Title says it all. Is it possible to send payments with a Plaid API developer account?
I am using developer account access tokens in Google Sheets and don't have a great way of hiding them. I'm hoping the developer accounts are read only so that if someone hacked me, they wouldn't be able to transfer money out of my accounts if they got a hold of an access_token.
Access tokens should always be stored securely. If an attacker has your access token, as well as your client_id and secret, they can make Plaid API calls on your behalf to get data for a specific Item.
The specific data that can be obtained from an access token depends on what products you are enabled for in Production. If you are enabled for Auth, this would include account number and routing number. This information can be used to request an ACH fund transfer via, e.g., your a website (note that this information is also printed on all checks in your checkbook). Finally, if an ACH transfer was made in this way, you would have grounds to have it reversed for fraud.
So while it might be possible for an attacker to use your access_token in conjunction with other hidden information (your client_id in secret) to get information that they could use to request a funds transfer out of your account, there are a number of hurdles for this attack vector. An attacker would also need your secret (or Plaid login info), and even then they would still only get the information that is present on every check you write, and there is a mechanism in the ACH system to reverse fraudulent transfers.
Related
My API is able to link a client's bank account, but is unable to 'unlink' it. The documentation specifies that 3 body params are needed: "client_id", "secret", & "access_token." However, from what I have read an access_token can be linked to MANY accounts. Is there a way to retrieve the access_token associated with a client's client_id & account_ID, and subsequently remove that account while not removing others (if they exist)?
tl;dr: No.
There is currently no way for you as a developer to delete, say, the user's checking account from an Item/access token while keeping access to e.g. the user's savings account at the same bank behind the same login.
That said, I'd be interested in hearing more about your use case -- it's possible that the "Select Account" feature might solve the problem you are looking for, and we're also rolling out some improvements to Select Account soon that might make it work even better for you.
As per Google Assistant documentation for Smart Home, the agentUserId used in action.devices.QUERY is defined to 'Reflects the unique (and immutable) user ID on the agent's platform. The string is opaque to Google, so if there's an immutable form vs a mutable form on the agent side, use the immutable form (e.g. an account number rather than email)'
However there can be cases where the same device (with same agent user id) is attached to multiple Google Assistant accounts and in such cases a DISCONNECT request may result is ceasing report state for all accounts. The solution will be to add some unique ID corresponding to the Google Assistant account, however such information is not available in any request.
Has anyone seen similar issue and is my understanding incorrect?
The agentUserId is meant to be the user account on the smart home platform. SHP user '1234' may have a vacuum and two lights, but could be linked to multiple Google accounts.
During the account linking process, you would be expected to give a refresh and access tokens to allow for Google to have authorized control over these devices. If you assign unique access tokens for each Google account that signs in, you'd be able to determine which Google account the request is coming from.
At that point, once the user disconnects, you can use the access token in the request header to associate that with a specific Google account and only disable reporting for that account while not affecting other accounts.
So, yes the solution is to have a unique ID connecting to the account. While this is not passed in the agent ID, there is already a mechanism to make this association through the authorization system.
Alternatively, you could append a key in the agentUserId, ie. '1234-user#gmail.com'. However, this may have unintended impacts in the Home Graph. In a multi-user home, you may end up seeing the devices duplicated because Google doesn't have the right information to deduplicate.
I have successfully implemented Google Login in my web application, using OAuth 2.0 for Client-side Web Applications. For most needs, I just need to have the user log into my application once, and I pass the id_token back to my server to authenticate it, and give back a JWT token to the front end on success. The user doesn't have to log every time they visit the page by storing that JWT token in the browser.
Now I want to build some additional capabilities into my application that require me to act on behalf of the user, and so I have to incrementally ask for additional scopes. I think I have a handle on that aspect.
On the client side, I gain consent to use a Google API on behalf of a user, and then use the Bearer token I get back to make a request to that API, then I get back an object from Google.
Now I want to convey that object to my server (my back-end) to store some information in my database associated with the user that is logged into my system. How do I authenticate, on my server, that the object I got back from Google, by proxy through the browser, actually belongs to the user who is conveying it to my server.
What's to stop someone from using cURL with their valid JWT token to my server and conveying some arbitrarily constructed Google object of their own creation. I don't see anything in the Google response object that I can verify its authenticity on my server (like I can with the id_token I get from their successful login, as described here). Perhaps there is a 'sub' field (which I think is Google's notion of identity) on the object which at least lets me know it belongs to the Google User, if I can trust the object's authenticity in the first place.
Can anyone set me straight and give me a reasonably intuitive mental model to organize my thoughts around, and tell me if I'm way off base with my concerns here, or if I'm approaching this from an entirely wrong vantage point?
I'm trying to use the Coinbase API for Ruby to create an application to accept Bitcoin payments. I assume one way I can use their API is through their OAuth sequence. So I created an OAuth 2 application on their site. It has these scope restrictions by default ...
• wallet:transactions:send is limited $1.00/day per user
• wallet:transactions:send:bypass-2fa is disabled
with a link that reads "Please verify your identity to upgrade limits." When I click on the link, it gives me two options
Buy limits (where I can upload my ID) or
Sell limits (where I'm given a link to "Verify my Identity")
Which of these do I need to use in order to achieve what I want?
According to the Coinbase documentation on Send Limits...
To better protect Coinbase users, the wallet:transactions:send permission requires additional OAuth authorize parameters and two factor authentication.
This implies that Coinbase limits the funds that are sent, likely to protect users from accidentally emptying their accounts by a software bug. However your app is being built to receive payments, which is not governed by this limitation. Your app should be able to receive payments as fast as they arrive!
Of course, when you try to withdraw funds from your account, you will run into these or similar limits. But that would be a great problem to have.
I am trying to build a small toolbox of scripts such that I can automate some tasks involving Google contacts, calendar and so on. Most of the work is already done by means of the googlecl project, which looks very promising.
As far as I understand the process, googlecl needs to request an authentication ticket from Google by means of OAuth. Admittedly, I have only a sketchy notion of what is going on there, but that’s something that Wikipedia will help me solve.
Here’s the catch: My Google account uses a non-Gmail address (let it be vucar#example.invalid for the sake of this discussion). The account was created back in the old days when Google didn’t force GMail down people’s throats who have no use for it. googlecl will direct me to https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=…&hd=example.invalid to complete the OAuth handshake. Google will then tell me that ‘the domain name has not been signed up for Google Apps’. Which is correct.
If I don’t supply my user ID to googlecl, then the URL reads …&hd=default. Google will accept the OAuth request, granting whichever permissions needed to my locally running googlecl, but then googlecl will complain that the token was issued to a different user ID than for the user ID that was requested. Which of course is also correct.
I’ve read through https://support.google.com/a/answer/33419, which in turn redirects me to http://www.google.com/a in order to ‘to sign up your domain for Google Apps’. Apparently, if my Google account uses a domain different from #gmail.com, then I am a business user and need to purchase Google Apps for my domain—to get, amonst a truckload of other stuff, my domain connected to GMail, the polar opposite of what I wanted to have by having that ‘foreign’ domain in the first place.
I have to admit that I am stymied. I understand what OAuth in this case is used for, but I fail to grasp the byzantine reasoning at Google’s. I do not believe that I want Google Apps for my domain, and I especially do not want to hand over my emails or anything else to Google. I merely want to access and modify my data at Google’s, with my user ID happening not to end in #gmail.com.
Is it strictly required that I purchase Google Apps for Work for such a configuration? The contacts, calendars and so forth is already at Google’s, and used from both Google’s web site and Android clients. The only thing new to the mix is API access.