Implementing password reset method on iPhone and Android apps? - ios

I'm having trouble finding a way to provide users a reset password method for my apps.
Unlike this question, I don't want to manage it locally; instead I prefer to validate the user by some sort of connection to my server.
Should I validate the user via e-mail? By sending him a link containing a key like:
http://www.myweb.com/inc/mobile/activate.php?email=pepe%40hotmail.com&key=252b6a8e98b8109cda4f53500a419b62
I'm not sure how to make that work without using any webView.
Or maybe the best approach is to e-mail them a link to a website in which they can reset their password (like in Path).
Please, can someone point me in the right direction?
Any help would be appreciated.

The safest approach is to have your app contact the site, and have your site send an email to the user with a password reset link. It seems fairly common to provide a GUI in your app telling the user to check his email for the password reset instructions.
That way, if an impostor gets access to the app, he may not have access to the email or may not know the credentials for your site.
Your GUI could be done natively or with a webView. I am not sure why you are trying to avoid a webView in any event, but it is not required.
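The server side of the flow the answer describes, as an added example that is not code from the original post or the asker's site. The app only ever posts an e-mail address; the server mints a random token, stores only its hash, mails a link in the question's activate.php format, and later consumes the token exactly once. Assumptions: an in-memory Hash stands in for the database, and PBKDF2 stands in for whatever password hash the real site uses.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'
require 'uri'

# Added example: minimal password-reset token service for the flow in the answer.
# Assumption: an in-memory Hash replaces the users and tokens tables.
class PasswordResetService
  TOKEN_TTL = 15 * 60 # seconds; a short lifetime bounds the damage of a leaked link

  def initialize(users, clock: -> { Time.now })
    @users  = users  # "pepe@hotmail.com" => { password_hash: "...", salt: "..." }
    @tokens = {}     # email => { digest:, expires_at: }
    @clock  = clock  # injectable so expiry can be tested deterministically
  end

  # Step 1: the app POSTs the e-mail address. Returns the raw token for the
  # mailer, or nil. The HTTP layer should answer "check your e-mail" in both
  # cases so the endpoint cannot be used to enumerate registered accounts.
  def request_reset(email)
    return nil unless @users.key?(email)
    raw = SecureRandom.urlsafe_base64(32)                    # 256 bits of entropy
    @tokens[email] = { digest: Digest::SHA256.hexdigest(raw), # never store the raw token
                       expires_at: @clock.call + TOKEN_TTL }
    raw
  end

  # The link that goes into the e-mail; the key is the raw token.
  def reset_link(email, raw_token)
    'https://www.myweb.com/inc/mobile/activate.php' \
      "?email=#{URI.encode_www_form_component(email)}&key=#{raw_token}"
  end

  # Step 2: the activate page submits email, key and the new password.
  # Returns :ok, :invalid or :expired.
  def consume(email, raw_token, new_password)
    record = @tokens[email]
    return :invalid unless record
    return :invalid unless secure_compare(record[:digest],
                                          Digest::SHA256.hexdigest(raw_token.to_s))
    if @clock.call > record[:expires_at]
      @tokens.delete(email)
      return :expired
    end

    @tokens.delete(email)                                    # single use
    salt = SecureRandom.random_bytes(16)
    @users[email][:salt] = salt
    @users[email][:password_hash] =
      OpenSSL::PKCS5.pbkdf2_hmac(new_password, salt, 100_000, 32, 'sha256')
    :ok
  end

  private

  # Constant-time comparison so response timing cannot reveal how many
  # leading characters of a guessed key matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  users = { 'pepe@hotmail.com' => {} }
  svc   = PasswordResetService.new(users)
  raw   = svc.request_reset('pepe@hotmail.com')
  puts svc.reset_link('pepe@hotmail.com', raw)
  puts svc.consume('pepe@hotmail.com', raw, 'correct horse battery staple')
end
```

Because only the SHA-256 of the key is stored, a dump of the tokens table does not yield usable reset links, and the single-use delete means a link that was forwarded or logged cannot be replayed after the legitimate reset.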


How to show autofill suggestion without managed shared credentials? React native IOS

I have this task that need to show the suggested username & password on my app.
something like this that I found [credits to this site]
https://brainsandbeards.com/blog/quick-change-that-helps-ios-users-sign-in-quicker
or something like this
[image: Other way to autofill]
But every time I press the 'password' on the top of the keyboard it always goes directly to the list of keychains and not giving the option like the above image showing a suggested account or choose other passwords.
I even followed this documentation:
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains
even use an 'alternate-mode' on the associated domain.
I suspect that the web server we're using is not a managed-shared-credentials-enabled server?
Is there a possibility to do this without associated-domain capability?
Thanks in advance!

Open web page and bypass login from iPhone - iOS

I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and JavaScript injection, but I am not sure and I have never done something like this, so every bit of information, or a pointer in the right direction, is welcome.
I will give an example that I hope will make things more clear (I don't actually want to open Facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example "https://www.facebook.com/profile", without having to go through the login page? I do have the user credentials (username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token, that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captcha, preventing you from automatically logging someone in.
There certainly are situations where it is possible: for example, if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website, etc. But those depend on the specific target website, or on whether you can control that target website and add this functionality.

Is there any way to send the email without opening the MFMailComposeViewController?

I need to send the email without opening the MFMailComposeViewController. I have searched about this and found some pointers, such as using a web service, and another that connects to the Gmail server by asking the user for their email ID and password.
My email format is fixed; I just have to send the email to the user whose ID will be given by the user, without showing anything else.
Your existing research is accurate - you can connect to some web service to send the e-mail automatically, but you can't automatically create, configure and send using MFMailComposeViewController. The user always gets to see the presented controller and choose whether to do any editing and whether to send or not.
There is no way of sending an email directly from iDevice without showing the MFMailComposeViewController.
If it was possible it would be a great tool for mobile distributed spam bots.
Things to consider: MFMailComposeViewController is an interface for the user to compose an email.
If you want to use it, you have to hand over control to it. Apple does not expose the underlying functionality to you: it has to go through this view controller.
If you don't want the user to be aware that you are sending emails on their behalf (I assume it is on their behalf or you wouldn't need the composer view) you are probably doing things a little wrong; why would you want to send an unsolicited email?
If you want to report information from the device, implement a web service and send it to that. Email is meant for correspondence; don't hijack an account.
If you still need an email, have the web service create it.
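The "have the web service create it" option from the answer, as an added example that is not code from the original post. The device posts a report to an authenticated endpoint and the server, not the phone, decides whether an e-mail goes out: it checks a per-installation API key, validates the recipient, caps sends per device so a compromised install cannot become a spam bot, and fills a fixed template so the client never controls subject or headers. Assumptions: API keys live in an in-memory Hash, and the built message is returned rather than handed to an SMTP client.

```ruby
require 'time'

# Added example: server endpoint that turns device reports into fixed-format e-mail.
# Assumption: api_keys maps a per-installation key to a device id.
class ReportMailer
  MAX_PER_HOUR = 5        # per-device cap; the server is the spam control
  WINDOW       = 60 * 60  # seconds
  EMAIL_RE     = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  Message = Struct.new(:to, :subject, :body)

  def initialize(api_keys, clock: -> { Time.now })
    @api_keys = api_keys                        # api_key => device_id
    @sent     = Hash.new { |h, k| h[k] = [] }   # device_id => send timestamps
    @clock    = clock
  end

  # Returns [:ok, Message] or [:error, reason].
  def submit(api_key:, to:, report:)
    device = @api_keys[api_key]
    return [:error, :unauthorized]  unless device
    return [:error, :bad_recipient] unless to.is_a?(String) && to.match?(EMAIL_RE)
    return [:error, :rate_limited]  unless allow?(device)

    # Fixed template: the client supplies data values only, never subject or body.
    subject = "Device report from #{device}"
    body    = "Report received at #{@clock.call.getutc.iso8601}\n\n" +
              report.map { |k, v| "#{k}: #{sanitize(v)}" }.join("\n")
    [:ok, Message.new(to, subject, body)]
  end

  private

  # Sliding window: keep only timestamps inside WINDOW, then apply the cap.
  def allow?(device)
    now = @clock.call
    @sent[device].reject! { |t| now - t > WINDOW }
    return false if @sent[device].size >= MAX_PER_HOUR
    @sent[device] << now
    true
  end

  # Collapse CR/LF so a report value cannot smuggle extra lines or headers
  # into the message.
  def sanitize(value)
    value.to_s.gsub(/[\r\n]+/, ' ')
  end
end

if $PROGRAM_NAME == __FILE__
  mailer = ReportMailer.new({ 'key-abc' => 'device-1' })
  p mailer.submit(api_key: 'key-abc', to: 'pepe@hotmail.com',
                  report: { 'battery' => '12%', 'app_version' => '1.4.2' })
  p mailer.submit(api_key: 'stolen', to: 'pepe@hotmail.com', report: {})
end
```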

Rails Devise Api + Facebook iOS SDK, security concern

I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps "log in with facebook", facebook graph authenticates, then we do a call to our api and log the user in via their facebook email (only) we have on file.
However, what's freaking me out here is: theoretically, if someone knew our api_token, and knew that calling a POST to a login URL with only a valid existing email would log them in, isn't that a security issue, since they could actually log in as someone else? Am I overthinking this? Understandably, they'd have to know every aspect of the API to do any damage. But still, I'm not feeling comfortable with this flow. Am I missing something?
This shouldn't be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user's UID (readily available to anyone) and your API Key aren't enough. They'd still need your API Secret Key (which, if someone has it, is a bad thing) to sign requests as you.
What you're really using is OAuth (through Devise, via OmniAuth). I'm not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren't going to have a password set for them, and that's not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account; that also means they can sign in the old-fashioned way if they desire/delete Facebook/etc.
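What the server half of "log the user in via their Facebook email" should look like, as an added example that is not code from the original answer nor from Devise or OmniAuth. The login endpoint never trusts an e-mail address posted by the client; it verifies the user access token the Facebook SDK handed to the app against Graph API's /debug_token, checks that the token was issued to this app (a valid token for some other app must not log anyone in), and looks the account up by Facebook user id. Assumptions: the Graph call is injected as a callable so the example runs offline, `fake_graph` and FAKE_TOKENS are constructed stand-ins for the real endpoint (whose response is shaped `{"data": {"app_id", "user_id", "is_valid", "expires_at", ...}}`), and the app id and secret are placeholders.

```ruby
require 'json'

# Added example: token-verified login instead of "POST an e-mail, get a session".
# Assumption: `graph` is a callable (path, params) -> parsed JSON Hash.
class FacebookLogin
  def initialize(app_id:, app_secret:, users:, graph:, clock: -> { Time.now.to_i })
    @app_id    = app_id.to_s
    @app_token = "#{app_id}|#{app_secret}"   # app access token; never leaves the server
    @users     = users                       # facebook user id => account Hash
    @graph     = graph
    @clock     = clock
  end

  # Returns [:ok, account] or [:error, reason].
  def login(user_access_token)
    return [:error, :missing_token] if user_access_token.nil? || user_access_token.empty?

    resp = @graph.call('/debug_token', input_token: user_access_token, access_token: @app_token)
    data = resp.fetch('data', {})

    return [:error, :token_invalid] unless data['is_valid'] == true
    # A genuine token minted for a different app id is still not ours.
    return [:error, :wrong_app]     unless data['app_id'].to_s == @app_id
    expires = data['expires_at'].to_i
    return [:error, :expired]       if expires.positive? && expires <= @clock.call

    # Key the account on the Facebook user id, not on an e-mail the client sent.
    account = @users[data['user_id'].to_s]
    return [:error, :unknown_user] unless account
    [:ok, account]
  end
end

# Constructed stand-in for Graph API (placeholder ids, not real data):
# tokens the "real" API would know about, keyed by the token string.
FAKE_TOKENS = {
  'EAAB_good'  => { 'app_id' => '123456', 'user_id' => '1001', 'is_valid' => true,
                    'expires_at' => Time.now.to_i + 3600 },
  'EAAB_other' => { 'app_id' => '999999', 'user_id' => '1001', 'is_valid' => true,
                    'expires_at' => Time.now.to_i + 3600 },
  'EAAB_dead'  => { 'app_id' => '123456', 'user_id' => '1001', 'is_valid' => false,
                    'error' => { 'message' => 'Session has expired' } }
}.freeze

def fake_graph(path, params)
  raise ArgumentError, "unexpected path #{path}" unless path == '/debug_token'
  raise ArgumentError, 'app token required'     unless params[:access_token].include?('|')
  payload = { 'data' => FAKE_TOKENS.fetch(params[:input_token], { 'is_valid' => false }) }
  JSON.parse(JSON.generate(payload))   # round-trip to mimic a parsed HTTP response
end

USERS = { '1001' => { email: 'pepe@hotmail.com' } }.freeze

def build_login
  FacebookLogin.new(app_id: '123456', app_secret: 'not-a-real-secret',
                    users: USERS, graph: method(:fake_graph))
end

if $PROGRAM_NAME == __FILE__
  login = build_login
  p login.login('EAAB_good')    # verified token for this app
  p login.login('EAAB_other')   # valid token, but issued to another app
  p login.login('forged')       # Graph has never seen it
end
```

With this shape, knowing the api_token and a victim's e-mail address buys nothing: the only thing that produces a session is a Facebook-issued token that /debug_token confirms is valid, current, and scoped to this app's id, and the secret used to build the app token never leaves the server.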

MyOpenId not sharing email address

I'm trying to use MyOpenID for my sign-in, but it doesn't seem to be sharing the email address.
If I use Google or others I do seem to get the email address, though. I thought that this was a standard field to return.
I even see some documentation here that seems to suggest they would share email:
https://rpxnow.com/docs/providers
(I'm using Ruby on Rails and Janrain for this project)
One interesting thing is that if I set up an identity page on MyOpenId, then the email IS shared with my application. I thought that there was supposed to be a way when logging in with MyOpenID to specify what data is shared during "SimpleRegistration"?
The problem was that I was testing with my own MyOpenId account and the very first time I logged in to my development server I had not paid enough attention.
When logging in the first time it said something along the lines of "blah site is asking you to share information with it. Click here to use an existing persona or to create a new one." I didn't select one and it defaulted to "don't ask again".
I was able to fix this by going in to MyOpenId and revoking permission for my site. Then the next time I logged in it asked me again and it worked.
