For an open source project I'm currently working on, I need people to trust a website. Basically, the user would write "foo" on his phone. It would go on the website which would take the message "foo" and send it to a server running on this user's PC. I want people to be sure that the server did not change "foo" into "bar". I know I'm not malicious but potential users don't know it so I need them to trust me.
There are 2 possibilities. The first one is to use cryptography. The user would encrypt on his phone "abc" and the server running on the user's PC would decrypt it. But it's cumbersome for the user (he would need to encrypt it in another app). The second possibility would be to convince the user I'm not malicious by showing him the code running on the server. I can show the code on Github easily. The question is how can we ensure that the code running on Github is the same as the code running on Heroku?
It depends on your deployment, to achieve this is to make a deployment process that will fetch the whole repository and do the production or environment build. This is pretty the same with NPM setup were you will have entry file and build script.
Related
I've written a Windows TCP (NOT IIS) server program in VB that provides the backend for an enterprise iPhone app that I have also developed. The system utilizes Apple Push Notifications, and that works fine, unless the server reboots for whatever reason.
Part of the Push Notification system is the inclusion of Apple certificates on the server. I followed the steps shown here to install the necessary certificates, and even though it's for ASP.NET applications, it works for my Windows-based server. Except, as I said, a reboot requires installing the certificates all over again.
I found this page on Server Fault that suggests adding a user to the certificate through the MMC snap-in, but that didn't work either.
Two questions: Following the steps shown on the Server Fault page, do I need to add a specific user? The only users that pop up are SYSTEM (which I tried), Administrators(ComputerName/Administrators) (also tried) and "S-1-1-5-blah, blah" (didn't try). Would there need to be a different user added to make it work?
Q2: If this won't ever work, is there a different way?
Full disclosure: This is the second time I have submitted this question, but the previous one (four months ago) was never responded to. I'm hoping someone who knows will see this.
Thanks for any advice.
AFTERTHOUGHT: The instructions I linked to above say to install the certificates to Personal/Certificates. Maybe this is wrong? This stuff is way over my head, so I don't understand the function of all the different stores.
Found the problem.
The page on Server Fault left out something. I needed to add a user that the system would recognize to the Permissions list. I added my user authentication, selected it, and after that the certificate persisted after a restart.
It is at least working on my development server. I haven't tried it yet on my production server.
Update: Works the same on the production server. Also, instead of using my user authentication, I used the IUSR authentication, meaning that it should work even after my name is removed from the active directory.
I have basically two URL's http://xyzwebsite.com (for Development Testing) and http://abcwebsite.com (For Production). I have a simple Login mechanism where a user can click on Google Plus icon to log in rather than using their Username and Password. I created one Project for Development with obviously different Client ID and different for Production with a separate client ID.
But I tested both the URL's above with the client ID of Development project and it worked fine. I am wondering why there is a need ot having multiple projects in Google API console?
There is no particular need. A single project can have several URLs and client IDs for use.
Some reasons you might use multiple projects include:
Changing project settings in dev without worrying about breaking production
If you have a development script that gets into an endless loop or something it might use up all of the quota and the production app might start throwing errors
You might want clear branding on the dev app that explicitly identifies as not production.
Some unknown reason I can't think of.
Is there any easy way to repeatedly test the installation process of a Google Marketplace App on a new domain? It seems as though when you try to install an app to a domain to which it's already been installed, parts of the process are short-circuited, even if the app's permissions on that domain have been revoked. Is there any way around this short of registering a throwaway domain for every test? Being able to automate this test would be even better, but even a repeatable manual test would be very useful.
Unfortunately you need to delete the application and install it again each time from what I gather.
You can revoke the auth here: https://www.google.com/a/your-domain-here/IssuedAuthSubTokens
You definitely don't need to register throwaway domains every time.
If you're trying to test your integration, there is "TEST INSTALL FLOW' button right in the Google APIs Console that starts a test flow. Here's a screenshot:
That's especially useful when you want to test your integration before it is published to the Google Apps Marketplace (but it still works once it is published.)
If you actually install it from the Marketplace as a tester or once published, you can go to the app listing and remove the app. Since we've launched I've added and removed my apps that way quite a few times :) Here's a screenshot:
#aleckz suggestion won't actually work since tokens are Admin authorized and not revokable by the domain user.
I generated a self-signed cert, exported and uploaded to the subscription. When I deploy to staging, all works well when I navigate to the app (MVC) it redirects to https appropriately, I get the warning but all works perfect when I continue to the site. When I deploy same package to production, none of my roles responds, to web requests or tcp, I can't even RDP into the VMs.
Any ideas?
EDIT: I'm going to say this is closed. I gave it an hour (watched tv to clear my head).. and it started functioning correctly. Perhaps it just took an extra long time to spin up the VMs.
Some time it take longer then expected for the role to start and if you are interested to know why I have explained in the following SO question:
Is there a way to reduce time between Azure deployment start and role OnStart() code being invoked?
Want to know more let me know and I would love to explain in much finer details.
Our organization has a number of Rails applications (websites) deployed to Heroku. A former devleoper has left the organization, and as good practice we want to change the Heroku API key associated with our account to prevent any modifications to the apps via the Heroku CLI.
I know that the Heroku API Key is used for Heroku CLI access (it gets cached in ~/.heroku/credentials), but not certain what else it is used for. Specifically, do 3rd-party add-ons in the Heroku platform (e.g. New Relic, Hoptoad/Airbrake, Sendgrid, etc) use this, and therefore require reconfiguring if the API Key is changed? Heroku throws up a fairly generic (and non-informative) error message when you click the "regenerate" button to change it.
Because the term "API Key" is so generic, want to be clear that this is the single API Key associated with each Heroku account accessible via "My Account" link. Image (and warning message) below.
Asked Heroku Support. This is what I got back:
"you can safely change your API key at any time, as we don't give it to any add-on providers. That alert is meant to remind you that if you added your API key to any application or service (ie for auto scaling, manually provision workers, etc) it will stop working until you provide it a new key."
I requested that they update the interface/documentation to make this more clear.
Also remove him from being a collaborator on all your projects so he can't push to them via git.
Out of curiousity (i'd never seen reset key in the admin) I tried it. When I then tried to use the CLI against one of my apps I was asked to reauthenticate - but i can't now get back in - doh! The same username/password works via the site. I'll ping support and report back,
UPDATE:
So it appears my problem is entirely due to the Heroku Accounts (https://github.com/ddollar/heroku-accounts) plugin that I'm using which stores a copy of the key in the ~/.heroku/accounts/ file. Support got me to remove the folder and it all works now - just something to be aware of if you reset your API key.