I'm trying to provide a contract with some external data. They need an oracle setup for the same. I have decided to go with chainlink external adapter. The issue is that I don't the off-chain data to be accessible by other contracts. EA has support for accessing protected apis. However this does not allow me filter based on contract address. Also not sure how to include initiator information in the request to the server in a secure way
Related
I am trying to make a desktop application with Twitch API and Google API.
Since this application requires Twitch user permission, a user needs to authorize my application through twitch's OAuth and I think there's no way to omit this process.
Now, I want to add some functionalities from Goole APIs, for instance TTS.
My application will be installed and run on user's local machine,
it cannot store API key or credential information safely.
I think I have three options:
Add Google OAuth: This is most safe way, I think, but I don't think I can convince users to authorize another Google account even though they already authorized their Twitch account.
Make a kind of proxy server which verifies request for Google API using twitch authentication information and relays request to/response from Google API. This seems feasible but it requires additional payment to running server for sending data from Google API. I already have to pay for TTS service, another payment for proxy server which sends binary data frequently would be a financial burden for me.
Make a server to acquire API key for Google API. This also requires additional server, but it does not involve lots of traffic because application will access Google API directly once API key acquired. However, I concern that the API key may be easily stolen using monitoring tool such as wireshark.
Which method should I use here, and how can I improve it?
Or, is there better way for this case?
I'm planning to make a microservices architecture using Laravel as the backend and VueJs or maybe ReactJs as the frontend. The microservices will consist of
User authentication service (For authenticating user)
User management service (To manage organization member database)
Event management service (For creating organization event)
Etc.
All of the services will require user request to be authenticated, but using central user database, which is located on User authentication service. Eventually, on each web application, it will use at least 2 of the services.
How am I able to authenticate the user before making the request to the specified services? Thanks in advance!
Think carefully about your reasoning for developing a distributed system with a microservice architecure. Developing such a system can be complicated and might introduce more problems than it solves for you. You should consider things like code base management, data synchronisation and service availability for example. A standard monolithic architecture with the frontend (Vue/React) and backend (API) as separate projects will be simpler and may provide the flexability you need. Should the need arise in the future to develop a service orientated architecture arise, worry about it then.
That said, typically you wouldn't allow direct access to your services. There would be an API gateway which users access and it proxies requests to the relevant service. So your users would make a request to api.domain.tld/auth/login which would then be forwarded by the gateway to your auth service, process the request and then provide a failure response, or a success response which would include some sort of auth token which would be used to authorise subsequent requests to your other services. Sometimes services are aware of each other and can communicate directly if require, other times they use the API gateway for service communication.
I'm trying to find out how I can know if my application that wants to use a restricted Google API scope is exempt from the security assesment.
The documentation for the Google API Services User Data Policy states that:
Local client applications that only allow user- configured transmissions of Restricted Scope data from the device may be exempt from this requirement.
How can I find out if my app qualifies for this exemption?
If you check the OAuth API verification article here:
These applications [local client applications] may be exempt from the secure handling policy because the security assessment (and successful securement of a Letter of Assessment) primarily addresses risks associated with developers obtaining and storing data on servers.
Developers should specify in the verification application whether they believe the application is a local client application, and we will work with the developer to verify that is the case.
Therefore, when sending the verification application you should mention that the application you have is a local client one and if this is indeed the situation, you will be notified about it.
Also, please bear mind, that the local client applications can be defined as, according to Google:
Local client applications are generally applications that only run, store, and process data on the user's device (like a computer, mobile phone, or tablet). While user actions may cause data to leave a device (such as sending an email), local client applications do not transmit restricted scope data to the developer's servers (or servers specified by the developer), unless the user explicitly configured the application to do so. This would include local email clients, file managers, and calendar and contact management applications that don't utilize cloud services or only transmit restricted scope data to user-configured destinations.
Applications that send restricted scope data to a developer's or third-party's servers without explicit user-initiated action, such as setting up a backup capability, will not be considered a local client.
Reference
OAuth API Verification FAQs.
Our current API use seesionID for the authentication. We plan to use Azure API management to manage our web api. However Azure web api management has their own authentication. How can we link those two together. Our customer can use the same logon information.
Conversations about authentication and identity in Azure API Management can get tricky because there can be three different identities and then there are the different contexts of runtime requests vs management requests. So, to be sure I'm answering the right question, let me try and get some terms defined.
The three identities:
API Provider: This is the Azure user who has created an API Management instance.
API Consumer: This is a developer who is writing some client software to consume the API.
End User: The user of the application written by the API Consumer and will be the one who actually initiates runtime requests to the API.
I am assuming that you are the API Provider. What I'm not sure about is whether your customers are the API Consumers or the End Users.
Azure API Management provides identity services for API Consumers. Consumers can either manually create a username/password account or use some social identity provider to create an account. They then can get a subscription key that will allow Azure API Management to associate requests to the API Consumer.
I think you are asking if you can connect the sessionID, which I am guessing you use to identify End Users, to a subscription key used to identify API Consumers. If that is correct, then the answer is no (except for the scenario described below), because we need to identify the API Consumer key before any policies are run to ensure we run the correct policies.
You can change our Api Consumer subscription key. So, if you only have a low quantity of customers/End Users you could create an Api Consumer account for each End User. However, you would only be able to map sessionID to API Consumer Subscription Key if sessionID was a constant value. I'm presuming based on the name, that value changes at each login.
Although Azure API Management provides identity services of API Consumers, it does not provide full identity management for End Users. We leave that to external partners like Azure AD, Thinktecture Identity Server and Auth0. I'm assuming that your existing system is already using some kind of identity provider to generate the sessionId. What you can do with Azure API Management is validate that sessionId using policies in the API Management Gateway. To do that we would need to know more about the format of the sessionId.
Sorry for the long post but it is a confusing topic and I wanted to be as clear as possible.
I am working on a program that uses Azure for it's database. It works pretty good, except that I have to authorize every IP address that I access it from. So, if I go to a friends house I have to authorize that IP, and if I go to a coffee shop I have to authorize that IP...
I am hoping that there is a way to authorize the connection from the program, whatever IP it is coming from. Or, worse case senario, turn off that security measure.
DON'T.
The idea behind Firewalling your DB is to protect your data from anything that could have the SQL Server credentials should they somehow leak. It's for your own safety.
Instead, try to write a quick Web Service with ASP.Net WS/Jax RS/Rails/... to expose the DB data in a sane, secure and thoughtful manner. It's not hard and there are tons of tutorials and books on the matter out there.
Although NOT Recommended, but if you want to turn off this security measure you can allow connections to your SQL database from all IP Addresses by setting the IP address range to 0.0.0.0 - 255.255.255.255 in Azure Portal.
Another alternative would be to dynamically manage allowed IP addresses by using Azure Service Management API. You can manage Firewall rules using this API. You can read more about it here: http://msdn.microsoft.com/en-us/library/azure/dn505717.aspx
So what you could do is have a small service running in Azure. When your application starts, it sends the current IP address to your service and your service sets the IP address in the firewall rules. When the application terminates, it sends another request to your service and then your service removes that IP address from the firewall rule.
As #Machinarius so eloquently said DON'T. .NET already has a way of exposing data through OData services. You get SOAP or Json, LINQ queries, caching, security even down to the entity or operation level.
Exposing an EF model as an OData service is very easy. You can create an ASP.NET Web API OData endpoint using the "Web API 2 OData Controller with actions, using Entity Framework" template as described in the "Creating an OData Endpoint" tutorial.
To call the service from a client, you add a service reference to it and then use the proxy to execute LINQ queries. It could be something as simple as:
Uri uri = new Uri("http://localhost:1234/odata/");
var container = new ProductService.Container(uri);
var myProducts=container.Products.Where(....);
Check "Calling an OData Service From a .NET Client" for a detailed tutorial.
As an alternative, if you need to access your application from random places, why not have a VM configured in Azure with your application installed. And whenever you need your app, fire up that VM, RDP there and work via RDP. Would not need to update connection and much more secure rather then having to allow random IPs to access your database.
I realise this is not an answer to your question, but other stackoverflowers already provided a significant input on your problem. And I do agree with them all. Do not disable the firewall. It is for your own good!