How does API signature authentication work as implemented by Mashery? - algorithm

Mashery allows authentication via digital signature as follows:
First, concatenate the following components:
API key
Shared secret
UNIX Timestamp
Then, create an MD5 hash of the concatentated string.
The documentation states that the unix timestamp only needs an accuracy of +/- 5 minutes. Details: http://support.mashery.com/docs/read/mashery_api/20/Authentication .
Assuming this is not a trade-secret, what is the algorithm for performing authentication like this?
Specifically, how is it possible when the unix timestamp can vary by 5 minutes? A "brute-force" technique might be to calculate a signature for every possible timestamp value until finding a match (or not), but that doesn't seem practical for authenticating frequent API calls.

Yes, that appears to be what it does. The documentation link you gave states, " A five-minute wiggle is permitted on either side of the current timestamp on the Mashery server to allow for reasonable clock drift." That means they need to check up to 600 hashes to see if the submitted one is valid. 5 minutes is 300 seconds. Plus or minus makes it 600 checks.
It seems practical to me. 600 MD5s is not a lot of processing to do. In fact, a modern password validator (like something that uses bcrypt) would perform much more work to validate a password.

Amazon give a good example of request signing and in quite alot detail which should make the mechanics obvious (I realise its not mashery - but i think it's what your after, or will at least help on your journey to API security happiness)
http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html

Mashery could also pre-generate the list of valid signatures or cache each sig on demand. The signature is global to all API's that Mashery is protecting for that API Key / Shared Secret, so there is no need to validate the API call uniquely for every request.

sha256 is pretty fast. Even in php, you can calculate 830K sha256's a second, so they very likely just brute force it.
<?php
$COUNT = 6000000;
$start = microtime(true);
for($i = 0; $i < $COUNT; $i++) {
$out = hash('sha256', 'wefjklwfekjlewfjklwefjklfwejkwefjklwfekjl' . $i);
//print("$out\n");
}
$total = microtime(true) - $start;
print("Time: $total\n");
print("sha256's per second: " . ($COUNT / $total) . "\n");
?>

Related

Initialize Variables in Power Automate Flow

I am wondering about power automate flow and I issues I had.
I am trying to set up initialize variables for checking time (european standard time) in my rules.
Expression looks like this -
startOfHour(convertFromUtc(triggerOutputs()?['body/receivedDateTime'],'Central European Standard Time','t'), 't')
Under variables I have condition which (True/Not) like this -
YES - time is greater than 22:30 PM
NO - time is less than 8:00 AM
If condition is true, my e-mail is forwarded to another outlook mailbox.
If not, nothing happened.
But this flow doesn't work :D
Can you help me resolve it ?
Thanks a lot !
First part prtscrn
Second part prtscrn
Given the information provided, I suggest the following:
Get the current time.
Convert it to the desired time zone. You can use the built in function to avoid calculation errors.
Convert only hour and minute to Integer. For example, 14:33 would be 1433.
Compare integers. This is: if time is greater than 2230 and less than 830, then forward email.
The flow might look like this:

How to get Object idle time using Spring boot Redis

I am trying to implement session management, where we store jwt token to redis. Now I want remove the key if the object idle time is more than 8 hours. Pls help
There is no good reason that comes to my mind for using IDLETIME instead of using the much simpler pattern of issuing a GET followed by an EXPIRE apart from very trivial memory requirements for key expiry.
Recommended Way: GET and EXPIRE
GET the key you want.
Issue an EXPIRE <key> 28800.
Way using OBJECT IDLETIME, DEL and some application logic:
GET the key you want.
Call OBJECT IDLETIME <key>.
Check in your application code if the idletime > 8h.
If condition 3 is met, then issue a DEL command.
The second way is more cumbersome and introduces network latency since you need three round trips to your redis server while the first solution just does it in one round trip if you use a pipeline or two round trips without any app server time at worst.
This is what I did using Jedis. I am fetching 1000 records at a time. You can add a loop to fetch all records in a batch.
Jedis jedis = new Jedis("addURLHere");
ScanParams scanParams = new ScanParams().count(1000);
ScanResult<String> scanResult = jedis.scan(ScanParams.SCAN_POINTER_START, scanParams);
List<String> result = scanResult.getResult();
result.stream().forEach((key) -> {
if (jedis.objectIdletime(key) > 8 * 60 * 60) { // more than 5 days
//your functionality here
}
});`

CPU is utilizing 100% resource and therefore Queue failed

My code is like below.
for($i = 0; $i <= 100; $i++) {
$objUser = [
"UserName" => $request["UserName"] . $i,
"EmailAddress" => $request["EmailAddress"] . $i,
"RoleID" => RoleEnum::ProjectManager,
"Password" => $request["Password"],
];
$RegisterResponse = $this->Register->Register($objUser);
$Data = $RegisterResponse["Data"];
$job = (new AccountActivationJob($Data));
dispatch($job);
}
Above code is creating 100 users and Each time a queue is being created to send email notification. I am using database default queue.
I have shared hosting account on GoDaddy. Due to some reasons the CPU usage reaches 100. Here is the screenshot.
Finally loop stops in between. Below is the screenshot after 5 mins.
Here, My problem is: It is not able to continue creating 100 users. I am doing this to test the sample queue implementation where multiple users send request for registration. Am I doing anything wrong?
As stated above, GoDaddy has a lot of resource limitations. You can only send 100 Emails an hour is what I have heard.
That also not at a single time. If it detects you are sending a lot of emails, your process is blocked.
Instead, you can queue up the messages to be sent 1 per 20 seconds or 30 seconds. It will help keep the resources in limits, and your emails are sent to the customers without any problem.
You can use the sleep function for this.
Godaddy does have a limit of resources you can use. If you go over it, it will kill the processes on ssh.
The limits are avaiable here
Try running the php process with a different nice parameter.
That's what I do when i need to use an artisan command that does use a lot of resources..
I did the findings and found that I should move to VPS instead of Shared hosting. here are the nice and cheap plans by GoDaddy. https://in.godaddy.com/hosting/vps-hosting

How to Spam Filter Gmail Messages by Recipient Address?

I use the dot feature (m.yemail#gmail.com instead of myemail#gmail.com) to give emails for questionable sites so that I can easily spot spam from my address being sold.
I made this function and set it to trigger every 30 minutes to automatically filter these.
function moveSpamByAddress(){
var addresses = ["m.yemail#gmail.com"]
var threads = GmailApp.getInboxThreads();
for (var i = 0; i < threads.length; i++){
var messages = threads[i].getMessages();
for (var ii = 0; ii<messages.length; ii++){
for (var iii = 0; iii<addresses.length; iii++){
if (messages[ii].getTo().indexOf(addresses[iii]) > -1){
threads[i].moveToSpam()
}
}
}
}
}
This works, but I noticed that this runs slower than I would expect it to (but my expectation may be unreasonable) given that my inbox only contains 50 messages and I am only currently filtering one address. Is there a way to increase execution speed?
Also are there any penalties for running scripts too often? I see that I have the option to trigger a script every minute, and that would increase the likelihood of filtering a message before I see it, but it would also run the scripts uselessly significantly more times.
You can do this using native gmail filters plus apps script.
Script time quotas varies from 1 to 6 hours depending on account type.
To improve performance, first check getInboxUnreadCount and return inmediately if zero.
If you use a 1minute trigger, make sure to use a lock to avoid one timer starting while the other runs. If the lock is in use simply return.
First, make a gmail filter so when "to" matches your special address, apply a special label like "mySpam"
Second, make an apps script with my suggestions above, plus your code no longer needs to search so much, now you just need to find emails with that label (a single api call) and .moveToSpam
There shouldnt be that many at any time in the label if the script runs often.

Web based API that can tell me if a number is a landline or cell phone? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
My application sends SMS messages to people, but the numbers entered in as their cell phone are sometimes land lines (this is user error or the user not really knowing if the contact number they have is a cell phone or landline.)
I found a few websites that can tell me if a number is a landline or cell phone, but they do not offer programatic API's. Is anyone aware of a way a web application can figure out if a number can receive SMS messages?
I guess a test SMS message is one way, but my current SMS gateway fails hard when it gets a landline number and doesn't tell me the landline number it tried to send the SMS to. I'll follow this up with my carrier, but I would love an easy way to let the user entering phone numbers in if they are a landline or cell number.
Update:
There are ways to figure this out. Take a look at http://www.phonevalidator.com, they can query a phone number and figure out if it is a landline or cell phone.
You can have JavaScript open a popup with the url:
"http://www.phonevalidator.com/results.aspx?p=" + phoneNumber
It's not a free service, but a company called Targus (not the bag company) has an API for querying phone information. They can tell if it's landline or cell, even address validation. The charge based on how many queries you do (a few cents a query).
http://www.targusinfo.com/
Followup: I contacted TARGUSinfo on Feb. 24, 2011 and was told by their sales rep that they only work with record sets in the hundreds-of-thousands to millions and generally their customers are plugged into their API for real-time access. Differentiating between cell numbers and land line numbers for smaller record sets is "not something they can assist with."
I am afraid the only real way to find it out is contact SMS gateway service providers. A list of them can be found here for example:
http://en.wikipedia.org/wiki/SMS_gateways
Anyway, instead of that I suggest doing the following:
When user inserts cell phone number into his or her profile, send testing SMS to this number with confirmation code. If number is not verified by user, don't bother sending SMS messages to it later on.
Actually there are land line operators that allow receiving SMS. Either by text2voice gateway or phone terminal with extended capability. Moreover, in Europe cell phone operators have started offering "virtual land lines", which are in fact GSM cell phones assigned to one particular base station. But they do follow land line numbering scheme.
Resuming — not allowing sending SMS to land line number is wrong.
The following script returns
646-826-3879 LANDLINE
for the Stack Overflow hot line.
#!/usr/bin/perl -w
use strict;
use warnings;
use LWP::Simple;
use LWP::Simple::Cookies ( autosave => 1, file => "$ENV{'HOME'}/lwp_cookies.dat" );
my $usage = "Usage: $0 <phone_number>\n\nwhere phone_number is on format XXX-XXX-XXXX or XXXXXXXXX";
die $usage unless scalar #ARGV == 1;
my $number = shift #ARGV;
die $usage unless $number =~ /(\d\d\d)-?(\d\d\d)/;
my $NPA = $1;
my $NXX = $2;
#GET /search.asp?frmNPA=646&frmNXX=826&frmCity=&frmState=&frmZip=&frmCounty=&frmCompany=&search.x=0&search.y=0 HTTP/1.0
my $doc = get 'http://www.area-codes.com/search.asp?frmNPA=' . $NPA . '&frmNXX=' . $NXX . '&frmCity=&frmState=&frmZip=&frmCounty=&frmCompany=&search.x=0&search.y=0';
# html format:
#...
# <td><strong>NXX Use Type:</strong></td>
# <td>LANDLINE</td>
#...
my $next = 0;
my $result = "";
grep {
if (/NXX Use Type:/) {
$next = 1;
} else {
if ($next) {
$next = 0;
$result = $_;
}
}
} split(/\n/, $doc);
$result =~ /<[^>]*>(.*)<[^>]*>/;
print "$number\t$1\n";
I'm not sure if you want to do that really... If you want to tell if a number is reserved by a callphone or landline provider, you should be able to find the ranges in some documents from your country's telco supervising entity (not sure who does that in US - it might be http://www.nanpa.com/). Those documents are usually public.
But the problem is that mobile number != able to receive sms. With number porting and all the "unified communication" ideas nowadays you can easily have local numbers redirecting to mobiles, non-geographical numbers handling smses and local "special" numbers rewriting your incoming smses as facebook messages ;) For example my local "landline" number is redirected to a mobile in another country and couple of other locations.
You shouldn't be charged for a message sent to a nonexisting / otherwise strange number, so it might be a good way to check if someone can receive them. If you have a good control over the SMS gateway, you can send a message with delivery report active and expiry == immediate message (forgot the official name). Just send a test / welcome message - if it's not accepted, you can mark the number as unavailable. Otherwise, you can just ask for a "number that accepts SMSes" instead of a "cellphone number".
Trying to combine some answers here...
Daniel mentioned that
You can have JavaScript open a popup with the url:
"http://www.phonevalidator.com/results.aspx?p=" + phoneNumber
Does this still work? I can't seem to reproduce it. If we can get that to work, then maybe we can use a script like the following...
#!/usr/bin/perl -w
use strict;
use warnings;
use LWP::Simple;
my $usage = "Usage: $0 <phone_number>\n\nwhere phone_number is on format XXX-XXX-XXXX or XXXXXXXXX";
die $usage unless scalar #ARGV == 1;
my $number = shift #ARGV;
die $usage unless $number =~ /(\d\d\d)-?(\d\d\d)/;
my $NPA = $1;
my $NXX = $2;
#GET /search.asp?frmNPA=646&frmNXX=826&frmCity=&frmState=&frmZip=&frmCounty=&frmCompany=&search.x=0&search.y=0 HTTP/1.0
my $doc = get 'http://www.phonevalidator.com/results.aspx?p=' . $NPA . $NXX;
# html format:
#...
# <td class="style16">
# Phone Line Type:
# </td>
# <td class="style13">
# <span id="PhoneTypeLabel">LANDLINE</span>
# </td>
#
#...
my $result = "";
grep {
if (/PhoneTypeLabel/) {
$result = $_;
}
} split(/\n/, $doc);
$result =~ /<[^>]*>(.*)<[^>]*>/;
print "$number\t$1\n";
Another option would be to have the user select their cellphone provider from a list. Just a thought.
Why not make a list of the usual format for the landlines and mobile numbers? For example, where I'm located landlines always follow this format:
9xxxx xxxx
and mobiles are always:
04xx xxx xxx
You can easily make a list of the general format of landline/mobile numbers in the area you are serving. Then, when wanting to find out if a US number is landline or mobile, just compare it and see whether it matches the landline format or the mobile number format.
Another thing that is done often to validate phone numbers, is to send a temporary pin via SMS to the user's mobile, and ask them to enter that pin in order to validate their number.
I can imagine doing this, if I had access to the core mobile network. That's an SS7 API, though, not a Web API. I would bet that any service which offers a Web API acts as a proxy to the SS7 network, instead of relying on databases. The only other alternative would be to query the number porability database. Eventually, to terminate a call, all network operators need to determine which other operator they need to connect to.
we have a service which provides fixed line / cellular detection for USA and Canada, and also detects if the number is Live or Dead, which wireless carrier the number is ported to etc. There's a full web API.
If you sign up for an account at www.hlrcheck.com I'll get it validated and add some free credits for you to test. We're in beta at the moment, but full release candidate is imminent.
All solutions mentioned here are static number pattern lookups but the only reliable way to figure out whether a given cell phone number is valid (and ready to receive SMS) is to perform an HLR Lookup. HLR stands for Home Location Register, which is a mobile network operator database with real time subscriber information. There are several API services for HLR lookups, e.g. www.hlr-lookups.com.

Resources