethod, $params, $apiUsername = null, $accessToken = null, $tokenSecret = null)
{
//what are the apiMethod types? syntax? and params? type.. options...??
}
}
Well, you do not have to create a PPAPIService object directly. Let's say you want to use the Invoicing SDK, here's what you would do
$invoiceService = new InvoiceService();
$invoiceService->setAccessToken($accessToken);
$invoiceService->setTokenSecret($tokenSecret);
$createInvoiceResponse = $invoiceService->CreateInvoice($createInvoiceRequest);
There's one service class (such as InvoiceService in this code snippet) per API that you would instantiate as per your needs. The API username/password are picked from the configuration file and the access token/token secret are set via code since they typically tend to be different for different invocations.
Which API are you trying to call, by the way?
To answer on your other concern, the new PayPal SDK's have all the required samples bundled within the SDK itself. The SDK + Samples canbe downloaded from
https://www.x.com/developers/paypal/documentation-tools/paypal-sdk-index
When javascript is run in the browser there is no need to try and hide function code because it is downloaded and viewable in source.
When run on the server the situation changes. There are use cases such as api where you want to provide users with functions to call without allowing them to view the code that which is run.
On our specific case we want to execute user submitted javascript inside node. We are able to sandbox node.js api however we would like to add our own api to this sandbox without users being able to toString the function to view the code which is run.
Does anyone have a pattern or know of a way of preventing users from outputting a functions code?
Update:
Here is a full solution (i believe) based on the accepted answer below. Please note that although this is demonstrated using client side code. You would not use this client side as someone can see the contents of your hidden function by simply reading the downloaded code (although it may provide some basic slow down to inspect the code if you have used a minify).
This is meant for server side use where you want to allow users to run api code within a sandbox env but not allow them to view what the api's do. The sandbox in this code is only to demonstrate the point. It is not an actual sandbox implementation.
// function which hides another function by returning an anonymous
// function which calls the hidden function (ie. places the hidden
// function in a closure to enable access when the wraped function is passed to the sandbox)
function wrapFunc(funcToHide) {
var shownFunc = function() {
funcToHide();
};
return shownFunc;
}
// function whose contents you want to hide
function secretFunc() {
alert('hello');
}
// api object (will be passed to the sandbox to enable access to
// the hidden function)
var apiFunc = wrapFunc(secretFunc);
var api = {};
api.apiFunc = apiFunc;
// sandbox (not an actual sandbox implementation - just for demo)
(function(api) {
console.log(api);
alert(api.apiFunc.toString());
api.apiFunc();
})(api);
If you wrap a callback in a function, you can use another function in that scope which is actually hidden from the callback scope, thus:
function hideCall(funcToHide) {
var hiddenFunc = funcToHide;
var shownFunc = function() {
hiddenFunc();
};
return shownFunc;
}
Then run thusly
var shtumCallBack = hideCall(secretSquirrelFunc);
userCode.tryUnwindingThis(shtumCallBack);
The userCode scope will not be able to access secretSquirrelFunc except to call it, because the scope it would need is that of the hideCall function which is not available.
Hi I'm a little perplexed. I'm making a paypal api call with sandbox credentials. The return ACK is: success. When i go to either payer or business sandbox account no transactions have been processed. I debuged through and looks like i'm populating all the fields, plus i would think if some fields are missing the error would've been thrown. Here is the code I'm using.
.....
APIProfile apiProfile = ProfileFactory.createSignatureAPIProfile();
apiProfile.setAPIUsername(paypalAccount.getApiLogin());
apiProfile.setAPIPassword(paypalAccount.getApiPassword());
apiProfile.setSignature(paypalAccount.getApiSignature());
apiProfile.setEnvironment(paypalAccount.getApiEnvironment());
// caller
NVPCallerServices callerServices = new NVPCallerServices();
callerServices.setAPIProfile(apiProfile);
// encoder
NVPEncoder encoder = new NVPEncoder();
encoder.add(METHOD, METHOD_VALUE);
encoder.add(RETURNURL, paypalAccount.getReturnUrl());
encoder.add(CANCELURL, paypalAccount.getCancelUrl());
encoder.add(CURRENCYCODE, CURRENCYCODE_VALUE);
encoder.add(PAYMENTACTION, PAYMENTACTION_VALUE);
encoder.add(AMT, payment.getPaymentOrder().getPrice().toString());
encoder.add(L_NAME0, L_NAME0_VALUE);
encoder.add(L_AMT0, payment.getPaymentOrder().getPrice().toString());
// call
String NVPRequest = encoder.encode();
String NVPResponse = callerServices.call(NVPRequest);
NVPDecoder decoder = new NVPDecoder();
decoder.decode(NVPResponse);
String ack = decoder.get(ACK);
payment.setPaymentTransaction(decoder.get(TOKEN));
......
Any help would be awesome!
If you are using express checkout you need to make 3 calls:
SetExpressCheckout (response with a token)
GetExpressCheckout
DoExpressCheckout
Once ‘DoExpressCheckout’ passes you should be able to see a transaction logged in your sandbox buyer and merchant accounts.
Have a look at: https://www.x.com/devzone/excerpts/chapter-2-express-checkout