In my react application, when Im rendering the Docusign clickwrap, I need to supply the accountId and the clickwrapId. Is there a secure way to reference the accountId/clickwrapId without actually putting those values in. I dont want to expose those credentials in my react application
function App() {
React.useLayoutEffect(() => {
docuSignClick.Clickwrap.render({
environment: 'https://demo.docusign.net',
accountId: '...',
clickwrapId: '...',
onMustAgree(agreement) {
// Called when no users have previously agreed by the above client user ID for the most recent required Clickwrap version
},
onAgreed(agreement) {
// Called when either 1) the clientUserId has previously agreed 2) the clientUserId has clicked agree and completed successfully
},
onDeclined(agreement) {
// Called when the clientUserId has declined successfully
}
}, '#ds-clickwrap');
}, []);
return <div id="ds-clickwrap" />
}
Ah, you can use the server-side API to generate an agreement URL instead if that is desired.
POST /clickapi/v1/accounts/.../clickwraps/.../agreements:
Only the clientUserId is required to make this API call. You would do this from your server and then pass the URL from the response to the client.
{
"clientUserId": "..."
}
This would return an agreement URL to then be used in the snippet of JS:
{
...
"status": "created",
"agreementUrl": "https://...."
}
This agreementUrl could then be used in the snippet:
docuSignClick.render({
agreementUrl: '...agreementUrl from REST API response...',
onAgreed...
}, '#ds-clickwrap');
Related
So I'm fairly new with using Keycloak and I'm using this tutorial to install it with my React & TS app.
https://blog.devgenius.io/security-in-react-and-webapi-in-asp-net-core-c-with-authentification-and-authorization-by-keycloak-89ba14be7e5a
That author says we should set the Access Type to confidential.
I've done the settings he says there (literally the same) and I get
{"error":"unauthorized_client","error_description":"Client secret not provided in request"}
my keycloak.json (which is in the public/ folder)
{
"realm": "best-realm",
"auth-server-url": "http://localhost:28080/auth/",
"ssl-required": "external",
"resource": "best-react",
"verify-token-audience": true,
"credentials": {
"secret": "secret"
},
"use-resource-role-mappings": true,
"confidential-port": 0
}
KeycloakService.tsx
import Keycloak from "keycloak-js";
const keycloakInstance = new Keycloak();
/**
* Initializes Keycloak instance and calls the provided callback function if successfully authenticated.
*
* #param onAuthenticatedCallback
*/
const Login = (onAuthenticatedCallback: Function) => {
keycloakInstance
.init({ onLoad: "login-required" })
.then(function (authenticated) {
authenticated ? onAuthenticatedCallback() : alert("non authenticated");
})
.catch((e) => {
console.dir(e);
console.log(`keycloak init exception: ${e}`);
});
};
const KeyCloakService = {
CallLogin: Login,
};
export default KeyCloakService;
Why am I getting this error? I've read some posts that access type confidential doesn't work anymore with a JS adapter. But those posts were older than the posting date of that tutorial (it is written in may 2022). So I don't know what to believe.
Can anybody help me understand this error and teach me how to fix it?
Thanks.
In keycloak.js removed "credential" access type option.
Official comment about this since Keycloak 8.0.0
https://www.keycloak.org/docs/latest/release_notes/#credentials-support-removed-from-the-javascript-adapter
You should be use public option in front-end side.
The public option with PCKE(Proof Key for Code Exchange) is protect to steal token that is intended for another app.
Understanding benefits of PKCE vs. Authorization Code Grant
This web site shows how to use PCKE from Keycloak
https://www.appsdeveloperblog.com/pkce-verification-in-authorization-code-grant/
I'm working on a Next.js/Django project, which the user is able to add some redirect logic from the admin panel like:
[
{ source: "/about", destination: "google.com" },
{ source: "/about1", destination: "google1.com" },
{ source: "/about2", destination: "google2.com" },
]
and the web application should be able to handle these dynamic redirects.
As the Nextjs docs says, we can do this in next.config.js. The problem is that we can't have dynamic data in next.config.js. With every change in this file, server must be restarted.
Here we need a logic that gets the urls using an API on website load, loops through them and listens for every route calls to see if they match the redirect data or not.
I have tried some other ways too, like trying to use useEffect, but this way causes the website to render 404 page first and then it redirects to the desired url, which is not that nice for user experience viewpoints.
You can use Next.js Middleware to fetch the dynamic redirects array from the API, and add your own logic to handle the redirection.
Unlike redirects in the next.config.js that run at build time, Next.js Middleware runs on each incoming request to your pages and is able to dynamically fetch the redirects every time.
export async function middleware(req) {
// Fetch redirects array from API
const res = await fetch('https://example.com/api/redirects');
const redirects = await res.json();
/* Assuming the returned `redirects` array would have the following structure:
[
{ source: '/about-us', destination: '/about' },
{ source: '/google', destination: 'https://google.com' }
]
*/
// Find the matching redirect object
const redirect = redirects.find((redirect) => req.nextUrl.pathname === redirect.source);
if (redirect) {
if (redirect.destination.startsWith('http')) {
// Handle external URL redirects
return NextResponse.redirect(new URL(redirect.destination));
}
// Handle internal URL redirects
return NextResponse.redirect(new URL(redirect.destination, req.url));
}
// Continue if no matching redirect is found
return NextResponse.next();
}
I`ve tried to register my app as Web application, generate the user id and implement it in my code but get an error when I press my button for log in with google:
[Unhandled promise rejection: Error: Please provide the appropriate client ID.
enter image description here
If you're using expo, you have to configure the google sign-in like this. This is my configuration. You have to create androidClientId and iosClientId from your account and use it here.
Disclaimer: This is a standalone function only for signingin/signingup a Google user and fetching details. To configure it with firebase you have to add other functions too.
Also, make sure that you're importing this package. I faced a similar problem when I used another package.
import * as Google from 'expo-google-app-auth'
Additionally, are you using the latest version of expo SDK?
async signInWithGoogleAsync() {
try {
const result = await Google.logInAsync({
androidClientId:
'your-id',
iosClientId:
'your-id',
scopes: ['profile', 'email'],
permissions: ['public_profile', 'email', 'gender', 'location']
})
if (result.type === 'success') {
/*put your logic here, I set some states and navigate to home screen
after successful signin.*/
const googleUser = result.user
this.setState({
email: googleUser.email,
name: googleUser.name,
})
this.navigateToLoadingScreen()
return result.accessToken
} else {
return { cancelled: true }
}
} catch (e) {
return { error: true }
}
}
We are using PayPal in order to enable subscription in our platform.
I set up the product and plans inside PayPal and integrated the "PayPal Smart Buttons" using the "react-smart-payment-buttons" package (https://github.com/erksch/react-smart-payment-buttons).
I managed to create the subscription successfully but the first payment is not captured immediately or at all.
When I'm using the PayPal Subscription API in order the see when will be the next billing cycle, it shows a timestamp that has already passed.
For example, this is part of the JSON I got from the API:
"billing_info": {
"outstanding_balance": {
"currency_code": "USD",
"value": "0.0"
},
"cycle_executions": [
{
"tenure_type": "REGULAR",
"sequence": 1,
"cycles_completed": 0,
"cycles_remaining": 12,
"current_pricing_scheme_version": 1
}
],
"next_billing_time": "2019-07-01T10:00:00Z",
"failed_payments_count": 0
},
"auto_renewal": false,
"create_time": "2019-07-01T15:34:02Z"
}
As you can see, the next_billing_time value is before the create_time which doesn't make sense.
What I already did:
After the user approves the subscription, I'm getting the ID of the order and also the subscription. When trying to capture the payment by using the PayPal Payments API and the order id I got, I'm getting back an error.
I checked the status of the created subscription and it shows ACTIVE.
createSubscription(data, actions) {
let plan_id = process.env.REACT_APP_PAY_PAL_BASIC_PLAN_ID;
return actions.subscription.create({
plan_id
});
}
onApprove(data, actions) {
const Http = new XMLHttpRequest();
let url = process.env.REACT_APP_UPGRADE_USER_URL;
Http.open("POST", url);
Http.setRequestHeader("x-access-token", this.state.token);
Http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
Http.send(`plan=${this.state.plan}&subscriptionId=${data.subscriptionID}`);
}
I'll be happy if someone can assist me with this problem.
Thanks in advance.
In my stack I am using redux-token-auth to authenticate users with my rails backend (devise_token_auth). In my app I need to allow authenticated users to upload images, for this I'm using react-fine-uploader.
My problem is that I'm not seeing a way to have ract-fine-uploader to POST the images in an authenticated way. and in general how to use redux-token-auth to upload data to my backend with authentication.
I found that redux-token-auth stores authentication tokens in the localStorage, so I'm kinda able to retrieve it and authenticate my requests. Though I don't like accessing such data directly with a localStorage.get("access-token") (It's written by the package, it just seems fair to use the package to handle it).
Also with react-fine-uploader the response object doesn't contain the headers from the server response, so I'm not sure on how to get the new tokens to store them.
Here's the code I got so far:
my ImagesUploader:
import React from "react";
import PropTypes from "prop-types";
import FineUploaderTraditional from "fine-uploader-wrappers";
import Gallery from "react-fine-uploader";
import { backend } from "../../libs/itemTools";
import "react-fine-uploader/gallery/gallery.css";
const ImagesUploader = props => {
const uploader = new FineUploaderTraditional({
options: {
multiple: false,
validation: {
itemLimit: 1
},
request: {
endpoint: backend.createImage,
customHeaders: {
"access-token": localStorage.getItem("access-token"),
"token-type": localStorage.getItem("token-type"),
client: localStorage.getItem("client"),
uid: localStorage.getItem("uid")
}
},
session: {
endpoint: backend.loadImages(props.itemId)
},
deleteFile: {
enabled: true,
endpoint: backend.deleteImage(props.itemId)
},
cors: {
expected: true
},
callbacks: {
onComplete: (id, name, response, xhr) => {
if (response.success) {
response.image.id;
//TODO save new access-token
// ####### THIS DOESN'T work, #########
//fine-uploader doesn't include headers in the response object.
localStorage.setItem("access-token", response.headers["access-token"]);
localStorage.setItem("token-type", response.headers("token-type"));
localStorage.setItem("client", response.headers(client));
localStorage.setItem("uid", response.headers(uid));
} else {
// [...]
}
},
onSessionRequestComplete: (...params) => {
console.log(
"onSessionRequestComplete: " + JSON.stringify(params, 0, 2)
);
}
}
}
});
return (
<div id="upload-area">
<Gallery uploader={uploader} />
</div>
);
};
ImagesUploader.propTypes = {
userId: PropTypes.number.isRequired,
itemId: PropTypes.number.isRequired
};
export default ImagesUploader;
It seems strange to me that redux-token-auth packages doesn't account for authenticated backend calls, and that fine-uploader doesn't give access to the response headers..
Is there maybe something I'm missing?
From taking a look at redux-token-auth, it expects to handle all auth calls and doesn't give you an escape hatch in the code - so yanking the localstorage seems like a prudent thing to do there. You can see in the code that it sets it for every request: https://github.com/kylecorbelli/redux-token-auth/blob/8c5a8fe573918d406a733ca1b21c0b4349f137ab/src/actions.ts#L160
As for fine-uploader it looks like you can grab the rawheaders by using xhr.response
https://github.com/FineUploader/fine-uploader/blob/master/client/js/traditional/traditional.xhr.upload.handler.js#L59
The response variable that you get back has been JSON parsed via the qq variable you pass in: https://github.com/FineUploader/fine-uploader/blob/master/client/js/traditional/traditional.xhr.upload.handler.js#L109