I have a community connector which uses an API key to get data.
So you go to https://lookerstudio.google.com/u/0/datasources/create?connectorId=xxxxxxxxxxxxxxxxxxx
and then need to enter the API key manually in a text input.
Is there a way of pre-filling this input with a value via its URL (https://lookerstudio.google.com/u/0/datasources/create?connectorId=xxxxxxxxxxxxxxxxxxx&apiKeyParam=apiKey)?
Related
Within a custom Alexa skill hosted as a lambda service, I need to call an external API with an API key, that changes for each device. So I can't put the URL or the API Key hard-coded into the skill's code.
Whats the best practice to store user settings locally like an API Key for an Alexa skill? I tried to create an intent, where the user can dictate e.g. the API key, but it doesnt really work quite well and is not that user friendly. Unfortunately, I dindt find a way to create some sort of user preferences site, that might be accessabble for example through the Alexa app on the connected iPhone.
Each request comes with a User ID that uniquely identifies the owner of the device. I use that as a filename for an S3 bucket, retrieving that json file on my Launch intent and storing the info in the session vars. You can store anything you like in the S3 file and retrieve it per user.
There is no way to save any info without writing the code to do so. When the skill is first loaded, all session vars are empty. You need to write code to use the user id to lookup necessary info.
I am building a facebook messenger bot which needs to take multiple inputs from the user. One way of storing all the inputs is to store them in database. However, I found a field "metadata" in the Send API request. The description of this field is also very promising - "Custom string that will be re-delivered to webhook listeners". However, when I fill this field with user inputs, I don't get them back with the next call.I used the sample app provided by Facebook to do this test.
Has anyone found a use for metadata property? Is it working?
The SAML assertion from an IDP contains user profile information like name and email that can be used by the SP to set up a user profile and keep the profile attributes up to date. Is there also a possibility to provide a user avatar / profile image in the context of an SAML assertion? Either as binary / base64 stream or at least a URL? Even if not defined in the standard, is there any IDP or SP out there that supports that?
The standard is completely open on what attributes to pass. You can any attribute in there with any data and name. So passing a URL or BASE64 data is perfectly find according to the standard. Each deployment (SP+Idp) decides on what attributes there are and what formats they should have.
That said, in the most common cases the entire SAML message is bounced over the client browser by posting the data from a hidden form field. It's not a suitable approach for a large set of binary data. Passing a URL to the image as an attribute is a perfectly fine approach to get around that. You can also look at the artifact binding, where the posted data just contains a token and the SP does a direct download of the actual SAML data from the Idp over a SOAP connection.
I have the following code in my angular app declaration - an API key for Facebook (to implement Share button):
.run(function($FB){
$FB.init('9xxxxxxxxxxxx94');
})
So i know the general answer to this - 'API keys should be kept on the server side', however I don't see how i actually implement this.
The share call-method is made on the front end, so even if my server kept the API key and sent it, surely it's still visible on the front end, else how would the share button work?
So my question, how do I hide that Facebook API Key?
Thanks.
Requesting the key
The first thing that happens is that the client will request a key. This will only happen on certain pages like the sign up and log in pages. The idea here is that we want to make sure that only users browsing with a known client (in this case the official website or core client as it’s called) are allowed to take actions like creating or authenticating a user.
So when the client app requests the login page the server generates a unique token based on information sent in the request. The information used is always something the server knows, something the client knows, and something both know. So for example the server can generate a unique key based on User agent + current time + secret key. The server generates a hash based on this information and then stores a cookie containing only the hash on the client machine.
Setting permissions
At this point our key really isn’t a key anymore. It has been transformed into an access token. The server should then take this access token and store it for later retrieval. You can put the key in a database but since data of this type needs to be retrieved often I would suggest using a key-value store like Redis to cut down on database reads/writes and boost performance.
When you store the token you should also store a separate piece of data to indicate what permissions are associated with the token. In this case our token is acting only as a way to register and authenticate users so we store it next to a value that indicates who the token belongs to (the app’s web UI) and what permissions it has (limited to create and authenticate users). We treat it just like we would any other API client that way we can capture stats and control how it is used.
Authorizing a request
When the client then makes the POST request to create a new user or log in the server will check to see if the client sent an identifying cookie along with the request. If not, we reject the request. If it does send the cookie, the server should once again generate the hash using the values used previously (these values are either already known or sent with the request anyway so we’re not really taxing the server much) compare it to the cookie being sent to us, and if the values match allow the request to proceed.
Sources - Securing API Keys
OR
Simply send a request to your Server and let him handle your request with the hidden API-key and just return the result of your request to your front-end.
I have usersettings directory in my plugin that add automatically configure your tools section. users can create secret and qrcode of this secret.
I wrote action for saving secret and when click save button the secret have been saved in textbox.
how can I be sure that my secret is stored in database?Does anyway to see it in database?Is there in metadata?
thanks
You can connect to database manually and see for yourself using ie. phpmyadmin or mysql cli interface. Look at table private_settings
Alternatively you can just use elgg_get_plugin_user_setting to dump the setting value.