Simperium and user groups - ios

I've an app that needs to share data among users, but not all of them. The idea is that users can belong to different groups, like, for example, users of 2 different companies who are using my app. I'm evaluating Simperium, but before embedding its library in my iOS app I would like to understand if there is a way to isolate users to avoid reading data belonging to other groups. I don't know if that is possible using different buckets and, in that case, how do I create separate buckets?

The iOS SDK doesn't provide a sharing mechanism. Nevertheless, you could still use the REST API to do so.
curl -H 'X-Simperium-Token: { access_token }' \
  https://api.simperium.com/1/{ app_id }/{ bucket_name }/i/{ object id }/share/{ target username } -d '{"write_access": true}'
Documentation can be found here.
Other than that, it would be up to the host app to implement any required user group management (perhaps a simple REST endpoint of your own that returns the collection of user IDs for the current user would do the trick).
Hope that helps!

Get all TI Indicators returns an empty list

I am trying to collect all active TIs via the Beta Graph API by following this. But it doesn't return anything. Here is what I use in Postman:
https://graph.microsoft.com/beta/security/tiIndicators
Response (200):
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/tiIndicators",
"value": []
}
A bit of context for the environment I work in.
The tenant has multiple Sentinel workspaces & resource groups.
The application I use has the correct permissions:
ThreatIndicators.Read.All
ThreatIndicators.ReadWrite.OwnedBy
ThreatSubmission.Read.All
ThreatSubmission.ReadWrite.All
It is my current belief that this might be due to the limitations of the Beta API. My reasoning is that according to this documentation you need the ThreatIndicators.ReadWrite.OwnedBy permission to access the API. This would suggest that currently you can only view TIs that the resource itself created.
If more info is needed just ask.
According to the documentation, the ThreatIndicators.ReadWrite.OwnedBy permission allows you to manage threat indicators your app creates or owns.
If you want to read all the threat indicators for your organization then your app needs ThreatIndicators.Read.All permission.
Although this is not a solution to the question, it is a workaround. By using the Log Analytics API you can get the TIs via a KQL query:
ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
ConfidenceScore > 25
| summarize by NetworkIP
This is probably better as you can also use a watchlist to exclude specific IP addresses with one request.
One thing I struggled with was authorization. You must give your application permission to use the api.loganalytics.io API, and the application needs the Log Analytics Reader role in the Log Analytics workspace you want to use.
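The Log Analytics workaround above, as an added example that is not part of the original answer: it builds the query request, parses the tabular response and applies the kind of exclusion list the answer suggests doing with a watchlist. The workspace id and bearer token are placeholders, and SAMPLE_RESPONSE is constructed data in the shape the query API returns.

```python
import json
from ipaddress import ip_address

# Added example (not the answer's code). Workspace id and token are placeholders;
# the token comes from your app registration (Log Analytics Reader role), and
# SAMPLE_RESPONSE below is constructed, not real indicator data.

KQL_ACTIVE_IPV4_INDICATORS = r'''ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
  NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
  ConfidenceScore > 25
| summarize by NetworkIP'''

def build_query_request(workspace_id: str, bearer_token: str,
                        query: str = KQL_ACTIVE_IPV4_INDICATORS):
    """Return (url, headers, body) for POST /v1/workspaces/{id}/query."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": query})

def parse_table_rows(response_json: dict, table: str = "PrimaryResult") -> list:
    """The API returns 'tables', each with 'columns' and 'rows'; zip them into dicts."""
    for t in response_json.get("tables", []):
        if t.get("name") == table:
            names = [c["name"] for c in t["columns"]]
            return [dict(zip(names, row)) for row in t["rows"]]
    return []

def active_ips(response_json: dict, exclusions=()) -> list:
    """NetworkIP values that parse as IPs and are not excluded (the watchlist role)."""
    excluded = set(exclusions)
    found = set()
    for row in parse_table_rows(response_json):
        ip = row.get("NetworkIP")
        try:
            ip_address(ip)          # drop anything the KQL regex still let through
        except ValueError:
            continue
        if ip not in excluded:
            found.add(ip)
    return sorted(found)

SAMPLE_RESPONSE = {  # constructed sample response, not real indicators
    "tables": [{"name": "PrimaryResult",
                "columns": [{"name": "NetworkIP", "type": "string"}],
                "rows": [["203.0.113.10"], ["198.51.100.7"], ["192.0.2.55"]]}]
}
```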

How do I programmatically create a video meeting on teams.microsoft.com?

This might seem rather basic, it seems like it should be the simplest possible API call to make with any video call provider.
I need to:
Get an API key for my web application.
Create a meeting link with the video call provider using the key.
Share that link with an external user via e-mail (or SMS, or whatever, my app does that bit).
Redirect the internal user to the link (possibly in an <iframe>).
Optionally end the meeting afterwards so the link can't be re-used.
Optionally report on who attended and for how long.
It seems like that should be fairly simple (or at least straightforward), and for every other provider I've looked at it is, but for Teams I have struggled to get started.
For instance, in Skype this is (or used to be) simply a POST to https://api.join.skype.com/v1/meetnow/createjoinlinkguest.
I think the API key needs to be generated in Azure, and then the meeting request needs to be made via Microsoft Graph but it also appears like it is not possible to use this API unless a delegated user - i.e. users would have to sign in via their "work or school account".
I think that would mean switching our entire user model over to Microsoft's, a prohibitively large amount of work just to generate video call links.
Is there a way to generate these links without requiring the user to sign in via Microsoft?
Is this only possible via an Azure application instance and Graph API? It seems a very long way round compared to any other provider?

Is there a way to request bucket specific read scope?

I'm trying to find a way to restrict the access to each of the buckets in my application. The goal is to prevent users from accessing objects from buckets other than the one which is "assigned" to them.
In short, the app assigns a bucket for every user to store objects within, and I want to prevent users from accessing buckets which are not meant to be accessed by them.
I guess a request could look like this:
curl -v 'https://developer.api.autodesk.com/authentication/v1/authenticate' \
  -X 'POST' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=client_credentials&
scope=data:read&
# I'm thinking of some parameter like this
bucket=CLIENT_SPECIFIC_BUCKET_ID
'
You should implement your own management layer in your app to manage user permissions for different buckets; as a best practice, users should not be exposed to app-level access tokens to access the buckets themselves.
Forge cloud buckets belong to the Forge app and not to end users, as it's a development platform and operates at the developer/application level rather than that of end users.
EDIT:
For the Viewer you can go with an AOP approach and set up a proxy in your backend, delegating authentication to the proxy: you can redirect the Viewer to send requests to your endpoints to retrieve resources, and your backend can in turn authenticate and retrieve the resource from Forge services so that you won't have to expose your access token to the users. Try:
Autodesk.Viewing.endpoint.setEndpointAndApi('https://yourhostname/your/proxy/service/path')
And you can add custom headers to Viewer’s requests to authenticate against your own app:
Autodesk.Viewing.endpoint.HTTP_REQUEST_HEADERS = {}
Alternatively you can download the derivatives to your own storage and load them from there - see here for details.
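The proxy approach from the edit above, as an added example that is not Autodesk's code: the backend maps the caller's session to the one bucket assigned to that user and forwards only allowed object reads upstream with the app's own server-side token. The bucket assignments, user names and token are constructed placeholders; the OSS path shape is the standard /oss/v2/buckets/{bucketKey}/objects/{objectKey}.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example (not Autodesk's code): authorization check for the backend proxy
# the answer describes. The Viewer is pointed at this proxy; the proxy checks the
# caller's session against the bucket assigned to that user, and only then forwards
# the request with the app's own Forge token, which never reaches the browser.

FORGE = "https://developer.api.autodesk.com"
# OSS object download path: /oss/v2/buckets/{bucketKey}/objects/{objectKey}
OSS_OBJECT_PATH = re.compile(r"^/oss/v2/buckets/(?P<bucket>[^/]+)/objects/(?P<obj>[^/]+)$")

# constructed sample: the bucket the app assigned to each authenticated user
BUCKET_ASSIGNMENTS = {"alice": "bucket-alice-7f3a", "bob": "bucket-bob-91c2"}

def authorize(user: Optional[str], path: str) -> Tuple[bool, str]:
    """Return (allowed, reason); only object reads inside the caller's own bucket pass."""
    if user is None or user not in BUCKET_ASSIGNMENTS:
        return False, "unauthenticated"
    m = OSS_OBJECT_PATH.match(urlsplit(path).path)
    if not m or m.group("obj") in (".", ".."):
        return False, "unsupported path"      # no bucket listing, no other APIs
    if m.group("bucket") != BUCKET_ASSIGNMENTS[user]:
        return False, "bucket not assigned to user"
    return True, "ok"

def upstream_request(user: Optional[str], path: str, app_token: str) -> dict:
    """Build the forwarded request, or the error the proxy returns to the browser."""
    allowed, reason = authorize(user, path)
    if not allowed:
        return {"status": 401 if reason == "unauthenticated" else 403, "error": reason}
    m = OSS_OBJECT_PATH.match(urlsplit(path).path)
    # rebuild the upstream URL from the matched parts, not from the raw request path
    return {"status": 200,
            "url": f"{FORGE}/oss/v2/buckets/{m.group('bucket')}/objects/{m.group('obj')}",
            "headers": {"Authorization": f"Bearer {app_token}"}}
```

The browser side then points the Viewer at this proxy with setEndpointAndApi and sends its own session credential via HTTP_REQUEST_HEADERS, as shown in the answer.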

How to use Youtube api v3 on client computer without API-key?

I am planning to make a browser extension which uses Youtube data API v3. Since the code is public to the user, I am unable to use my API-key in the code. What is the correct way to use API in such a scenario? Also, since the API call will be made from user's browser, is there any other way to fetch data without using API-key at all?
TL;DR
On the API screen of Google Cloud Console, create a new key or edit an existing one to have no restriction. This will enable anyone to use this key to make requests the moment you publish it. There is no way to use the YouTube API without a key (or token respectively, when using OAuth). Your clients are allowed to consume up to 50.000.000 quota units per day, after which your app will essentially break for the rest of the day unless you buy more quota.
However, I have to disagree with the statement that you cannot (or "shouldn't") publish your API key; in certain scenarios, this may very well be desired.
Detailed Explanation
Web application keys used to be organized in two groups: server keys and browser keys, the former of which were to be kept secret on the server of the web application, while the latter was sent to the client for use in JavaScript. Server keys could be configured to only be accepted from certain IP addresses. That way, even if someone got hold of your key, they wouldn't be able to use it. Browser keys could be restricted to a specified referrer, i.e. the domain (as in DNS) of your web application, so it wouldn't work on other sites besides your own either.
Nowadays, there is no distinction between server and browser keys anymore, they are simply called "API keys". This union makes perfect sense to me, since the only difference between the two types was how they were restricted. With the new API keys, one can still choose how to restrict its usage - or choose to not restrict the key at all.
This is where we get back to your case: It is, of course, possible to publish a key and at the same time not restrict it. Depending on how many users are using your app (and will be using it in the future) and how many are using your key for their own app (which you have no control over), the 50 million quota limit will work out for you or it will not.
And then there's responsibility as well. You are responsible for the queries that are made with your API key. This is probably one of the reasons why YouTube doesn't allow requests without a valid key: they need to stay in control of their service and, naturally, want to protect it from DoS attacks. If someone does mischief with your key, you are the one who gets punished for it, usually by deactivation of the key.

Synchronize users between XMPP and django

I'm creating an iOS app which uses django as my backend. I need to have a chat functionality between users.
I heard that XMPP is good for real time communication, and I have successfully set up ejabberd as the XMPP server. But still I'm having a hard time dealing with the details:
I created the app first and then the chat feature, so before I set up ejabberd there were already users in my django DB. I need ejabberd to authenticate users against my existing DB and I have almost solved this by using external authentication. There is only one small problem, as ejabberd seems to require the jabber ID to look like username@abc.com, and here abc.com means the virtual host of ejabberd. I don't know, maybe I could only use one virtual host on my server (which is the domain name)? But then at the beginning I asked the users to register using emails, which are from different domains of course, e.g. gmail.com, yahoo.com, but username@gmail.com@abc.com is not a valid jabber ID, so maybe one small trick I can do here is to convert the first @ to # and handle it properly in the python script in the backend. But maybe I did it totally wrong?
Another issue is about user profile. I stored the user information as well in my django DB, e.g. display name, avatar url, etc. I learnt that I could use the vCard module if I want to get those information from XMPP server. So maybe I need to have duplicated information in two places? And still I haven't figured out how to synchronize the user information from DB to ejabberd. Or maybe I just need to have only one source, which is my DB, and the iOS client could then query the information from the backend whenever needed?
I feel that XMPP is not easy to setup, is it really popular to use it in your Apps? Especially if chatting is not the main functionality of your App and you are not expecting to have huge messages from big number of users?
You wrote:
but username@gmail.com@abc.com is not a valid jabber ID
You are supposed to escape the user id (i.e. "username@gmail").
XEP-0106 explains how you should escape the node part of a JID.
In python, it would look something like this:
def escape_node(node):
    """Escape the node part of a JID as described in XEP-0106."""
    node = node.strip()
    # Escape the backslash first so the escapes added below are not escaped again.
    node = node.replace('\\', "\\5c")
    node = node.replace(' ', "\\20")
    node = node.replace('"', "\\22")
    node = node.replace('&', "\\26")
    node = node.replace("'", "\\27")
    node = node.replace('/', "\\2f")
    node = node.replace(':', "\\3a")
    node = node.replace('<', "\\3c")
    node = node.replace('>', "\\3e")
    node = node.replace('@', "\\40")
    return node
With regards to storing your users' details in Django. When you register your Django users in XMPP, just make sure that you also register valid vCards for them.
When a Django user changes his details, update the vCard as well.
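The escaping above only goes one way; the backend also has to map a JID back to the Django account when ejabberd calls the external auth script. Added example (not the answer's code): a table-driven XEP-0106 escape, the matching unescape that only recognises the ten defined sequences, and the e-mail-to-JID mapping for the question's setup. The virtual host "abc.com" is taken from the question; the e-mail addresses are constructed.

```python
import re

# Added example (not the answer's code). Host "abc.com" is the question's virtual
# host; the e-mail addresses used in the test are constructed sample values.

# Characters XEP-0106 escapes in the node part, with their two-hex-digit codes.
ESCAPES = {' ': '20', '"': '22', '&': '26', "'": '27', '/': '2f',
           ':': '3a', '<': '3c', '>': '3e', '@': '40', '\\': '5c'}
UNESCAPES = {code: ch for ch, code in ESCAPES.items()}

def escape_node(node: str) -> str:
    # One pass, one lookup per character, so a backslash can never be escaped twice.
    return ''.join('\\' + ESCAPES[c] if c in ESCAPES else c for c in node)

def unescape_node(node: str) -> str:
    # Only the ten defined sequences are unescaped; any other backslash stays literal.
    return re.sub(r'\\(20|22|26|27|2f|3a|3c|3e|40|5c)',
                  lambda m: UNESCAPES[m.group(1)], node)

def jid_for_email(email: str, vhost: str = "abc.com") -> str:
    """Use the whole e-mail as the node so users from gmail.com and yahoo.com never collide."""
    return f"{escape_node(email.strip().lower())}@{vhost}"

def email_from_jid(jid: str) -> str:
    # The escaped node contains no literal '@', so the last '@' separates node and host.
    node, _, _host = jid.rpartition('@')
    return unescape_node(node)
```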
