I have have a rails application which a payment form. As showed it the official website, I create a new credit card like this :
attributes = params[:credit_card]
credit_card = ActiveMerchant::Billing::CreditCard.new(
:number => attributes[:number],
:month => attributes[:month],
:year => attributes[:year],
:first_name => attributes[:first_name],
:last_name => attributes[:last_name],
:verification_value => attributes[:verification_value]
)
It works but it's not very secured because it pass data in clear on the post request, after submiting the form.
What is the best way to secure my application? I seen this railscast but It's not very applicable for activemerchant.
I can use ssl but is it enough? I am using heroku so, to have ssl, I must simply use https instead http.
Having your payment calls go through the HTTPS protocol is the best way. In fact, even if you found a better way to obfuscate the data you are sending, if the counterpart does not share the same logic it will be useless.
All sensible and risky data like this should live only under the HTTPS protocol.
Related
Hi I'm new to Ruby/Rails and I had a question about handling an OAuth response with the Ruby version of GitHub's Octokit. After reading the documentation I'm a little confused about how to follow best practices with the wrapper vs with RestClient. When I authorize my app the response returns a "code" which I'm supposed to exchange for an access token.
In the GitHub API documentation it shows a Sinatra example of this with Restclient, which is currently in my create action of the sessions controller. However, it says you should approach it differently when building an app and that you should use the Octokit library, but I can't find any documentation on exactly how to exchange the code for an access token with Octokit.
My goal is to be able to crete a new member for the app via a user's GitHub account, save that info, & then sign them in with that account, rather then ever creating a username/password. I've pasted my new.html.erb code below to show the request that I am making as well. Really appreciate any help, thank you!
Sessions Controller
class SessionsController < ApplicationController
def new
#client_id = Octokit.client_id
end
def create
# CHANGE THIS TO USE OCTOKIT INSTEAD
session_code = request.env['rack.request.query_hash']['code']
result = RestClient.post('https://github.com/login/oauth/access_token',
{:client_id => Octokit.client_id,
:client_secret => Octokit.client_secret,
:code => session_code},
:accept => :json)
access_token = JSON.parse(result)['access_token']
end
end
OAuth Request
<p>
Sign In with GitHub
</p>
<p>
Click here to begin!</a>
</p>
As it doesn't explicitly state this in the README. What I recommend is always going through the source code to get a better understanding of how a gem works. Often you will find that the gem's creator(s) have written great code that is self-explanatory, and sometimes even commented to provide more info as in the situation below. Here is the method you're looking for, good luck on your journey to learn to Ruby/Rails and welcome! Let me know if you have any more questions and run into any more issues getting this to work.
# Retrieve the access_token.
#
# #param code [String] Authorization code generated by GitHub.
# #param app_id [String] Client Id we received when our application was registered with GitHub.
# #param app_secret [String] Client Secret we received when our application was registered with GitHub.
# #return [Sawyer::Resource] Hash holding the access token.
# #see http://developer.github.com/v3/oauth/#web-application-flow
# #example
# Octokit.exchange_code_for_token('aaaa', 'xxxx', 'yyyy', {:accept => 'application/json'})
def exchange_code_for_token(code, app_id = client_id, app_secret = client_secret, options = {})
options.merge!({
:code => code,
:client_id => app_id,
:client_secret => app_secret,
:headers => {
:content_type => 'application/json',
:accept => 'application/json'
}
})
post "#{web_endpoint}login/oauth/access_token", options
end
So I am currently using Disqus for my commenting system on my website It works perfectly but the downfall is that users need to have two accounts. One to access the site and another to comment!
Disqus offers SSO for this exact reason to allow a user to sign up only once (on the site) and automatically be given an 'in-app' disqus account to comment.
The people at Disqus have activated SSO for me and have linked me to various documentation. I was wondering if there are any good tutorials/documentation to show you how to do this with rails?
disqus_rails gem - Disqus service RoR wrapper
acts_as_disquser and Single Sign On
Disqus provides SSO service which gives ability to link your local users info to Disqus users, read more in Disqus tutorial. To do this, as and for linking model to Disqus thread - you have to add 'acts_as_disquser' line in your users model. You need pass there four attributes: 'id', 'username', 'email' and 'avatar'(avatar is an optional field, so you can omit this). Here is example:
class User < ActiveRecord::Base
acts_as_disquser :username => :full_name, :email => :email, :avatar => Proc.new{ avatar.url }
...
end
As you see, you can pass there or symbols, or procs. First will try to get instance variable with such name from model's instance, second will evaluate code inside Proc with context of model's instance. Important - only Proc are available for second way of defining attribute, no lambdas. Also, you may not implicitly pass acts_as_disquser :id => :id - it will try to get id automatically if it is not defined. Next, you need to specify in disqus_init helper attributes 'disquser' with current user instance, and 'sso' as boolean to enable or disable SSO.
<%= disqus_init :disquser => current_user, :sso => true %>
After this is done, when users will post comments via Disqus, their username, email and avatar will be taken from your site.
https://github.com/sandric/disqus_rails
Hello I am designing an online application that uses mobile money as a means of payment. But I need assistance on how I can pass my order form data to the API of the mobile money service providers who complete the transaction.
Try httparty, post method.
An existed example could be
options = {:type => auto}
payload = options.to_json
query = {
:request_id => request_id,
......................
:user_id => user
}
response = post("/tbc/submit_job.json", :body => payload, :query => query)
You can use httparty to customize yours.
I recently came across sending emails via Rails. After watching railcast, it seems that you can write up a template when using Action Mailer. I really liked this feature for my purpose. I also came across Pony, which seems really easy to use.
I was wondering if I can use templates for sending emails via Pony, unless Pony is meant for express non-templated emails.
You can easily access the view framework by explicitly rendering a template:
Pony.mail(
:to => 'somewhere#example.com',
:from => 'sender#other.example.com',
:subject => 'an example',
:body => render_to_string("path/to/_partial", :locals => {foo: #foo}, :layout => false)
)
In my research, Pony seems to be promoted as a non-template based tool, making it "simpler" to use. The home page for the utility does not mention templates at all:
https://github.com/benprew/pony
I have a ruby-on-rails application that wishes to utilise the tumblr gem for adding posts when an action is taken (eg: creating a blog post)
I currently have the tumblr gem installed and can manage to fetch my posts using
#tumblruser = Tumblr::User.new('myemail','mypassword')
However when i go to add a post where it asks me to pass the user information like so (according to the API for the gem)
post = Tumblr::Post.create(#tumblruser, :type => 'video', :embed => #post.video_html, :title => #post.title, :caption => #post.content)
it just does not want to authenticate and returns a 403 error
anyone had any experience with this?
NEW SOLUTION:
I have found recently that there has been a problem with the gem. So I have made a copy of it, changed a few things in the docs and code and put it at http://rubygems.org/gems/matenia-tumblr-api
Hope the changes and docs help someone else out there.
As always I welcome any improvements, or refactoring on any of my projects.
Kind Regards,
Matenia
OLD ANSWER BELOW
I managed to get around this by the way ... all i did was declare the username and password in place of #tumblruser like so:
post = Tumblr::Post.create(:email => 'user name email here',
:password => 'my password',
:type => 'video',
:embed => #post.video_html,
:caption => #postcontent)
where #postcontent is the html text of post.content and gsubbed to escape most of the html.
hope this saves someone else some time.
If you are only going to check authentication with any media like Facebook , Twitter ,LinkedIn ,Tumblr , Github and almost 20 others (you can check Here ) .Then omniauth gem is the first thing that comes to mind . Means It's clearly simplest solution for authentication and I love it