How can I have a multilevel dagbank with captcha - yodlee

The default multi-level dagsite has a combination of Q&A + OTP/token. I am not sure how to modify the file to include captcha, or whether this is possible.

As of now the multi-level dagSite does not support Q&A + captcha or token + captcha. But the functionality for these types would be similar to Q&A + token, where you have to handle one type of MFA at a time.

How to use the AddAuthparameter procedure?

I have to add an authorization to a REST request in Delphi.
Can someone give me an example of how to call the AddAuthParameter procedure?
I am doing this code in the OnClick event of a button:
var
  authjo, auth1, auth2, auth3, auth4, auth5, auth6, auth7, auth8, auth9, auth10: string;
begin
  authjo := auth1 + auth2 + auth3 + auth4 + auth5 + auth6 + auth7 + auth8 + auth9 + auth10;
  Restrequest4.AddAuthParameter('Authorization', authjo, TRESTRequestParameterKind.pkHTTPHEADER);
  Restrequest4.Execute;
end;
But this does not use the Authorization token 'authjo' and I don't know why.
I must have an Authorization header like this: "Authorization Bearer :token". Am I not constructing it well in the code?
If the authentication expects a Bearer token, you must add that to your call:
Restrequest4.AddAuthParameter('Authorization', 'Bearer ' + authjo, TRESTRequestParameterKind.pkHTTPHEADER);
Having messed around with Delphi to access an API (In my case Trakt), I managed to authenticate with OAuth2. But I ran into the very same problem as you did.
I have just asked my question here:
Accessing TRAKT API from Delphi - issues with Bearer authentication [SOLVED]
As I understand it, the root cause is that adding headers like we do will create a parameter entry that is "Authorize=Bearer [token]" whereas it should be "Authorize:Bearer [token]".
See here:
How to add a "Authorization=Bearer" header with Indy in Delphi?
I have managed to mitigate the issue and would like to refer to that thread.
Also, the tool Fiddler was most helpful to see what my app actually sent and what it got back.

How can i know that my Youtube API Data is correct?

I'm having some trouble understanding something related to the YouTube API.
So my code is basically very simple:
import json
import urllib.request

name = input("enter the username: ")
key = "MY API KEY"
# channels.list, selecting the channel by its legacy username
url = ("https://www.googleapis.com/youtube/v3/channels?"
       "part=statistics&forUsername=" + name + "&key=" + key)
data = urllib.request.urlopen(url).read()
subs = json.loads(data)["items"][0]["statistics"]["subscriberCount"]
print(name + " has " + "{:,d}".format(int(subs)) + " subscribers!🎉")
It's just yelling the number of subscribers after being given a specific YouTube username.
The thing is that for some usernames (for example: Vsauce/Veritasium/Unbox Therapy) which have many subs, the API URL gives me wrong data:
Vsauce - gives me back 72 subs
Veritasium/Unbox Therapy - doesn't give me any number at all
BUT, the channel "Computerphile" gives me exactly the same subs they have.
How come a few usernames work and a few do not?
I tested in both the try-it functionality available in the YouTube Data API official documentation and in the Google API Explorer, and in both sites the results are closely¹ similar.
For example, when the statistics of the YouTube user vsauce are requested via the YouTube API, the value in subscriberCount is 14220819, and checking his YouTube channel it says: 14,220,825.
Here is the example for request the statistics of the YouTube user vsauce (using the try-it)
And here is the demo for request the statistics of the YouTube user vsauce (using the Google API Explorer).
I didn't see any differences in the values in subscriberCount by requesting the other channels you mentioned in your question.
¹ You need to consider that some channels have more changes in the quantity of subscribers than others, and such results vary too in the responses of the API.
For some reason, if you change forUsername= to id= in the URL,
it gives you the correct numbers.
TED channel:
https://www.googleapis.com/youtube/v3/channels?part=statistics&id=UCAuUUnT6oDeKwE6v1NGQxug&key=AIzaSyDjnINqqxQlIg4kbXoPDVYOhHNfdmDbb9I
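The two answers above point at the same root cause: a channels.list lookup by forUsername can come back with an empty items array, and the question's code then fails on items[0]. The following is an added example (not the questioner's code and not Google's) that builds the URL with proper encoding, selects by either forUsername or id, and treats an empty result as "not found" rather than crashing; the YOUTUBE_API_KEY environment variable, the sample responses and the hiddenSubscriberCount handling are assumptions made here.

```python
import json
import os
import urllib.parse
import urllib.request

CHANNELS_URL = "https://www.googleapis.com/youtube/v3/channels"


def build_channels_url(key, username=None, channel_id=None):
    """Build the channels.list URL, selecting by legacy username (forUsername)
    or by channel id (id). urlencode escapes spaces such as in "Unbox Therapy"
    instead of pasting them raw into the URL as the question's code does."""
    if (username is None) == (channel_id is None):
        raise ValueError("pass exactly one of username or channel_id")
    params = {"part": "statistics", "key": key}
    if username is not None:
        params["forUsername"] = username
    else:
        params["id"] = channel_id
    return CHANNELS_URL + "?" + urllib.parse.urlencode(params)


def parse_subscriber_count(body):
    """Return subscriberCount as an int, or None when the response has no items
    (no channel carries that legacy username, or the id is unknown) or when the
    channel hides its count. Indexing items[0] blindly raises IndexError instead."""
    items = json.loads(body).get("items") or []
    if not items:
        return None
    stats = items[0].get("statistics", {})
    if stats.get("hiddenSubscriberCount"):
        return None
    return int(stats["subscriberCount"])


def fetch_subscriber_count(key, **selector):
    with urllib.request.urlopen(build_channels_url(key, **selector)) as resp:
        return parse_subscriber_count(resp.read().decode("utf-8"))


# Constructed responses in the shape of channels.list output: a hit and a miss.
SAMPLE_HIT = ('{"items":[{"id":"UCxxxxxxxx","statistics":'
              '{"subscriberCount":"14220819","hiddenSubscriberCount":false}}]}')
SAMPLE_MISS = '{"pageInfo":{"totalResults":0,"resultsPerPage":0}}'

if __name__ == "__main__":
    key = os.environ.get("YOUTUBE_API_KEY", "PLACEHOLDER_KEY")  # not hard-coded
    print(build_channels_url(key, channel_id="UCAuUUnT6oDeKwE6v1NGQxug"))
    print(parse_subscriber_count(SAMPLE_HIT), parse_subscriber_count(SAMPLE_MISS))
```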

How to proceed with MFA with Multi-Level situations?

I'm having some difficulties implementing the MFA workflow with Yodlee. The workflow does not specify how to proceed with multi-level banks, for example, when a bank asks for a phone number to send an SMS with a temporary PIN.
{
  "isMessageAvailable": true,
  "fieldInfo": {
    "responseFieldType": "text",
    "minimumLength": -1,
    "maximumLength": 25,
    "displayString": "Enter your Mobile Number or eMail ID where to send the temporary PIN"
  },
  "timeOutTime": 111750,
  "itemId": 0,
  "memSiteAccId": xxxxxxxx,
  "retry": false
}
In this situation, what do I have to do? Keep calling the getMFAResponseForSite every 2 seconds?
Also, in order to perform the putMFARequestForSite, which type should I use?
com.yodlee.core.mfarefresh.MFATokenResponse
com.yodlee.core.mfarefresh.MFAQuesAnsResponse
com.yodlee.core.mfarefresh.MFAImageResponse
There are 3 types of MFA (to know about the types of MFA, refer to what-is-the-mfa-differences-spotted-in-this-case).
To differentiate between them you can use the response of getMFAResponseForSite.
SECURITY_QUESTION - The response from getMFAResponseForSite looks like:
"fieldInfo": {
  "questionAndAnswerValues": [
    {
hence you need to use com.yodlee.core.mfarefresh.MFAQuesAnsResponse.
IMAGE - The response from getMFAResponseForSite looks like:
"fieldInfo": {
  "responseFieldType": "text",
  "imageFieldType": "image",
  "image": [
hence you need to use com.yodlee.core.mfarefresh.MFAImageResponse.
TOKEN_ID - The response from getMFAResponseForSite looks like:
"fieldInfo": {
  "responseFieldType": "text"
Since there is no indication of Q&A or image, you need to use com.yodlee.core.mfarefresh.MFATokenResponse.
You can also check the various responses of MFA at getMFAResponseForSite and getMFAResponse. The fieldInfo returned by both methods is the same and hence can be used to identify the type of MFA.
So in the case of multi-level MFA you will have to use some combination of the 3 listed MFA types, one level at a time.
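The dispatch rule in this answer (Q&A values present, image present, otherwise a plain text token prompt) and the one-level-at-a-time handling can be written down directly. This is an added example, not Yodlee's SDK or the answerer's code: classify_mfa maps a fieldInfo payload to the MFA type and the response class named above, and run_multilevel_mfa drives a sequence of levels through injected poll/answer callables so it runs offline; the LEVELS payloads are constructed from the question's phone-number prompt plus an assumed follow-up PIN prompt.

```python
# Fully qualified Yodlee response classes listed in the answer above.
QA_CLASS = "com.yodlee.core.mfarefresh.MFAQuesAnsResponse"
IMAGE_CLASS = "com.yodlee.core.mfarefresh.MFAImageResponse"
TOKEN_CLASS = "com.yodlee.core.mfarefresh.MFATokenResponse"


def classify_mfa(field_info):
    """Map the fieldInfo of a getMFAResponseForSite payload to the MFA type
    and the response class to send back with putMFARequestForSite."""
    if "questionAndAnswerValues" in field_info:
        return "SECURITY_QUESTION", QA_CLASS
    if "image" in field_info or field_info.get("imageFieldType") == "image":
        return "IMAGE", IMAGE_CLASS
    if field_info.get("responseFieldType") == "text":
        return "TOKEN_ID", TOKEN_CLASS   # plain text prompt: no Q&A and no image
    raise ValueError("unrecognised fieldInfo: %r" % (field_info,))


def run_multilevel_mfa(poll, answer):
    """Drive a multi-level flow one level at a time. poll() returns the next
    getMFAResponseForSite payload, or None once the refresh has completed;
    answer(mfa_type, field_info) submits the user's reply for that level.
    Returns the MFA types handled, in order. The caller sleeps between polls."""
    handled = []
    while True:
        payload = poll()
        if payload is None:
            return handled
        if not payload.get("isMessageAvailable"):
            continue   # the site has not asked anything yet; keep polling
        mfa_type, _response_class = classify_mfa(payload["fieldInfo"])
        answer(mfa_type, payload["fieldInfo"])
        handled.append(mfa_type)


# Constructed payloads: the phone-number prompt from the question, then an
# assumed second level asking for the PIN, then completion (None).
LEVELS = [
    {"isMessageAvailable": False},
    {"isMessageAvailable": True, "fieldInfo": {"responseFieldType": "text",
     "displayString": "Enter your Mobile Number or eMail ID where to send the temporary PIN"}},
    {"isMessageAvailable": True, "fieldInfo": {"responseFieldType": "text",
     "displayString": "Enter the temporary PIN"}},
    None,
]


def demo():
    queue = list(LEVELS)
    return run_multilevel_mfa(poll=lambda: queue.pop(0), answer=lambda t, f: None)
```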

Mediafire api call Signature(session token 2)

I don't see any post related to generating a call signature (session token 2) using the MediaFire API. So, here is my question.
I am trying to use the get_info API to get the user information, but I am having a problem generating a call signature (session token 2).
I am reading the documentation given here, where it says that to generate the call signature we need the formula:
The signature = the Message-Digest (MD5) of the 'secret_key' modulo 256 + 'time' + the URI of the API call.
I have the secret_key and time, which I got from calling the get_session_token API. The problem lies (I guess) in the URI of the API call.
In my case, I wanted to call the get_info API, so I replaced the URI with "/api/user/get_info.php". But I got an error saying I have an invalid signature. What am I doing wrong here?
signature = sha1(email + password + application_id + API_Key)
I see that in here: https://github.com/MediaFire/mediafire-php-open-sdk/blob/master/mflib.php

Security for a REST based API

I have been looking at techniques to secure an API for use in an android/iphone app or website application.
I have found one technique which I like, but am unsure whether it is good or what is wrong with it (aside from being a pretty long process).
Processing (user's side initially):
First a salt is created by hashing the user's password.
Then a signature is created by hashing the requested URL (with the username appended on the end via a query string) and the salt.
Lastly a token is created by hashing the username and the signature.
The token is passed inside a header to the server (every time).
First request:
The first request must be for the validate endpoint and include the device_id as a query string.
The same processing (as above) is done on the server, and if the token matches the one sent from the user, then the device_id is stored in the database and assigned to that username for future reference (the device id is found in the requested URL) and is used to verify the username/device thereafter.
All subsequent requests:
The processing must take place on the user's end and the server's end for every request, with the token being different every time (as the requested URL changes).
No code is included as it is not written yet.
Your authentication model is a shared secret authentication. In your case your user's password serves as the shared secret. You need to ensure you have a secure way for getting the password to the user and server ahead of time. In order to sign the request you create a message with all your request headers and data. Then hash that request. Then that hash (token) will be passed with the request. The server will perform the same signing and hashing process on the server and ensure the tokens match.
In your example you sound like you want to create the token with this pseudo code:
Token = hmac-sha1( Hash(Password + Salt) + RequestUrl + UserName )
Your way is not bad but I would compare your method to Amazon's REST Auth model and implement a closer version of what they have detailed. http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
Their implementation:
"Authorization: AWS " + AWSAccessKeyId + ":" + base64(hmac-sha1(
    VERB + "\n"
    + CONTENT-MD5 + "\n"
    + CONTENT-TYPE + "\n"
    + DATE + "\n"
    + CanonicalizedAmzHeaders + "\n"
    + CanonicalizedResource))
They have good reasons for including some fields that you have left out, including but not limited to:
The timestamp is to prevent replay attacks.
The Content-MD5 prevents people tampering with the request data (relevant to POST and PUT).
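The scheme the answer recommends, written out as an added example (not the answerer's code and not Amazon's implementation): the client HMAC-SHA1s a canonical string made of verb, Content-MD5, Content-Type, Date and resource, exactly the fields the questioner's design omits, and the server recomputes it over what it actually received, compares in constant time and rejects requests outside a replay window. The "MYAPI" scheme name, the Unix-timestamp Date, the 300-second window and the sample key are assumptions made here; the Amz headers line is dropped because a custom API has none.

```python
import base64
import hashlib
import hmac
import time

SCHEME = "MYAPI"        # stands in for "AWS" in the header shown above
SKEW_SECONDS = 300      # replay window: reject requests dated too far from now


def string_to_sign(verb, body, content_type, date, resource):
    """Canonical request in the shape of the S3 scheme above: VERB, Content-MD5,
    Content-Type, Date and resource, newline separated. Date is a Unix timestamp
    here; a body change alters Content-MD5 and therefore the signature."""
    content_md5 = base64.b64encode(hashlib.md5(body).digest()).decode() if body else ""
    return "\n".join([verb, content_md5, content_type, str(date), resource])


def sign(secret, verb, body, content_type, date, resource):
    msg = string_to_sign(verb, body, content_type, date, resource).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha1).digest()).decode()


def authorization_header(key_id, secret, verb, body, content_type, date, resource):
    """Client side: only the key id and the MAC travel; the secret stays local."""
    return SCHEME + " " + key_id + ":" + sign(secret, verb, body, content_type, date, resource)


def verify(secrets, header, verb, body, content_type, date, resource, now=None):
    """Server side: check the Date window, look up the secret by key id, recompute
    the MAC over the request as received and compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - date) > SKEW_SECONDS:
        return False                      # stale or future-dated: possible replay
    try:
        scheme, rest = header.split(" ", 1)
        key_id, presented = rest.split(":", 1)
    except ValueError:
        return False                      # malformed header
    if scheme != SCHEME or key_id not in secrets:
        return False
    expected = sign(secrets[key_id], verb, body, content_type, date, resource)
    return hmac.compare_digest(expected, presented)


# Constructed demo: a shared-secret table as the server would hold it.
SECRETS = {"AKIDEXAMPLE": "constructed-shared-secret"}

if __name__ == "__main__":
    hdr = authorization_header("AKIDEXAMPLE", SECRETS["AKIDEXAMPLE"], "PUT",
                               b'{"amount":10}', "application/json", 1700000000, "/accounts/42")
    print(hdr, verify(SECRETS, hdr, "PUT", b'{"amount":10}', "application/json",
                      1700000000, "/accounts/42", now=1700000010))
```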