Trying to make Octokit Github API calls using access token
client = Octokit::Client.new(:access_token => 'xxxxxx')
I needed to fetch email address for a particular user apart from user whose access token is being used, so I'm trying to fetch email address for user 'abc'
user = client.user 'abc'
puts user.email
user email return nil, but able to see other details like repos_url, organisation etc.
I'm able to get the email address of the user whom I made connection using access token.
client.emails
this return the expected value.
So to fetch email address for a particular user we need to be authenticated with that user itself https://github.com/octokit/octokit.rb/blob/4-stable/lib/octokit/client/users.rb#L293-L301, otherwise the email would just return nil.
Do we have an alternative way to achieve this?
Related
I'm working on a existing Parse server, and I am currently adding an OAuth system, so that external apps can connect in the name of Parse.User.
I created different classes for codes and tokens, and now my external apps can send requests with an accessToken, corresponding to their application and user (who granted access).
I'm looking for a way to inform the Parse server that the "logged in user" in requests is the end user that authorized the OAuth application. For this, I have created an express middleware handling request before the Parse server middleware, extracting the access token from the request, getting the correct User and Application, and then I wanted to create a Parse.Session programmatically, get the token, and set it in the request as x-parse-session-token. This way, the next handler, Parse, would treat the request as authenticated and performed by the end user.
My problem here is that I cannot find a way to create a session programmatically, I'm aware of the Parse.User.logIn, but that works only with a password.
I've tried the following:
const oAuthSession = await new Parse.Session().save({
user: user // user got from Parse.Query(Parse.User) with masterKey
}, { useMasterKey: true })
But get a Cannot modify readonly attribute user error.
Any hidden method to programmatically create a Parse.Session without a password ?
As pointed out by #DaviMacêdo in the community forum: https://community.parseplatform.org/t/create-new-parse-session-programmatically-for-a-user-without-their-password/1751
We can inject the user directly in the request field, and it will be picked up by Parse: https://github.com/parse-community/parse-server/blob/f6a41729a7a3adc6bd5310cefb3458835b4abb58/src/middlewares.js#L199
const user = await new Parse.Query(Parse.User).get(‘idOfUser’);
req.userFromJWT = user;
I want to simulate the password reset service for service now users from an external application and I have installed Password Reset - Orchestration Add-on plugin on my servicenow developer instance. Along with this I can see a list of Pwd Reset APIs on my REST explorer (e.g pwd_init, pwd_verify, etc). I went through the documentation available on this documentation page but I'm at a loss to understand what the request payload would be like if I'm trying to call these APIs from an external service like Postman. I wanted something similar this api documentation.
Can anyone help me with this?
Use the Table APIs to do this.
In order to reset a user's password, you basically want to update the user_password field of the user record from sys_user table.
Method: PUT/PATCH
http://<instance>/api/now/table/{tableName}/{sys_id}
here tableName will be sys_user and sys_id will be the sys_id of the user's record in sys_user table.
The body of the API request should be something like this:
{
"user_password": "resetpasswordtext"
}
Bear in mind that this will reset the user's password but the new password will not be "resetpasswordtext". So the user will not be able to login using "resetpasswordtext".
To actually set the password for a user via API, same table API as above can be used. But in order to store the password properly encrypted in the database, below query parameter should be added in the request URL to set the password.
sysparm_input_display_value=true
So the API call will be
Method: PUT/PATCH
http://<instance>/api/now/table/{tableName}/{sys_id}?sysparm_input_display_value=true
BODY: {
"user_password": "newpassword"
}
Now the text "newpassword" can be used by the user to login to the instance.
hope it helps in your use case.
so, my use case did not involve using the Password reset API, but for those of you interested in generating a new password externally, then making an api call to set that as the new password for that user, then here is acode sample that is based on Milind's answer above:
Python3
def change_password_snow(user, pwd, new_pwd, snow_url, sys_id):
# Set the request parameters
url = snow_url + sys_id
# Set proper headers
headers = {"Content-Type":"application/xml","Accept":"application/json"}
# Set query params
params = {"sysparm_input_display_value": "true", "sysparm_fields": "user_password"}
# Do the HTTP request
response = requests.patch(url, auth=(user, pwd), headers=headers, params=params, data=f"<request><entry><user_password>{new_pwd}</user_password></entry></request>")
return response
Setup on ServiceNow
For this to work, the user you are authenticating with in ServiceNow needs to have Admin privileges.
Either that, or modify the sys_user.user_password ACLs to allow non admin users to read and write to that field if they have a role that you select. For my use case, I created a custom role and attached it to that user.
In Password Reset page user needs to type their email, we feel its unwanted and think of removing it.
so i can get the token from the url,
www.example.com/password/reset/c1ac740d8b1d8674995145577152216e0bb38091f572fd8f040d0cccd293a637.
but checking in database its different what is in url and stored in database and im using laravel 5.5.
Learned something from google they are again hashing these token and saving it in db.
so im having 2 ways,
1) How can i get the email address from the token?
2) Else how can i send the email address with the url while sending reset link email like this (www.example.com/password/reset/c1ac740d8b1d8674995145577152216e0bb38091f572fd8f040d0cccd293a637/yourmail#gmail.com)
FYI: All i am using is native, it has $actionUrl only.
I'm new to Laravel and JWT-auth. I've implemented the process of generating JWT tokens and getting the associated user in my back-end, but I'm still can not understand how the server verifies the authentication of a user from just a token stored on the client side.
If I log in on machine A and change my password on machine B, can I still log in from machine A with the previous token?
You have a 'users' table and generally another table like 'sessions'. When a user makes a request to login through your API, a new line into the 'sessions' table is inserted (the token is saved) and the API return the token to the user. For all requests that need authentification, the user will have to give this token (through HTTP header for example).
When you want to authentificate a user on a request you have to verify if the token exists and remains valid and then retrieve the user. Example in Lumen :
$this->app['auth']->viaRequest('api', function ($request) {
$session = Session::where(['token' => $request->header('token')])->get(); //user gives his token in the header request
if($session){
return $session->user(); //you have setup the hasOne/hasMany relationship between sessions and users
//the user is authenticated
}
return null;
// the user is not authenticated
});
"If I log in on machine A and change my password on machine B, can I still log in from machine A with the previous token?"
If the token is still valid and you allow multiple active sessions then yes. The token isn't set depending of the password.
The Stripe API reference says this about authentication:
The example they give is this:
require "stripe"
Stripe.api_key = "sk_test_BQokikJOvBiI2HlWgH4olfQ2"
The sk_test_BQokikJOvBiI2HlWgH4olfQ2 secret key is found in the account settings on Stripe's webpage. I understand this is the secret api key for my application to talk with Stripe.
But then I read this documentation on getting started with Stripe Connect:
When using our official API libraries, we recommend that you pass in the
access_token with every request, instead of setting the API key globally.
This is because the access_token used in any API request depends on the user
you're charging on behalf of.
The example they give is:
# Not recommended: setting global API key state
Stripe.api_key = ACCESS_TOKEN
Stripe::Customer.create(
:description => "example#stripe.com"
)
# Recommended: sending API key with every request
Stripe::Customer.create(
{:description => "example#stripe.com"},
ACCESS_TOKEN # user's access token from the Stripe Connect flow
)
Here, the access token is returned to the application after a user has connected to the application through Stripe Connect. The access token can be used to perform actions on behalf of that user, like charging their card.
So, they pass the API key with every request, but why would the user's access token be an api key? I thought from the first documentation that the api key is supposed to be my application's secret api key? Instead, they are setting the user's access token. How will Stripe identify my application then if I'm setting the user's access token and not my own secret key?
Then, I read their example on integrating Stripe Checkout with Sinatra. The code sample they give is:
require 'sinatra'
require 'stripe'
set :publishable_key, ENV['PUBLISHABLE_KEY']
set :secret_key, ENV['SECRET_KEY']
Stripe.api_key = settings.secret_key
....
get '/' do
erb :index
end
post '/charge' do
# Amount in cents
#amount = 500
customer = Stripe::Customer.create(
:email => 'customer#example.com',
:card => params[:stripeToken]
)
charge = Stripe::Charge.create(
:amount => #amount,
:description => 'Sinatra Charge',
:currency => 'usd',
:customer => customer.id
)
erb :charge
end
So in this instance, they set the API Key to be the application's secret key. They don't pass any Access Token in the request either. So I'm a bit confused why an Access Token would be set as a secret API Key in the previous doc or why I should pass it with each request, when all their example docs don't even do that.
To understand this, you should know first that the Stripe API can be used to build applications that serve two kinds of audiences:
to accept payments from end-users as a merchant (normal use-case) and
to provide add-on services to merchants having their own Stripe
accounts (eg. one service helps me configure the emails to be sent out on different Stripe events)
Hence, all the API endpoints can be authorized in two ways:
the API key way which you can directly get from your Account Settings. This identifies your Stripe account
the access token way through Stripe Connect. This identifies the Stripe account of the connected merchant.
What the Stripe Connect docs is telling you is that suppose you are building an application that serves use-case #2 above, then you must remember to authorize each of your API calls with the right access token and not have a global API key (which, by the way, is fully acceptable for use case #1) as you might be making changes incorrectly to the wrong account(s).
So, if use case #1 is what you want to do, you don't have to worry about Stripe Connect at all.