Is there a way to use the MYOB API to get the user login my.MYOB account information, get the login name and password in the picture below, can not write dead, if you can not get this information, then how to assign X-myobapi-CFTOKEN Give her, do you need to write death in the program?
Is there any way to get information about user login?
Thanks!
Related
Hello, StackOverflow Community.
I am currently programming an electron Application which contains a login.
My login is working perfectly but now I do not know how to correctly save the information from the user.
The user should not be able to edit the file or the cookie type of thing so that he cannot abuse the system to be another user without knowing his password.
I hope you can understand my problem and help me out!
When storing user data you shouldn't store it locally at all you should make an authentication key and store it in your database with your user, you then need to store this on the client side too. Normally people store this in memory therefore once the user exists the system they "sign out" if you don't want them to you could save it to some sort of settings file using something like electron-settings or a cookie using the electron API. Once you have this key you should use that to authenticate calls to your API and when doing so you should check that the key is valid for the user who is performing the action.
Example:
When UserA sends a message to UserB you should check that UserA's auth key equals the key which represents UserA in your database.
Using this method will make it hard for other users to "guess" other users keys and also keep user data safe from user interaction.
NOTE: Change the users auth key every time they login to prevent someone from stealing it!
To can consume Gmail api, application needs to be authorized by the owner of the gmail account, providing his consent:
https://developers.google.com/gmail/api/auth/about-auth
My question is: is there any way to avoid ask the user for his consent? My aim is get the credentials to use Gmail Api just using username / password of target gmail account.
Do you mean you want your application to store the username and password and then use them to access user data? If so, then no, you must obtain authorization from the user (at least once) in order to use the API. And it's a good thing, too, for the sake of security!
Or, do you mean that you're just trying to access your own account? Even then, you need to authorize yourself, because Google doesn't know who is running your code.
Is there a reason you don't want to go through the authorization process? Knowing that might provide some insight into your question for anyone who tries to answer it.
To rephrase the question: "How can I bypass the whole process of 2 factor authorization?"
Answer: "Please do let us know if you manage it ... or report it to Google for a bug bounty, 'cause you're not supposed to be able to do so."
I'm trying to keep in my app which user is connected. I'm really not sure if I'm doing this correctly. So here is how I plane to do it:
First I use my Slim API to check if the username and password are correct and if has access privilege.
If it returned the username and his privilege level, I will store them in a cookie and use those two information in the app.
The problem is that I'm afraid that if I store the username in a cookie, someone could try to change the cookie and put an other username instead.
Is it alright to only use the username for my requests to the DB as soon as the user is connected (like get all item of a user using the name of the user), or should I use a more secured and efficient way, if there is one?
P.S: I'm not asking how to have my site remember the user when he go back to the site. I'm asking how I should remember the username and other information while my user is still on my site in a secured way.
You should generate a long random number password and store that in a cookie. This random number is essentially just another unique password for this user. So, on the server side, you only store a properly salted hash of this random number. Think of this like a Hash key for that user stored in DB, and you use this HASH key to decrypt the long ramdom password.
You could encrypt these informations in the cookie, so nobody can steal these ones. Each time a user is trying to launch your application check if the credentials in the cookie are still correct (Is this username in your databse ? Is the accreditation level correct for this user ?). So you know if these informations have been changed. If they aren't correct you invite the user to login again.
I have a project in mind, but i thinking of the part when a user can log in. I am going to do a login & register window frame in javaFX, and now comes the tricky part?
Im not sure how to to the login correct, the username is supposed to save in a database. And the password to be secure i need to use a crypt algorithm(like blowfish, or md5hash?) but im not sure where to save that, in a array or how you do it.
WOuld really appriciate if someone could give me some good advices:D
I have in my web application a role called "Administrator". Users who have this role should be able to modify the information about the registered users.
I am thinking about displaying a table with the user details such as e-mail, username, and be able to change them but I don't know what should I do if a users comes to the office physically, goes to an admin and asks for a password change (yes they can do that). Should the admin just press a reset button over the row and tell the user to check his e-mail when he arrives home and proceed with the recovery? (reset link for example) Or should the administrator reset the user's password and give him his new password in that very moment? The second approach is preferable as I was asked to do that...
I know that the admin shouldn't be able to see the original password as it should be hashed and unknown.
What are your thoughts about this? How would you implement this functionality? Thanks for your help.
There is no one perfect answer for this question. The question of workflow will always be dependent on the specific use-cases of an application and will depend on the context it is built in.
That being said, you are right about one thing - it is horrible, and I do mean horrible, security breach to let an Admin or any other user view a clear text password for someone else. So that's definitely off the table.
In your case, it seems giving the admin the right to change someone's password is the way to go. If you're worried about how it looks, don't be. Google Apps allows domain administrators to change the password for any email account under that domain.
Finally, I would suggest a small additional safety measure. When an Admin changes another user's password, store the old encrypted password in a column, don't delete it. When the admin set's the new password, shoot out an email to the user saying "Your password was changed by the Administrator, if you did not request for this, please click here". When they click on the link in the email, simply overwrite the new password with their old one.
That way in case an Admin is changing passwords without the user requesting it, you have a recourse for the user and the logs will keep you informed of how many time an admin has had a password reset revoked by the user.