I am integrating Sinch instant messenger into my app. The purpose of this is to facilitate one-on-one communication between the user and app owner. I have created the Sinch account and have the app keys. When I try to send the message, I get an HTTP response : User not found.
Two questions:
I thought that since there will only ever be communication between the app owner and user, that I could get away without implementing Parse (or equivalent). Is this true? Could this be the cause of my issue?
How does Sinch create users? I am having difficulty seeing in the documentation how that is handled and where the user data is stored.
Thanks
You dont need to use parse, but we dont proivde a login mechanism for users so you if you want login you need somekind of backend to handle you users,
WE create the users onhte fly when you start a client with that username, but again we trust that you authenticated them.
Related
I Guys, i have to create a mobile app that need to make a request to a laravel endpoint, app no require registration or login, which is the best way to protect my api? To make sure the only my application can call it?
Thanks!
There's no full proof method of securing your api, because with the right tools and following some tutorials on the web, anyone could view your whole api request, headers, tokens, etc.
Anything you do or store on the app is already compromised, so signatures,ssl, encryption,tokens, etc are not that helpful if malicious users have access to the app. It can make it more troublesome for malicious users, but a dedicated one could overcome it.
Using authentication atleast forces users to register before they can use your api and you can block the user when needed. Along with requiring email verification, users who wish to misuse your api would then need valid email addresses atleast. But since you mention securing without authentication, this goes out of scope.
You can secure your api somewhat by using rate limiting. laravel has an inbuilt rate limiting with the throttle middleware. You can use this to restrict the number of times an api can be called in a particular time interval by an ip address.
Next would be Ip blocking. If any malicious activity is found, you could block the ip address. But this can be overcome with a vpn, and a malicious user could also block someone elses ip in this manner.
Captcha can help against bots, but would also annoy regular users.
Another method would be restriction with cors, those who have faced cors issues know exactly how annoying it can be, but it wont work on native apps (or you could try pwa).
And in a worse case scenario you could go with some terms and conditions and some legal action
A simple solution You can create a table for devices with api key which will be generated for each device app, and always use it to send requests to the api end point, then used it to fetch data from the rest api. The same process like if you are loging in, but you will use the api key unstead and the key will be fixe not refreshed evrey time.
I'm developing an application that utilizes Google sign-in and the Gmail API. My test users, once logged in, keep receiving an email like the attached file.
Other applications with similar functionality (basic email access) do not seem to trigger these emails. Any ideas? It makes my app seem less trustworthy.
One possibility is that you are obtaining tokens with offline=true indicating a requirement to use the refresh token to renew expired access tokens. If you only require short-term access, perhaps you should remove the offline parameter in the construction of your auth request link.
In this scenario once the access token expires, then the scope will no longer be usable or renewable and so your end-users should not receive the alert emails.
I am writing this goroutine that'll call the GMail API and poll my inbox every 2 minutes or so. The problem I am having trouble with is the authentication part because it'll need me to login and authenticate myself and give authorization to the app to read my inbox. I am trying to eliminate the part where I will need to login via the Web UI and give access to my program. Does anyone have any ideas on how to login and authenticate myself programmatically?
You should be able to use the steps here in order to generate and OAuth client ID, then use that to connect using oauth?:
https://github.com/google/GTMAppAuth/blob/master/Example-macOS/README.md
Failing that, you could use IMAP access to bypass the api entirely. Turn on imap in settings and use a library like this to access your messages:
https://github.com/emersion/go-imap/blob/v1/README.md
I'm using the Expo Facebook login on my React Native app. In my app they can create and join events, which is done via API calls to my Laravel backend. I need these API calls to be authenticated (so some random person can't submit requests on someone else's behalf), but I don't want them to have to login twice. How can I ensure the person making API calls is who they say they are?
When they auth with Facebook they get their unique Facebook user ID, but I'm not sure if that is a secret they would only know after authenticating with FB or if anyone could get it. For my alpha version it's just sending their FB user ID with the request to ensure it's coming from the right person, but that seems really insecure because if anyone gets that ID they can forge requests.
One idea I had was to pass the auth token the React Native app got from Facebook to my API, and then on my server use that auth token to ensure it's really them. That just seems sort of complicated and it's hard to find a package that helps facilitate this, though.
It seems like this has to be a common problem. Any resources on how other apps handle this? Tinder, for example, must have this same problem.
I have an App on Parse platform. What I need:
The User logs in on first device.
The User logs in on second device.
System revokes session on the first device.
I tried to remove objects from Session/Installation classes, but it did not help.
How can I do it?
Achieving this is not quite straightforward as there is no way to intercept login events or write cloud code triggers for Parse Session class. If you delete a client session record from the Session table, it should certainly revoke it and you end up getting authentication errors on that client. To achieve what you want, you need to write your own cloud function that logs a user in instead of using the SDK login function. That way you can first go through the Session table and revoke/delete any session associated with that user before logging in your user on the new device.