I wanted to verify phone numbers before using them for communication with registred users. However, I am unclear If I'm doing it securely. i.e
Steps I'm taking:
Ask user for phone number
Send SMS verification code
User enters Code
Code verified using SMS Service(Sinch or/Twilio)
correct code triggers callback function(client side) that adds the number to backend Database
Incorrect code does nothing
My concern is step 5. Should I have the success callback function perform the number save on client side or should I trigger some backend(server-side) function that performs the save operation?
So with sinch it works like this, all the steps 1 to 6 is correct on the client.
side,
But step 5/6 is more like this
5 Client enters code and send it to Sinch Backend
- Return to client with Success or Fail (do ui logic)
- Make a callback to your server with status, take action if correct or incorrect.
So the code is never in your possession, injecting the add to database on client side not possible, since you can get Success to the client and then in the client reload you data from your backend that has been updated by the server to server method. Makes sense?
https://www.sinch.com/docs/verification/rest/#howtousetheverificationapis
Twilio developer evangelist here.
I'd definitely do the code verification on the server side and then if that is successful save the number to the database. Any verification and success callbacks on the client side could surely be bypassed by an attacker with knowledge of JavaScript.
Rather than using Twilio directly for this, might I suggest you check out Authy's phone verification API. Authy is part of Twilio, but is more specific to verification and two factor authentication workflows.
I'm not sure what your backend is written in, however there are tutorials for verifying a phone number with Authy on the Twilio site. We have examples in Node, Ruby, Python, .NET, PHP and Java.
I'm not sure if this helps at all. Let me know if you have any other questions.
Related
I am making an event organisation platform. Whenever user creates an event, the candidate gets an email notification as well as sms notification asking whether the suggested time fits or not. The problem is that since it is event organisation, there may be more than one occurance of candidate's mobile phone. So I need to have some unique information to identify to which event candidate is responding to.
I have tried identify using Message SID, but then I realised that Message SID is different on reply message.
So my question would be: is there any way to authenticate to which message candidate is replying to?
Hi Twilio developer evangelist here.
Because every message is idempotent, you wouldn't be able to track them just via the call sid. however, there's way to get around that such as passing a code that goes with each message which you can then read, or using cookies.
I think you are probably going to be more successful using cookies, and luckily enough there is an article on twilio's website that describes just how to do that. And because I noticed you're using PHP, I'm pointing you directly to the PHP article on tracking SMS conversations.
Hope this helps you
1. Goal
I want to use parse.com to receive Trello webhook.
1a. Why?: Because I want to monitor my trello model and receive say a push notification on my android device and do neat things from the push notficiation (I'm an Android Dev)
2. What I've tried
2a. Setup on parse.com
I've created an app on parse.com
Obtained the keys (REST keys for the REST api)
Checked the above endpoint with Postman, works perfectly.
2b. Setup on trello.com
I've obtained an api appkey and secret; with full write on all boards, never expires
Tested the above with Postman, works perfectly fine.
PROBLEM: Posted to the following using Postman (of course with proper details for key, token, model, etc.
Request=
$.post("https://trello.com/1/tokens/[USER_TOKEN]/webhooks/?key=[APPLICATION_KEY]", {
description: "My first webhook",
callbackURL: "https://api.parse.com/1/functions/webhookReceiverTrello",
idModel: "4d5ea62fd76aa1136000000c",
});
Response Try=
URL (https://api.parse.com/1/functions/webhookReceiverTrello) did not return 200 status code, got 401
3. What is the problem?
Parse.com expects auth keys, etc as header. AFAIK Trello can NOT DO that.
How do I get a trello webhook to call a parse.com cloud function ?
Use a proxy (a simple web app will do)
This is how I did it:
Receive the webhook on a simple web app and make the necessary post call to parse.com
I used heroku for hosting
I used MeteorJS for the web app
Note: An issue you could encounter:
Trello.com sends calls to webhooks in proper order i.e. a card was created, the same card was updated, etc.
When you receive the webhook and make (proper) post calls, they will be received out of order at parse.com i.e. a card was updated and then it was created. This is just due to the way internet works, if you need an explanation, it's another SO question. ;)
This took me a while to figure out; mentioning so that you don't also spend your time with this.
A Fix: I don't know a simple/efficient way to fix this. Please let me know if you do. One possible solution is to queue all POST calls i.e. make POST call 1 and when a successful callback is gotten do the next one. Trello.com seems to do this in a more quicker fashion, it doesn't seem like they wait for a callback given how quick successive calls are received.
Compared to using CAPTCHA, would using a phone number to prevent spam/bots improve the user experience.
I'm building an ecommerce app that does not require a user to create an account, when a user writes a product review they enter there phone number and a verification code is sent which the user sends back so that the review is successful.
It is not typical to use CAPTCHA for a app login. The better UX for app users is to get the phone number and send a verification code to authenticate if the request is coming from a real user. When an SMS arrives it normally shows up at the top (on notification window) which shows the verification code at the top. So the user doesn't even have to switch the app to read the verification code in SMS. All he has to do is wait until the SMS arrives and key in the code in your app.
There are several SMS verification API providers available to make it easy for sending out verification code.
I have used Nexmo Verify API before which makes it easy to generate the code and completes the verification.
I'm testing an app which accepts payments through Sagepay.
It all seems to be working OK but I would like to test various types of non-successful responses in the Sagepay sandbox.
For example, each test I have done so far has returned a status of OK. It is also possible to receive statuses like REJECTED, NOTAUTHED, INVALID etc
Is it possible to simulate these responses in some way?
Entering incorrect details repeatedly just returns me to the failure URL I specify in the API settings.
If you login to your simulator account on Sagepay via https://test.sagepay.com/simulator/ you can tell it which responses to return. You can instruct it to return random responses, or MALFORMED, INVALID, ERROR, NOTAUTHED, REJECTED, 3DAUTH.
Unfortunately you have to change these through the admin panel and then they apply for each transaction rather than using different details to trigger different responses.
In addition to Steve's answer, if you use the SERVER integration you can click different buttons to SIMUALATE (on the SIMULATOR server) a reply from SagePay gateway.
I'm wondering how it's implemented in Gmail, that every time you receive e-mail, the list of mails is automatically refreshed. It looks like the server is sending some kind of event to the browser, but how is it possible? Or maybe it’s simle: the browser ask the server for new messages every let’s say 2 seconds? But it would probably kill the performance…
Anyone have some ideas?
EDIT: OK, so if it's the simple answer, how do they manage performance? When I send an email from an other account to the gmail account the view is "refreshed" almost instantly. You were saying about a simple function that returns true / false, but it must have some logic (db connection or reads some files). How they manage it?
See also: How is GMail Chat able to make AJAX requests without client interaction?
Dont know exactly which technoloy Gmail uses, but the concept is to open a channel - using reverse AJAX, comet or sprocket based techniques.
Think of it as the client requesting the server for data, but the server does not return for one minute unless it has new mail. Using this technique, the client can almost show the results in a real time manner and it does not have to poll every 2 secs. Makes sense?
gmail is, in fact, polling the server for updates. Not as often as every two seconds, though. That would be madness. A bit of testing with Tamper Data makes it look like maybe every 20 seconds, though there seem to be multiple events going through that confuse it a bit.
Regarding your edit, I imagine they might have a last-activity timestamp on the account tracking in their database, with the client polling query retrieving that via Ajax and comparing with its last sync to determine whether it needs to do a full update.
You have right with simple answer. Google Mail checking new messages on server via AJAX.
It must be some kind of ajax listener that get informations every X seconds.
I already set something like that for one of my projects. What I was doing is calling a function that was returning true or false. True if the page needed to be refreshed, false otherwise. Then if you have an update, you do another call to get the actual update. This way you don't have to refresh everything every time... but it's still intense on the server if you have a lot of users.
In other words and like chaos said, it's polling the server.