I'm creating a web portal that will allow customers to login, modify data as well as create and update payment and subscription data.
I'm reading that the Stripe API and Stripe.js only works over SSL.
Would it be easier to:
Keep my public site as http and once a user is logged in and authenticated switch over to https? (If this is possible).
Make the entire site accessible by https?
Not use stripe as all and use some other solution?
I read in another stack overflow post that if u use Stripe.js then you don't have to worry about sending the request over ssl. (However i think this may be false).. any insight would help.
Related
Salutations!
I have just completed my first REST API, deployed on heroku, and I decided it would be cool to make $0 a month through rapidAPI.
The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.
However when I access the site on a browser or on Postman, there is no need for an API key and therefore no restrictions in get requests.
I have noticed that the test code makes a fetch request to the rapidAPI url for the project but how can I make the heroku url accessible only from rapidAPI?
I know it's extremely unlikely someone will find my heroku app url but it is technically possible.
I appreciate your time and insights.
RapidAPI provides 2 security features to support this:
set X-RapidAPI-Proxy-Secretin the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.
There might be Heroku Addon to help with the IP filtering, but those are typically enterprise-plugin (with associated cost).
RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but are hidden from the API consumers.
Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters
I try to migrate from eBay Finding API to Browse API. My technical setting is quiet easy:
A Server searches the Browse API to find products by a keyword. Thats it.
Does anybody know if I need to implement OAuth, a redirection page for eBay-Users to log in etc.? I don't need all those features..
Thanks!
You can use the browse API with the client credential flow that mints the Application access token.
Application tokens are general-use tokens that give access to interfaces that return application data. For example, many GET requests require only an Application token for authorization.
See Documentation
The client credential flow does not require a User to Login via eBay and the redirect etc. However, you can only use the "GET" methods like getItem, getItemByLegacyId or search for example.
If you using NodeJs or Browser you can checkout the "Get Item" example here. (The library will get the Application access token automatically and return the result.)
Currently I'm trying to access data from my shopify store through local host and I'm getting the CORS error. I realize this question has been asked but I couldn't find an answer. Also I realize that this is a bad practice since credentials are exposed. I have a local computer that for a reason (with out taking the time to explain it) needs to be able to GET data from my shopify store. This HAS to be done in javascript so I am using XMLHttpRequest like so:
var url = "https://apikey:secretkey#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
this is based on this answer on SO: shopify how to get product data using php in my localhost
In the above I'm passing my apikey and secret key from an app I've setup and approved on my account. One thing I didn't do is whitelist my ip which I'm not sure if that's what would allow me to get the data. This returns a CORS error.
I've also tried this:
var url = "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
Here I pass my username and password and I get the CORS error also.
What is a challenge is that if I'm logged into the account or not logged in when I go to my browser window I can go to this url: "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2"; and the json data appears in my browser window.
Again this has to be done in javascript and it has to be done from a local computer.
The way I went about this is forget the XMLHttpRequest. To access the shopify api via my local host I used the node library provided here: https://www.npmjs.com/package/shopify-api-node
I'm marking this as the answer just in case someone in the future is attempting to do this.
all,
I need a little bit of guidance here. I have a Polymer frontend that handles Google oAuth to allow the user in the app. The front end captures the user's email address from oAuth and uses that for GET requests to a Flask API that I built on the backend. I did not build authentication into my Flask API because I didn't think I needed to since I have Polymer as the gatekeeper. I realized though that folks can see the source code and retried the API URL to use if they wanted to capture other user's data.
I am looking for guidance on how I can lock down the API backend given I am only using Google oAuth on the front end.
Thank you,
Marcos
I am not sure if this is the correct answer, but I will post my result anyway. If wrong, send feedback. I am going to have my frontend send the user's access token from the auth process in the header with every API call. My backend API will take that access token and use it to query the Google API to find what email address the token was created by. If the email matches the email the API call is requesting data for, data will be returned. If not, it will return an error.
I've been creating API and consumer by following Simple API Development with Laravel from Aaron Kuzemchak. I got the problem after I success to auth via API from my consumer; I do not know how to check it, if the consummer already success logged in or not at the other pages...
For example, at the first; I show the login page, click the submit button to check the credentials via API. The login attempt is working, success to logged in and redirect to dashboard. But, if I haven't logged in and accessed the dashboard from URL, i got the dashboard :O
The API server and the consumer have separated machine and the database only exists at the API server.
Am I doing this right (with the flow for the API and Consumer) ?
At the consumer, how can I get to know if the user already logged in or not (after success attempt the credential)? (somehow? someidea?)
Thank you before... :)
This question is very confusing, probably because I haven't watched that screencast yet, but shouldn't Auth::check() be what you are looking for? It will return true or false depending on if the user is logged in.
Just to make sure:
You have a back end API built from the tutorial posted here: http://kuzemchak.net/blog/entry/laracon-slides-and-video
You're using HTTP Basic authentication as described in the above tutorial
You're building a (consumer) front end web interface for users on a separate server
Your consumer interface uses forms based authentication (a login form)
The backend API uses HTTP basic authentication (and the consumer sends an API key for the user with each request). As such, the backend won't keep track of a user being logged in. That means your consumer interface will need to do this.
You could use the Laravel Auth class for this normally, but your front end would normally have access to the database and the bundled authentication drivers could just check a username/password.
I'd say your options are:
Store details of the user in a session using the Session class (feels a bit nasty but simple)
Write an authentication driver and then use the Auth class (advanced but cleaner: http://www.karlvalentin.de/1903/write-your-own-auth-driver-for-laravel-4.html)
Just talk straight to the database using the existing Auth class and Eloquent