I need to add additional validation to emails in the registration process, so I will add an app on an external server to handle this using the API. But I want to save custom settings data per store, to access it later from the app; this is to handle additional information without creating another database.
Is this possible?
When a store owner installs my app I save access tokens into a database for later use. Having access tokens from stores is a huge security responsibility because anybody with these tokens can modify stores from any domain/address; there is no IP or domain lock.
What method could I use to make this more secure? I was thinking of saving tokens offline and then uploading them only when needed (in case I need to make some global updates for all stores), then deleting them again. In the case when a merchant accesses the app configuration within the admin, I would just save it in the session. Is there any better method?
Good question.
I save them in a database as well, but I encode them with a separate key from the Shopify App password. That way even if someone has access to the database because of some backdoor entrance he won't be able to use them. That said, if someone has access to the code he will be able to figure out how to decrypt it since he will have access to the key.
That said, I make sure that each and every request is authenticated before I return any response from the server. Since I'm using NodeJS as the back-end, I make sure that there are no global variables that can be accessed or modified from different stores. Everything is neatly scoped in separate functions so that the session is scoped to the current store and no other one will be able to dirty another store's session.
In addition I make sure that there is a webhook that fires when the client uninstalls the app in order to clear my database of any information regarding his store.
I know some people are using sessions for this (online method) but they pose other problems that I didn't like, so I stuck with a database (offline) since that is the quicker way to access the App instead of multiple redirects in order to save the session.
As for proposals, I can give you a few tips that I learned on my way while building a few basic Apps. (I'm not an expert on the subject by any means.)
don't rely on any cookies when it comes to sensitive information
authenticate every request that comes from the front-end
don't trust the user and validate any input that comes from the front-end
don't over-complicate your setup; while it's good to have high security, it's bad if it makes your app slow for the user and you lose customers
look at other ready-to-use popular solutions that can guide you to the correct path
don't get greedy with the App scopes; only request the scopes that you need for your app
remember to clean up after yourself when it's possible, but don't overdo it (too many Apps modify the code of customers and break it only to prevent any way to clean it afterwards). Example: use the ScriptTag API instead of a liquid snippet using the Asset API. If you have to use the Asset API, add only the parts that you know won't break a site. Creating a variable is OK if you are using var; if the site supports IE11, creating a variable using const or let is not OK. Using vanilla JS is OK, but using jQuery without knowing for sure that the site has it installed globally is not OK.
More insights on the matter can be seen here:
https://help.shopify.com/en/api/getting-started/authentication/oauth/api-access-modes
https://community.shopify.com/c/Shopify-APIs-SDKs/Best-way-to-store-shops-that-have-installed-my-app-and-their/m-p/402972
I see that there's a row for each user in the "Authentication" section of Firestore with their data. Am I able to query for users in this table and add columns, or to create a new collection of users with a one-to-one mapping from user in the authentication section to user in the collection? If it's the latter, is there any way to both create a new user account and create the corresponding document in the collection as part of a single transaction?
Firestore doesn't have an "Authentication" section. Firestore only lets you read and write data into its database. Firebase Authentication is a different product that keeps track of logged in users in a way that's completely separate from Firestore. You can't query users in Firebase Authentication using Firestore. In fact, you also can't even query Authentication using the mobile client libraries (because that would be a possible security hole for your app).
If you want to query for all users in your app, you're going to have to arrange for each user to write a document in some collection in Firestore that can be queried by the Firestore client libraries.
You can use Cloud Functions with the Admin SDK. Make an HTTP endpoint or an HTTP Callable that queries admin.auth. But this is not secure. The best way to do that is registering a Firestore document whenever a user is created, using functions.auth.user().onCreate.
We have an existing OAuth2 based website. Our plan is to use a web based (XMPP over websockets) chat system.
Now this chat system will be available once the user logs in. What we actually do not want is to log in twice, once for the web site and once for the chat system.
So I figured out how to trick it with my own auth provider and a custom username/password.
So basically the question is how do I have an object that I want to travel along with the user chat session so that I can provide out of band processing.
Does the session management allow this?
In a similar use-case, I needed to persist and store various pieces of information about a user in Openfire, so that external calls and look-ups are not necessary during later custom logic in an Openfire plugin. It is possible to add any number of custom properties to an Openfire user via REST or other APIs.
Then, those custom properties can be retrieved as needed, without external calls.
Create user API
Then, if using internal APIs, you:
get the session's username or address (JID)
call UserManager's getUser on the username or JID to get the User object
call User's getPropertyValue to get a specific property, or getProperties to retrieve all custom user properties
I'm new to Piranha CMS and just trying to get my head around it. I'm using the MVC implementation and I need to do the following:
I need to extend the User with a property that stores an account number.
I need a page that is only accessible once the user logs in
On this page, I need to call a REST API on another server, using the account number as a parameter, to retrieve a list of documents that the user has stored on this server.
When the user clicks the document, it will be downloaded as a PDF using the REST API once again
I just need general guidance on how to do this. How do I store the account number against the user (and manage this), and do I need to create a new Region that will show the list of documents from the remote server? Is there an example of creating a new Region anywhere, maybe returning a list from SQL that I can adapt?
Any help gratefully received.
Thanks in advance
Mike
The easiest way is to implement an extension with your custom fields that you attach to the user where you store this information.
When editing a page, go in under "settings" and select which groups should have access to your page. For this purpose I suggest creating a new group for site users that are not admins.
This should be easily implemented in either the controller or the model for your page. When the user is logged in, "User.Identity.Name" is the user id. Get the user, load the extensions and use the account number.
See number three.
Regards
Can I set some properties for a Worklight app from another Worklight app in the same project?
I want to make one configuration app which configures properties, like date format/time format/enabling or disabling some functionality etc., for different Worklight applications in the same project.
Is that possible?
You could probably achieve this, but there is nothing built-in or existing that does this.
Whatever you do will have to go through the Worklight Server and not peer-to-peer.
Here's what you could possibly do (you'll need to actually implement it and see how feasible it is):
Note that this is highly simplified; it's just general steps.
User application
Application launches
User logs-in
Upon successful log-in, invoke some "RemoteControl" adapter procedure, "applySettings".
By default this will return a pre-defined configuration, a set of application settings that the client logic will know how to apply, for example some JSON object containing key:value pairs that you apply logic based on.
Since all client applications connect to the Worklight Server, they are registered in the database with the user identity.
Controller application
In the Controller application, you will be able to retrieve a list of all registered users as well as the settings that are set for each of the listed users, using the "RemoteControl" adapter procedure "retrieveRegisteredUsersAndSettings".
Devise some UI for all users and the available settings, with checkboxes etc. marked according to whichever settings are enabled or disabled per user.
Have another procedure in the same "RemoteControl" adapter, "setSettings". This will store the user settings in the database.
When the user logs in, these same settings from step 6 are applied instead of the previous default (now changed...) settings from step 3.
Notes:
You could also have it so the procedure will be invoked whenever doing any sort of request to the server rather than only after log-in. Purely applicative.
If you have more than one application, you could also save in the database (using userPrefs) which app the logged-in user uses, and then retrieve this information as well in the controller application; you can then sort the display of all of this information in the UI.