Please help me figure this out. All the FCM docs neglect this part (which makes me think it's something simple that I should know, but I'm new to coding backends). I need to send the FCM FIRInstanceID token to my server (I use Google Cloud, writing in Node.js). When it gets to the server, it is decoded (according to the FCM docs). But how do I get it to the server? The video says, "This is kinda up to you." This is absurd to me, having no clue how to send anything to a server, let alone a token. What's the code for this? Do I need to structure the token in a certain way? How do I know what address to send the token? (www.google.myserver.com???). I would deeply appreciate any help. I've spent so many days trying to figure this out.
More generally, if anyone has set up FCM + iOS + Firebase + Google Cloud and can explain it to me that would be amazing too (there are no resources for this online!) Thanks!
You need to send the FIRInstanceID to your server only if you plan to use it in the future (like to send a message to a specific device).
If you only want to use topics you can skip this part.
To send the token to your server you can use different ways like:
use Firebase Database to store the value in the backend database
implement a http endpoint (like in Node.js) that can receive and store the token, than call the http endpoint from your app with the token (and maybe more information like the username of the user and some form of authentication to protect your backend)
Related
When we configure Server-to-Server Notifications, we Specify our secure server's URL in App Store Connect and the apple server communicates on that URL. but is there a way to authenticate this request?
It is not safe to keep url open without authentication
in case of PlayStore we can use GOOGLE_DEVELOPER_API_KEYFILE_JSON for authentication, but how to do this for iOS server-server notification?
As the comments have already clarified that there is no built in way.
So, here is my work around of this problem.
Apple sends password in the notification which is App secret key which ideal should only be known by API and Apple.
And to verify receipts coming from the App this password must already be stored somewhere (configuration?) in the API.
So I suggest to check whether the password in request matches with the one stored in our API?
If yes then this is a valid request.
If not then it may be sent by a hacker.
My only concern is that does this App shared secret key aka password change? by Apple or developer? If not than this is the solution.
One way to do it is to use Basic auth. As you cannot specify a header you can use the url format: https://username:password#SERVER_ENDPOINT. This will automatically encode the username:password and construct a basic auth header with the encoded string.
Source:
https://en.wikipedia.org/wiki/Basic_access_authentication
The API that I'm using requires me to send Credit Card Details to complete payment through a HTTP POST request (through swift). Is this safe by any means? And moreover, how do I securely store credit card information for repeated payments?
The credit card holder's name, credit card number, cvc, and date of expiry are all sent over a POST request. Then, the API returns whether the payment was successful, and the last four digits of the credit card number.
Simply put, I'm not entirely familiar with payment security, and would like to know if this is safe, and moreover how to save payment information securely using swift, even if that's possible. I don't think I can use stripe for this process, but I would love to know if that's possible as well.
EDIT:
I have confirmed that the API I'm using does in fact employ an HTTPS connection, and not simply a HTTP server. At this point, I know not to save credit card information locally and that I should retrieve it from a third party service before handling it. Thanks All!
Just append a 's' with your http then it's permissible. http is insecure as already mentioned by #t0mm13b. So it's not safe.
there is a Nice post.
Edited:
Don't be just happy that appending 's' is sufficient though. :)
Using Swift or any other programming language and sending sensitive information over HTTP is not secure as mentioned in the comments.
Instead you should use an HTTPS connection.
Sending any sensitive information over HTTP is not secure and not recommended. Most of the payment gate ways doesn't allow you to establish a session on HTTP. Even if you are using HTTPS usually sensitive information is encrypted and sometimes encoded on client end and server decrypts, decodes and processes it which inturn gives double security to the requests you make.
I have made a slack app in which I have a bot. I have selected channels:history, channels:read, channels:write under my permission scope, and also I have passed scopes
"scope":"bot channel:history channel:read channel:write"
while doing my oauth2 verification (using python), and I got a response where the scope is
"scope":"identify,bot,channels:history,channels:read,channels:write"
along with client and bot access tokens.
Now when I do an api call to fetch history of a channel in which my bot is invited to, I get
{
ok: false,
error: 'missing_scope',
needed: 'channels:history',
provided: 'identify,bot:basic'
}
Can someone please tell me where I am going wrong. How can I PROVIDE the channels:history scope in my api call. This is really driving me nuts. Should I be using the client access token, ie xoxp-xxxx, instead of bot token, ie xoxb-xxxx ?'
Thanks!
For people having this problem in the future;
your integrated bot has full access to the slack api, whereas a bot in a slack app don't, as it will used publicly. When you successfully finish oauth2, you should get 2 tokens, user access token and bot token. The user token is used to read history from any channel/groups, and the bot access token is used to write to them. This means you constantly have to be switching from user token to bot access token in your app.
Also, remember that bot-user MUST be a member of a private channel which you want him to connect to.
Hope that helps.
Ps, if any found a better way going about this, feel free to answer below.
Since you did not mention it: You also need to specify all required scopes on the admin page for your Slack app under "Oauth & Permission Scopes".
I currently have a functional iOS application (with react) and an app server using nodejs. So far, I am able to register with Firebase Messaging and console log my registration token through the AppDelegate.m file. And from my server, I can send my app a notification on a certain device with a POST method. However, in order to do that, I have to copy my registration token from the consolelog and paste it in the post request. Which is pointless because the token can change at any time.
I am still fairly new to this and I cannot find any examples of people sending their registration token to their app server. In all of the documentation it is always just a comment like "//If necessary send the token to your app server" with no explanation on how to go about it.
I just want to send the registration token to my server every time it refreshes so I can save it, and then send downstream messages to certain devices using their latest tokens. How do I get the Firebase token from my Obj-C AppDelegate file to my javascript server side? Can anyone help me out? Or show me an example?
You are on the right track, your app server will need an endpoint (say /register) that will let you make an http request posting your token to your app server.
I am connecting to the QB API using a Go library that I found for OAuth 1.0a: https://github.com/kurrik/oauth1a. I actually had everything working, and I cannot think of anything that I changed, but now every request I make is returned with token_rejected. From what I have read elsewhere, this usually means that my access token has expired, but even if I start the whole 3-legged OAuth process from the beginning I will get the same response as soon as I am verified. I have triple-checked my consumer key and secret, I know they are correct. I can plug in the Access Token and Secret created using the API Explorer into my code and it works just fine, so I know the problem is something related to the Access Token that I am getting back from QB. Everything looks OK when I print out the tokens that I am using, they do match what QB sends me back via the querystring after the handshake process. I have been banging my head against the wall all day now, any help would be great.
Just adding the answer, it was an issue with the Oauth Library code and is now resolved.
-Jarred