How to integrate Google OAuth 2.0 with a Subdomain - google-oauth

I have found some similar questions on the website, however I couldn't find the proper answer that works for my website.
So far, OAuth looks hard to implement for me, Facebook was much easier.
I am trying to integrate OAuth to one of my websites. The problem is that I am using a subdomain for it and I'm getting an error when I press on the Google login button:
The redirect URI in the request: http://a.example.com/auth/google did not match a registered redirect URI
In Google Developers Console, I didn't add anything in the JavaScript Origins, but added the following to the Redirect URIs:
https://a.example/auth/google_oauth2/callback
I also found this .htaccess code and used it, but it doesn't seem to change anything:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^google\.
RewriteCond %{QUERY_STRING} state=([a-z0-9]+)
RewriteRule ^(.*)$ http://%1.example.com/$1 [L]
Does anyone know what needs to be done to integrate OAuth with a subdomain?

The answer is in the question. "http://a.example.com/auth/google" doesn't match "https://a.example/auth/google_oauth2/callback".
The match needs to be character perfect.
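The comparison described in the answer, as an added example that is not part of the original post: it treats the registered list as exact strings and reports which URL components differ. The function names are hypothetical, and the two URIs are the ones quoted in the question.

```python
from urllib.parse import urlsplit

# URIs taken from the question; the helper names below are illustrative only.
REQUESTED = "http://a.example.com/auth/google"
REGISTERED = ["https://a.example/auth/google_oauth2/callback"]


def redirect_uri_allowed(requested, registered):
    """Exact string comparison: no prefix, wildcard or subdomain matching."""
    return requested in registered


def explain_mismatch(requested, registered_uri):
    """Return {component: (requested, registered)} for every part that differs."""
    req, reg = urlsplit(requested), urlsplit(registered_uri)
    diffs = {}
    for name in ("scheme", "netloc", "path", "query", "fragment"):
        sent, expected = getattr(req, name), getattr(reg, name)
        if sent != expected:
            diffs[name] = (sent, expected)
    return diffs


def closest_registered(requested, registered):
    """Pick the registered URI with the fewest differing components."""
    return min(registered, key=lambda uri: len(explain_mismatch(requested, uri)))


if __name__ == "__main__":
    if not redirect_uri_allowed(REQUESTED, REGISTERED):
        target = closest_registered(REQUESTED, REGISTERED)
        for part, (sent, expected) in explain_mismatch(REQUESTED, target).items():
            print(f"{part}: sent {sent!r}, registered {expected!r}")
```

For the question's values this reports three differences (scheme, host and path), so each of them has to be corrected, either in the console entry or in the URI the application sends.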

Related

How to stop spam bot from accessing site using htaccess?

I have an Apache server running WordPress, and recently I noticed large traffic from a spam bot, more specifically bot-traffic.xyz, which shows in the "Top Referrals" section when looking at Google Analytics. My question is since I don't know the source IP address, how do I block the spam bot using the .htaccess?
I have found a post (https://moz.com/blog/how-to-stop-spam-bots-from-ruining-your-analytics-referral-data) pointing out the process, but I'm not sure since it's from 2015.
The post says to do something like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*domain1\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*domain2\.com/ [NC]
RewriteRule ^(.*)$ - [F,L]
If this is correct, how would I block bot-traffic.xyz?
Can someone describe what the above code is?
Thanks,
These bots are not hitting your site at all but rather using your Google Universal Analytics (UA) code and hitting Google directly & pushing their website URL in the page variable. Adding a rewrite rule won't help. Check your Apache log file and you won't find any traffic.
These URLs all go back to the same website run by someone selling fake traffic as a service. You can try to set up a filter in Google Analytics however that's going to be a game of whack-a-mole. Best way to get rid of this is to set up view filters in Google Analytics Universal. Admin icon (lower left) -> Filter (in right most column). Add a filter. Choose custom filter, exclude from Request URL. Then build regex to remove the offending sites.
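One way to carry out the log check suggested in the answer, as an added example that is not part of the original post: it parses Apache "combined" format lines and counts requests per Referer host. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, tolerating escaped quotes
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

# Constructed sample lines (documentation IP ranges, made-up referrers).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2021:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2021:10:01:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 310 "http://spam.example.net/page" "curl/7.68.0"',
]


def referrer_hosts(lines):
    """Count requests per Referer host; a missing Referer ("-") is counted under ''."""
    counts = Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        try:
            host = urlsplit(m.group(4)).hostname or ""
        except ValueError:
            host = ""  # malformed Referer value
        counts[host] += 1
    return counts


def hits_from(lines, domain):
    """Requests whose Referer host is the domain or one of its subdomains."""
    domain = domain.lower()
    return sum(n for host, n in referrer_hosts(lines).items()
               if host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    print("bot-traffic.xyz hits:", hits_from(SAMPLE, "bot-traffic.xyz"))
```

A count of zero for the domain shown in Analytics means the requests never reached the server, which is the case where a rewrite rule has nothing to block.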

How do some websites use any URL requested to create a page on the fly without 404's

For example: http://www.ebuyer.com/flange
This URL does not exist but when you visit the site it takes you to a search page where it has the search results for flange.
Firstly I thought that they had used .htaccess and ErrorDocument to point to a search script to return the search for whatever was in the URL.
This is fairly easy to do, but what I have noticed is that ebuyer responds with a 200 OK and my method responds with 404 Not found. The user will never see this but I'm guessing for SEO it would be better practice for this to return 200 OK.
How have they done this?
Thanks
You're right that it is NOT done via ErrorDocument directive since that returns 404 status to the browsers. It is actually done via RewriteRule. See following example:
# All three conditions must hold (implicit AND): not a file, not a directory, not a symlink
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.*)$ search.php?q=$1 [L,QSA]
Which simply means if requested file or directory or link doesn't exist on your web server then internally forward the request to a script called search.php and pass requested URI as search parameter q. In the end a HTTP 200 is returned to the browser instead of 404.
e.g. /flange would become /search.php?q=flange internally and return 200 to the browser.
What's happening is that there's some routing rules in play. Basically, a bit of code sees the URL (for example: www.ebuyer.com/flange ) and knows that the "flange" aspect is a key word it is supposed to try and find and display.
For a similar concept, look at the URL for this question.
It's broken down into the following logical concepts:
[domain]/[function]/[identifier]/[extra information for human readability]
This tells the module on the server that it needs to look in the "questions" functionality, and deliver the question with the identifier of 14689056.
It's easy enough to have the system respond with a search results page as opposed to a 404 in this situation, because you're already re-directing the user behind the scenes based upon the URL.
In .NET (3.5+) and IIS, there's a nice set of classes associated with URL Routing that can be manipulated in the Global.Asax to do this (earlier versions of .NET can do this as well, it's just a bit more hassle involved since there are no native classes).
In Apache, you'll need to deal with mod_rewrite and other odds and ends that I'm not overly familiar with as I'm a .NET programmer. This question Routing URLs in PHP will get you started heading in the direction you need to go.

.htaccess Redirect based on HTTP_REFERER being empty

I'm trying to set up a redirect on a WP blog installation that will detect anyone coming in from nowhere (i.e. not from another site). The idea is to trap some of the spambots that plug pre-constructed URLs into the system to create comments/posts. I figure if they don't have a referrer site, I can pop them back to the homepage (www.domain.com/index.php or just www.domain.com), which should mess with the bots but not with real people.
I understand that the referrers can be forged but hopefully it'll stop the stupids, at least.
I have very little clue about .htaccess rewrite rules (I apologise for being a noob), but I couldn't find one that did this in existing answers or anywhere else online, despite several searches. Either no one's done it or I'm not phrasing correctly.
Any help appreciated. :)
I'd advise against this. By doing it, you may annoy and alienate a portion of your potential users: for example my browser is set not to report referer information, others use anonymity networks. The dumb bots you can catch by matching their reported user agent string (as seen here).
Otherwise it's simple: match against the HTTP_REFERER environmental variable in a RewriteCond:
RewriteCond %{HTTP_REFERER} ^$
RewriteRule .* http://example.com/
The RewriteCond checks to see if the referer is an empty string; the RewriteRule redirects everything to http://example.com/ root. This is a hard redirect, meaning that the server will issue an R=301 moved permanently header. If you just want to sneakily serve another resource, use a soft redirect by specifying a relative URL, like RewriteRule .* index.php. However, it may be kinder for people not reporting referrer information to redirect them to a page saying something like "You should enable referrer reporting if you want to read this page".
For more examples on such things, see the manual. There's a very similar prevent-hotlinking method there.

Prevent users from accessing files using non apache-rewritten urls

May be a noob question but I'm just starting playing around with apache and have not found a precise answer yet.
I am setting up a web app using url-rewriting massively, to show nice urls like [mywebsite.com/product/x] instead of [mywebsite.com/app/controllers/product.php?id=x].
However, I can still access the required page by typing the url [mywebsite.com/app/controllers/product.php?id=x]. I'd like to make it not possible, ie. redirect people to an error page if they do so, and allow them to access this page with the "rewritten" syntax only.
What would be the easiest way to do that? And do you think it is a necessary measure to secure an app?
In your PHP file, examine the $_SERVER['REQUEST_URI'] and ensure it is being accessed the way you want it to be.
There is no reason why this should be a security issue.
RewriteCond %{REDIRECT_URL} !^/app/controllers/product.php$
RewriteRule ^app/controllers/product.php$ /product/x [R,L]
RewriteRule ^product/(.*)$ /app/controllers/product.php?id=$1 [L]
The first rule will redirect any request to /app/controllers/product.php with no REDIRECT_URL variable set to the clean url. The Rewrite (last rule) will set this variable when calling the real page and won't be redirected.

Can Apache configuration check cookies?

My situation:
We have a mobile version of our website, and want to start redirecting mobile users to it. The plan is to do this in Apache httpd.conf or .htaccess, using something like this:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (iPhone|Blackberry|...)
RewriteRule (.*) mobile/$1
However we want there to be a way for users to override our default action of redirecting them. One way we thought to do it was to show a link on the mobile site directing back to the regular site, and store a cookie when they use that link.
Could the Apache configuration file check a cookie before redirecting?
Is there a better way?
The HTTP_COOKIE server variable contains the cookies passed from the client to the server. You can look in there to find out what cookies have been generated by a script or module.