push user location manually to piwik - matomo

I am using piwik to track my website's user interaction. The main pain point with this is I am not able to track exact user location which is very important for me.
When I use default location tracking of piwik, it shows wrong user location, may be this is because it decides user location based on the user browser language. Due to this for users from India, where mostly browser uses US English language, piwik thinks user is from USA and mislead the tracking.
I see there are different other mechanism where I can get exact user location using some IP2Location database etc.
But these doesn't work for me as for me user ip is private ip, and for which location it shows is unknown.
So I am trying to manually set the location (I have set user location in browser cookie and I want to push this data to piwik) and looking for the function/ api (_paq method) where I can manually push the Country/ state/ city etc.

Related

Site guest user cannot run Get Record element

In my site the guest users have access to the flow and they able to run the flow and even create records. When the flow try to find the created record the next error accrue:
Because Get_Record is passed to an action, subflow, or Lightning component, store the values of all Request_for_ChemTox__c fields that the running user has access to.
I gave access to every field for that user and still keep getting this error.
Any ideas?
It's probably not field level security (~table columns) but whole record's security (~table rows).
Check your site/community/experience settings as described in this article: https://help.salesforce.com/s/articleView?id=000352970&type=1. If there's something set - the ownership of created record is immediately transferred over to that internal user and guest loses visibility. It sucks but it's there to protect you, makes sure that if you have for example Leads or Cases submitted by guest users - they immediately "disappear", guest/hacker can't report on them, experiment with IDs in the url to learn other people's data...
You can Check Setup -> Sharing Settings for this object and create new sharing rule. (I can't upload image right now but start making new sharing rule with step 2 "rule type = Guest user access, based on criteria")
https://help.salesforce.com/s/articleView?id=sf.networks_guest_record_default_owner_best_practices.htm&type=5 has some good tips too:
If you’d like to create a different experience for guest users, use
flows in System Mode to redirect guest users to a different custom
screen after they create a record

Is it safe to store user information in Localstorage?

I built an app with authentication, and upon navigation to private route, I'm checking in the redux store if user object exist. when reloading the page, obviously the store clears. I thought of persist-state solution with redux-storage , but I see that the data is being stored in the LocalStorage.
is it safe that all data is being shown there? information like user id, name, email, etc..
Thanks
Do not store plaintext values (user name, id, password etc.) in localstorage. Assume the following:
Someone with access to the physical machine: he can either grab the Chrome profile files, containing my localstorage, or he can open Dev Tools in my browser and see stuff he shouldn't.
A malicious browser (or app with a browser control) can gain access, by getting you to browse to the site and copying the values.
Never rely in your app on info you got back from localstorage. Assume someone manipulated it. Crass, imaginary example: if you store my cart total in localstorage, to save time on recalculating it later, assume I changed it to a lower number on the client.
Finally, assume some of your users will use a private tab to browse to your site, at which point you wont be able to utilize localstorage. So why not design to work without it?

Session ID validation - Security - Ionic/Angular

I have been struggling for the past month on the solution to this.
When the user get's logged in, a session token is created in the DB and stored in the localStorage. This enables me to validate the user (by sneding the sessionID to the server and comparing its value to the value stored on the DB) every time a critical server call is made, but if I copy a particular session ID from the localStorage of any user I can paste on my localStorage and be validated too. This is a very big gap that I need to fill. What is the correct approach to validate the sessionID and avoid someone from copy and pasting it? How to I make the localStorage encoded to the user?
Notes: SessionID is created using JWT,
session token is completely random and created after logging in,
the value gets stored on a column of the user's column and saved on the localStorage
There is not anything you can do to completely protect against something like this. If an attacker has physical access to a machine to be able to copy and paste from local storage, there is nothing you can do to stop them.
There are a few things you can do to slightly mitigate it, but they are more window dressing than anything else, and they usually cause more problems than they solve. One of this is pinning the session to an IP address. If the session begins at one address, and then moves to another address, you can invalidate the session and force the user to re-authenticate. However, this causes many problems with legitimate users as their machine hops across networks. Mobile devices have exacerbated this, but even stationary machines have trouble keeping a steady IP address.

Online GAE Application User

How to know if a user is currently logged-in in your Google App Engine application?
The application allow its users to browse other users' profile. If the viewed profile is also using or logged-in in the application, i want a notification that the viewed profile is online.
How to achieve this requirements?
If you are managing user profiles, you know when a user logs in. At the end of the login process, just save the user's log-in information in the memcache somehow.
You will later be able to check if a user is logged-in just by searching for him in your memcache.
This way is easy to catch and track the connection events, but you also have to react when a user disconnects, to have your list up to date. To achieve this, you can use a Channel. See the google documentation.
You could, as Gaël suggests, use the Channel API to track this, but it's probably overkill. If you wanted to go that route, just listen for the connected & disconnected messages, and update a field in the db that indicates that the user is signed in.
A less expensive route might be to just update a field in your user's record that's something like "last time this user requested a page." If it's been more than n minutes since the last time the user requested a page, assume they're signed out. Indeed, you could even do this in memcache with a map from userid to last access time.
It comes down to what you want to do with the "signed in" information: if you just want to give a general sense of whether a user's around, or how many users are online, using the datastore or memcache solution is probably good. On the other hand, if you want to reflect the user's presence so they can respond to eg. IMs, then you'll probably want the Channel API anyway so you can immediately deliver messages to them.

How to add the user name in the url for a Chrome extension?

I am working on a chrome bookmarking extension with google app engine as the backend. I am the only user now but I thought that if in the future there are other users the url needs to include the user name for the extension to interact with the backend. So I was thinking to change
http://ting-1.appspot.com/useradminpage
to
http://ting-1.appspot.com/user_name/useradminpage
where "user_name" is the gmail user id.
But I looked at twitter url and I see that they have
http://twitter.com/#!/user_name/
What is the purpose of "#!"? Is my scheme good enough in this case?
The # in a URL signifies the 'fragment identifier'. Historically this has been used to identify a part of a document identified by an 'anchor' tag, but recently webapp developers have begun to use it to pass information about the page state to Javascript code running in the page. This is used because it's possible for Javascript code to modify the fragment of the current page without causing the page to reload - meaning it can update as you browse through the webapp, and go right back to where you were when you reload the page.
The fragment is not sent to the server when the browser loads a page, so Twitter's server just sees a request for twitter.com; it's up to the Javascript code in the page to examine the fragment and determine what to do after that.
In your particular case, assuming you're using the App Engine User service to authenticate users, you have a number of options for how to distinguish users in your URLs:
Use their email address. In theory this can change, and users may not want their address in a URL they will share. If the URLs are private, this is more or less a moot point.
Use their user_id. This is opaque and reveals no useful information about the user, so it's safe, but it's also meaningless and hard to remember.
Let users pick a nickname for their URLs, like Facebook and other services do, on a first-in, first-served basis.

Resources