I would like to hook my own webservice running on my own system in webhook URL of the fullfilment ? is it possible ?
Yes, with some qualifications. Your webhook must be at a publicly accessible address (you can't have the service available just to your local network) and it must handle HTTPS requests with a valid cert.
Related
I am developing an app for shopify. The app will provide pages and functionality for the Shopify Admin area, specifically using App Bridge.
The app bridge URLs look like this:
https://[shop].myshopify.com/admin/apps/[my-app]/[my-path]
When you visit this page it loads shopify header/footer/menu, also an IFrame pointing to [my-path] on my site, for example:
https://example.com/[my-path]
I would like to setup Ajax requests using the same system of URLs. for example I would use the endpoint as follows (I know this one doesn't exist, just an example):
https://[shop].myshopify.com/admin/apps/proxy/[my-app]/[my-path]
Then instead of rendering the IFrame with my URL, Shopify admin would proxy the request, forwarding it to:
https://example.com/[my-path]
Is this possible, or do I have to send the Ajax request directly to my own server? If the later, how is it recommended I do authorisation? Can the HMAC that came in the original request be forwarded to the AJAX request (seems that would be bad, but not sure exactly why), or use a session that I establish on the original request?
You setup an App Proxy in your App. You provide an endpoint in your App for the Proxy. Once this App is installed in a store, you can now call your App from the store itself, to the Proxy. Securely. That is the whole point of the App Proxy.
I'm using a Google Login component in my website that calls Google OAuth API. Is it possible to somehow define an IP whitelist together with the domains whitelist?
The expected result is that even if someone successfully identifies with a whitelisted-domain google account, it will still be rejected if their IP isn't whitelisted
When a domain is used on the consent screen or in an OAuth client’s configuration, it must be pre-registered. If your app needs to go through verification, up need to the Google Search Console to check if your domains are authorized.
Domains used for a redirect uri when the app is set to production must also be verified domains.
You cant set a domain as an ip address and you wont be able to set your redirect uri as an ip address either.
I deployed an app on Heroku and set up automatic SSL configuration. According to my Heroku, my app can be accessed via https. If I use that URL, the connection is indeed secure.
I added a Synthetic Recored in my google domain to point to this url. I also added a Custom Resource Record where the Name is www, Type is CNAME, and Data is my DNS Target for the app.
I can only connect securely when I use https://www.osrshub.com. If I use www.osrshub.com or osrshub.com, it is not secure. What am I doing wrong?
The comment from user2864740 is correct. I needed to update my front end to redirect to https.
Force SSL/HTTPS with mod_rewrite
What are best practices when it comes to sending user credentials to stateless services (Let's say ASP.NET Web Api's).
What should be done when SSL is not an option?
And is it safe to send user credentials in URL parameters (with or without SSL)?
Thanks in advance
Check this post about securing your API, it is easily readable and explains most of what you need.
About SSL not being an option, as stated in the post:
When do I use HTTPS?
Answer: whenever you don’t want information stolen from the HTTP request.
Use a standard authentication (BasicAuthentication, OpenID or Oauth)
Use HTTPS. Creating of self-signed certificate and enabling a server with is a very simple operation
Do not pass any confidential information (also a user password) in URL parameters even with SSL. They can be logged on the way to your server
An external CRM webhook will occasionally call into my CI app to notify me of a data change so I can update the CI app's cache. What's the best way to make sure those calls into my app are from an authorized source?
I looked at options like Tank Auth and Ion Auth but they appear to be overkill for what I am trying to do?
You're probably better off leaving this to the webserver, like adding http auth or ip restrictions. However if you want to do it in CI, you could check the requesting host/domain or IP address as well.