We have an app built with Strapi, let's say, https://my-strapi-app.com
I want to load testing of the application
For that, I went with Loader.io
Now before loader.io can start sending the load to the app, I need to verify that the website belongs to me.
For that Loader.io ask me to place a verification token that is accessible via one of the following links:
https://my-strapi-app.com/loaderio-c56xxxxx.txt
https://my-strapi-app.com/loaderio-c56xxxxx.html
https://my-strapi-app.com/loaderio-c56xxxxx/
What steps can I take to make the verification token accessible at any one of the above URL?
Although it's a bit late,
and I have no experience with Strapi (I use Flask / Python),
but if anyone still looking for the answer,
here is my "Flask" way solution:
#app.route("/your-loader-io-token/"), methods=["GET"])
def loader_io_verify():
return send_from_directory("/path-of-the-txt-file", "your-loader-io-token.txt", as_attachment=True)
Basically, it will just download the "your-loader-io-token.txt" file, when someone access url "https://your-website.com/your-loader-io-token/".
That's it :D !
Related
I just would like to annonce before exposing my problem that I’m not English so he could be not great as expect, sorry for that ! Anyway,
Here is few month I’m working on a solution to use MFA on a Mikrotik using FreeRadius and G-Auth btu i can’t find something that can help me
I look every topic but nothing really help me
So basicly what I would like is : When I connect myself to the mikrotik, the user should be register on the FreeRadius server (If I don’t, I get reject) and if my user is register on the Freerad Server, I need to give the G-auth pass from my phone to log in the Mikrotik
Both are already implemented on my FreeRad server and the Mirkotik and the server communicate together, I can connect myself with a user write in the “freerad user” file on the mikrotik but the G-auth doen’t work, it work on local when the user is not write on the “freeRad user” and doesn’t wortk at all all when I try with G-auth
It doesn’t trigger on the Mirkrotik, it simply connect myself because the user is write in the file
I’m still studying so I can’t really understand how really work FreeRadius and what am I trying to do for solving the problem actually, sorry for that
If you have any idea or another with anything else for getting what I’m searching, I would be really grateful !
Thank you in advance and I would take any advise
I want to enable session for every user who requests for the token using the URL "/auth/local" which is the default API provided by Strapi. I guess Strapi is by default configured with Koa session but inspite of that no session cookie is returned in response by default.
What is the best way to enable session management in Strapi? Can anyone share their experience on this one ?
Why do not you try using the mechanism of sessionStrage.
I referred to this page of the official reference.
(I used non-react part because I do not use it)
Plugin Development - Front-end Helpers - Auth
https://strapi.io/documentation/plugin-development/utils.html#auth
github
https://github.com/strapi/strapi-examples/tree/master/login-react/react-login-front-end-app
blog?
https://medium.com/strapi/protected-routes-and-authentication-with-react-and-node-js-d31d234644cd
The source of auth.js is pretty helpful
https://github.com/strapi/strapi-examples/blob/master/login-react/react-login-front-end-app/app/utils/auth.js
I POST from the request module and returned to json
auth.setToken (body.jwt, body.rememberMe)
auth.setUserInfo (body.user, body.rememberMe)
Then we kept the data in sessionStrage.
I do not know if it will be helpful, but maybe it may be useful, so I wrote it.
I am a Japanese who is not good at English, so I'm going to google translate as it is.
Even if there is a strange part, I do not know, so please forgive that point.
I'm trying to access and store a database of my read books and/or uploaded documents. I don't really mind what the method is as long as it's not scraping the info with some javascript extension in the browser. That defeats my purpose of automation.
This is what I've tried so far:
Oauth2: Gives me VERY limited information. Email, name, and not much more. So apparently the way is to scrape for that info, so I tried the following:
Mechanize: I tried to load the amazon login form and post it with my personal information stored on my server, but it seems this info is not sufficient, not sure why. Some hidden values also needed apparently.
I tried using an iframe to load the amazon site and the store the session cookies but can't find the way to make this work. Also, is this method allowed? I´m having some concerns about the legitimacy of this.
I know I asked about Amazon I think it also applies to the more general question of how to extract some data from a website that requires authentication.
Thanks a lot.
Capybara would be a good choice. It uses Selenium to open a browser and navigate to a URL, post form info, etc.
I'm setting up an iOS app to use the IP Messaging and video calling apis. I'm able to connect, create channels and setup a video call if I manually create hard-coded tokens for the app. However, if I want to use the PHP server (as described here https://www.twilio.com/docs/api/ip-messaging/guides/quickstart-ios) then I always get an error and it can't connect anymore.
I'm attaching a screenshot of what I see when I hit the http://localhost:8080 address which seems to produce a 500 Internal error on this URL: https://cds.twilio.com/v2/Streams
Thanks so much!
After much time spent on this I decided to try the node backend instead - under other server-side languages of the PHP and I have it running in 2 minutes! I used the exact same credentials as the ones that I was using on the PHP config file so either my PHP environment has something strange or the PHP backend needs some fixing. In any case, I'm able to move forward using the node backend, so if you run into the same issue just try node instead of PHP. woohoo!
I would like to protect my s3 documents behind by rails app such that if I go to:
www.myapp.com/attachment/5 that should authenticate the user prior to displaying/downloading the document.
I have read similar questions on stackoverflow but I'm not sure I've seen any good conclusions.
From what I have read there are several things you can do to "protect" your S3 documents.
1) Obfuscate the URL. I have done this. I think this is a good thing to do so no one can guess the URL. For example it would be easy to "walk" the URL's if your S3 URLs are obvious: https://s3.amazonaws.com/myapp.com/attachments/1/document.doc. Having a URL such as:
https://s3.amazonaws.com/myapp.com/7ca/6ab/c9d/db2/727/f14/document.doc seems much better.
This is great to do but doesn't resolve the issue of passing around URLs via email or websites.
2) Use an expiring URL as shown here: Rails 3, paperclip + S3 - Howto Store for an Instance and Protect Access
For me, however this is not a great solution because the URL is exposed (even for just a short period of time) and another user could perhaps in time reuse the URL quickly. You have to adjust the time to allow for the download without providing too much time for copying. It just seems like the wrong solution.
3) Proxy the document download via the app. At first I tried to just use send_file: http://www.therailsway.com/2009/2/22/file-downloads-done-right but the problem is that these files can only be static/local files on your server and not served via another site (S3/AWS). I can however use send_data and load the document into my app and immediately serve the document to the user. The problem with this solution is obvious - twice the bandwidth and twice the time (to load the document to my app and then back to the user).
I'm looking for a solution that provides the full security of #3 but does not require the additional bandwidth and time for loading. It looks like Basecamp is "protecting" documents behind their app (via authentication) and I assume other sites are doing something similar but I don't think they are using my #3 solution.
Suggestions would be greatly appreciated.
UPDATE:
I went with a 4th solution:
4) Use amazon bucket policies to control access to the files based on referrer:
http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?UsingBucketPolicies.html
UPDATE AGAIN:
Well #4 can easily be worked around via a browsers developer's tool. So I'm still in search of a solid solution.
You'd want to do two things:
Make the bucket and all objects inside it private. The naming convention doesn't actually matter, the simpler the better.
Generate signed URLs, and redirect to them from your application. This way, your app can check if the user is authenticated and authorized, and then generate a new signed URL and redirect them to it using a 301 HTTP Status code. This means that the file will never go through your servers, so there's no load or bandwidth on you. Here's the docs to presign a GET_OBJECT request:
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Presigner.html
I would vote for number 3 it is the only truly secure approach. Because once you pass the user to the S3 URL that is valid till its expiration time. A crafty user could use that hole the only question is, will that affect your application?
Perhaps you could set the expire time to be lower which would minimise the risk?
Take a look at an excerpt from this post:
Accessing private objects from a browser
All private objects are accessible via
an authenticated GET request to the S3
servers. You can generate an
authenticated url for an object like
this:
S3Object.url_for('beluga_baby.jpg', 'marcel_molina')
By default
authenticated urls expire 5 minutes
after they were generated.
Expiration options can be specified
either with an absolute time since the
epoch with the :expires options, or
with a number of seconds relative to
now with the :expires_in options:
I have been in the process of trying to do something similar for quite sometime now. If you dont want to use the bandwidth twice, then the only way that this is possible is to allow S3 to do it. Now I am totally with you about the exposed URL. Were you able to come up with any alternative?
I found something that might be useful in this regard - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html
Once a user logs in, an aws session with his IP as a part of the aws policy should be created and then this can be used to generate the signed urls. So in case, somebody else grabs the URL the signature will not match since the source of the request will be a different IP. Let me know if this makes sense and is secure enough.