Does shopify have a method of authenticating requests to my postgresql db. I was given code to a shopify embedded app done using ruby on rails (backend) and react.js with Polaris (front end) and I see that the front end makes requests to the backend without any headers or authorization.
Example:
axios.get('/api/main/vendor’)
.then(response=> {
console.log(response)
})
.catch(error=> {
console.log(error)
});
This seems to work and print outs the response from the backend.
However, when I run the server and make the GET request through Postman, passing in this URL:
https://<NGROK_URL>/api/main/vendor
I can see in my terminal that I get status 302 (redirected to login).
Processing by Api::MainController#vendor as JSON
Redirected to https://<NGROK_URL>/login
Completed 302 Found in 19ms (ActiveRecord: 0.0ms)
I’m wondering if there’s some sort of authentication that shopify does when developing an embedded app that I’m unaware of. For example does it implicitly pass in some token? If so, where can i find this. Sorry for this question if it sounds newby, I’m pretty new to shopify dev.
Shopify usually passes a hmac argument that needs to be validated in the backend.
This hmac includes mostly static information like your store name, timestamp, language etc... but the important part is that is salted with the APP password.
You can read more about this here: https://help.shopify.com/en/api/getting-started/authentication/oauth#verification
This means that you can't make requests outside of Shopify.
Related
I have a Ruby on Rails application which redirects users to the start or login page if they end up at a resource they are not authorized for.
For that, it redirects through a 302 Found.
This does not feel right to me, as for example a successful creation of a resource via POST also returns a 302, with the only difference being that it redirects to the created resource.
On the other hand, it does not seem possible to redirect a user without returning a 30X status code (401/403 in this case).
Am I missing something here, or am I already doing it correctly and this is just the way to go?
Well I'd say that it depends of the context, for an API I'd go for you way, if the user is trying to reach an endpoint without authentication or without enough permissions, I'd return a 401 or 403 respectively.
But for a web application without a separated frontend app, you've no choice to tell to the browser where it has to go next and the only way of doing this is to use redirections (that are only 3xx HTTP codes => https://developer.mozilla.org/en-US/docs/Web/HTTP/Status#redirection_messages).
I am trying to integrate an authentication system with Graphql and rails that communicates with a React front end and I would like to know what is the best way to do it for a production environment
I know that this might involve using jwt but I would like to know how would you do it?
When the user signs in/up from the react front end it sends the request to the rails graphql api that authenticates the user. Then when the authenticated user makes a request/query it, the backend first makes sure that the user has access to the resources that he is requesting and then send those resources in json to the react front end
This is a bit of an open-ended question. It's probably not really possible to write a specific answer to your question, but here goes nothing.
There are multiple ways to set up authentication with GraphQL. First of all, it's important to understand whether your user is allowed to make any GraphQL queries at all without being authenticated.
You're saying you're authenticating the user with your Rails GraphQL API. Are you doing this with a mutation or with a REST call? If it's just REST and the user isn't allowed to use the GraphQL API without authenticating then you may just be able to block the user from interacting with the GraphQL API at all, when they're not authenticated.
Otherwise it's common to check whether the user is authenticated and if so keep the user data in your GraphQL query context. Then you'll now — per query — whether the user is authenticated.
When the user is attempting to access any resource that they may not be able to see or are attempting to send a mutation without being authenticated, then you can just end the entire query/request with a GraphQL error.
Since GraphQL errors are still considered part of a successful HTTP request you can handle them as usual in your front end as part of the UI. They'll be listed in the usual errors array of the response, as specified in the GraphQL spec.
Regarding JWT, you can of course use JWT to authenticate the user, which requires you to either store a token in a cookie or somewhere else in the user's browser. Typically you'd just send the token in the Authorization header with every GraphQL request.
I am trying to create my very first Azure Logic App that simply makes a http post request every hour to a website that has MVC ASP authentication. Whilst setting up the http Logic App action I am using the Basic option to enter the user details.
When it is run, the Logic App keeps failing and returning a 302 (redirect) error; I guess this is because the http post is getting redirected to the account login page.
I have run a test by carrying out a Logic App action to run a http post on a url from the same site that doesn't require user authorisation and it works.
I have also read that I may be able to add configuration to the Logic App action using the Run After rules, but for some reason this option is disabled for my action.
I'd appreciate it if someone with any knowledge in this area, could provide some possible direction.
Thanks.
What is the best way to make authentication?
on frontend I use Angular.js
on backend: Ruby on Rails
Rails app using as API for my frontend.
UPDATE:
This is will be single page application.
Frontend wiil be developed in Angular.js, backend in Ruby on Rails.
In ideal I want to build backend as collection of resources returned in json.
I search best method of security implementation.
When user open the app I need to check if user authenticated.
If not - go to login page,
If authenticated - open that he wants and return needed resource from backend.
I think that I need to store auth token on the client side.
What is the best method to generate it, or maybe Rails already generate it for me?
I don't know Angular.JS at all but I will try to provide you general information on rails that you can use with any Javascript Framework.
For authentication, you just needs:
A model for users
a controller which handle login, this method check user login/password, create a session object with all information needed (session is stored on server side and a cookie is used on client-side to associate each request to a session)
A controller for handling logout which basically only destroy the user's session
You have a good implementation in the rails tutorial here, or you can find several plugins (authlogic seems to be the recommendation of stackoverflow usershere).
Then, there is few differences between handling authentication with static html pages or with AJAX:
A HTML request will send login and password to the controller, which will automatically redirect it to another internal page once the session create
In AJAX, the javascript on client side should send an ajax request, look for the answer by the server (success / failure) and launch adapted actions (message if failure, redirection if success)
In both cases, the important thing is to check that the user is authenticated at at each controller otherwise anybody would be allowed to launch action or access internal information.
I'm trying to do something similar and I found this example app which has been very useful to get me going in the right direction: https://github.com/karlfreeman/angular-devise
Also checkout further discussion about it here: https://github.com/karlfreeman/angular-devise/issues/1
And here's another repo which takes a slightly different approach: https://github.com/colindensem/demo-rails-angularjs
I ended up borrowing ideas from all of the above. Here's a working demo if anyone's interested: https://github.com/jesalg/RADD
I've been trying to get Rails to play with the new Facebook Graph API. After I get the authorization "code", I need to send another request which returns the access token in JSON form.
It seems to work fine, however I want to fetch the access token JSON without redirecting the user. I'm attempting to use Net::HTTP.get, but I'm not sure how to use it to get a request body, or even if it's the right thing to use to begin with.
Can anyone give an example of performing an HTTP GET?
I've figured out how to do this, the problem was mainly with the fact that I needed an HTTPS connection.
Adapted from http://snippets.dzone.com/posts/show/788:
path = '/oauth/access_token?...'
http = Net::HTTP.new('graph.facebook.com', 443)
http.use_ssl = true
res = http.get(path, nil)
#access_token = res.body
Anyone specifically trying to use the Graph API, note that the value stored in #access_token is in the form of a params string, e.g. "access_token=xxxx&expires=1234".
I got around needing to parse this by just redirecting to another page and using that as the URL params, but there's probably a better way to do this.
SOA#1
However please note that it means that server have to be log onto facebook - while if browser is redirecting it is user who have to be log into server. Hence did your server set the permission?
You can pretend that you are the user. Bad Horrible idea (you have to store passwords in cleartext on you server).
You can use OAuth. Hence you should use OAuth gem instead of Net::HTTP. You will not avoid the redirection - it is part of authorisation process and user must say that he allows to access data (imagine what would be if anyone could access anyone data on facebook). Turorial on writing OAuth clients in rails.