Working on our rocket.chat with login through iframe. I can create users and login through iframe and the API.
My problem is that the users email isn't verify so offline email notifications won't work.
How do I verify their email?
If you are using the Rocket.Chat REST API to create users, it accepts a property verified which will mark the user's email address as verified. An example of the json posted to the /api/v1/users.create with email being verified on creation is:
{
"email": "example#example.com",
"name": "Example User",
"password": "example-p#ssw0rd",
"username": "example",
"verified": true
}
Using the verified property, you no longer need to directly update mongo or use the /api/v1/users.update.
I think you can verify a user by editing his account and checking the verified option. The user account can be edited from /admin/users
Related
My user account can use the Google Classroom web UI to see all the announcements for a given course. Trying to pull them programmatically using the Google Classroom API.
I've set up an app with Oauth consent screen covering (for test purposes) ALL the scopes listed under the Google Classroom API, and can run the consent flow with my user account to get an access token.
I can successfully GET course details by curl'ing https://classroom.googleapis.com/v1/courses/<my course ID> using the access token obtained from the oauth flow. However, when I GET https://classroom.googleapis.com/v1/courses/<my course ID>/announcements with the same token, I get the following:
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "google.classroom.v1.Work.ListAnnouncements",
"service": "classroom.googleapis.com"
}
}
]
}
}
Behaviour is same in using both client libraries as well as raw REST calls.
Am I missing an auth scope (I switched them all on), am I just not allowed to do this since I'm not the course owner, or am I doing something else wrong? Advice please!
You apear to be using the courses.get method
In order to access this method your application needs to be authorized with one of the following scopes.
You also appear to be using the courses.announcements.list method
This method requires that your application be authorized with one of the following scopes.
The error message "Request had insufficient authentication scopes." means exactly what it says. The access token you are using was not authorized with one of the scopes needed for the courses.announcements.list endpoint there for you can not use it.
You need to delete the access token you have now and request authorization of the user using the proper scope for this method. Always make sure to delete your old token. When changing scopes in code your app does not always request authorization again if you just change the scopes in the code. You need to force it to request authorization again.
All the scopes
you should not be requesting all of the scopes of the user only the scopes that you need. If you only need readonly access make sure not to request write.
I had forgotten that my code explicitly defines the scopes when configuring the client that then builds the oauth request URL:
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope)
Changed to
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope, **classroom.ClassroomAnnouncementsReadonlyScope**)
and it works fine.
I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.
I would like to use the Slack Web API to update information of a user in the org. I appear to be getting a successful(200s) responses from the API however the user's information is never actually updated. The API shows no signs in the response that the payload was malformed and that is the cause for the failure to update. Just gives a 200 and then returns the "profile" of the user but without the newest update. Here is the current curl I am making (with tokens and PII scrubbed of course)
Link to Slack Docs for User.profile.set:
https://api.slack.com/methods/users.profile.set
curl -v -X POST -H "Authorization: Bearer xoxp-123123-1231-1231"
-F "user=USERID" -F "name=email" -F "value=jon.temp#gmail.com" https://slack.com/api/users.profile.set
I have also attempted the same request with the a json payload instead of a form like shown above and have had the same result.
The response of this request is the profile of the user without any of the attributes updated (In this case I want to update email)
The problem above stemmed from the organization having "adjusting email" disabled and even though this call was made from an admin account that API endpoint does not support changing the email if its disabled for the Organization. Simply used the SCIM API
https://api.slack.com/scim/v1/Users/
with a similar payload presented in my question.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"emails": [
{
"value": "john.temp#www.com",
"primary": true
}
]
}
With that I was able to update the email.
I'm attempting to access the Admin SDK Directory API using a service account with domain wide delegation and the REST API. I can obtain a bearer token successfully when not impersonating a user, but with I attepmt to impersonate a user with a "sub" key, I receive a 401, "unauthorized_client" error. From everything I've read online (both in numerous SO answers & elsewhere), this would indicate that I haven't approved the application in my GSuite Admin console, but this is not the case.
Here are the steps I've taken so far.
1) Enable the Admin SDK
2) In IAM & Admin area, create a service account with DwD.
3) In Apis & Services area, select credentials and create service account key for the service account I just created.
4) Download the private key file.
{
"type": "service_account",
"project_id": "gsuite-REDACTED",
"private_key_id": "------3d2e",
"private_key": "REDACTED",
"client_email": "REDACTED-320#gsuite-REDACTED.iam.gserviceaccount.com",
"client_id": "-----0381",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/REDACTED-320%40gsuite-REDACTED.iam.gserviceaccount.com"
}
5) Enable API Access in admin.google.com
6) In "Manage API client access" add the Service Account ID and the following scope for the client created in (3)
7) Ensure that the user I plan to impersonate is a "super-admin"
When I attempt to generate the bearer token I receive a 401 error
{
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method."
}
I've tried using various libraries but always with the same result, so I'm guessing this has something to do with my app configuration rather than my code implementation. Would appreciate any help. For example, here I am using Ruby:
require 'googleauth'
scopes = ['https://www.googleapis.com/auth/admin.directory.user',
'https://www.googleapis.com/auth/admin.directory.group']
authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
json_key_io: File.open("gsuite.json"),
scope: scopes).dup
authorizer.sub = 'joe#-----.io'
puts authorizer.fetch_access_token!
I figured out the problem - it was configuration not code. In Step 6, when I was autorizing the API client, I was entering the "Service account ID", in my case: "REDACTED-320#gsuite-REDACTED.iam.gserviceaccount.com". Although this appears to work - the correct numerical ID appears (as shown in screenshot) - I was getting 401 errors.
However, when I entered the "client_id" from my private key file, in my case a number ending in 0381, and used the same scope, THEN I could authenticate successfully.
It's frustrating that entering the service account id didn't throw an error., but all's well that ends well.
How long have you waited after step 6? Getting access after it's entered into the admin console can sometimes take a few hours.
My question is how do I use laravel 4 with sentry 2 to authenticate users that is calling my API? What are the proper ways in doing this?
Example: a user in native iOS app calls my Laravel Web service (returns JSON response), how can laravel+sentry authenticate the user?
Thanks in advance and comment if you need more info.
Like mentioned by Antonio, if the client is able to persist cookies you should be set to go.
But,I will tell you my research on this topic. I looked for API Token Implementation with Laravel. One I could find was by Terry Appleby and his implementation is a composer package with name tappleby/laravel-auth-token. I implemented a much simpler version of the package using Sentry 2 at http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry.
I called it a dirty one because I didn't consider much about security, expiration of tokens etc., but to answer your question, the above version does work and it is not secure unless you are in https environment.
To help you more I suggest github.com/kippt/api-documentation. It is the API Documentation for an app called kippt.com. I picked this one because it is really simple and could be a starting point if you are new to developing APIs. See how they support different kinds of authentication. To summarize on what Kippt supports: Browser Session (I am guessing iOS does support cookies), HTTP Basic Auth (Pass username and password every time in the header) and Token (Pass a token in header of every request). On Token implementation of Kippt, it just returns a token to the client after a successful authentication and one can save and use that token. That token never changes. In my blog post, I create a new token every time user logs in.
Hope I could help.
If the client is able to persist cookies, you just login with Sentry and it should work. Otherwise, after a common Sentry authentication, create and store an authentication token in your users table:
$table->string('api_token',96)->nullable();
Then use it in all other calls:
{
"token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099",
"user": {
"id": "3",
"email": "joe#doe.com",
"permissions": [],
"activated": true,
"activated_at": null,
"last_login": "2014-03-08 11:17:48",
"first_name": null,
"last_name": null,
"created_at": "2014-03-08 10:29:08",
"updated_at": "2014-03-08 11:17:48",
"api_token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099"
}
}
An article about this: http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry