I am trying to verify a paypal webhook using the headers. I have this code which gets the headers
import org.springframework.web.bind.annotation.PostMapping
import org.springframework.web.bind.annotation.RequestBody
import org.springframework.web.bind.annotation.RequestHeader
import org.springframework.web.bind.annotation.RestController

@RestController
class PaypalWebhookController {
    // PayPal sends the signature material as HTTP headers next to the JSON event body
    @PostMapping("paypal")
    fun paypalMapping(
        @RequestHeader("PAYPAL-TRANSMISSION-SIG") transmissionSig: String,
        @RequestHeader("PAYPAL-AUTH-ALGO") authAlgo: String,
        @RequestHeader("PAYPAL-CERT-URL") certUrl: String,
        @RequestBody paypalOrder: PaypalOrder
    ) {
        println("Incoming paypal order!")
        println(transmissionSig)
        println(authAlgo)
        println(certUrl)
    }
}
However, I am unsure what I should be comparing these strings to. The only SDK I am using is the Checkout one, as the general REST one is deprecated.
There are a couple of methods, DIY Verification or the Webhook API, documented here: https://developer.paypal.com/docs/api-basics/notifications/webhooks/rest/#verify-event-notifications
Don't use the REST SDKs as they are no longer maintained.
I'm trying to convert a v2 recaptcha flow to use the enterprise version. What is the equivalent to the server side call to https://www.google.com/recaptcha/api/siteverify?
If I try to send the same or similar POST request to https://recaptchaenterprise.googleapis.com or https://recaptchaenterprise.googleapis.com/<project path>, I get a 404 back.
There does not appear to be a matching v1 or v1beta1 endpoint for siteverify -- at least not that I've found in any of the docs or in the official recaptcha node.js library. What am I missing here?
There is no direct equivalent to the previously recommended verification call in the enterprise version (the call to https://www.google.com/recaptcha/api/siteverify).
If you want to mimic this server side verification flow, you must create a new assessment for the checkbox token and make a judgement based on that score yourself.
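An added example (not part of the answer above or of Google's client libraries) of that replacement flow in Node: create an assessment for the token, then make the accept/reject decision that siteverify used to return as "success". projectId, apiKey, siteKey and the thresholds are placeholders; the request and response fields follow the reCAPTCHA Enterprise Assessment resource.

```javascript
// Enterprise replacement for POST https://www.google.com/recaptcha/api/siteverify:
// one assessment per client token. Requires Node 18+ for the global fetch.
async function createAssessment({ projectId, apiKey, siteKey, token, expectedAction }) {
  const url = `https://recaptchaenterprise.googleapis.com/v1/projects/${encodeURIComponent(projectId)}` +
    `/assessments?key=${encodeURIComponent(apiKey)}`;
  const event = { token, siteKey };
  if (expectedAction) event.expectedAction = expectedAction; // checkbox tokens usually carry no action
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ event }),
  });
  if (!res.ok) throw new Error(`createAssessment failed: HTTP ${res.status}`);
  return res.json();
}

// The judgement siteverify made for you, now made server-side from the assessment: the token
// must be valid, issued for your hostname, bound to the action your page claimed (when one is
// expected), and score at or above your threshold.
function judgeAssessment(assessment, { expectedAction, expectedHostname, minScore = 0.5 } = {}) {
  const props = (assessment && assessment.tokenProperties) || {};
  if (!props.valid) return { ok: false, reason: props.invalidReason || 'INVALID_TOKEN' };
  if (expectedHostname && props.hostname !== expectedHostname) return { ok: false, reason: 'HOSTNAME_MISMATCH' };
  if (expectedAction && props.action !== expectedAction) return { ok: false, reason: 'ACTION_MISMATCH' };
  const score = assessment.riskAnalysis ? assessment.riskAnalysis.score : undefined;
  if (typeof score !== 'number' || score < minScore) return { ok: false, reason: 'LOW_SCORE', score };
  return { ok: true, score };
}

// Typical use inside a request handler:
//   const a = await createAssessment({ projectId, apiKey, siteKey, token, expectedAction: 'login' });
//   if (!judgeAssessment(a, { expectedAction: 'login', expectedHostname: 'shop.example.test' }).ok) reject();
```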
Probably you have found a solution by now, but for those still looking: if you configure your request like this you'll get what you want:
https://www.google.com/recaptcha/api/siteverify?secret=${recaptchaSecretKey}&response=${recaptchaToken};
where secret is 'The shared key between your site and reCAPTCHA.'
And response is 'The user response token provided by the reCAPTCHA client-side integration on your site.'.
I've seen a lot of posts recommending using Xamarin.Auth for SSO in Xamarin, but having reviewed a tutorial as well as the GitHub Getting Started wiki (in which says it supports "Authorization Code Flow", but seems to require a secret key from the client to get the auth code, which is not what I'm looking for) and searched the web fruitlessly for "Xamarin.Auth implicit flow", and "Xamarin.Auth authorization code flow", it appears to me that Xamarin Auth supports only Implicit flow, which is less secure than an Authorization Code flow for a native app that is connected to a backend web server application as mine is. Am I correct in understanding that Xamarin.Auth can only support an implicit flow (requiring that the access token be sent to the client, and a client_secret can't be retained server-side and sent server-side as part of the retrieval of the access token), and not an authorization code flow (in which the client would receive only an authorization code, which it would then send to the server, which then would retrieve the access token using a client-secret and possibly a PKCE exchange)?
Furthermore, even flows with other libraries I've seen recommended seem to retrieve the access token to the client - AppAuth supports PKCE, which is a security improvement vs no PKCE, but the posts I see showing examples of it here and here and here still all retrieve the access token on the client. Auth0 is also recommended in some posts I've seen (e.g. here), but the example I see for that here also retrieves the access token on the client.
Is there a reason why sites are not doing this? Is there a sample or API documentation anyone can point me to for a library that does support retrieving only an authorization code client-side in a Xamarin application? (and then separately, server-side, using that to retrieve the access token using a client-secret, not necessarily with the same security library since that would not need to be Xamarin code - this server-side part I feel confident is a pretty standard thing - e.g. as outlined for Auth0 here)?
Xamarin.Auth does support Authorization Code Flow. As you found in the tutorial, Xamarin.Auth's OAuth2Authenticator class has a parameter called 'Client Secret'; together with the other provided parameters, Xamarin.Auth is capable of handling the Authorization Code exchange part and returning the access token directly back to you. It looks like this part didn't happen, but actually it did.
Digging into the OAuth2Authenticator source code, the method VerifyOAuth2FlowResponseType shows that Xamarin.Auth provides both Authorization Code Flow and implicit flow. For more detailed information, you may read the code together with The OAuth 2.0 Authorization Framework.
And here is an example for Authorization Code Flow from client side.
I need to send a SAML AuthnRequest from my SP to the IdP over HTTP-POST; HTTP-Redirect is not allowed.
A good package is aacotroneo/laravel-saml2, but it does not support HTTP-POST.
simplesamlphp/simplesamlphp is popular, but it is a mess to use.
What library to use for proper SAML integration in Laravel that supports HTTP-POST requests to IdP?
With some effort you should be able to modify https://github.com/aacotroneo/laravel-saml2 to send the AuthnRequest using HTTP-POST.
Instead, use directly the login method of php-saml, which you can find here:
https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Auth.php#L428
You can execute the code described there and do a POST instead of a GET; if you need to support signatures, you will need to embed the signature in the request.
An alternative is https://github.com/KnightSwarm/laravel-saml
https://packalyst.com/packages/package/aherstein/laravel-saml2-post is the library that has been forked from aacotroneo/laravel-saml2 and modified to send POST requests.
I am making a VueJS app with a Laravel backend. I see Laravel has Passport which is used to authenticate/authorize APIs. (Sincerely I have not yet succeeded in integrating Passport. I have not understood where the starting point is. Will post that question separately).
I have done a lot of searching and still have not found the best/easiest way of doing authentication and authorization, and also interface control depending on permission. (I know "best" is subjective but basically means a method that is easy to integrate, understand and use).
Anyone who has been there and used one that worked really well?
I generally use JSON Web Tokens for my web and mobile apps. It's simpler to set up than OAuth and is a better fit for many applications.
Basically, the user sends a POST request containing their authentication details to the appropriate endpoint and receives a token in response. The user can then include that token in the Authorization header of future requests to authenticate them.
The token also includes a timestamp for when it expires, and it can be decoded on the client side so that an application can refresh the token before it expires.
There's an excellent implementation of JWT for Laravel which I use all the time and can highly recommend. There are also client-side libraries for handling JWT with pretty much every framework under the sun.
@MatthewDaly, I followed your recommendation and I stumbled on a VueJS-Laravel JWT implementation here: http://jimfrenette.com/2016/11/laravel-vuejs2-jwt-auth/
I followed through the tutorial and was able to make it work for my case. (Caveat: the post is slightly old (using Laravel 5.2), but with a good understanding of Vue and Laravel you can follow and implement it easily.)
I'm implementing a webhook callback in my Rails controller and I've attempted to follow the approach used in the rspec test that comes with the gem in order to verify the signature passed from Nexmo (see the 'check_signature method' test):
https://github.com/Nexmo/nexmo-ruby/blob/master/spec/nexmo/client_spec.rb
In my Nexmo API Settings, I added a Signature Secret (generated with Ruby Digest::MD5) to my account. I configured my webproxy with ngrok and on my Nexmo test number, I added the webhook callback generated by ngrok when it started up.
So, I try texting to my Nexmo phone number and Nexmo does push me a POST to my controller method however it does not contain a 'sig' or 'signature' parameter in the payload.
Unfortunately, I've not been able to find much in the way of documentation on this specific feature. I may not be generating the Signature Secret correctly in my account on Nexmo. Most similar services actually generate these webhook validation secrets for you... not sure why Nexmo does not.
Anyway, if anyone has any suggestions, I'd really appreciate it.
You will need to email support@nexmo.com with your API key and ask them to turn on webhook signatures.