Writing Rules both in Firebase and in your Code - firebase-security

Firebase suggests we write security rules in both our Firebase rules section online at their console for (database/storage) in addition to the rules that we have in our code (Swift/Java, etc.). Why is this? I feel like this would be repetitive?

This is very common in a client-server architecture.
The server must validate the data to ensure that no invalid/corrupt data ever gets written to the database.
The client should validate the data to give the user the best experience.
Think of an example here: say that you have a travel site where the user selects the start and end date of their journey. A common validation will be that the end date cannot be before the start date. In Firebase database security rules this could be:
```json
{
  "journeys": {
    ".validate": "newData.child('startAt').val() > now && newData.child('endAt').val() > newData.child('startAt').val()"
  }
}
```
We did an extra check here: you also cannot book travel before now. This is much simplified, but hopefully illustrates the server-side aspect.
On the client side you'll typically show a calendar. When the user opens that calendar, you want to ensure they can't select dates before today. You'll also want to ensure that the end date can only be after the start date. If you've ever used a travel site where this last bit wasn't implemented, you'll know how annoying it is. Annoyed users go to other sites.
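The same journey check done on both sides, as an added example that is not part of the original answer: the client-side pre-check a booking form would run, and a plain-JS mirror of the `.validate` rule above, both run over constructed sample writes. Dates are epoch milliseconds, the same unit as the rule's `now`.

```javascript
// Added example, not from the original answer: the journey check done twice,
// as the client-side pre-check a booking form would run and as a plain-JS
// mirror of the ".validate" rule above, evaluated on constructed sample writes.
// Dates are epoch milliseconds, the same unit as the rule's `now`.

// Client side: same logic as the rule, but returns reasons the UI can show.
function clientCheck(journey, now) {
  const problems = [];
  if (!(journey.startAt > now)) problems.push('start date must be after today');
  if (!(journey.endAt > journey.startAt)) problems.push('end date must be after start date');
  return { ok: problems.length === 0, problems };
}

// Server side, mirroring:
//   newData.child('startAt').val() > now &&
//   newData.child('endAt').val() > newData.child('startAt').val()
// The rules language is typed, so a string compared with a number does not pass;
// the typeof guards stand in for that, which matters for writes that skip the client.
function serverRuleAllows(newData, now) {
  const { startAt, endAt } = newData;
  return typeof startAt === 'number' && typeof endAt === 'number'
    && startAt > now && endAt > startAt;
}

// Constructed sample writes (not real bookings). DAY is one day in milliseconds.
const DAY = 86400000;
const NOW = 1700000000000;
const SAMPLE_WRITES = {
  valid: { startAt: NOW + 2 * DAY, endAt: NOW + 5 * DAY },
  endBeforeStart: { startAt: NOW + 5 * DAY, endAt: NOW + 2 * DAY },
  inPast: { startAt: NOW - DAY, endAt: NOW + DAY },
  // A write sent straight to the database with the client check bypassed:
  tampered: { startAt: NOW + 2 * DAY, endAt: '2099-01-01' },
};

// Run every sample through both checks; the server result is the one that counts.
function evaluateAll(now = NOW) {
  const results = {};
  for (const [name, write] of Object.entries(SAMPLE_WRITES)) {
    results[name] = { client: clientCheck(write, now).ok, server: serverRuleAllows(write, now) };
  }
  return results;
}
```

Only the `valid` write passes the server mirror; the tampered write shows why the rule has to exist even when the form already checks the dates.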

Related

Paypal REST API returning 404 Not Found only in live mode

Having a weird problem with the PayPal API. I'm using the Subscriptions API and before creating a subscription, I need to create a plan. In the Sandbox environment, the resource /billing/plans (https://api.sandbox.paypal.com/v1/billing/plans) works fine, but in Live mode (https://api.paypal.com/v1/billing/plans) I get '404 Not Found' with an empty body. Didn't find any hint in the docs. Any ideas?
https://developer.paypal.com/docs/api/subscriptions/v1/
Paypal's customer service is very poor. We will not get any answer from them.
Temporarily, we can use the backend to create one via https://www.paypal.com/billing/plans/plan/create
I contacted the Merchant Technical Support (https://www.paypal-support.com/s/?language=en_US), they made a correction and now it's working again.
A couple of easy mistakes you could have made (which I made) that give rise to 'the blank screen'. A very easy one: check that your country codes comply with the ISO standards. I was using UK instead of GB. Particularly your shipping address. You can replicate this error by putting in the wrong country code.
Also ensure that your start_date is greater than the current date. The test samples contain old start dates which are behind current dates. Increment the date function with 36000 instead of 3600 to ensure that your start date is greater than an extra hour from your current date or just hardcode a very late date. Your server might be operating at a different timezone.
The token passed was not found in the system....If you have a blank screen it is likely that the access token is not being passed after the 'first run' because you do not have an approval link as a result of the pre-passing error. It sounds like it could be a basic content error but you have likely checked for this.
Check the runtime log file and look out for the approval link. A successful 201 pass will give you something like the following.
```json
"links":
[
  {
    "href": "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-22608875RF361971P",
    "rel": "approval_url",
    "method": "REDIRECT"
  },
  {
    "href": "https://api.sandbox.paypal.com/v1/payments/billing-agreements/EC-22608875RF361971P/agreement-execute",
    "rel": "execute",
    "method": "POST"
  }
]
```
These are some of the errors that I have encountered which might be of use to you perhaps.

How to sum scheduled work hours for a user?

I wonder if it's possible to sum up a user's scheduled work hours?
I have customized the user entity and added a field that I want to show the user's total defined work hours in for the current week. But I don't know how to access the entity containing work hours. The problem is that I'm in an online organization and I can't access the database.
I've tried downloading SDK and of course googling. Since I'm a beginner I haven't found anything useful.
I've found an example for selecting time spans of working hours of a certain user. It's found in the SDK but, given that the example is written as a console application in C#, it might be perceived as unnecessarily complicated.
Also, it's mentioned that there's a field on the user entity; I assume that for this particular task, JavaScript might be more suitable, and such an example I haven't seen.
This page presenting the source code is on MSDN. The bottom line is that you create a service and then execute the below.
```csharp
// Query the user's available working time for the next 14 days.
QueryScheduleRequest scheduleRequest = new QueryScheduleRequest
{
    ResourceId = GetRegardedUserId(),
    Start = DateTime.Now,
    End = DateTime.Today.AddDays(14),
    TimeCodes = new TimeCode[] { TimeCode.Available }
};
QueryScheduleResponse scheduleResponse
    = (QueryScheduleResponse)_serviceProxy.Execute(scheduleRequest);
```
For more information on how to handle the requests to scheduling and working hours see this article and for service appointments look over here.

Xcode 6: parse online calendar

I am currently creating an app, in which the user is able to book devices (which are provided by a JSON file) for a certain time period (start date - end date). I was planning to use an online calendar, such as http://30boxes.com/welcome.php, to check if the requested device is currently in use by another user at this period of time.
What might be the best strategy to parse that online calendar?
Just noticed this website has an API, which makes it super easy to set and get the calendar data. I feel stupid right now: http://30boxes.com/api/

Apply pattern recognition to user authentication for malicious attempts

To strengthen the authentication mechanism (web), I would like to log a user fingerprint for every attempt and apply pattern recognition to distinguish malicious attempts. For example if the user always logs in from European computers and there is an attempt made from China, the user is blocked until the user confirms (via email, for example) to allow logins from China.
I have a very, very small knowledge of pattern recognition from a university course. However, I cannot recall enough to start developing this service. What I know is that you should look at these various features:
Browser agent string, resulting in:
    Operating system
    Browser vendor
IP address, resulting in:
    Location
Time stamp of login
Number of (failed) attempts (within session, or total)
You search for patterns and any extraordinary attempt is marked because it does not follow the average pattern. You probably will apply a threshold, so if a user logs in at night or has a new PC, it still works.
There are also a few requirements: first, the check of an attempt must be made real-time. You cannot block access after 2 minutes if the credentials were OK but you found out later on the attempt could have been malicious. Furthermore, all our apps are written in PHP, but PHP is probably too slow for this. I prefer to use Python then, but subsequently there is also a binding to Python required.
So the question is: where to start? What is the best approach to accomplish this? I can log all data in a key storage like Redis or document based like Mongo. How would I design a service which allows validating a new attempt with certain features against a bulk of known other attempts, and returns whether the attempt matches the average in a timely fashion, say 250ms?
What you want to do is called anomaly detection; Wikipedia is a good place to start. As a first stab, you might want to try clustering:
You will need a data set. The good news is clustering is unsupervised, so you will not have to mark up a ton of login attempts as regular or malicious.
For a given user, keep a history of their past N logins (big brother warning!) and features of those logins. The features you have listed are a good start, but you can think of more.
Apply a clustering algorithm to estimate what the average login is like. For every new attempt you can calculate the distance from the average and decide if it looks malicious or not.
As a side note, you can go a long way without learning. My intuition is the location of the login and the number of failed attempts will get you most of the way there. A simple if-else might be good enough.
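The "distance from the average login" idea from the answer, as an added example that is not part of the question or the answer: a weighted score over a user's last N logins, heavy on location and failed attempts as the answer suggests, with a threshold so a new PC or a late-night login alone still gets through. The history and attempts are constructed, and the feature names country/os/browser/hour/failed are my assumptions.

```javascript
// Added example, not from the question or its answer: the "distance from the
// average login" idea done as a weighted score over a user's last N logins.
// History and attempts are constructed (no real users or addresses); the field
// names country/os/browser/hour/failed are my assumptions for the features.

const HISTORY_SIZE = 20;       // N past logins kept per user (assumed value)
const BLOCK_THRESHOLD = 2.0;   // at or above this, ask for e-mail confirmation

// Share of the user's recent logins that had this value for a feature (0..1).
function familiarity(history, feature, value) {
  if (history.length === 0) return 0;
  return history.filter(h => h[feature] === value).length / history.length;
}

// Circular distance between two hours of day, scaled to 0..1 (12 h apart = 1).
function hourDistance(a, b) {
  const d = Math.abs(a - b) % 24;
  return Math.min(d, 24 - d) / 12;
}

// Score one attempt against the history; higher means further from the average.
function scoreAttempt(history, attempt) {
  const recent = history.slice(-HISTORY_SIZE);
  let score = 0;
  // Location carries the most weight, as the answer suggests.
  score += 2.0 * (1 - familiarity(recent, 'country', attempt.country));
  // A new PC (new OS and browser) is normal: weighted so it alone stays under threshold.
  score += 0.3 * (1 - familiarity(recent, 'os', attempt.os));
  score += 0.3 * (1 - familiarity(recent, 'browser', attempt.browser));
  // Unusual time of day, compared with the mean login hour (approximate but cheap).
  const meanHour = recent.reduce((s, h) => s + h.hour, 0) / Math.max(recent.length, 1);
  score += 0.5 * hourDistance(meanHour, attempt.hour);
  // Failed attempts preceding this one count directly, capped so they cannot dominate.
  score += 0.5 * Math.min(attempt.failed, 4);
  return score;
}

// Real-time decision for a new attempt: allow, or block until the user confirms.
function decide(history, attempt) {
  if (history.length === 0) return { score: 0, action: 'allow' }; // no baseline yet
  const score = scoreAttempt(history, attempt);
  return { score, action: score >= BLOCK_THRESHOLD ? 'confirm-by-email' : 'allow' };
}

// Constructed history: office-hours logins from DE and NL on Windows + Firefox.
const HISTORY = Array.from({ length: 10 }, (_, i) => ({
  country: i % 3 === 0 ? 'NL' : 'DE', os: 'Windows', browser: 'Firefox',
  hour: 9 + (i % 8), failed: 0,
}));
```

The scoring is a handful of array passes per attempt, so it fits the 250ms budget even when the history is read from Redis or Mongo on each call.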

Trac plugin to send email number of new and closed tickets and their details based on define schedule

I am looking for a way or a plugin so that Trac sends me email about the number of new or closed tickets (and some information about these tickets also) for a specific duration, let's say for the last three days.
Basically I need to know how many tickets have been created in last week and how many of them have been closed at the end of week.
Of course the email only should be sent to the admin and not to all the users.
For additional Trac functionality we have Trac plugins, yes. And the first place to look for them is trac-hacks.org.
The excellent TagsPlugin in use over there already delivers some hints on resources tagged with notification or notifications. The most comprehensive and mature solution is certainly TracAnnouncer with a just reworked configuration interface providing a highly sophisticated opt-in and opt-out subscription system. Unfortunately digest notifications are not integrated today.
Still there are other plugins that fill in the gap, i.e. check the XMailPlugin. It claims to do configurable instant, daily and weekly notifications, so this may be for you. Since this is a relatively new plugin, you should expect some pending issues, but the author might be very open to your suggestion. If you're becoming a heavy user giving valuable test feedback and a bit lucky too, asking kindly could be enough to make things happen.
There's a slightly different way to solve this problem that doesn't require any plugins. First, create a custom "timeline" view that displays the information that you want. In your example, this would be all "opened and closed tickets" starting from "today" and going back three days. When viewing this custom view, you should see a link at the bottom of the page that says "RSS Feed" (on my system, the resulting URL looks something like this: http://myserver/timeline?ticket=on&max=50&authors=&daysback=3&format=rss). Click on this link to subscribe to the feed using your web browser, email client, or other program capable of reading feeds. Now, you can view the results live at any time. What you can do at this point is only limited by the capabilities of your feed reader app, but most can at least be configured to notify you when the feed is updated.