I'm trying to make a simple Jabber client using the libstrophe library.
It's going fairly well so far, except for one thing for which I need some clarification.
Namely, how am I supposed to (continuously) know the status (i.e., Online/Offline) of contacts, so that I can display it to the user of my program? Similarly, how am I supposed to request the roster of the user?
I've looked at the roster.c example provided by libstrophe, but that only prints out the roster once. In a real application, I'll need to request/update this continuously, in order to show any new contacts the user added, etc., in the application.
So basically, I'm unclear on how to make sure that I always display the most current roster and most current statuses of people in my user's contact list.
Am I just supposed to request the roster at some predefined time interval, for example?
roster and presence are 2 different topics.
When you login you normally request the roster which you are doing already. When your contact lists changes during your session you get a roster push with the updated contact. This is an stanza. It doesn't matter if another logged in client manipulated the roster our your client.
The online state called presence of all your subscribed contact comes in with stanzas.
You have to setup handlers with xmpp_handler_add for
Online state, presence stanzas
Roster pushes, iq stanzas with query of namespace jabber:iq:roster
Related
I am working on a web application which is based on Google App Engine (GAE). The requirement of the application is that one user can be associated with multiple company accounts.
My application has two main types of accounts. One is that main Admin/Company account. Other is the employee account (i.e. the persons who work under a company). Now, what I want to do is that to allow an employee to work under more than one companies, but he does not have to make a separate account for each company. His single account can be associated with multiple companies.
I have explored different platforms which are already supporting this feature. The major ones which I found are Slack and Asana. And my problem can be perfectly mapped to what Slack is doing right now i.e. I create a single account on Slack and I can join multiple workspaces on Slack using this single account.
I want to achieve the same in my application too. I am curious that how Slack is supporting this feature right now? Does it send some ID with every request to the server which indicates that the activity which just has been done is associated with the workspace under this ID? Or there is some unique sort of token associated with every workspace (on Slack API level)?
I do have such a model in my app. A unique auth_token is associated with every company account. So, I am thinking that when an employee wants to do an activity for a specific company he will send this unique token with the request to the server so that server knows for which company the activity was performed.
Does anybody know what is the best way of achieving this?
There are two different concepts at work here:
Relation between account and company / workspace
The data structure for the Slack account is designed such that it can be linked to multiple Slack workspaces, e.g. in SQL you would have a many-2-many relation between the accounts and the workspaces table.
Staying logged in
The way Slack and others Single-Sign-On provides like Google SSO keep you logged in is by settings a browser cookie. That cookie would usually be some kind of crypto hash and the SSO provider will use it to identify to which account the current user belongs to or to request a login via OAuth if the cookie is missing / invalid.
This can also be achieved partly with server sessions (which also uses cookies). Using server sessions is easier to implement than implementing your own (secure) cookie solution, however the user will only stay logged in as long as the browser stays open. But that should be sufficient for most solutions.
Note that tokens for the Slack API work very differently. e.g. they have to be generated per workspace, user and app.
The company I am working at offers a web based calculation tool which has to be paid monthly (a fixed price for a license).
Normally, users go to our website and authenticate themselves with their credentials and then can use the application. When they cancel their subscription they are not able to use the tool anymore, obviously.
Now another company called us because they want to provide our application for their own clients. We have already fixed that they have to pay a license fee for every of their clients. But there is also a restriction: their users should not have to log in on any of our websites (only on the website of our client). But the web application is hosted on our server and is loaded as an iframe.
Now there is that problem that we are not sure whether our client tells us the correct number of people who use our application wherefore we would like to verify that in some way.
One of my ideas is the following:
Our client has to call an API for every users who would like to use our application in order to submit some information like name or an unique ID of that user
When the user would like to access our application, an ID parameter is appended to the iFrame URL
I think that this is not a very good solution because our client could use the same ID for every access and pretend that only one users uses the application. By saving the ip address and id of the accesses it is possible to determine fraud in some cases because ip address will not change frequently.
We even do not have to know WHICH user accesses the application but only the NUMBER of users per month.
I am interested if there is a cryptographic solution where it is hard to cheat. Something like an authentication method which does not require any interaction of the user.
Well you can't. You should require the partner to issue a token for each user so you know they came from the partner.
You could have the partner call an api you expose to issue a one time token for a user and specify user id and IP. You could alternatively have the partner digitally sign such a login request.
If you bill the partner per user, and the partner decitfull he could claim less users.
You can fingerprint the users, you can give long term coockies, you can check IP and fonts installed etc. These will allow you to detect most types of fraud.
If you give a declared userId a cookie and then see him again without it, you assign him a new cookie and then later see the first cookie again while the partner is always declaring same id that is a very strong indicator of fraud.
If I was the decietfull partner I would pair up geographicly close users and merge their IDs. it would look no different from a user with two devices. But this still limits the extent of fraud possible. Two devices per user is plausible. 10 less so.
Find business partners you trust.
How can I have access to bigcommerce's %%GLOBAL_CustomerId%% variable?
I create a sample template and logged in with as a user. That variable doesn't show up. Isn't it suppose to be a Global variable?
Background: I want to create an app for bigcommerce that can identify a user base on their customerID. If I can't grab that variable, you guys see any other way to work around this?
It's not immediately clear in the docs, but you can use %%GLOBAL_CurrentCustomerEmail%% anywhere on the template to get the email address of the currently logged in user.
If you need the customer's ID, then you can query the API with the email as a parameter.
Personally, I'd rather "trust" the customer's email as a point of identification, because you never know if the Bigcommerce ID's may get changed or not (example: Customers are deleted and then reimported, now having brand new ID's).
On a subject of security though, you cannot trust client side data, and should attempt to mitigate fraudulent requests through the use of a CSRF token or some similar measure. Otherwise, anyone can send you an email address and receive back a list of that person's favorite products -- golden information for say, a targeted advertising company, or just your suspicious next-door neighbor Joe who seems to always be conveniently checking his mail right when you get home from work, but never says anything when you walk by, not even a wave or a smile, despite the fact that you all have been neighbors for quite some time now. Like, should I say something? Hahaha, I kid I kid.
I am using mixpanel user profile tracking.
1 : If a new user, say A , visit my site and go through some pages without sign-up. That time mixpanel is tracking events to a unknown profile.
2 : Then the user A, sign up in my site and placed an order.
That time mixpanel is tracking previous events and the events after sign up also to a the same profile. (mentioned in above point).
3 : Then the user comes to my site using his mobile, then he go through the pages without login
That time mixpanel track the events to different a profile.
4 : The user then logged in in his mobile and continue to place order.
Then the mixpanel track events after the login into the previous profile mentioned in the 1st and 2 nd step.
My problem is I would like to re-map the tracking done in the 3rd step also to the profile which is used to track in 1st and 2nd step
There are 2 routes
1-) Queue anonymous events: the idea would be that instead of sending Mixpanel the events when the user is still anonymous, you save them either on the device (if it's a mobile app) or on your server. Then, when the user logs in, or creates the account, you can flush the stored events since now you know who the user is. As you might realize, the downside is that if the user never logs in or signs up, then the events are never sent (unless you build a mechanism in your server to flush them in that case).
2-) You could so as you currently do, but when the person goes to step 4, and logs in, before changing the ID to the correct one, you could create a People profile with the anonymous ID, mark it with a flag that it's an orphaned profile, and save the correct ID for it. That way, you can schedule a task to look at those profiles every so often, export their events, and import them back with the correct ID. That would essentially duplicate the data for those events, but you would have the full history with the correct ID. You could also try to filter events based on the "orphaned" flag later on, but it does mean you will always have to have it mind.
I have a single authorize.net account, and I have 5 different e-commerce applications tied to that account. Some are posting from a public site and some are posting from managed access sites. I am using SIM and I have read about the Relay Response, but as far as I can tell I can only have one URL listed. That will not work for me as I need a different URL for each different point of entry into the e-commerce system.
My problem at the moment is that I need to update a datafield via a guid upon successful payment completion to confirm purchase of a digital item, but if I put in a relay response page it is getting sent to all my access points and throwing errors. Other parts of the e-commerce system need to send different emails upon completion etc, plus all the urls are different at the top level.
Is there some other way of accomplishing this task that I am overlooking?
Use Silent Post*. It's Authorize.Net's equivalent of Paypal's IPN. It will only post to one URL per account but it happens behind the scenes. This means you can send a custom flag along with each transaction identifying which site the purchase is for and then have it respond accordingly (e.g. send emails, update database, etc).
*I am the author of this content