I'm working on an application which should import all e-mails from a user's e-mail-account and store them in its own database for further use. The collection of all the e-mails should be done in a background job (via Delayed Job or similar).
To achieve this I'll need to store the user's email-password somewhere in my application. As this is going to be an internal application trusting my app won't be the problem.
I am looking for a best practice on how and where to store these e-mail passwords as securely as it gets.
Encrypting the e-mail password with the user's login password to my app is not an option, because I have to run the job in the background.
Any advice on this? Thanks in advance.
Env: Rails 3.2 with MongoDB
I solved it by using the attr_encrypted Gem. Be sure to use the encoding: true option when using MongoId.
As the key for the encryption I use my application's secret token. I think that's secure enough for my purpose.
Thanks to this answer: https://stackoverflow.com/a/6686132/1437361
Related
With Firebase's Admin SDK, I want to allow a user to login (verify the user with my Firebase instance) without any JavaScript on the front end. Just an old fashioned POST, with the form data in the request body.
Then in node (server side) verify the email and password on the back-end, retrieve a token, update the user's session, pass back a cookie, etc. I've been digging around various examples and the Firebase Admin SDK docs but have not found an answer.
I can do it if I run the non-admin-SDK Firebase module, in node, but this seems like an odd approach to me, especially as I need the Admin SDK for some other things.
I could see why they want to force a "triangle" approach like say payment auths use.
Authorize with Firebase on the front end and pass a token to the back-end.
Not allowing the password to possibly be sent or stored on the node server unencrypted.
But I want to pass as little JS to the client as possible and I want my site (MPA) to be progressive (not need JS). It seems odd they would not address this in their docs. Other than in some explanation of how to write one's own validation or integrate with another.
If anyone can describe how this can be done or what the recommended approach is, I would be very happy.
Firebase's Admin SDKs are designed to be stateless, so don't have a concept of a current user. The recommended approach is what Firebase Authentication does, sign in on the client and pass an ID token with every request/connection to establish the identity of the user.
If you don't want to use Firebase's SDKs in your client-side application, you can call the REST API. I'm not sure if you can construct the right call with a FORM post though.
Also check:
Sign in with Firebase-Admin using node.js, the main answer is the recommend approach.
How to authenticate an user in firebase-admin in nodejs? shows how to sign in a user in Node.js with the regular/non-Admin SDK. This is probably closest to what you want to accomplish.
Looking for additional products similar to www.nylas.com which provide an API to sync my web application with my microsoft exchange email and calendar.
Most email services are aimed at marketing and hosting, whereas I just want a simple connection between exchange and my app, without building an API from the ground up.
Any suggestions?
Why not using Exchange EWS?
Calendars and EWS in Exchange
Working with calendar items by using the EWS Managed API 2.0
I do not know your App so a simple cronjob would do it...
P.S.
By the way I personally think the best way is to access the calendar via the App directly on the device. The reason is that a user normally have ActiveSync configured so that he get all the content on his device. If he change his password he do that on the device. So your app might use a old password and will no longer work. Additional your app try to access content with the old password and might block the user account then. The user got upset and will no longer use it. Accessing the calendar now directly on the device eliminate the need to get the user password and also eleminite the need that the user need to change it in your app...
I'm creating a Windows 8 app. I have a login screen and when I press a button it will authenticate against a REST API. But what do I do when the user is authenticated? Where is the "session"? How can I store who the user is? So far my search has taken me to these answers
1. ApplicationData.Current namespace
Where would I store session specific data? Local application data? Temporary application data?
2. Password Vault
I've seen this suggested to a similar question, but as far as I understand this is just a password store? How would it help me to keep the current user in session? Or would I simply for a every view I load question the Password Vault:
This is the users Windows Live ID, what id does he have in my app?
3. CookieContainer
Is it possible to store the user info in a cookie when doing a Windows 8 app?
It seems to me a rather simple question to which I hope there is a simple answer :)
I have an app too with an authentication against an REST service with a simple OAuth authentication and I store the credentials (AccesstToken and AccessToken secret) in the PasswordVault. One of the advantages (apart from being stored securely) it's synchronized between Windows 8 devices. In the PasswordVault you store the username and the Password in a PasswordCredential
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordcredential.aspx
I'm trying to use Instapaper's Simple API (http://www.instapaper.com/api/simple).
The API terms of use (http://www.instapaper.com/api/terms) says apps should not store user id and password, and I don't want to store them either. However, it seems that the only way to add a link to a user's Instapaper via simple API is to store the username/password (if the user does have a password).
Am I missing something?
The API terms of use state that:
Apps must not store users’ passwords. Passwords may only be collected for the xAuth token acquisition and must be discarded afterward.
Only the full API uses xAuth tokens. The above sentence doesn't apply to the simple API, since it uses Basic HTTP Authentication.
You still "must make reasonable efforts to prevent passwords from being compromised, and must not disclose passwords to any other services or individuals".
If you are using a native Mac application (like Apple’s Mail client or a third-party mail client like Airmail) there isn’t an easy way to save a link to Instapaper without first opening the link in a browser and then using one of Instapaper’s browser extensions to actually save the article.
One workaround that I’ve found to expedite this task is to write a service for OS X which uses Instapaper’s API to save links.
In order to write your own service, first open Apple’s Automator application and create a new Service. Then, drag the Run Shell Script action into the application’s main workflow area.
Make sure the service receives no input, can be used by any application, and that the shell script is set to run python.
I am planning pin making an ftp client, however how in my code in objective-c for my mac application can I keep my username and password safe? They will be in the code, so how can they be kept safe?
Whats an alternative solution? My app will automatically without the user having to enter any credentials allow them to download form my ftp server.
Any help much appreciated, thanks.
You can use the Keychain to keep such things safe. You can read about it here...
About keychain stuff
You'll also find a fair few keychain topics on this site.