I am new to firebase , I want to know that is there any way to send firebase OTP SMS from Laravel backend ?
I am using Laravel 6
When using Firebase Authentication, signing in the user (including requested an OTP via SMS) always has to happen from the client-side code. So while you can request the SMS OTP from client-side JavaScript as shown here, you can't send the SMS OTP from server-side PHP/Laravel.
Related
Why does laravel need authentication while sending mails? Is it possible to send mail without authentication just a valid email id?
I want to create a Slack bot which will monitor incoming messages of channel, and respond to those messages based on the content using Events and Web API.
In Events API, the verification URL which I am currently using requires Shibboleth login i.e I need to put in username and password if I want to access that URL through browser.
How do I have Slack send its request to that URL? Currently Slack gets HTTP 500 error from the server, and also my server doesn't get any hit.
After talking to Slack help chat, I was told that Slack can't do auth. I was suggested to use proxy of some kind, but I ended up removing the Shibboleth from my server. Slack does sign every request it sends, so to have server respond to attackers, verify each request is from Slack before responding.
I'm developing an app with Ionic 3 and Angular 4, and also implementing Login With Facebook button (and logic).
I don't understand how to secure this process.
The API returns the user's email + id and then I need to send them to my server to register / log in the user.
But how can I be sure that nobody "fake" the ajax call with those user email & id? And skip the whole Facebook Button process?
I don't get it at all - no matter what the API returns - I need to send it to the server via AJAX, and anyone can fake this process and send specific parameters with AJAX.
A good way is to send the Access Token to the server and make the API call to the Facebook API there. You can/should activate "Require App Secret" in the App settings:
Only allow calls from a server and require app secret or app secret
proof for all API calls.
The answer is - backend!
You should always verify the token in the server side to prevent "hacks" like you said
I started a project using the Google API signin mixed with an angularJS+Firebase app.
What I would like to do is to be able to send an e-mail from one person to another programmatically.
Example: John is logged in, clicks on a button which sends an email to Rachel. But that email is sent using the stored token from Ted, not John's account.
It seems possible using the php library which is not an option here.
So far, I get the token easily using these few lines:
var GoogleAuth = gapi.auth2.getAuthInstance();
GoogleAuth.grantOfflineAccess({
scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://mail.google.com/ profile email'
}).then(function(resp) {
console.log(resp);
this.storeToken(resp.code);
});
Is it actually possible ?
A quick search just got me results for php or about how you get a token with the JS library... not how to use it !
From my understanding you want to use a refresh token ( offline access ) to send an email from Ted's account via Javascript.
Sadly this is not possible client side. What your code gives you is a 'code' that you can send to your server using a $http.post () and trade with Google server side for a refresh token.
Here is a guide for how to change that code into a refresh token.
While you can do this client side it would involve exposing your client secret which you should never do.(https://developers.google.com/identity/sign-in/web/server-side-flow)
Every time John wants to send an email from Ted's account your application will have to send a request to your server that:
Sends a request to google with the refresh token and generates an access token (https://developers.google.com/identity/protocols/OAuth2WebServer#offline)
Sends a seccond request to google using the access token to send the email from Ted's account
I hope that this helped.
I am running a php website(www.mywebsite.com). Now I would like to add a real-time chat function so users can chat with others.
I decided to run node.js and socket.io in another server separating from web server(chat.mywebsite.com).
Users who wish to use chat function have to log in through www.mywebsite.com. After login, they will be sent to a chat page (www.mywebsite.com/chat). So on this page the client must post a request to web server for a JWT and use this JWT to authenticate in socket.io.
My question is: if the JWT is stolen by someone else, and pass the JWT to socket.io, it will definitely fake the server that the user is authenticated. So is this approach correct or can you suggest another method for my situation? Thanks!
If someone has access for a JWT token - they basically hijacked his session, https://en.wikipedia.org/wiki/Session_hijacking
As long as you don't have XSS's or other vulns on your website, it shouldn't be something you should worry about.
just make sure that the socket.io does auth the user by using the jwt token before letting him send/recieve messages.