Survey form with crypto address autofill - validation

I want to make a survey form page for a blockchain project, where people have to add a few details to claim their reward. But first of all, I would like the first input box to be autofilled (non-editable) with the crypto wallet address that is connected.
So before being able to fill in the rest of the input text boxes, people have to connect their wallet to autofill the “Wallet address” input box, which is not editable by the user.
This way I want to make sure that whoever added the wallet address is really the owner of the wallet.
Can someone help me please?
I have not tried any code yet.

Related

Web application change email algorithm

I am developing an ASP.NET Core web application with user management functionalities. My question is about the email address changing algorithm. Almost every web app I have seen before has the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think this algorithm might be a bit insecure, and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? Which algorithm do you think I should implement? And what would you prefer if you were in my shoes?
The second option might sound great, and it's not too much of a headache to implement either. But I'll stick with the first approach for a few reasons:
Common workflow pattern.
As the backend side can be written in many languages, by various developers, a common pattern would make things more standard when we need some kind of migration, and even maintenance by a new developer. If the project doesn't require an ultra-secure authentication flow, the simplicity of the first approach is enough.
From the user convenience perspective
Let's just imagine: when changing an email address, in what case would the user likely want to change it? I registered my Facebook account long ago using Yahoo mail, which is no longer active, and I need to switch to a Gmail one. What's the point of sending the email back to the old one? Cumbersome... and I can do nothing in this case except get some help from the staff.
I totally agree with the second approach from the security angle. But that's not suitable for most cases; only implement it if the project has such a requirement. And even in that case, I suggest not doing that either: build something like a sub-admin account role and grant permission to someone responsible, like Google enterprise email, which organizes an account called admin in case anything goes wrong with a user account. As long as it has this kind of security-level requirement, it's not going to serve users massively.
The intention of the whole flow
The user got authorized first, right? That means we identified who the user is, and what she is capable of doing. Imagine when we hire a hotel room and then request to change to another for some reason. What's the point of proving that I booked my own room, since we all know that's the fact? Kinda weird... right?
In conclusion, I think we shouldn't mess with something that has become a common, widely acknowledged pattern, unless we have some special requirements and the project has something unique to satisfy, and we as developers consider that reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
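The flow in the answer above, as an added Python example that is not part of any answer on this page: the user re-authenticates first, only a hash of a single-use, expiring link token is stored, the confirmation link goes to the new address and the old address gets a link-free notice. The `send_mail` hook, the user record layout and the `https://app.example/...` URL are assumptions made here; PBKDF2 stands in for a real password hash such as Argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed value: a confirmation link is valid for one hour


def hash_password(password, salt):
    # PBKDF2 stands in for a real password hash (Argon2, bcrypt) to keep the demo dependency-free
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hash_token(token):
    # Only the hash of the link token is stored, so a leaked pending table cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeService:
    def __init__(self, users, send_mail):
        self.users = users          # user_id -> {"email", "salt", "password_hash"} (assumed layout)
        self.send_mail = send_mail  # hypothetical mailer hook: send_mail(to, subject, body)
        self.pending = {}           # hash_token(token) -> (user_id, new_email, expires_at)

    def request_change(self, user_id, password, new_email):
        user = self.users[user_id]
        # Re-authenticate with the current password before any mail goes out
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"]):
            raise PermissionError("re-authentication failed")
        token = secrets.token_urlsafe(32)
        self.pending[hash_token(token)] = (user_id, new_email, time.time() + TOKEN_TTL_SECONDS)
        # The only link that changes anything goes to the NEW address
        self.send_mail(new_email, "Confirm your new email address",
                       f"https://app.example/confirm-email?token={token}")
        # The OLD address gets a notification with no confirmation link in it
        self.send_mail(user["email"], "Your email address is being changed",
                       f"A request was made to change your address to {new_email}. "
                       "If this was not you, contact support.")
        return token  # returned only so a caller can follow the link; the mail is the real channel

    def confirm(self, token):
        # pop() makes the token single-use; the expiry check covers links never clicked in time
        entry = self.pending.pop(hash_token(token), None)
        if entry is None:
            return False
        user_id, new_email, expires_at = entry
        if time.time() > expires_at:
            return False
        self.users[user_id]["email"] = new_email
        return True
```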

Are there security issues with using ajax to send user objects to server?

I have an application and I want users to have the ability to create a user instantly without even having the page reload (so that if they are in the middle of something they don't have to stop). I have used AJAX for similar things in the past; however, I am a bit scared of using it for something like users with passwords (I am using hash, salt and pepper but still, I'm a bit paranoid). Are there any security issues with that?
Using AJAX is not a problem.
Using hash, salt, and pepper is fine, but do you check the user's email address for receipt? You can send a six-digit number to the email address entered by the user, and ask the user to enter that number on the input form to confirm that the user can use the email address.

Oracle APEX email and SMS authentication

I want to create a user screen with two authentications (SMS and email).
The user will receive an email to verify and activate his account first.
After that he sets a password and he will receive an SMS message to verify the password. I want to do this in Oracle APEX. I have tried Custom Authentication but didn't find it fruitful. Does anyone have a good idea how to achieve this?
After you take care of the email and SMS verification, you should store that data in the database and create a function to use in your custom authentication that verifies whether the user is already validated.
Put the function in Shared Components -> Authentication Schemes -> Settings -> Authentication Function Name
(the function must return true or false to allow the login)
I'm not a fan of using SMS for Two-Factor Authentication, but if you must, perhaps this demo implementation of Time-based One-Time Password (TOTP) might give you some ideas: https://github.com/fuzziebrain/orclapex-tfa-demo
I provided some background information here as well: https://fuzziebrain.com/content/id/1718/
Good luck!
I have achieved this in one of my APEX projects, but only with the e-mail. I use the SMS in another context, but you could still do it. You will need an SMTP server (you can run one on your server) and for the SMS you will need an external provider. In your Oracle database, create a table called OTP (one time password).
This table contains a foreign key to a user. When the user creates an account, run a dynamic action in PL/SQL that will generate a random 6-digit number that will be encrypted in your OTP table. This dynamic action will also send an email to the user with APEX_MAIL. The full documentation for how to use APEX_MAIL is here and it is pretty easy to use. You can send the user the password for authentication through email.
Create a new session user called user_na (not authenticated) and make it so that when he connects, the only page he can see is a page with a text field to enter the password he received through email. After he enters it, encrypt it the same way you did when he created the account and compare it with the password in the OTP table. If they match, change his account type to user and then he will be able to access every page that you made accessible for the users.
If you also want to send an SMS, I recommend using this tutorial. The SMS provider has a free trial if you want to test. If you have any questions don't hesitate to ask; I can easily help you with this.
NOTE: if you don't want to create different session users you can just add a column in your user table named authenticated. Set it to 0 by default and to 1 when he enters the email password. Then, when he logs in, check whether this value is 0 or 1 to know which page you should redirect him to.
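The six-digit e-mailed code suggested in the AJAX answer and the OTP table described in the APEX answer above, as one added Python example that is not from either answer: a salted slow hash of the code is stored in place of the encrypted value, the code expires, is single-use and is locked after a few wrong guesses, and the `authenticated` column from the NOTE is flipped on success. The `OtpStore` class, `activate_account` function, TTL and attempt limit are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600  # constructed value: a code is valid for ten minutes
MAX_ATTEMPTS = 5       # constructed value: lock the code after five wrong guesses


class OtpStore:
    """Stands in for the OTP table: one row per user holding only a salted hash of the code."""

    def __init__(self):
        self.rows = {}  # user_id -> {"hash", "salt", "expires_at", "attempts"}

    @staticmethod
    def _digest(code, salt):
        # A slow salted hash instead of encryption: a leaked table gives no way back to the code
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

    def issue(self, user_id):
        # randbelow gives a uniform value in 0..999999; zfill keeps leading zeros as six digits
        code = str(secrets.randbelow(10**6)).zfill(6)
        salt = secrets.token_bytes(16)
        self.rows[user_id] = {
            "hash": self._digest(code, salt), "salt": salt,
            "expires_at": time.time() + OTP_TTL_SECONDS, "attempts": 0,
        }
        return code  # this plain value is what the e-mail or SMS carries; it is never stored

    def verify(self, user_id, submitted):
        row = self.rows.get(user_id)
        if row is None or time.time() > row["expires_at"] or row["attempts"] >= MAX_ATTEMPTS:
            return False
        row["attempts"] += 1  # counted before comparing, so guessing is bounded
        ok = hmac.compare_digest(self._digest(submitted, row["salt"]), row["hash"])
        if ok:
            del self.rows[user_id]  # single use: the row is consumed on success
        return ok


def activate_account(users, store, user_id, submitted):
    """Flip the 'authenticated' column from 0 to 1 once the code the user typed checks out."""
    if store.verify(user_id, submitted):
        users[user_id]["authenticated"] = 1
        return True
    return False
```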

Segment mailchimp list based on activation link clicked in email

In my CodeIgniter website, I have a registration form. Earlier my developer added the Mailchimp API to collect users' details in Mailchimp when they register, and it's working fine (as soon as someone registers, their details get saved both in Mailchimp and in my site's backend).
After registration, users receive an email as well with a link to activate their account on my website. Now I want to segment my Mailchimp list based on who activated their account and who didn't (I want to move users into separate lists based on who clicked the activation link). Currently, as soon as someone registers, their details get saved in one list whether they activate their account or not.
Please note that the email users receive on signup is coming from the CodeIgniter site itself (not from Mailchimp; it's not the confirmation mail from Mailchimp).
Please let me know if this is possible and how it can be accomplished. If you can provide any reference link that would be very helpful.
Thanks.
I have a solution for this:
Step 1: Create a Group/Segment as a radio button (preferred) with two options, 'Activated Users' and 'Not-activated Users'.
Step 2: Add all users who sign up to the site into the 'Not-activated Users' segment.
Step 3: After a user clicks the activation link, you need to write custom code after the activation process to add that user into the 'Activated Users' segment.
Step 4: Remove the user from the 'Not-activated Users' segment.
Please give me some feedback…

is there a library to fetch user avatars?

Let's suppose we are adding users to a platform using the email address.
Until the invited users upload an avatar or a profile picture, the best we can display is either a generic "user icon" or an identicon (or similar).
I assume that, given the email address, there's a possibility that the user is on LinkedIn, Google Plus, Facebook, Twitter and who knows where.
Is there a library or do you have experience in writing an algorithm that will try to fetch a profile picture from multiple channels?
--edit--
I am aware of automatically generated avatars (identicons), but what I am really trying to achieve is a personal avatar that belongs to the user.
The gravatar API is the simplest option:
http://www.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=80&d=identicon&r=g
The long hex number is the MD5 hash of the user's email address (trimmed and lowercased). s is the avatar size.
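An added Python helper, not from the answer above, that builds the Gravatar URL the answer describes: it normalises the address the way Gravatar hashes it (trim, lowercase, MD5) and validates the size, default-image and rating parameters against the values Gravatar documents. The function names `email_hash` and `gravatar_url` are chosen here.

```python
import hashlib
from urllib.parse import urlencode

# Named default images and ratings that Gravatar accepts for the d= and r= parameters
DEFAULT_IMAGES = {"404", "mp", "identicon", "monsterid", "wavatar", "retro", "robohash", "blank"}
RATINGS = {"g", "pg", "r", "x"}


def email_hash(email):
    # Gravatar hashes the address after trimming whitespace and lower-casing it.
    # The MD5 is not a secret: anyone with a list of candidate addresses can match it,
    # so publishing the hash effectively publishes the address.
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email, size=80, default="identicon", rating="g"):
    if not 1 <= size <= 2048:
        raise ValueError("size must be between 1 and 2048 pixels")
    if default not in DEFAULT_IMAGES:
        raise ValueError(f"unknown default image {default!r}")
    if rating not in RATINGS:
        raise ValueError(f"unknown rating {rating!r}")
    query = urlencode({"s": size, "d": default, "r": rating})
    # HTTPS keeps the hash (and thus the address) out of clear-text traffic
    return f"https://www.gravatar.com/avatar/{email_hash(email)}?{query}"
```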