A little background info so you can know my overall goal:
I have a web app that uses rails and Devise for authentication. I also am making an iPhone app which I need to be able to send and retrieve data to/from this app. I've decided to make a custom token authentication system in order to handle this.
I want to be able to send a username and password in JSON format as a post request to my app, have the app get that username and password, then have the app reply with a token in an xml or JSON format.
How do I make an action that will get information from a post request (username and password) and process it then return something else?
I just recently attended a meetup that explained Helios, which sounds like what you are looking for.
Check out their docs. Also this Github is an example of helios in action.
Related
I recently started getting into Typo3 but now I have to implement something for work and I have no clue where to start.
The requirements:
I have to add a separate page that can only be accessed by frontend
users. (so far no problem)
These frontend users should be able to login with the same password
as they got for their iOS app. (uh-oh)
The separate page should display data from the app. (less of an uh-oh
but connected to the previous point)
After talking to the developer of the app, he made a specific POST request that can be used for the webpage. I am also getting a json-file with the required data that I need to display upon successful login.
My question lies with the login. How do I go about implementing this? I use the extension felogin to provide the login form on the page.
The POST request is looking sort of like this:
https://domain.at/api/queryMediaItems. It needs user and password, declared as user and pwd. In the body there should be a json object with the language, e.g.:
{"language":"de-at"}
You need to implement a SSO (SingleSignOn) as your users need to identify against the iOS-app.
This might give you a concept.
You also can look inside the code of some extension
I want to create a new iOS app.
and for this app I have some security questions
Example
The first start the user log in with username and password. When the log in is correct The user receive a api code. Just This code Will be stored in the app
So every time they use a make a request to the side like calling for the use a list I don't send the username and password I will send the api code for authentication.
Like this
https://example.com/api/{APICODE}/getUserList
The answer will be json
So my Questions are
- how to securely store the api code in the app
- is there a better way to make the requests
- I will store the requested data in the app, what is the best way, SQLite or plain files with json
The reason is That the app works without Internet
Thanks for help
Save secured data in the Keychain. For other you may use UserDefaults, files, SQLite DBs, CoreData
I have a website that users can log into to see their account info.
I would like to build functionality into my iOS app that allows them to log in and see their info in the app. The usernames and passwords are stored in a SQL database.
How can I authenticate the username and password the user types into the app with the database?
If you have better atuthentication system in your web..
then i would prefer you to use the WEBVIEW for your login page. and continues the other using the normal app flow.
there are lot of tutorials for creating username and password login Function in IOS. i dont know whther you are basic or new progrmmer. But try this you may get some idea.
http://www.youtube.com/watch?v=HrZR2SyeoSk.
You can go with JSON serialisation, if you experienced to load data from server.
There are multiple ways you can go about this but at the end of the day you need an endpoint for your iOS application to talk to your web server. This can be done with a TCP connection (little more complicated) or with a RESTful HTTP API endpoint which is generally the way most developers will go.
To get you running up and quickly on the client side have a look at AFNetworking to do the heavy lifting on your HTTP requests. You will then need a URL on your website that the iOS application can query. Abstract things to keep your API on a different subdomain, say for instance by creating a subdomain to handle your API requests. A login example could look like this
http://api.mysite.com/login
For a PHP based REST API here is a tutorial for you, PHP API or you could use a Node.js framework such as Restify
The general practise is to use JSON encoded data when sending requests back and forth from the server, iOS 7 has built in JSON encoding/decoding, node and PHP also have pretty good support.
Once you are able to send and receive HTTP request from your iOS device to your web server it is just a matter of checking the username and password match up on the server side (seems you already know how to do this?) to the ones in your database and sending back a authentication BOOL and option error message if failed.
Has anyone had success using Stripe connect with an iOS app. I have a few questions:
I'm following the guidelines here: https://stripe.com/docs/connect/getting-started
Registering an Application: easy, no problem here
Then a little further down:
Send your users to Stripe: again, easy no problem here, I just have a button that opens up the link in a UIWebView. I assume having the client_id in the URL is fine? A lot of my uncertainty is what IDs/keys I should hard-code into the app
Then a little further down:
After the user connects or creates a Stripe account, we'll redirect them back to the redirect_uri you set in yourapplication settings with a code parameter or an error.
What I'm doing here is using the UIWebview's webView:shouldStartLoadWithReqest:navigationType delegate method to check for the string "code=" in the URL. If it finds that, then I'm able to grab the "code" parameter. So in reality, the redirect_uri is completely unnecessary for me. Is this the right way to handle this? Should I be doing this within my app or on my server?
After receiving the code, we are supposed to make a POST call to receive an access_token. Again, should this be done within the app or on the Server? It requires the use of a secret_key, so I'm guessing server? And how do I send credit card information along with this token if the token needs to be sent to the server? I know how to obtain the card number, exp date, and CVV. But in terms of passing it to the server (with or without the token) is something I'm not sure of.
Then when it comes to actually writing PHP, Ruby, or Python code on the server, I'm at a total loss.
Any help would be greatly appreciated.
You should setup a small web app to create stripe charges and storing you customers Authorization Code. Configure two routes in your web app for redirect_uri and webhook_uri and add the url in your Stripe Apps settings. The charges should be created from a server side app because it requires the secret_key / authorization_code which should not be stored in an iPad app. Otherwise they may lead to a security leak. I'm trying to describe the concept below:
Provide the stripe connect button in your app and set the link to open in Safari (not in an web view). You should add a state parameter to the url with an id which is unique to your users.
On tapping the button your user will be redirected to Stripe where s/he will be asked to authorize your application. Upon authorization stripe will hit your redirect_uri with a authorization_code and the state you previously provided. Do a post call according to Stripe Documentation with the authorization_code to get an access_token. Store the access_token mapped with the state in a database.
Define a custom url scheme in your app. Invoke the custom url from your web app. The user supposed to open the url in mobile safari. So invoking the custom url will reopen your application. You can pass an additional parameter to indicate failure / success. In your app update the view based on this parameter.
Now you are all set to create a charge on your server on behalf of the iPad user. Use stripe iOS sdk to generate a card_token from the card information. It'll require your stripe publishable_key. Then define an api in your web app which takes 3 parameters: card_token, user_id and amount. Call this api from your iPad app whenever you want to create a charge. You can also encrypt this information with a key if you're worried about security using any standard encryption method. You can easily decrypt the info in your web app as you know the key.
When this api is called from the iPad app you'll receive the user_id (which you saved as state previously), card_token and amount. Retrieve the access_token mapped to the user_id (or state). You can then made a charge on behalf of the user using the access_token, card_token and amount.
You can use ruby / php / python / node in the server as Stripe provides sdk for them. I assume other languages can be used as well as there is a REST interface.
Please note that this is just a concept. It should work like it but I haven't implemented it yet. I'll update this answer with sample code when I'm done.
You can use UIWebView. You will still need to use redirect urls and monitor the redirect using the delegate "webView:shouldStartLoadWithRequest:navigationType:"
I'm developing a Shopify App with Rails and have been using the query-string to detect which shop is accessing it. This seems vulnerable as users could alter the url to access someone else's settings.
Here's an example:
I click on the preferences link on my app and get redirect to http://example-app.com/preferences?shop=example.myshopify.com and get a page of settings related to the the store: example.myshopify.com
So what's to stop the user from changing the querystring to http://example-app.com/preferences?shop=notmystore.myshopify.com and logging in to a store that they don't own?
Should I use an authentication gem (https://www.ruby-toolbox.com/categories/rails_authentication) and make each user create a username and password to prevent spoofing attacks?
Interesting. There were live production Shopify App store Apps that did what you did Paul. When I found an App like that, I informed Shopify and they promptly knuckle wrapped the App developer. He learned his lesson pretty quick and was hopefully very embarrassed.
Shopify Partner accounts (free to get) provide you with a nice API token and a corresponding secret for your App that you can use to ensure when you get a merchant trying to access your App that the incoming shop
is actually a shop that installed your App and,
they have the right to use your App
You should really check that out.
I found the solution is to always retrieve the shop url from your session variables and not from the query string:
session[:shopify].url
also make sure this is at the top of each of your controllers to ensure the shopify session exists:
around_filter :shopify_session
as shown in this: https://github.com/Shopify/shopify_app/blob/f9aca7dfc9c29350f7f2c01bb72f77a54ece2b77/lib/generators/shopify_app/templates/app/controllers/home_controller.rb
This question may be too localized, but I'll try to give you a direction.
If you are using the query string as the only authentication method, then yes, you will get hacked/spoofed, etc. You need to do some form of authentication. - Shopify provides an API that can probably handle some/most of this for you.
https://github.com/shopify/shopify_api