I am using first data global gateway web service version 27. I am generating first data token from this site
https://developer.payeezy.com/payeezy-api/apis/post/transactions/tokens
Now i don't know where to use this token when request to web service?
I am passing these parameters to web service
ExactID
Password
Transaction_Type
DollarAmount
Expiry_Date
CardHoldersName
Card_Number
TransarmorToken
CardType
I use generated token in 'Card_Number' parameter but it gives me error 'Invalid credit card number'
Can someone please tell me where to use token?
I had the same message, please check the CCN owner address.
The CCN error validation disappeared after correction..
Hope this help!
Related
I am working on a CustomerEngagement solution that is integrated with twitter. Looking for suggestion with implementation.
I have configured multiple twitter-apps with a call back URL for each twitter-app (same callback URL), pointing to the same end point in CustomerEngagement application.
I have 2 java methods written, 1 for responding to CRC challenge by twitter(authentication) and 1 for actually receiving the tweet from twitter.
I would like to configure multiple twitter-apps to be served/used by the same single instance of the CustomerEngagement-application from the same endpoint
However, the CustomerEngagement application should have a hint about which twitter-app is responsible for posting the tweet to the application, so that CRC response to twitter can be generated accordingly.
Can I pass a different request parameter in each call back URL of different twitter-apps to identify the app?
I already see a conversation on the same
https://twittercommunity.com/t/callback-url-with-fixed-query-string-parameters/107821
however, can some one please elaborate on how to achieve this ? I am assuming that this a 2 step process where registering the call back URL ( along with request parameter ) happens to be step 1, followed by setp 2 in which the call back by twitter having the request parameter registered in step 1 is passed !
Thanks in Advance!!
Say your configured callback_url is xyz.com/social/
append the query strings params when parsing the callback_url
tweepy
import tweepy
auth = tweepy.OAuthHandler(consumer_key, consumer_secret, 'xyz.com/social/?var=val')
url = auth.get_authorization_url()
You get an authorization URL that redirects to a twitter login page. After login, it returns
xyz.com/social/?var=val&oauth_token=****$oauth_verifier=***
I am trying to GET an issue in Jira using POSTMAN. I have selected Type as OAuth 1.0. For that it is asking me some fields mentioned below. I have generated Token and Token Secret which I am passing to it. I have also configured my generic application to Jira in Application links. I am not aware of what to be passed in Consumer Secret and Signature Method (what should be the signature method). I am currently selecting HMAC-SHA1. For rest of the fields it is generating values based on the parameters passed above.
Consumer Key : hardcoded-consumer
Consumer Secret : ?? (What should I pass here)
Token : ojn33TZALMlvp5eCa6HeErDSx9K8LL6A
Token Secret : inHfn2QFJkkYkWQ8FxT9mXkdcoNxYPf5
Signature Method : HMAC-SHA1
Timestamp : 1474290363 (Generated value)
Nonce : x1hs2v (Generated value)
Version : 1.0 (Generated value)
Realm : (It is optional)
After hitting my jira Url it is giving me oauth_problem=token_rejected error. Can anyone tell me where I am making the mistake?
Here is the Jira URL which I am hitting :
http://bmh1060149:8080/rest/api/2/issue/NWFM-1 (NWFM-1 is the Jira issue)
Please find the below screen shot for more reference.
After little bit of research I found the answer. Once we get the access token we can directly pass that to your Jira Url. There is no need to pass all those parameters.
To get all issue types we can use the following URL and passing access token as an argument.
http://bmh1060149:8080/rest/api/2/issuetype?access_token=euyyIxB6q5waBHeZ9zB7kGV21GRNNOud
Please see the attached screen shot for more reference.
How would you think a hacker is doing the following, and how would you prevent (looking for some helpfull links, keywords or assessment of the sitution)?
Their is a website where users can register and get an invitation Email. The invaitation link (https) contains the token. It looks like 'https://www.example.com/token/123456' (123456 is the token).
It seems that a day after my users clicked on this link, someone else uses the same links too.
How is this possible and how can I prevent this sort of hack?
Thanks
EDIT:
Sorry I should have given more information. I can eliminate the opinion that it is not just a try of random token variations. Why? The exact token is used a day after one of the user had use the link. The token is a hash token of more that 20 characters.
They can just run a script to try any numerical value in the token value.
it's easy. How long is your token? I would also suggest using a hash token rather than a simple numerical one to limit automatic processing, as the "hack" is scripting to try a number, gets a result - store the result, and then number = number + 1;
Edit: What evidence do you have you've been hacked? What happens in your script once someone has clicked the token link?
A simple logic to apply could be:
define a string pattern. like: secretconstant%email
hash the string and now you have the token (and save it)
create your invitation url with the token
If someone call your service with random token you can reject them because your information system don't have saved that token.
Then if you have the token you must discard it so the link will not be valid anymore.
You could check also if the email used in the registration is the same used for calculate the token.. so you may block the registration!
We're making requests for bearer tokens using client_credentials OAuth 2 grant flow with Apigee. According to the spec:
4.4.2. Access Token Request
The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:
grant_type
REQUIRED. Value MUST be set to "client_credentials".
If we make a call however we get an error like this:
{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}
It seems that using Apigee we have to send grant_type as a query parameter.
Why is this? We have clients of Apigee that are unable to use OAuth libraries in their language of choice because of the way that Apigee deals with OAuth 2, and it would be good to know if there is by-design or not.
In addition it doesn't seem like it supports grant_type in the post body and sending id and key using basic auth.
Turns out you do not need to send in grant_type as a query parameter. There is a <GrantType> element in your GenerateAccessToken policy that takes in a variable. For instance, I can use the following:
<OAuthV2 name="GenerateAccessToken">
<DisplayName>GenerateAccessToken</DisplayName>
<FaultRules/>
<Properties/>
<!-- This policy generates an OAuth 2.0 access token using the password grant type -->
<Operation>GenerateAccessToken</Operation>
<!-- This is in millseconds -->
<ExpiresIn>1800000</ExpiresIn>
<Attributes/>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GenerateResponse enabled="false">
<Format>FORM_PARAM</Format>
</GenerateResponse>
<GrantType>user.grant_type</GrantType>
<UserName>request.header.username</UserName>
<PassWord>request.header.password</PassWord>
</OAuthV2>
In this example, the grant_type is passed in as user.grant_type. But user.grant_type can be anything-- header, query param, form param, or even a hard-coded value. This way, you (the developer) are provided maximum flexibility on how you want to send in the grant_type.
Can you paste the exact API call that you are making (obviously you should obfuscate the key and secret)?
I'd like to understand what you say when you say "Apigee" -- it could mean API BAAS (https://api.usergrid.com) or a proxy that you defined using API services and attached an OAuth 2 policy to, or something else?
I'm working on a piece of a web application in ASP.Net MVC where the user registers for membership using an sql membership provider. When they register they are put in the system but not approved. The code then sends an approval email to the user with the email given.
BfEncrypt refid = new BfEncrypt();
refid.Encrypt(user.ReferenceID);
string code = HttpContext.Current.Server.UrlEncode(refid.CipherText);
...
Body += "Approval Link\n\r\n\r";
But when a user clicks on the link they get the following error:
Description: HTTP 404. The resource you are looking for (or one of its dependencies)
could have been removed, had its name changed, or is temporarily unavailable.
Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Approve/k/9IHrY43os=
The question is, if I'm url encoding the link before I send it, why is it decoding before it tries to call the action? The url in my browser is actually 'http://localhost:1091/Approve/k%2f9IHrY43os%3d' when I get the error. My routing is setup correctly but it doesn't account for the extra '/' in the encrypted string in the url (since it shouldn't be there anyways.)
You could encode it as base64 instead of using URLEncode.