I created a service via the Service module on Drupal 7 that allow registration on the website. Trying it i get a message saying that captcha has not been filled. I send with my request all the required data like name, or password, or email, but i cannot send captcha for obvious reasons.
Now, the simpler solution is to disable captcha on my website but i don't really want to do it for it must be enabled for the normal 'human' registration.
So, there's a way to disable captcha for a request coming from a web service? Or whatever else is the correct way to do it, for i don't really know how to correctly use web services, so i guess i'm doing some conceptual error...
You can use hook_form_alter() to remove the captcha elements from your form(s). For example, in a custom Drupal module try this:
<?php
function my_module_form_alter(&$form, &$form_state, $form_id) {
//dpm($form);
// Disable captcha on Services user register form.
if ($form_id == 'user_register_form') {
if (arg(0) == 'my_services_endpoint_path') {
unset($form['captcha']);
}
}
}
?>
Use the devel module's dpm() function to inspect the form structure and find the name of the element. The example above work's for the captcha module. If you're using Mollom, I think you can just use unset($form['mollom']);
Related
I am implementing a Oauth for different services and I am using "OAuth2ConsumerBlueprint" (using flask-dance).
I was thinking about Flask-OAuth but I think I would end up with the same issues I am facing with Flask-Dance.
What I am planning to do is:
User go on ".mydomain.com"
User click on Login via FB for example
User goes on social.mydomain.com (so that the authorized URL is always the same)
User after login should be brought to ".mydomain.com"
it looks like I cannot find a way to do it.. It should be feasible. I tried to parse out different information eg.:
print(request)
print(request.referrer)
I even used: #oauth_authorized.connect
Printed all the information to see if I could collect some additional information to reuse
print(vars(request))
print(vars(blueprint))
print(vars(token))
print(session)
Also I tried to add in the GET parameters a "foo" variable to see if I could read it back again from the social.mydomain.com but I couldn't. No idea on how to redirect the user back to the original .mydomain.com
Any suggestions here on how can I have the authentication done on a specific subdomain (so I only need to whitelist one subdomain) and then redirect the user to his own domain?
That is how I setup everything:
facebook = OAuth2ConsumerBlueprint(
"fb_social", __name__, url_prefix='/fb',
client_id=FB_CLIENT_ID,
client_secret=FB_SECRET,
scope='email',
base_url="https://graph.facebook.com/",
token_url="https://graph.facebook.com/oauth/access_token",
authorization_url="https://www.facebook.com/dialog/oauth",
redirect_to='fb_social.social_facebook',
)
Thanks a lot
Hook into the oauth_authorized signal, and return a redirect to the location where you want the user to go.
I'm wondering if it's possible to set up secure login authentication in a Chrome extension without OAuth2. I'm considering setting it up as follows:
On opening the extension, send a POST to server which returns the CSRF token
JavaScript inserts the token into the usual login form (as in Django template)
[steps 1 and 2 replace the usual Django template rendering]
User provides username and password and submits the form
Success/Fail JSON response is returned and handled appropriately
CSRF token is stored as a cookie (or in browser storage that Chrome extensions use) to enable automated login until it expires
Would be great to hear possible problems/corrections to this approach as well as pointers to relevant resources!
== UPDATE ==
It seems like chrome.identity.launchWebAuthFlow is the way to go. I found resources that explain how to implement it client-side but they all say nothing about how to authenticate server-side for non-Google accounts:
"The provider will perform authentication" - how?
"Validation of the returned access token isn't shown here"
It seems that the last missing ingredient is to write code that validates a URL such as:
https://www.my-app.com/dialog/oauth?client_id=123456789012345&
redirect_uri=https://abcdefghijklmnopqrstuvwxyzabcdef.chromiumapp.org/provider_cb&response_type=token&scope=user_photos
That will surely be done by another Chrome Identity API call from my application's server. I looked through a large number of resources (and related stack overflow questions) and they provide no clear answer. Thanks!
I am totally new to moodle. Now exploring it to build a LMS. Here I need to implement core registration through API, so that user email verification works properly.There is a default API function to create core and moodle use. Does any of those types refer to registration? If no, is there any way to do user registration through API.
I have found a similar question with accepted answer, where the API function is not mentioned.
Even though I'm not convinced I understand the question correctly, I'll give it a try...
It's certainly possible to create new users in Moodle through API calls (hopefully that's what you call registration). You can do it through PHP using function user_create_user() (defined in user/lib.php) and you can do it through a web service, with a call to core_user_create_users.
Either way, I think it completely bypasses email verification, meaning that Moodle will not check whether the provided email address is valid or not. If you want a "syntax check", you can call validate_email() (in weblib.php). There's also send_confirmation_email() (in moodlelib.php) that will send the confirmation email, with link. You would need to do it manually (and set confirmed to false, when creating the user, to prevent anyone from logging in before having confirmed their email address).
(EDIT: looking the linked question..) To use a webservice and trigger the email validation, I would create a new webservice (using a local plugin) to receive the "new user request" and hook into the auth/email plugin. Actually, you might just want to add a webservice into auth/email...!
Hopefully this helps.
I'm very novice when it comes to web applications and ASP.
Recently, I've been experimenting with the Microsoft Sync Toolkit to synchronize databases over a OData web service.
The obvious question here is: Once the service is set up and published - so it is open for anyone knowing the URL - how to prevent unauthorized users from accessing this service.
Please note: Basic authentication of forms authentication - as far my little web development knowledge reaches - doesn't seem to be appropriate for this task, as it's not a web page that the client is trying to reach - where the page can display / or re-direct a logon request - it's a service that we are accessing here.
To make things more difficult, for the client-side syncing I'm using a 3rd party library/sync-provider that only accepts a URL for the service. So, there's no way (I think) I can experiment with incorporating login credentials inside a request header etc.
I assume the best bet would be embedding the login credentials inside the URL and use that for the 3rd party library.
Can somebody please direct me how to to set up such thing on the server? I would prefer to have somehow somewhere in the server-side code a place where I can check for the credentials and based upon it to proceed or abort (return 401) the service request.
I could not find any place where to hook such code into the sync service. Although somebody in MSDN suggested to handle the _OnBeginSyncRequest event, there is no way to access the web-request header from within that method.
Is there by-any-chance a global object accessible from everywhere from which I can access the request header? Could anyone please help with this?
And last, I would prefer a plain User / Password string pair. It should not necessarily (or rather not) have anything to do with windows or directory accounts. I would prefer in my code to simple check against plain strings, such if(userStr == "Authenticated user" && passwordStr == "Correct Password").
if you are using SOAP web service, you can use WS-Security usernametoken which adds your user name and password to the request header, otherwise you can add username and password as parameters in your webservice and then simply validate it on the server side. i.e.
instead of
bool SyncData(datatable)
it becomes
bool SyncData(datatable, username, password)
note for web service you will authenticate per call, if you want to do it per session, you need first login with username password, retrieves a token than on each subsequent call your service with the token.
You would also use SSL to secure the channel so username and password aren't transmitted as plain text.
In my App I need to communicate with my Django website. Some resources require authentication so I need user login.
But this does not happen in a browser or a web view. I need to use Object-C to issue a login request and handle the response - basically to store the session ID I guess.
On the web server side, how should I do this in Django? To have a stand-alone view for that and return JSON maybe? How can I get the newly generated session ID though?
I wouldn't get the session ID. I believe logging in a user is more geared toward a web interface. I would create an API that serves the resources you need in your app. http://en.wikipedia.org/wiki/Representational_state_transfer Authentication would probably be best suited for a private/public key pair or some other similar popular api authentication system.
You don't need to make any changes to your authentication system, save for maybe making sure the login form is usable on the smaller screen. Cookies work the same on iOS as they do on the web. You can display a modal UIWebView with your login form. After the user logs in, presumably you are setting a session cookie. If you make a subsequent request to the domain the cookie matches, the cookie should be sent along. You want to look into the HTTP 'Accept' header field, which specifies the content type the client expects to receive. In your controller (view?), you'll want to check the 'Accept' header, and return the appropriate content type, probably 'application/json' (or a custom type for your API).