I need to implement server side captcha in web api. Angular 4 is my front end.
What i need is catcha generate and validate in server side using sql server(for storing captcha for validtion) and render captcha in client side.
Is there any open source library available for that?
I used SuperNova 3.0.9 but it uses its own sql lite db for verification and i couldn't override the functionality.
Related
I have a project which I use Google Places API.
For the API key I have now, I have set IP restriction because the API is called in server-side. Place Search and Place Details are called in Server and returned to client side.
But the endpoint Place Photos, I call in client side, and of course it doesn't work because I have set IP restriction. So, my idea is to create one more production api key which works on client side and set HTTP referrers. Is this Ok? Or should I call all apis in server-side instead?
I am buiding an app using svelteKit and django rest framework. SvelteKit is responsible for rendering HTML page(SSR) and django rest framework is responsible for providing restful API.
Both App server and browser will fetch my restful API. I want protect my restful api by add Authorization. After reading some documents, I plan to use OAuth2(django-oauth2-tookit) and I draw the following chart:
My auth flow chart
But I was confused by following problems:
I can use Authorization Code grant flow auth APP server, but how about the browser?
Can I separate the auth server and restful server, If so, how auth server protect restful server?
I can use Authorization Code grant flow auth APP server, but how about
the browser?
In fact the authorization code based flow is the one that is suitable & meant for web client. While using this flow server will redirect the intermediate code (oauth code) to the redirect uri passed in the request so client can capture that code and make another request to exchange it with access_token.
Can I separate the auth server and restful server, If so, how auth
server protect restful server?
Blockquote
Yes, you can. The resource server should talk to auth server to get the authentication/token object verified.
I'm working on Hyper Ledger Composer and integrating the REST API in a nodejs web app "using js client side to call the API "
and I'm wondering how can I keep some interface private and prevent from show and post to it .
Should I simply call the api server side before or is there an elegant way ?
To protect access to the REST APIS, you can implement an authentication strategy - see here https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html and https://hyperledger.github.io/composer/integrating/enabling-multiuser.html (the latter requires that authentication is enabled).
A tutorial on using one such strategy - eg using Google OAUTH2 as an auth provider - is shown here -> https://hyperledger.github.io/composer/next/tutorials/google_oauth2_rest
There is another way to develop your own rest api using NodeJs sdk.
You can connect to the network using Cards and perform any action using BusinessNetworkConnection class and factory object.
Read [https://hyperledger.github.io/composer/v0.16/applications/node][1]
We have a web app that has a security setting where it checks the referrer to allow access. We need to open this website from an Oracle Form. Currently we are using the web.show_document command to achieve this. Trouble is that this command doesn't report any referrer and thus the web app is refusing access. Does anyone know of a way to specify a referrer when opening a website from Oracle Forms? Or another command that sets the INB Server's domain as the referrer?
We are using Forms [32 Bit] Version 10.1.2.0.2 and this is an Ellucian Banner 7.2 forms app. The app we are trying to access is Evisions Argos.
After a lot of trial and error, and back and forth with the Evisions Support Desk, it appears that it's impossible to use the Check Referrer security in this setup. Oracle Forms 10 only has the web.show_document function to launch websites on the client computer. And this function creates a new http request with no "referer" http header. Argos specifically uses that header to check for the referrer. What we ended up doing was disable this security check.
In Oracle Forms 11g it is possible to use this Argos security feature with the web.javascript_eval_expr built in. This function allows to run a javascript window.open function which actually adds a referer header.
Here's an example of the call:
web.javascript_eval_expr('window.open("https://someargosserver/mrr?report=LONGREPORTIDKEYVALUE¶m1=some_text¶m2=some_other_value", "_blank");');
I want to use native applications and a web server to get refresh tokens to use for some operations (on google drive). Client ids and secrets have been generated for both the native and the web application using the Google developer console.
I'm trying to generate authcodes from the native applications and exchange them from the web server for access/refresh tokens using a script heavily inspired from the java example. The main difference is that there is two GoogleAuthorizationCodeFlow (they represent the native and server parts):
One using the native application's id and secret and used for generating the authorization code.
One using the web application id and secret and used to exchange the authorization code for credentials.
Such procedure does however result into a 401 Unauthorized exception.
When using for both GoogleAuthorizationCodeFlows the same credentials, either the creds of the native application or the web application ones, the process succeed and returns a refresh token.
How can I use the authorization code from a native application on a web application to generate access tokens? Is there a way to use the web application id and secret to exchange the authorization code or must be procedure be finished using the same credentials used for generating the token?
The reason that it is not working is that Authentication is linked to the client id and client secret.
When a user authenticates they are authenticating that client id / client secret pair. You cant just take the Refresh token or the Authentication code and use it with a different client id and secret they wont match and it wont work and you will get a 401 Unauthorized exception.
your on the right track with
How can I use the authorization code from a native application on a
web application to generate access tokens?
What you need to do is create Client ID for native application just one and use the client id and client secret for both your native application and your web application.
Web vs Native
The only real difference between a Client ID for native application and a Client ID for web application is the Redirect URI. The Redirect URI just tells the Authentication server where to return the authentication to. In the case of a website that's easy its the web page where you handle the code most of the time this is the same ip address. In the case of a native application there is no way to know this so the server sends the information back to the requesting ip. Beyond that there is really not difference, except maybe that Google likes to know if its a website or a installed application running the code maybe. So you can use a native client id on a web application the server will just return it to where ever it asked.
Security
There are probably some security considerations with using a native one on a web application, I guess someone could potentoaly get a hold of it and send info with your client id. TBH I find the chance of this limited.