MasterCard Hosted Checkout Integration SECURITY - mastercard

As you know, the documentation indicates that we need a JavaScript snippet like this:
Checkout.configure({
  session: {
    id: '<your_create_checkout_session_ID>'
  },
  interaction: {
    merchant: {
      name: 'Your merchant name',
      address: {
        line1: '200 Sample St',
        line2: '1234 Example Town'
      }
    }
  }
});
As it is JavaScript in an HTML page, everyone can see our Merchant_id and the session_id, etc.
How can we hide this info?
thanks

In my opinion, you shouldn't put this type of information and configuration in your front-end application/client because of the security issue that you mentioned.
Instead of that, use these steps:
Remove all implementation like configuration, checkout, double-checking payments, etc. from your client.
Implement them in your backend application / server (as a service or microservice).
Use the usual REST API to communicate between your client and server applications.
Hope this is useful in your case.
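The split the answer recommends, as an added example that is not part of the original thread and not Mastercard's own code. The gateway credential (merchant API password) lives only on the server, which creates the checkout session and returns to the browser just the session id plus display data; `Checkout.configure` is then fed from that response. The gateway host, the `/merchant/{id}/session` path, the API version in the URL and the `CREATE_CHECKOUT_SESSION` body are modelled on the Mastercard Gateway REST API but should be treated as assumptions here; `postJson` is an injected transport so the example runs offline against a constructed fake gateway.

```javascript
// Added example (not from the original thread): server-side creation of a Hosted
// Checkout session so the gateway API password never reaches the browser.
// Assumed: gateway URL shape, API version path and request body fields.

const MERCHANT_ID = process.env.MERCHANT_ID || 'TESTMERCHANT';                 // not a secret, but server-side anyway
const API_PASSWORD = process.env.GATEWAY_API_PASSWORD || 'constructed-secret';  // secret: server-side only
const GATEWAY_BASE = process.env.GATEWAY_BASE ||
  'https://gateway.example.invalid/api/rest/version/61';                        // assumed URL shape, constructed host

// Build the authenticated request the server (and only the server) sends to the gateway.
function buildSessionRequest(order) {
  const basic = Buffer.from(`merchant.${MERCHANT_ID}:${API_PASSWORD}`).toString('base64');
  return {
    url: `${GATEWAY_BASE}/merchant/${MERCHANT_ID}/session`,
    headers: { 'Content-Type': 'application/json', Authorization: `Basic ${basic}` },
    body: {
      apiOperation: 'CREATE_CHECKOUT_SESSION',
      interaction: { operation: 'PURCHASE', returnUrl: order.returnUrl },
      order: { id: order.id, amount: order.amount, currency: order.currency, description: order.description },
    },
  };
}

// Backend endpoint logic: create the session, return only what the browser needs.
// postJson(url, headers, body) -> parsed JSON reply (injected transport).
function createCheckoutSession(order, postJson) {
  const req = buildSessionRequest(order);
  const reply = postJson(req.url, req.headers, req.body);
  if (reply.result !== 'SUCCESS' || !reply.session || typeof reply.session.id !== 'string') {
    throw new Error('gateway did not return a checkout session');
  }
  // Store order.id -> reply.session.id here so the payment result can later be matched to the order.
  return {
    sessionId: reply.session.id,
    merchant: { name: 'Your merchant name', address: { line1: '200 Sample St', line2: '1234 Example Town' } },
  };
}

// Browser side: the object handed to Checkout.configure is built from the server
// response alone, so there is no credential in the page to read.
function clientCheckoutConfig(serverResponse) {
  return {
    session: { id: serverResponse.sessionId },
    interaction: { merchant: serverResponse.merchant },
  };
}

// Constructed fake gateway for offline use: accepts only a correctly authenticated
// request and returns a session id derived from the order id.
function fakeGateway(url, headers, body) {
  const expected = 'Basic ' + Buffer.from(`merchant.${MERCHANT_ID}:${API_PASSWORD}`).toString('base64');
  if (headers.Authorization !== expected || !url.endsWith(`/merchant/${MERCHANT_ID}/session`)) {
    return { result: 'ERROR', error: { cause: 'INVALID_REQUEST' } };
  }
  if (body.apiOperation !== 'CREATE_CHECKOUT_SESSION') return { result: 'ERROR' };
  return { result: 'SUCCESS', session: { id: `SESSION-${body.order.id}` } };
}

// Constructed sample order and a full round trip.
const demoOrder = { id: 'ORDER-1001', amount: '12.50', currency: 'USD',
  description: 'constructed test order', returnUrl: 'https://shop.example/return' };
const demoResponse = createCheckoutSession(demoOrder, fakeGateway);
const demoConfig = clientCheckoutConfig(demoResponse);
console.log(JSON.stringify(demoConfig, null, 2));
```

The session id the browser receives is a short-lived, per-order token that Hosted Checkout is designed to expose to the page; the value that must stay private is the API password used in the Basic authorization header, and in this layout it only ever appears in `buildSessionRequest` on the server.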

Related

Do we need backend integration for recaptchV3

We are planning to use reCAPTCHA v3 on our website. To try this out first and do a phased release, one suggestion was just to have the front-end integration (without backend integration for site verification) and then monitor using the reCAPTCHA console for unusual activities. If we find unusual activities, we'll then turn on an extra verification on the login page (controlled by a switch).
So the key question I have is: can we integrate reCAPTCHA v3 only on the front-end and not on the backend, and use the Admin console to monitor activities?
Yes, you can do that. It can be done without any backend integration, but that will not be a good way to implement this. The secret key as well as the request token will be exposed in the client browser.
Try this code :
<script src="https://www.google.com/recaptcha/api.js?render={recaptchaSiteKey}"></script>
<script>
grecaptcha.ready(function() {
  // The site key is public and is expected to appear in the page.
  grecaptcha.execute('{recaptchaSiteKey}', {action: 'homepage'}).then(function(token) {
    // The secret key is placed in the page here, so anyone loading it can read it.
    var recaptchaSecret = '{recaptchaSecret}';
    var responseString = "https://www.google.com/recaptcha/api/siteverify?secret=" + recaptchaSecret + "&response=" + token;
    $.ajax({  // requires jQuery
      url: responseString
      // your code
    });
  });
});
</script>
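The backend half that the answer says a front-end-only integration lacks, as an added example that is not part of the original answer and not Google's code. The browser sends only the token it got from `grecaptcha.execute()`; the server holds the secret, posts it to `siteverify`, and then checks the fields that decide whether the token can be trusted: `success`, the `action` it was issued for, the `hostname` it was solved on, and the v3 `score` against a threshold. The `siteverify` URL and those response fields follow Google's published reCAPTCHA v3 API; the policy values, the `postForm` transport and the canned tokens are constructed so the example runs offline.

```javascript
// Added example (not from the original answer): server-side reCAPTCHA v3 verification.
// The secret stays in server configuration; the page only ever carries the site key and a token.

const RECAPTCHA_SECRET = process.env.RECAPTCHA_SECRET || 'constructed-secret-key'; // server-side only
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Policy the server enforces on the verification result (constructed values).
// v3 scores range 0.0-1.0; 0.5 is the starting threshold Google suggests.
const policy = { minScore: 0.5, expectedAction: 'login', expectedHostnames: ['shop.example'] };

// Form-encoded body for siteverify; remoteip is optional.
function buildSiteverifyRequest(token, remoteIp) {
  const params = new URLSearchParams({ secret: RECAPTCHA_SECRET, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  return { url: SITEVERIFY_URL, body: params.toString() };
}

// Decide whether a siteverify reply is acceptable. Each check is ordered so the
// reason names the first thing that went wrong.
function evaluateSiteverify(reply, pol) {
  if (!reply || reply.success !== true) {
    const codes = (reply && reply['error-codes']) || [];
    return { ok: false, reason: 'not-verified:' + codes.join(',') };
  }
  if (reply.action !== pol.expectedAction) return { ok: false, reason: 'action-mismatch' };   // token issued for another action
  if (!pol.expectedHostnames.includes(reply.hostname)) return { ok: false, reason: 'hostname-mismatch' }; // solved on another site
  if (typeof reply.score !== 'number' || reply.score < pol.minScore) return { ok: false, reason: 'low-score' };
  return { ok: true, reason: 'ok' };
}

// Entry point a login handler would call. postForm(url, body) -> parsed JSON (injected transport).
function verifyRecaptcha(token, remoteIp, postForm, pol = policy) {
  if (typeof token !== 'string' || token.length === 0) return { ok: false, reason: 'missing-token' };
  const req = buildSiteverifyRequest(token, remoteIp);
  return evaluateSiteverify(postForm(req.url, req.body), pol);
}

// Constructed fake siteverify endpoint with canned replies per token.
function fakeSiteverify(url, body) {
  const p = new URLSearchParams(body);
  if (url !== SITEVERIFY_URL || p.get('secret') !== RECAPTCHA_SECRET) {
    return { success: false, 'error-codes': ['invalid-input-secret'] };
  }
  const canned = {
    'tok-human-login':      { success: true, score: 0.9, action: 'login',    hostname: 'shop.example' },
    'tok-bot-login':        { success: true, score: 0.1, action: 'login',    hostname: 'shop.example' },
    'tok-replayed-homepage':{ success: true, score: 0.9, action: 'homepage', hostname: 'shop.example' },
    'tok-other-site':       { success: true, score: 0.9, action: 'login',    hostname: 'evil.example' },
  };
  return canned[p.get('response')] || { success: false, 'error-codes': ['invalid-input-response'] };
}

for (const t of ['tok-human-login', 'tok-bot-login', 'tok-replayed-homepage', 'tok-other-site', 'tok-unknown']) {
  console.log(t, verifyRecaptcha(t, '203.0.113.7', fakeSiteverify));
}
```

Matching `action` and `hostname` matters as much as the score: a token that scored well on the homepage must not be accepted by the login endpoint, and a token solved on another domain with the same site key must not be accepted at all.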

Why does hyperledger composer acl file not take effect?

EDIT: rest-server gives the option "Specify if you want the generated REST API to be secured: (y/N)", is this to enforce the acl?
I've been trying to set up a simple test using the hyperledger-composer Node.js client. In my config I have the following:
"connection-info" : {
  "participantId" : "gk1",
  "participantPwd" : "CjysyeLjriRT",
  "businessNetworkIdentifier" : "myBizNetwork",
  "connectionProfile" : "defaultProfile"
}
In my business network definition I have the following:
rule Default {
  description: "DENY all participants access to all resources"
  participant: "ANY"
  operation: ALL
  resource: "net.name.myBizNetwork"
  action: DENY
}
When I call the following code in the Node.js app, I can still see the resources:
this.bizNetworkConnection.getAssetRegistry('net.name.myBizNetwork.TestAsset')
  .then((registry) => {
    // the deny rule above should prevent this lookup from returning anything
    return registry.find('testAssetId = ' + id);
  });
Obviously I'd like to do more scenarios with access control, but in my understanding this should work.
A good first point of call is to try out your model, acl, and script files in the online playground here https://composer-playground.mybluemix.net/
Note - you are an admin by default; to simulate being a participant you can do so by:
Clicking 'admin' in the top right of the playground
'+ Issue New ID'
Supply a User ID (whatever you like) and participant (will be one you created earlier) and then press 'Create New'
Select Option 2: '+ Add to my Wallet' (this will allow you to then use the identity and you will 'be' that participant)
From looking at your code, the resource you deny is "net.name.myBizNetwork".
Following the documentation here https://hyperledger.github.io/composer/reference/acl_language.html I think that to deny access to the resources within your network you will need to add a '*' wildcard (see the Examples section in the link). If that doesn't work it may have something to do with identities.
Another note, from my understanding, you need to secure the API if you want to use identities. However, you also need to create/bind identities to existing participants, and then use those identities to 'be' that participant. See the article here https://hyperledger.github.io/composer/managing/identity-issue.html
By default, you are a Null participant (you can see what participant you currently 'are' by pinging the network)

Logging to an external service with aws-flow

I'm using aws-flow to interact with Amazon's Simple Workflow Server and I want to get logging set up to go to an external source (PaperTrail).
I've set my $logger to use PaperTrail and I pass this into the client I use to start the execution:
client = Aws::SWF::Client.new(region: 'eu-west-1', logger: $logger)
client.start_workflow_execution({
  domain: domain,
  workflow_id: ...,
  workflow_type: {
    name: "...",
    version: ...
  },
  task_list: {
    name: "..."
  }
})
This successfully logs that the client has started, but no action from inside a Workflow or Activity gets logged.
From reading the documentation and this SO answer it seems like you need to specify a logger when creating new Activities, but I can't see how to do that.
The main workflow uses activity_client to select the Activity it needs, and the activity being called looks like:
class MyActivity
  extend AWS::Flow::Activities
  activity :my_activity do
    {
      default_task_list: '...',
      version: ...,
      default_task_schedule_to_start_timeout: 60,
      default_task_start_to_close_timeout: 60,
      exponential_retry: { maximum_attempts: 2 }
    }
  end
end
I can't see anywhere with this setup that you can add a logger to.
Any help would be greatly appreciated.
So it turns out aws-flow doesn't support logging.
There is some chat about it in issues and there is a PR which appears to fix things.
For my needs I just forked the project (which at the time of writing hasn't been updated in 2 years) and made the relevant changes for me.

How can I create a user without logging in using AngularFire2?

I want to be able to create users, but from my admin account. So when I use this line:
this.af.auth.createUser({email: email, password: password});
It creates the user, but then it logs me in as them, and I don't want that. I just want to create it. Anyone know?
Long Answer:
There is no AngularFire 2 way to programmatically manage users. The issue is that even if you use the Firebase Admin SDK, at least one of the module's dependencies simply won't run in the browser; e.g., webpack.
So you could install the Firebase Admin module with npm install --save firebase-admin and then...
import * as admin from "firebase-admin";

adminCreateUser() {
  admin.auth().createUser({
    email: "user@example.com",
    emailVerified: false,
    password: "secretPassword",
    displayName: "John Doe",
    photoURL: "http://www.example.com/12345678/photo.png",
    disabled: false
  })
  .then(function(userRecord) {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log("Successfully created new user:", userRecord.uid);
  })
  .catch(function(error) {
    console.log("Error creating new user:", error);
  });
}
... would likely throw the error Error: Can't resolve 'dns' in '.../node_modules/isemail/lib'. The reason for this is explained here.
You could probably figure out some sort of hack for this, but this particular issue raises an important objection to this method of user creation, which has to do with client-side cryptography.
Short Answer:
Run the Firebase Admin SDK on a backend service instead.
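What the short answer looks like in practice, as an added example that is not part of the original answer, AngularFire or Firebase. The browser calls a backend endpoint with the signed-in admin's Firebase ID token; the server verifies that token with the Admin SDK, requires an `admin` custom claim on it, and only then calls `createUser`, so the admin's own session in the browser is never replaced by the new user's. `verifyIdToken` and `createUser` are real methods on the Admin SDK's `admin.auth()` object; the `adminAuth` parameter is injected so the example runs offline against a constructed fake, and the endpoint shape, the claim name and the minimum password length are assumptions.

```javascript
// Added example (not from the original answer): admin-gated user creation on a backend.
// adminAuth stands in for admin.auth() from firebase-admin; a constructed fake is used below.

function parseBearer(headerValue) {
  const m = /^Bearer (.+)$/.exec(headerValue || '');
  return m ? m[1] : null;
}

// Accept only the fields an admin is allowed to set; anything else the client sends is dropped.
function pickNewUserFields(body) {
  const out = {};
  if (typeof body.email === 'string') out.email = body.email;
  if (typeof body.password === 'string' && body.password.length >= 12) out.password = body.password; // assumed minimum
  if (typeof body.displayName === 'string') out.displayName = body.displayName;
  return out;
}

// Express-style handler (req, res). Returns the HTTP status it sent.
async function createUserHandler(adminAuth, req, res) {
  const idToken = parseBearer(req.headers.authorization);
  if (!idToken) { res.status(401).json({ error: 'missing token' }); return 401; }
  let caller;
  try {
    caller = await adminAuth.verifyIdToken(idToken);   // signature, expiry and issuer checked by the SDK
  } catch (e) {
    res.status(401).json({ error: 'invalid token' }); return 401;
  }
  if (caller.admin !== true) { res.status(403).json({ error: 'admin claim required' }); return 403; } // assumed claim name
  const fields = pickNewUserFields(req.body || {});
  if (!fields.email || !fields.password) {
    res.status(400).json({ error: 'email and password (12+ chars) required' }); return 400;
  }
  const record = await adminAuth.createUser(fields);   // runs server-side; caller's session is untouched
  res.status(201).json({ uid: record.uid });
  return 201;
}

// Constructed fakes: two known tokens, one with the admin claim and one without.
const fakeAdminAuth = {
  async verifyIdToken(t) {
    if (t === 'admin-token') return { uid: 'admin1', admin: true };
    if (t === 'user-token') return { uid: 'u1' };
    throw new Error('invalid token');
  },
  async createUser(fields) { return { uid: 'new-' + fields.email }; },
};
function fakeRes() {
  const r = { code: null, body: null, status(c) { r.code = c; return r; }, json(b) { r.body = b; return r; } };
  return r;
}

// Stand-alone demo of the three outcomes.
(async () => {
  const okReq = { headers: { authorization: 'Bearer admin-token' },
    body: { email: 'new@example.com', password: 'correct-horse-battery', role: 'ignored' } };
  console.log('admin ->', await createUserHandler(fakeAdminAuth, okReq, fakeRes()));
  console.log('non-admin ->', await createUserHandler(fakeAdminAuth,
    { headers: { authorization: 'Bearer user-token' }, body: okReq.body }, fakeRes()));
  console.log('no token ->', await createUserHandler(fakeAdminAuth, { headers: {}, body: okReq.body }, fakeRes()));
})();
```

The authorization decision rests on the verified token's claims, never on anything in the request body, and the Admin SDK credential that makes `createUser` possible exists only in the server process.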

apiKey key ID and secret is required even though they're there in express-stormpath

I'm trying to use express-stormpath on my Heroku app. I'm following the docs here, and my code is super simple:
var express = require('express');
var app = express();
var stormpath = require('express-stormpath');
app.use(stormpath.init(app, {
  website: true
}));
app.on('stormpath.ready', function() {
  app.listen(3000);
});
I've already looked at this question and followed the Heroku devcenter docs. The docs say that for an Heroku app, it's not necessary to pass in options, but I've still tried passing in options and nothing works. For example, I've tried this:
app.use(stormpath.init(app, {
  // client: {
  //   file: './xxx.properties'
  // },
  client: {
    apiKey: {
      file: './xxx.properties',
      id: process.env.STORMPATH_API_KEY_ID || 'xxx',
      secret: process.env.STORMPATH_API_KEY_SECRET || 'xxx'
    }
  },
  application: {
    href: 'https://api.stormpath.com/v1/applications/blah'
  },
}));
To try and see what's going on, I added a console.log line to the stormpath-config strategy validator to print the client object, and it gives me this:
{ file: './apiKey-xxx.properties',
  id: 'xxx',
  secret: 'xxx' }
{ file: null, id: null, secret: null }
Error: API key ID and secret is required.
Why is it getting called twice, and the second time around, why does the client object have null values for the file, id and secret?
When I run heroku config | grep STORMPATH, I get
STORMPATH_API_KEY_ID: xxxx
STORMPATH_API_KEY_SECRET: xxxx
STORMPATH_URL: https://api.stormpath.com/v1/applications/[myappurl]
I'm the original author of the express-stormpath library, and also wrote the Heroku documentation for Stormpath.
This is 100% my fault, and is a documentation / configuration bug on Stormpath's side of things.
Back in the day, all of our libraries looked for several environment variables by default:
STORMPATH_URL (your Application URL)
STORMPATH_API_KEY_ID
STORMPATH_API_KEY_SECRET
However, a while ago, we started upgrading our libraries, and realized that we wanted to go with a more standard approach across all of our supported languages / frameworks / etc. In order to make things more explicit, we essentially renamed the variables we look for by default, to:
STORMPATH_APPLICATION_HREF
STORMPATH_CLIENT_APIKEY_ID
STORMPATH_CLIENT_APIKEY_SECRET
Unfortunately, we did not yet update our Heroku integration or documentation to reflect these changes, which is why you just ran into this nasty issue.
I just submitted a ticket to our Engineering team to fix the names of the variables that our Heroku addon provisions by default to include our new ones, and I'm going to be updating our Heroku documentation later this afternoon to fix this for anyone else in the future.
I'm sincerely sorry about all the confusion / frustration. Sometimes these things slip through the cracks, and experiences like this make me realize we need better testing in place to catch this stuff earlier.
I'll be working on some changes internally to make sure we have a better process around rolling out updates like this one.
If you want a free Stormpath t-shirt, hit me up and I'll get one shipped out to you as a small way to say 'thanks' for putting up with the annoyance: randall@stormpath.com
After endless hours, I managed to finally get it working by removing the add-on entirely and re-installing it via the Heroku CLI and then exporting variables STORMPATH_CLIENT_APIKEY_ID and STORMPATH_CLIENT_APIKEY_SECRET. For some reason, installing it via the Heroku Dashboard causes express-stormpath to not find the apiKey and secret fields (even if you export variables).