I have been following the Rails tutorial by Michael Hartl for some time. When I came to the point of creating account activation links and automatically sending them in an email, I noticed some bad stuff:
I'm using the Cloud 9 IDE and the activation link from the email only works when the Cloud 9 project is private. Since I need to store the password for my Gmail account in the configs, everyone can view my code and log in to my Gmail account.
How could this problem be solved? Making the project private doesn't work because you then aren't able to activate your account.
If you'd like to keep your workspace private, but your application url public, just click on the 'Share' button near the top right of the IDE. Once there, check 'Public' next to 'Application'. That will disable Cloud9's authentication when accessing the application url while keeping your code/workspace private.
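As an added example (not part of the question or the answer above), one way to keep the Gmail password out of the committed configs that a public Cloud9 workspace exposes: read the SMTP credentials from environment variables and fail at boot if they are missing, plus a small check that rejects config text which still carries a literal user name or password. The variable names GMAIL_USERNAME and GMAIL_PASSWORD and the sample config text are assumptions constructed for this example.

```ruby
# Added example (not from the question or answer): keep Gmail SMTP
# credentials out of files that a shared workspace or repository exposes.

# Build ActionMailer-style smtp_settings from an environment hash.
# Raises when a variable is missing, so a misconfigured deploy fails at
# boot instead of tempting someone to paste the password into the file.
# Variable names are an assumption for this example.
def smtp_settings_from_env(env = ENV)
  user = env['GMAIL_USERNAME']
  pass = env['GMAIL_PASSWORD']
  if user.nil? || pass.nil? || user.empty? || pass.empty?
    raise KeyError, 'GMAIL_USERNAME and GMAIL_PASSWORD must be set'
  end
  {
    address: 'smtp.gmail.com',
    port: 587,
    domain: 'gmail.com',
    user_name: user,
    password: pass,
    authentication: :plain,
    enable_starttls_auto: true
  }
end

# Matches `password: 'literal'` or `user_name => "literal"`; a reference
# such as `password: ENV['GMAIL_PASSWORD']` does not match.
HARDCODED_SMTP_CREDENTIAL = /\b(password|user_name)\s*(:|=>)\s*['"][^'"]+['"]/i

# Return the offending lines of a Ruby config file (e.g.
# config/environments/production.rb) so a pre-commit check can reject it.
def hardcoded_smtp_credentials(config_text)
  config_text.each_line.with_index(1)
             .select { |line, _| line =~ HARDCODED_SMTP_CREDENTIAL }
             .map { |line, n| "line #{n}: #{line.strip}" }
end

# Constructed sample: the risky form and the env-backed form side by side.
RISKY_CONFIG = <<~RUBY
  config.action_mailer.smtp_settings = {
    user_name: 'me@gmail.com',
    password: 'hunter2'
  }
RUBY

SAFE_CONFIG = <<~RUBY
  config.action_mailer.smtp_settings = {
    user_name: ENV['GMAIL_USERNAME'],
    password: ENV['GMAIL_PASSWORD']
  }
RUBY

puts hardcoded_smtp_credentials(RISKY_CONFIG) if __FILE__ == $PROGRAM_NAME
```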
I'm trying to migrate from local NTLM authentication to Azure AD login for an on-premises app. I have set up the connected service, but every time the SignIn method is called:
The request is already authenticated and it's using my local PC name, so the O365 log in is never triggered. Debugging doesn't help as the User info and Request don't seem to exist outside of the AccountController. Does anyone know what is going on and how I can get it to load up the login instead?
If anyone else finds this, check and triple-check your web.config and project files for any lingering Windows authentication variables. Failing that, try creating a new project with authentication and then copy the content of the old project across bit by bit. It turned out for me to be something dodgy in the project, but even using a comparison tool afterwards showed no discernible differences.
Only thing I can think of is that the Authentication with Azure Active Directory Connected Services made changes that broke something, but using the auth option during project creation did it properly.
I have searched for solutions to this issue but everything I've found seems to be applicable to a Firebase web app, not to iOS implementations.
When verifying a user using Firebase phone auth for iOS, I understand the reCAPTCHA is very unlikely to appear. However, in the event it does, it creates a web view for the reCAPTCHA like so:
Is there any way for me to hide the myProjectId-12345.firebaseapp.com from the user? It's not very clean or secure, I'm afraid. I haven't been able to find anything in the way of documentation on this topic, and most Stack Overflow answers that solved the issue seem to be applicable to the Firebase web SDK only.
Am I missing it somewhere? I have followed the documentation for silent notifications as well, so normally the reCAPTCHA does not appear. From the documentation, "only a very small percentage of users will experience the recaptcha", but I would still like to account for those users.
Set up your domain for Hosting
Step 1: Add domain
From your project's Hosting page, enter the wizard for connecting a custom domain:
If you have only one Hosting site, click Connect domain. If you have more than one Hosting site, click View for the desired site, then click Connect domain. Enter the custom domain name that you'd like to connect to your Hosting site.
(Optional) Check the box to redirect all requests on the custom domain to a second specified domain (such that example.com and www.example.com redirect to the same content).
Click Continue to initiate the validation process.
Step 2: Verify domain ownership
If requested in the Connect Domain setup wizard, verify your apex domain.
Step 3: Go live
In the Connect Domain window of the Firebase console, select Quick Setup for a new site or Advanced Setup if you already have a site running on another hosting provider and need a zero-downtime migration.
Have a look at this for detailed information.
I have been trying to implement OAuth v2 for Microsoft Accounts for my website. It's currently in the development stage, so I am testing on localhost. The website is an ASP.NET Core MVC 5 application.
I have followed the tutorial here to implement OAuth for Twitter, Google and Facebook accounts. I found this to be quite simple, with only a few small issues that I was able to solve with simple Google searches.
However I have spent several days trying to understand what is happening when trying to use Microsoft Account authentication on my site.
I have watched the video here on registering an application in the Microsoft App Registration Portal. At around minute 6 in the video a short demo shows how to set up the App. You can see my App details in the following screen shot:
In the video at about 7.5 mins in, there is a small section explaining how to test the App by building a URL string.
On submitting the query string to the browser the page is redirected as expected to my App page as you can see here:
In this instance I was already signed into my Microsoft Outlook account. If I wasn't signed in, I would be prompted to log in to a Microsoft account. Logging in, in this case choosing my already signed-in Outlook account, causes the page to be redirected back to my site as seen in the following screen shot, but because the site didn't send the request it's not expecting a token sent back for login, so nothing really happens. This is expected behaviour at this point, as I was only testing that the App's end point was working as expected.
The next stage is to test the functionality from my website. This is where I always have issues. Activating the OAuth functionality for Microsoft Account login requires simply un-commenting a couple of lines of code within the Startup.Auth.cs file in my website's App_Start folder and passing in the App's ClientKey and ClientSecret values, as can be seen in the following code snippet:
    // Startup.Auth.cs (App_Start): register the Microsoft Account provider,
    // reading the client ID and secret from Web.config appSettings
    app.UseMicrosoftAccountAuthentication(
        clientId: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientID"],
        clientSecret: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientSecret"]);
This code basically adds a little button to the login page that allows you to choose Microsoft login as can be seen here:
When I click the Microsoft button I get the following error page:
And the query string returned contains the following:
https://login.live.com/err.srf?lc=2057#error=unauthorized_client&error_description=The+client+does+not+exist.+If+you+are+the+application+developer%2c+configure+a+new+application+through+the+application+management+site+at+https://apps.dev.microsoft.com/.&state=JMxMRuKaOiYWCQw_Uqkhv3gLQn3ULlkG2miM4ymcHhTK5niXVQl5n4L0a6VoWeEKmFM7T1ciU2oQAh26_Y0i2DMjdt6BOAtpjNeMaSpBq4wbCjva9lOuctOUIWwoFdTEGvxJ4M904lUsoudd9e9cYi6eiH3JF81HB5ouQSus2ddE1sVUQLw-YB1GjUL79y2muFaBFIOIOk75oCV2IxX4cFO2rJU04K9Se6gxu698WpzR8taUB2c6tK9u0dBisckhavf0IvKB9dWQq-IVwQgvaA
Anybody know why or what is happening?
Now I have read in several of my many searches, while trying to understand what's happening when I try to test the App from my site rather than from a URL directly in the browser, that I should have
/signin-microsoft
appended to my Redirect URL in the App Portal's configuration. I have tested with my Redirect URL set like that and this does not work. I get an HTTP ERROR 500 sent back because the page signin-microsoft does not exist. So this is not my problem.
Please help if anyone has had the same issues and solved them.
EDIT: I should have mentioned that I was initially trying this using local IIS Express, but after reading some posts saying it can be done only on IIS, I published my site locally to IIS.
I am using Azure AD authentication to authenticate a user in my MVC application. I published my application on Azure and it is working fine.
But when I run my application locally, Microsoft's login page comes up, and when I enter credentials and click on the SignIn button it gives "Sorry, but we're having trouble signing you in. We received a bad request."
But the same application is on Azure, and if I access it from there then it allows me to log in.
To create this application I followed this link to add Azure AD authentication.
If you notice the error message, it clearly indicates that you have not configured https://localhost:44320 as one of the reply addresses.
Please go back to application configuration screen in your Azure AD and add https://localhost:44320 as additional reply address. That should take care of this problem.
Add the below to your Web.config. It must be the same port which you have added at the time of Application registration.
<add key="RedirectUri" value="https://localhost:44320/" />
I hit this, it has cost me a lot of time.
I would check firstly that you have the ability in Azure to access third party applications.
In Azure > Users & Groups > User Settings:
You see the first item (Users can allow apps to access their data) - without this checked I believe it won't work.
As you are running your application locally it is not published to Azure; this means that although it may be within the realms of your organisation's network, Azure still views it as a third-party application.
Be wary setting this to 'Yes'. I understand that there are ways to then create applications that allow you to behave as an Azure super user...
In case anyone else comes across this, here is what happened to me. I had been switching back and forth between environments within Visual Studio (Project >> Properties >> Debug >> Environment Variables). Well, the last time I switched it, I wrote "Develop" instead of "Development" to switch back. This caused .NET Core to grab the wrong appsettings which connected to the wrong AD which did not have my localhost setup on it. It took me an hour to catch what I had done wrong.
This may not be exactly what has happened to you, but do check to make sure you are picking up the Azure AD settings you are expecting if they are in your appsettings. It could be a good point to start at.
I occasionally receive emails from Google (accounts-noreply#google.com), similar to the following:
Subject: Suspicious sign in prevented
Someone recently tried to use an application to sign in to your Google
Account, ________#gmail.com. We prevented the sign-in attempt in case
this was a hijacker trying to access your account. Please review the
details of the sign-in attempt:
Monday, November 19, 2012 8:40:55 PM GMT
IP Address: 184.72.161.49 (amazonaws.com)
Location: Dixmoor, IL, USA
If you do not recognize this sign-in attempt, someone else might be trying
to access your account. You should sign in to your account and reset your
password immediately. Find out how at
http://support.google.com/accounts?p=reset_pw
If this was you, and you want to give this application access to your
account, complete the troubleshooting steps listed at
http://support.google.com/mail?p=client_login
Sincerely,
The Google Accounts Team
© 2012 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to update you
about important changes to your Google product or account.
Indeed, this was me, as I have an app running on Heroku (hence why the IP address is from amazonaws.com), and I send email directly from my app via Gmail SMTP (I don't think it should matter, but specifically, I'm using the gmail_smtp plugin which I updated for Rails 3.2).
Is there a way to avoid this warning, or a way to whitelist known IPs?
Short Answer
In a web browser (perhaps Chrome/Incognito), log into your Gmail account (the one via which you're trying to send email from your app).
In another browser tab, open https://accounts.google.com/DisplayUnlockCaptcha -- and follow the steps.
Long Answer
I ended up logging into my Gmail account (mentioned as ________#gmail.com in the Stackoverflow question above) and saw the following warning:
[Note: I'm piecing this Answer together after the fact.] Clicking the link Was it you?, I'm pretty sure I was taken to a page that contained the following, though below it there was a message and button about adding another application to the list:
[Again, I'm pretty sure...] Clicking the button on that page brought me to https://accounts.google.com/DisplayUnlockCaptcha -- which looks like this:
Clicking Continue brought me to another page:
At that point I just went to my app, and made it send an email.
Note: for general live-testing of email in my app, I have a view at triggers#index with two buttons that send PUT requests to these actions: triggers#send_email and triggers#raise_exception. This enables an admin to go to /triggers and send an email or raise an exception to test if the production system is working correctly as far as being able to send email is concerned. Raising an exception in any of my apps emails details to me via exception_notification.
I had the same problem when I tried sending emails through Gmail SMTP using PHP. You should complete the troubleshooting steps provided at the end of the email.
On your Gmail mail box look at the bottom right corner and you can see a Details button. Click on it and then on the pop up window change the suspicious warning settings.
To get this working in dev with Rails 4, I had to enable access for less secure apps.
Visit https://www.google.com/settings/security/lesssecureapps while signed on to your gmail account and click 'turn on'. Note, this enables access for less secure apps which could come with unintended consequences.
Some apps and devices use less secure sign-in technology, which makes
your account more vulnerable. You can turn off access for these apps,
which we recommend, or turn on access if you want to use them despite
the risks.
To get this working in Rails 4, in addition to enabling access for less secure apps as described already (visit https://www.google.com/settings/security/lesssecureapps while signed on to your Gmail account and click 'turn on'; note, this enables access for less secure apps which could come with unintended consequences), one more step may be required in some cases, if account access is still blocked.
If this is the case, also visit https://accounts.google.com/DisplayUnlockCaptcha and click Continue, to enable account access to send via Gmail SMTP.
Credit to Steve Polito