How to know if a user is logged in from another service - authentication

I have a php/apache service and meteor on the same server. I am using the accounts-ui package.
Is there anyway to know in my php script, that a user is logged in, given the login token (session id?)
This is my original need: upload a profile picture for a logged in user.
Very simple right? But I have not found an answer after hours of googling.
First solution would be using html5 File apis to send data to meteor server and the server save the image. But this solution wont even work for IE9.
Second solution is what I am trying: Using a html form to upload picture to a php script (or whatever script, it can be a nodejs script if needed). This script will save the image like a traditional php script does. The thing is I cannot know if the upload request is authorized, otherwise everybody can change profile picture of anybody. I must add some information in the upload request and verify them in the php code before saving the image. I am thinking about sending a request from php script to meteor server but I need to know which parameters to send and how meteor responses it.
How can I achieve the second solution or if someone has a another solution for my origin problem that would be great.
Thank you.

Meteor uses an a protocol called DDP to communicate between the client and server. But as of now there isn't a PHP ddp client so you would have to use a REST type communication method between your meteor server and your PHP server.
If you feel you could build a PHP client for your meteor client, it would greatly help you as you could do stuff like run Meteor.call from your php scripts and have them subscribe to collections. The full DDP spec (pre1) can be found at : https://github.com/meteor/meteor/blob/master/packages/livedata/DDP.md
To do a REST method you should use Meteor Router to allow you to create server side routes. It is installed via meteorite which helps you access a list of community packages at [atmosphere.meteor.com].1
sever side js
Meteor.Router.add('/checklogin', 'post', function() {
var userId = this.params.userId;
var loginToken = this.params.loginToken;
if(userId && loginToken) {
return (!!Meteor.findOne({_id:userId,"services.resume.loginTokens.token":loginToken}));
}
});
You can then do a POST request with PHP to /checklogin with two params, one is userId which is the userId (found with Meteor.userId() or localStorage.getItem("Meteor.userId"). The other is the login token found via localStorage.getItem("Meteor.loginToken") on your Meteor client.

Related

is there a full Nextcloud API accessable from outside?

I use Nextcloud as a normal user to store and share files.
I decided to use it as a backend for a web application I am developing so that I can store the files in Nextcloud while the frontend is done by me.
I spent some hours on the API docs
https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/index.html
and, with some disappointment, unless I have not made a mistake, I realized that the only API that can be used from outside Nextcloud is the WebDav API.
This is a minimalistic API that allows doing basic things such as uploading a file by passing the full path like with this GET statement (authenticated by basic auth passing username and password in the headers:
GET https://nextcloud.example.com/remote.php/dav/files/username/FolderOne/SubFolderTwo/HelloWorld.txt
This will download the file located in /FolderOne/SubFolderTwo/HelloWorld.txt
with a PUT request, it is possible to overwrite the file by passing the file content in the raw body request
This is very effective but minimalistic.
I was expecting to have a full REST API to access more properties and perform complex operations.
Could you please tell me if I missed some important information?
There is the OCS API but it works only from inside Nextcloud.
Thanks.
A full REST API is avaiable - https://docs.nextcloud.com/server/22/developer_manual/client_apis/OCS/ocs-api-overview.html
Create a Share - https://docs.nextcloud.com/server/latest/developer_manual/client_apis/OCS/ocs-share-api.html
The OwnCloud documentation also offers more examples
https://doc.owncloud.com/server/10.8/developer_manual/core/apis/ocs-share-api.html
You can register an App id and use that to login or passthru a username and password in the authentication header.

Attempting to access Shopify api from localhost with a GET request

Currently I'm trying to access data from my shopify store through local host and I'm getting the CORS error. I realize this question has been asked but I couldn't find an answer. Also I realize that this is a bad practice since credentials are exposed. I have a local computer that for a reason (with out taking the time to explain it) needs to be able to GET data from my shopify store. This HAS to be done in javascript so I am using XMLHttpRequest like so:
var url = "https://apikey:secretkey#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
this is based on this answer on SO: shopify how to get product data using php in my localhost
In the above I'm passing my apikey and secret key from an app I've setup and approved on my account. One thing I didn't do is whitelist my ip which I'm not sure if that's what would allow me to get the data. This returns a CORS error.
I've also tried this:
var url = "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
Here I pass my username and password and I get the CORS error also.
What is a challenge is that if I'm logged into the account or not logged in when I go to my browser window I can go to this url: "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2"; and the json data appears in my browser window.
Again this has to be done in javascript and it has to be done from a local computer.
The way I went about this is forget the XMLHttpRequest. To access the shopify api via my local host I used the node library provided here: https://www.npmjs.com/package/shopify-api-node
I'm marking this as the answer just in case someone in the future is attempting to do this.

Bigcommerce authentication get request only returns scope and code, context is missing

I am kicking off the Bigcommerce app installation process by following the instructions given in this official documentation page https://developer.bigcommerce.com/api/callback apparently I am following every thing. I have https Auth Callback url setup in the app configuration page
NOTE: I am using ngrok to tunnel my localhost to internet.
When Install my app I receive the code and scope objects in the Get Request but not the context object.
Please help me with what did I missed ? and how I can get the context object ?
UPDATE
I tested it without ngrok and its the same.

How to access OData URLs with authentication

I have a OData Server which returns me a json.
When I accessing the URL through a browser i need to input the username/password.
Doesn't accept the entries which I do in the pop-up. Need to cancel it and then it shows me a dialog box after which i can see the required json.
I am not able to figure out the kind of authentication in use.
Using basic authentication in Postman client is not working.
Any suggestions as to how do I go about using this URL both in postman and inside an Anuglar JS or Node JS program.
You can install interceptor in postman. Go to cookies tab next to body and install the interceptor then turn it on.After installing interceptor you can login with your user/pass and then send your request.
See this picture.enter image description here
Thanks for the input.
But I got access to the code implementation which is accessing the URI which I want.
So There is a Sharepoint/C# application in the universe which is doing a Forms based authentication to get the data required. :/
Will try to reverse engineer that get it working in my Node App.
Cheers. :)

Problems working with Google Calendar Api V3 and PHP

I'm just trying to make a little, simple application (that i already made two years ago in Objective-C with api V1) that presents a screen with time of event and description and a button : "insert event in your calendar".
Every user has, obviously, to configure the application with his google username and password.
The app simplifies some process using the first calendar available.
I had infinite problem trying to do it with javascript (this app will be made in html5), so, looking at docs, I ended up trying to make a back-end on my server in php5 (thought it could be easier...ohohoho).
So, i read docs from here : https://developers.google.com/google-apps/calendar/
What i did :
1)
Get to the Google Developers Console.
Created a project.
I now have this (not real keys):
OAuth 2.0
Client ID 352xxxyy9.apps.googleusercontent.com
Email address 3527xxxy#developer.gserviceaccount.com
Service Account
Client ID 3523xxxyy419-vpfgdfg9u77s0.apps.googleusercontent.com
Email address 35ssss9-zzzzsnhavna78ea0b9gvn6a9u77s0#developer.gserviceaccount.com
Public key fingerprints :ac15ddfxdffrtg5565fgfg545r
2)
I installed Google APIs Client Library for PHP (beta) in my server.
doc says:
Using the Google APIs Client Library for PHP requires that you download the PHP source. In the future, packages will be provided. Refer to the project page for more details.
Run the following commands to download and install the source: svn blaj blah blah.
I copied the entire source in my server. Easy :)
Then..
3) You can now import the classes you will need using the following statements:
require_once "../src/apiClient.php";
require_once "../src/contrib/apiCalendarService.php";
Ok, i'll insert them in my php script !
4)" Configure your app"
You must instantiate a client to make requests to the API. All requests to the Google Calendar API require authorization.
The following code demonstrates how to configure an authorized service object using OAuth 2.0 for native applications. For more information, see Authorize Requests.
To find your project's client ID and client secret, do the following:
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the displayed list of APIs, make sure the Google Calendar API status is set to ON.
In the sidebar on the left, select Credentials.
Find the lines labeled Client ID and Client secret. Note that there may be a client ID without a client secret, for use with Compute Engine and App Engine; in that case, create a new client ID and client secret by selecting Create New Client ID.
Edit the src/config.php file to put in your developer API information.
global $apiConfig;
$apiConfig = array(
// Site name to show in Google's OAuth authentication screen
'site_name' => 'www.example.org',
// OAuth2 Setting, you can get these keys in Google Developers Console
'oauth2_client_id' => 'YOUR_CLIENT_ID',
'oauth2_client_secret' => 'YOUR_CLIENT_SECRET',
'oauth2_redirect_uri' => 'YOUR_REDIRECT_URL',
// The developer key; you get this from Google Developers Console
'developer_key' => 'YOUR_DEVELOPER_KEY',
...
// Which Authentication, Storage and HTTP IO classes to use.
'authClass' => 'apiOAuth2',
....
// Definition of service specific values like scopes, OAuth token URLs, etc
'services' => array(
'calendar' => array('scope' => 'https://www.googleapis.com/auth/calendar'),
)
);
But they are DIFFERENT from the key i have, what's wrong ????
What are client secrets ? redirect_url??
Please help.
I think you need to setup a service account access as described here:
https://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
I had difficulties to get it work as I made many trial and errors and my cache got filled with non-working token.
If ever you find yourself not able to access the calendar even after following all the steps, try to change this line of code:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key));
to this:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key, 'notasecret','http://oauth.net/grant_type/jwt/1.0/bearer',false,false));
The last false tells AssertionCredential class to not use any cache. I did it once and then it worked with it set to true afterward.
First go here https://console.developers.google.com/project that is where you configure your app...
Click on your project, then on the left side you will see APIs & Auth, click on Credentials. You will need to create your OAuth, and Public API Access keys.
Once you have done that you will then enter those into the appropriate client_id, secret, redirect etc.
The redirect uri is the same page your app is on, its the page the user gets sent back to after authorizing.
I had the same problem.
On this page, when you click on the Create new Client Id, choose Web application and it shoudl give you the client secret key as well.
https://console.developers.google.com/project
Add a project etc.
Hope it helps