Verifying card security code for returning customer - balanced-payments

Is there a way to re-validate a card using the card security code? I'd like to offer users to login with Facebook or to remember their login otherwise and I want to add an additional step during checkout to verify that the user is in possession of the credit card. I think some websites ask for the CSC again during checkout.
I could also ask for the user's password again, but I don't think that can work if the user logged in with Facebook.
Any suggestions around this?

Alright, so it seems as if this kind of verification is not currently possible with Balanced. There is no API method to re-validate a card. Here are the solutions I came up with, just in case someone else has a similar problem:
Using a different piece of information to verify the user (card expiration date, etc). But that doesn't seem very common and would probably scare away some users.
Indeed forcing the user to enter the password again. No problem if the user uses a site-local login. In case the user is logged in using Facebook, there seems to be a way to force a re-authentication: https://developers.facebook.com/docs/howtos/login/server-side-re-auth/

Related

Signed up and hit remember me- Avoid asking user which account from list in Google OAuth and instead auto sign in to the specific remembered email

I set up an account creation page with a remember me and a JWT token verification via WorkOS. There is no password creation and just this verification (plan to add in password later if needed as the country uses OTP more than passwords).
A new user creates an account and selects remember me (using JavaScript).
The next time I sign in, I have my account populated like a*****#gmail.com.
A lot of websites I have seen have it so that when you click on this email, it goes to the full list of all gmails and you have to select that email again.
I’ve seen this remember me automatically sign in only if the user saves a password (like Facebook - see other profile accounts in sign in and you click and go in directly). But above mentioned this country doesn’t prefer passwords as much as OTP. I don’t have a password yet and really looking to avoid adding it in unless it is absolutely necessary to do this.
My goal: I don’t want to see this full screen of all Gmail accounts in Google OAuth, also referred to in documentation as the Account picker. I just want it to automatically sign in to the specific remembered account selected, assuming I have that Gmail password saved. If the user doesn’t have the Gmail password saved, then they will be directed to that specific email’s sign-in screen.
How do I bypass this full list of gmail accounts and manual selection and just automatically sign in to my remembered email account?
I’ve looked at older answers on here but nothing seems to fully handle this. I’m wondering if this will help me achieve this.
https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out
I’ve tried just having the email remembered and then they click on it and it asks do you want to sign in via gmail or magic link? That works and is better than not providing the remember me at all, but it’s only half way.

Apple Sign In - retrieve name and email

From the documentation I could find out that only upon first login into my app, the user's name and email will be returned with the credential. So I go ahead and save these to my backend.
Now if the user decides to delete his account, I delete all his data from my backend (that's probably what the user wants me to do. And isn't that what I have to do anyway according to some privacy laws or what not?).
Now if the user ever decides to change his mind another time and install the app, will I not be able to fetch username and email? No matter what I do? Or did I miss some kind of user.ultimateSignoutAndDelete(for: .ever) to be able to fetch userdata on his next sign in?
Maybe this scenario seems a bit constructed but when testing apple-sign-in you stumble upon that immediately.
Once you delete a Firebase Auth account, there is no way to recover any information from that account. All links between the user and your projects are gone. The user will have to create a new account.

Alternative ways to authenticate

I was wondering if anybody knows a way to authenticate a user without asking for a password. I have searched but haven't found a thing. I'm not looking for Facebook authentication or something like that.
Maybe you could help me.
Yes, do two-factor authentication without the first factor. So when people register for your application, have them choose email, or SMS, or both, as a verification method. Verify their identity by sending an email (or SMS) with a code they have to enter.
Once you verify their ownership of the email/phone number, going forward, every time they want to log in, they enter their email (or phone number) and click "send me code". You send them a one-time code that expires in 5 minutes or upon login; they enter the code and log in.
Next time they want to login, ditto. This way you are not storing/hashing/encrypting passwords that can be hacked/stolen. It is their responsibility to maintain security of their email/phone, not yours.
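The flow in the answer above, as an added example that is not part of the original post: a code is issued per contact, expires after 5 minutes, and is consumed on first successful use. The class name, the six-digit length, the attempt cap and the injectable clock are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # "expires in 5 minutes", as in the answer
MAX_ATTEMPTS = 5           # assumption: guesses allowed per issued code


class OneTimeCodeStore:
    """In-memory store for illustration; production would use a DB or cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret for the MAC
        self._pending = {}  # contact -> [mac, expires_at, attempts_left]

    def _mac(self, contact, code):
        # Keyed hash bound to the contact; the plaintext code is never stored.
        msg = f"{contact}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, contact):
        """Create a 6-digit code, replacing any earlier one for this contact."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[contact] = [self._mac(contact, code), expires_at, MAX_ATTEMPTS]
        return code  # pass to the email/SMS sender; keep it out of logs

    def verify(self, contact, submitted):
        """True exactly once, for the right code, inside the time window."""
        entry = self._pending.get(contact)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[contact]  # expired or guessed too often
            return False
        entry[2] = attempts_left - 1
        if hmac.compare_digest(mac, self._mac(contact, submitted)):
            del self._pending[contact]  # "expires ... upon login"
            return True
        return False
```

The attempt cap matters because a six-digit code has only a million possible values; without it, the 5-minute window alone does not stop online guessing.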

Why is the User verification required?

I am very curious to know some of the points regarding registration and login from a developer's point of view. Please see below the steps for any online account which is publicly open for all,
CREATE USER ACCOUNT : Insert the data entered by user along with a column activate which default value is 0
SEND A LINK TO ACTIVATE : a link has been sent to user email at the time of registration
ACTIVATE THE ACCOUNT : user clicks over the link and the link is verified and update the column 'activate' with value 1
Why is sending a link and verifying necessary, which I suppose is not strictly required? I asked clients why they want such verification and I get almost the same answer, e.g. checking the authenticity of the user, and that it'd be helpful to stop the duplicity of the user.
But practically, at the time of user login, I suppose it is useless to verify each time the activate column along with the password for every user.
I would appreciate it if you explain the points which are very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users that will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may try to add fake email addresses (or mistyped ones) and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.
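The three steps from the question (create with activate = 0, send a link, set activate = 1), as an added example that is not part of the original thread, showing why login reads the activate column: an address nobody has proven they control never becomes usable. The table layout and function names are assumptions, and password checking is reduced to a caller-supplied boolean because it is out of scope here.

```python
import hashlib
import secrets
import sqlite3


def open_db():
    """Throwaway in-memory database with a hypothetical users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY,"
               " activate INTEGER NOT NULL DEFAULT 0, token_hash TEXT)")
    return db


def _token_hash(token):
    # The token is 256 bits of randomness, so a plain hash is enough at rest.
    return hashlib.sha256(token.encode()).hexdigest()


def register(db, email):
    """Steps 1 and 2: insert with activate = 0, return the token for the link."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO users (email, token_hash) VALUES (?, ?)",
               (email, _token_hash(token)))
    return token  # goes into the emailed link only


def activate(db, token):
    """Step 3: set activate = 1 and clear the token so the link works once."""
    cur = db.execute("UPDATE users SET activate = 1, token_hash = NULL"
                     " WHERE token_hash = ? AND activate = 0",
                     (_token_hash(token),))
    return cur.rowcount == 1


def login_allowed(db, email, password_ok):
    """Login needs a valid credential AND a proven email address."""
    row = db.execute("SELECT activate FROM users WHERE email = ?",
                     (email,)).fetchone()
    return bool(password_ok) and row is not None and row[0] == 1
```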

Cannot login to Paypal sandbox with first account, but second, third account work

I'm always told I write "biblical length" emails, but hey, I'm trying to characterize the situation the best I can for ya.
I created my sandbox. The Business account was auto created. I created a Personal account.
I successfully paid to the Business account with the Personal account with my Buy-now setup and my IPN works correctly (after changing the fsockopen to use SSL, changing \n to \r\n, etc). No problems with the "front side" of all the account business.
Part of the "Backend" needs are to transfer some of the Business account money to another account after 3 days (my Business account is a middle-man).
I switched from Firefox to Chrome. I had done all the account setups in FF, so I didn't want to try to have two logins running under one browser, sandbox or not.
I tried to login as the Business account and it failed and ended up in the "make sure your email and password are correct" loop.
I tried to login with the Personal account (the one which successfully paid into the Business account via the application). Same error.
I tried changing the password on the original Business account, flushed cache/cookies, still cannot login. There should not be any password errors because the accounts have the same password!!! I cannot use the "forgot my password" logic to see what it thinks my password is, because the email is fake and it won't get sent anywhere.
I created a second Business account, and I tried to login and it logged in correctly and showed my balance correctly. I logged out and tried the other two accounts, but the only one that ever logs in is the second Business account.
I could solve the issue by changing the target of my front side Business transfers to the second Business account, because I know I can log into that one, but that would be condoning the fact that the system is flawed, and I'd rather push this issue to find out what is wrong.
I switched to IE (argh!)
I tried the original Business account. Failed.
I tried the Personal account. WORKED!!!!
I tried the second Business account. WORKED !!!! and I didn't have to flush cache or cookies. It still won't allow the original Business account, even with IE.
I don't have time to wait 2 hours (in case it's the "too many times" problem). There was nothing wrong with the account/passwords in the first place, and since I'd never tried logging in with any of the accounts directly before, there was no history of failed transactions.
I switched to Safari.
Once again, original Business account fails, but the other two accounts work correctly!!!!
I switched back to Chrome.
Again, original Business account fails, but the other two accounts work correctly!!!!
So, it appears once I have successfully used an account, it will work regardless of the browser, cookies or cache. IE, Chrome and Safari all work with two accounts but none of them work with the original Business account.
Finally, I tried changing the password again for the original Business account. Still doesn't work.
My suggestion is to add a button to the "test accounts" setup page, "LOGIN AS" and just let us automatically login as that user (after first successfully logging into the sandbox with our validated paypal account) and bypass the whole password thing, if you aren't going to get it to work.
2 things.
1) Apparently I should have used "Paypal" in the initial title, I had assumed the tool was already in a Paypal specific sub-forum (wrong) and I have added the word to the title. Sorry for the confusion.
2) To answer my own question ...
I tried to login to the orig. Business account first thing this morning and it worked. I tried to do a transfer and it wanted login validation and failed again and again. If your results do not prove out your premise, then there is probably something wrong with your original premise in the first place, right? So I went back to my original course of action, which was to switch from Firefox to Chrome when I went to login (because I didn't think someone would have you logging in as two different users within the same window). WRONG AGAIN. I logged in as Developer, but instead of going to a different window or browser, I logged in a second time by using the "Enter Sandbox" link, and was able to successfully login with each of the accounts.
You have to be logged in as a developer in the top portion of the sandbox interface window, while you login as one of the Business or Personal accounts in the lower half of the test window or else it doesn't work. If that is the case, and I am now doing it as it was designed, then that would explain why it was failing when trying to login when using Chrome/Safari/IE, since I wasn't logged in as the Developer account in those browsers. Why it did occasionally PASS is crazy. Software should be consistent, if anything.