AppFog - Unauthorized source IP address - facebook-graph-api

I host a Facebook application (https://apps.facebook.com/igoaltip/) on AppFog. Suddenly it stopped working. When I try to get information about the user using the user access token (https://graph.facebook.com/me), Facebook returns OAuthException (#5) Unauthorized source IP.
I use Node.js on the server with facebook-node-sdk.
I do not specify IPs in the server IP whitelist.

In Heroku, I've had the same issue, and a simple restart solved my problem!

Currently experiencing the same issues on AppFog regarding Facebook requests. AppFog might have received a block from Facebook.
We added the US East IPs of AppFog to our whitelist, but for more than half an hour we still receive the same error. Strangely enough, we can still use the app's tokens from other IPs. This causes me to believe it takes quite a while for Facebook to enforce the whitelist.

Send a support ticket to support#appfog.com and they will help you with getting your app whitelisted with Facebook. Put Facebook and Whitelist in the subject.

According to AppFog, it's something they need to take care of; you can only work around it by cloning apps, which for me isn't a solution for an SoA-architected app.
Source: https://groups.google.com/forum/m/#!topic/appfog-users/K4UCWhvxGZU

Related

Tapkey Web API - Problem when Registering OAuth clients [Tapkey]

I am trying to register an OAuth client, following the docs, but none of the links containing /developers in the path are working for me. I am either getting redirected to https://my.tapkey.com/AdminUI/ with an infinite load until I refresh the page, or getting status code 502 Bad Gateway.
The ones I am having problems with are:
https://my.tapkey.com/AdminUI/developers/oauth-clients
https://my.tapkey.com/AdminUI/developers/identity-providers
I tried on different OSes and using a proxy, but nothing worked for me.
I am trying to register an OAuth client and explore more of the Tapkey web API, but this one is a blocker for me.
You caught us here - we have changed the website a bit, and updated documentation is on its way but not yet published. We are working on it right now.
The developer section has moved to the Tapkey Integrator Portal, available at https://portal.tapkey.io .
Use the same login credentials you are using with Tapkey.

Is it possible to create an API which only a particular website can access and no other website can access?

Let me explain in detail.
I have 2 servers hosted: one of them for the back-end and the other for the front-end.
Back-end server: 127.0.0.1:8000 (just for explaining)
Front-end server: 127.1.1.1:9000
The user requests the UI from the front-end server, and if he wants to create an account on my website he needs to send a POST request to 127.0.0.1:8000/create-account/. This works fine,
but if I open the console of another website or make use of Postman, I'm able to achieve the same results.
So I want to prevent this and only allow anyone to create an account from my website.
Methods which I've tried:
I've used window.location and sent it to the server, then verified whether the domain name matches. But in this method everyone can just pass it via fetch().
I've used "allow only IP address", but if I push my website to production, other visitors get a 403 error.
I develop the back-end with the help of Django and Rust.
It isn't possible. You can make it hard for entry-level programmers to reverse-engineer your solution, but there isn't any way to prevent access to your API if you are going to allow access to it from some public UI.
IP address-based restriction will not work here because your backend will receive the IP of the user. In this case, you will be blocking access to users, not to any UI. Even host header verification doesn't work here, as anyone can use a proxy server, e.g. NGINX, to override the headers and fake the request so it appears to originate from the intended website.
IP address-based authorization can work only if API calls originate from a server and your API server receives the same IP address for each API call. But for your use case, it isn't applicable.
The older techniques like CSRF are useless too as anyone can easily retrieve the token and can send it. In short, if you make something public, it can be reverse-engineered. If you are accepting public registrations, there shouldn't be anything to worry about the registration source. You should think about solutions like email verification etc. to reduce the spam if that's the concern.
You could have your frontend solve a reCAPTCHA and send the solution to the backend. Verify the solution before accepting the request. It is still possible to bypass, although a bit harder.
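Server-side verification of the captcha solution, as an added example that is not code from either answerer. It assumes a placeholder secret, an expected front-end hostname of www.example.com, and a plain function in place of a Django view; the transport is injectable so the check can be tested without network access.

```python
import json
import urllib.parse
import urllib.request

# Hypothetical values: a real deployment reads the secret from settings/env.
RECAPTCHA_SECRET = "SECRET-PLACEHOLDER"
EXPECTED_HOSTNAME = "www.example.com"  # assumed front-end host
VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_siteverify(secret, token, remote_ip):
    """Real transport: POST the client's token to the siteverify endpoint."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def captcha_ok(token, remote_ip, expected_hostname=EXPECTED_HOSTNAME,
               post=_post_siteverify):
    """True only if the token verifies AND was solved on our own page.
    `post` is injectable so this can be unit-tested offline."""
    if not token or len(token) > 4096:
        return False  # reject empty/oversized input before any network call
    try:
        result = post(RECAPTCHA_SECRET, token, remote_ip)
    except Exception:
        return False  # fail closed on transport errors
    if result.get("success") is not True:
        return False
    # A token solved on someone else's site still verifies; pin the hostname.
    return result.get("hostname") == expected_hostname


def create_account(form, remote_ip, post=_post_siteverify):
    """Hypothetical registration handler: (status, body) instead of a Django response."""
    token = form.get("g-recaptcha-response", "")
    if not captcha_ok(token, remote_ip, post=post):
        return 400, {"error": "captcha failed"}
    # ... create the account here, then send the email verification link ...
    return 201, {"status": "created"}
```

The hostname pin matters: a solution harvested on another page still returns success, and only the hostname field tells you where it was solved.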

Check if Per User Outbound Gateway is in use via Admin SDK

Recently discovered in our Google Admin Portal that "Per User outbound gateway" is turned on. Checking with other people I work with, no one knows why it's turned on or when it was turned on.
I have been digging through the Google Admin SDK and have not found a way to check whether any user is using this setting.
In short, does anyone know how I can check to see if a user in our domain has a secondary SMTP connection or a "Send mail as" option in use?
So, the setting "allow per user outbound gateway" does indeed give users permission to add a "From" address external to your domain. However, if anyone is using this, they'll likely need to configure it as a send-mail-as address inside Gmail.
You can list all "Send as" addresses via the Email Settings API as per https://developers.google.com/admin-sdk/email-settings/#retrieving_send-as_alias_settings. Note that the code examples provided will not work, as they're out of date and show ClientLogin, which has been disabled for months now. I'd advise you to authenticate with OAuth 2.0 and call the endpoint with wget or cURL (probably wget, since it is recursive).

Protecting sensitive JSON data that is sent to mobile SDK (turning app into HTTPS)

I have an API endpoint which receives and sends sensitive data to a mobile SDK (that we created). The API lives in a Django Heroku app. I need to protect this information somehow, and I am a bit confused on where to start.
A friend of mine suggested provisioning HTTPS for my Heroku app. After reading SSL Endpoints for Heroku, I couldn't be more confused. I read about buying an SSL certificate, yet there are so many different kinds that I don't know which one would fit my needs.
Mainly, my questions are:
What type of SSL certs do people get to protect APIs?
Would the mobile SDK require its own type of cert to interact safely with the web API?
Where can I buy/find a cert that fits my needs?
General question about HTTPS: Without HTTPS enabled, are logins able to be compromised on a heroku application with a custom domain?
Sorry if the questions are silly, I am new to SSL/HTTPS. Thanks!
The main thing that HTTPS protects you from is man-in-the-middle attacks: that is, someone sitting between the client and the server who reads your web traffic, either copying important data or modifying what you send. In that sense, it gives some protection from compromised logins - in that no one will be able to sniff your password from the data - but doesn't protect you from anything else, e.g. getting passwords from cracking, or social engineering (phishing) attacks, etc.
In terms of what to buy, the links on that documentation give you all you need to know, so it's hard to know what you mean by your first or third questions. For the second one, certificates are for the server, not the client, so unless you're serving your mobile API on a completely different domain from the rest, you don't need a separate one.

Why is my program sending 'Anonymous IP Packets' and how do I stop that?

So, we just got word today that one of our clients' firewall is blocking our HTTP requests because "The [software] is sending anonymous packets to our firewall (a Microsoft TMG firewall) so the firewall is dropping the packets as anonymous access is [not] allowed."
For our connection code we are using C++ with curl, and we fall back to IEDownloadToFile if needed. I didn't write the original code, nor am I really a network programmer, so I came here for help. So, my questions are: What are anonymous packets? What am I doing in curl that could cause anonymous packets? Where can I find more information about solving this problem? Thanks!
What they mean is your app has to authenticate with the firewall. That link provides a wealth of information concerning the TMG product. Your client probably has this configuration:
Require users to authenticate whenever they request Web access. Every Web session requires authentication. When using this method, note the following:
Anonymous Web access is disabled. Forefront TMG requests user credentials and validates them before it checks the request against the Firewall policy. If users fail to authenticate, their access request is denied.
This method is defined per network.
Most non-interactive clients, such as the Windows Update client, cannot authenticate, and are therefore denied access.
So when the user opens their web browser and tries to access a web page, they'll get a pop-up window asking for credentials because the firewall has intercepted their web request and sent its own authentication page. When the user authenticates, the firewall passes web traffic.
Your automated app does not authenticate with the firewall, so the firewall drops packets and your traffic is classified as anonymous.
Sorry, I don't know the solution on how to make your application authenticate with the firewall. If your app goes to specific URLs, the site operators could whitelist them.
According to this page, you should be getting error 407 (Proxy Authentication Required) from curl. Try adding these options to the curl initialization, but you still have the problem of asking the user for their network credentials interactively:
CURLOPT_HTTPAUTH: add CURLAUTH_NTLM
CURLOPT_PROXYAUTH: add CURLAUTH_NTLM
set CURLOPT_FOLLOWLOCATION
There is no such thing as an 'anonymous packet' in standard networking parlance. Your client's firewall is making up terms, or there was a miscommunication somewhere along the line before the message got to you. Either way, you're going to need to get clarification from your client or the firewall's vendor or documentation.
I agree with bdonlan. In the context of HTTP requests, "anonymous packets" is vague and ambiguous at best. Maybe they mean there is no referrer code? Or they require HTTP authentication? Or you need to establish a session key before being able to access the specific URL you are requesting? You need actual technical details from your client.