Dart - secret key generation based on elliptic curve 25519

I am looking for a Dart package in order to implement a key exchange protocol (Elliptic-curve Diffie–Hellman) in a Flutter application. So the flow will be like this:
1. app generates a key pair during login and sends the public key to the server (so a new key pair is generated for every login)
2. server sends back its public key that it just generated
3. app generates a secret key from its private key and the server's public key
4. app includes the HMAC of all subsequent messages sent to the server
I tried using the ed25519_dart package for the key generation, but it doesn't work. My app doesn't even start due to an "integer literal can't be represented in 64 bits" error, which is also pointed out by the Dart analyzer.
I also took a look at pointycastle, but it doesn't seem to support Diffie–Hellman.
The Diffie–Hellman package also doesn't work for me. The provided example throws this exception on the first line:
FormatException: Invalid radix-16 number
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B1...
Any idea how I could achieve what I want to do in a Flutter application?

I am assuming the error is connected to BigNum and Dart 2. Pointy Castle has a branch on GitHub where they are switching to Dart 2.0.
Here are some ways you could get a keypair:
Use a native SDK (Java, Kotlin, or C++) and use a platform channel
Use the Pointy Castle Dart 2.0 branch
Try flutter_sodium package. It works with Dart 2 but is a work in progress.
Hopefully, this helps. I am trying to figure out the best way as well!

Related

Orocommerce - generate API client libraries

I am quite new in the OroCommerce ecosystem, and I would like to generate API client libraries automatically for the OroCommerce API (frontend and backend). The objective is to build my own UI.
I found some dependencies on NelmioApiDocBundle that could potentially generate a swagger file, but I hit multiple problems:
this is a quite old version, that only supports swagger 1.2
the generated file (using symfony run php bin/console api:swagger:dump /tmp/api/) does not seem to work with swagger codegen "as is"
not all parts of the API seem to be written using NelmioApiDocBundle annotations
I am wondering if there is another mechanism to generate API client libraries for OroCommerce. I would like an SDK for TypeScript.
Thanks in advance for your answer.
Right now, the only supported swagger version is 1.2, as you stated.
By default, the api:swagger:dump command works with an outdated API; to generate data for the current API, run it with the --view=rest_json_api option:
api:swagger:dump --view=rest_json_api
As an alternative to the API client generation, as Oro API strictly follows JSON.API standard, you can use many existing client libraries, compatible with the JSON.API specification. The list of Typescript implementations can be found at the official website: https://jsonapi.org/implementations/#client-libraries-typescript

Tuple {:option, :server_only, :honor_cipher_order} being returned for error reason from OAuth2 package

The Phoenix application I'm supporting has OAuth authentication using two different authentication servers. Mysteriously, they have begun exhibiting unexpected behaviour, but only in my development environment.
The code uses the OAuth2 hex package for authentication.
When an attempt is made to get a token via OAuth2.Client.get_token/1, an error is returned with a tuple rather than a string for the reason. The value of the tuple is {:option, :server_only, :honor_cipher_order}. I haven't been able to find out why this is happening nor what the tuple means.
Any help would be appreciated.
Discovered that this was caused by https://github.com/benoitc/hackney/issues/591 following an upgrade on my machine to Erlang 22.1.
Without having to downgrade your erlang version, try:
mix deps.update hackney

How to: securely store secret tokens when publishing iOS App (Nativescript)

My Nativescript app has some secret api tokens. I want to publish the app to the iOS app store. What do I need to do to keep the tokens secret when I publish the app?
I see a discussion here about storing secrets using webpack environmental variables. I am new to webpack, but it seems like this is the best way to do it.
Following that discussion, I am able to put my tokens into the webpack bundle (instead of hardcoding them), like this:
$ tns run ios --bundle --env.uglify --env.aot --env.secret_token="yaySecret"
But does this keep "yaySecret" secret? I don't see this addressed anywhere in NS docs or online.
I assume this bundle command creates a bundle, and then this bundle becomes part of what Apple publishes. But then isn't Apple able to view "yaySecret"?
Uglify actually does the job here (--env.uglify).
--env.secret_token will be just a parameter that is passed to the compiler. It will replace the occurrences of the variable in the source code with the actual value, based on your webpack define configuration.
You should have something similar to this in your webpack config
// Define useful constants like TNS_WEBPACK
new webpack.DefinePlugin({
"global.TNS_WEBPACK": "true",
"global.SECRET_TOKEN": JSON.stringify(env.secret_token),
"process": undefined,
}),
So all occurrences of global.SECRET_TOKEN in your actual source code will be replaced by the actual token you passed on the command line.
So far this has nothing to do with security; reverse engineering the APK may show the entire source code and token value. Using minimizers like Uglify is what makes your code hard to read.
There are many other minimizers / obfuscators on the market; javascript-obfuscator is one free tool I have seen people using with NativeScript often. All of these tools have tons of options, so if you want to encrypt your code properly, you might need to pay more attention to those options.
There are even paid tools like jscrambler. Using obfuscators is not limited to NativeScript / JavaScript; even many native Android apps use a Java obfuscator to prevent extraction of source code & sensitive information from the APK. So using an obfuscator is very common irrespective of the platform you choose.
Additionally, what you could do is not simply hard-code your token. You may pass some encrypted value to env.secret_token, then write some complex function which can take this encrypted value and give you the actual token at run time. At the end of the day it's all about making your code harder to break.

Using dart discoveryapis_generator on webapp?

Can't use my model file generated with the discoveryapis_generator.
It asks for an http.Client to be used, but it's from dart:io, and I'm trying to use it in a web app
static YoupipeApi api = new YoupipeApi(new http.Client()); // can't work in a web app
Failed to invoke tokenLoaded callback: Unsupported operation: IOClient isn't supported on this platform.
So, is discoveryapis_generator only available for native Dart clients?
Am I doing something wrong?
(related question here)
The http package also contains a client that runs in the browser. Just change the import to package:http/browser_client.dart instead.

Getting Authentication working on Mono for Android with servicestack

I've got ServiceStack working nicely on the server and with a Windows test client, and now need to get it working in my Mono For Android application.
I've downloaded the following:
ServiceStack.Common.dll
ServiceStack.Interfaces.dll
ServiceStack.Text.dll
from the github tip, and added references to these in my Mono for Android project.
However, we need to use authentication, so need the ServiceStack.ServiceInterface.Web namespace to be available for the client, so I can do the following:
var c = new JsonServiceClient("http://localhost:53434");
var authResponse = c.Get(new Auth { UserName = "myusername", Password = "password", RememberMe = true });
Looking at my working test client, Auth is defined in ServiceStack.ServiceInterface.dll, so presumably I need to get hold of this DLL, or its source and compile it in my project.
Am I on the right lines here, or is there a simpler way to set things up? I've searched around but can't find a good resource on how to use ServiceStack with Mono For Android - if there is one, please feel free to point me to it!
I note this StackOverflow indicates I'm on the right lines - all I might need is ServiceStack.ServiceInterface.dll compiled for Mono For Android.
James
You shouldn't have to compile the server ServiceStack.ServiceInterface.dll for use in any client library, as a copy of the Auth DTOs is also available in the ServiceStack.Common.dll client library at ServiceStack.Common.ServiceClient.Web.AuthDtos.cs.
This is possible since both server and client DTOs generate the same wireformat.
