I want to query the eth balance and all token balances of a public key. So far I managed to load web3 and call the getBalance method.
Now, I want to see the balance for ERC20 tokens which are stored with the same public key? E.g. I want to see the balance of OMG tokens?
So far I found that each token contract address has to be queried:
https://ethereum.stackexchange.com/questions/15372/how-can-i-view-all-the-tokens-and-contracts-associated-with-an-ethereum-address
omgContractAddress = "0xd26114cd6EE289AccF82350c8d8487fedB8A0C07"
OmgContract = web3.eth.contract(abi)
omgContract = OmgContract.at(omgContractAddress)
someUsersAddress = "0x75087d9faa28d653750f3e4c86e7dcf6aff0a916"
omgContract.balanceOf someUsersAddress, (err, balance)-> #some owner
console.error err
console.info balance.toNumber()
Questions:
1) Do I need the abi of each token? Or can I use a standardized abi for ERC20 tokens as long as I just want to use standardized methods?
2) Where do I find the abi? Or do I need to recompile each contract?
E.g. OMG: https://etherscan.io/token/OmiseGo
I could find the abis of several tokens on https://etherscan.io/address/<token_address>#code so far they have the same method common in their abi. I just copied the method directly into my source code without reading the original abi. E.g.
abi = [{"constant":true,"inputs":[{"name":"_owner","type":"address"}],"name":"balanceOf","outputs":[{"name":"","type":"uint256"}],"payable":false,"type":"function"}]
Related
I am new to the JWT tokens, and I am trying get information from a jwt token. The thing is I don't have issues when I am the one generating the token, but, for some reason, when I generate the token at JWT.io with exactly the same information, the token is different and, therefore, the validation fails. I guess the problem may come from the key I am using, as, when using a simple key like "HELLO", this disparity does not happen. This is my code:
<?php
namespace App\Controller\Component;
use Cake\Controller\Component;
use \Firebase\JWT\JWT;
use Cake\ORM\TableRegistry;
class JWTComponent extends Component
{
public function check_token($token){
$decoded = [];
$key = openssl_pkey_get_details(openssl_pkey_get_private('file://'.APP.'private.pem'))['key'];
try {
$decoded = JWT::decode($token, $key, array('HS256'));
$decoded = (array) $decoded;
} catch (Exception $e) {
$decoded = ['error' => $e->getMessage()];
}finally{
return $decoded;
}
}
public function get_token($data) {
$key = openssl_pkey_get_details(openssl_pkey_get_private('file://'.APP.'private.pem'))['key'];
return JWT::encode($data, $key);
}
}
Your intuition is good. The integrity of the token is verified by checking the signature. Tokens are signed by the party which issued them. You can use different algorithms to sign those tokens. As #jps pointed out you can have symmetric and asymmetric signing. In symmetric signing the same key is used to sign and verify the key. HS256 is a symmetric signing algorithm. You can use a certificate to do that (like in your code), but it's a bit of an overkill in my opinion. Anyway, if you want the key generated at JWT.io to be valid in your code, you will have to paste the private key in JWT.io so that it can be used for signing. Then the token should be valid in your code. That's why it worked when you used a simple string as the key.
The token that you generate in your code and in JWT.io can, in the end, look a bit differently. That is, they will both be long strings, with three parts separated by dots, but the strings does not have to be equal. This does not mean that this is a different token. The encoded JWT can differ depending on whether you used line breaks in the input, or how many spaces you used. Even though, the encoded final JWTs may look differently, these tokens have still the same value. If you decode them, you will get the same JSON, maybe slightly differently formatted.
As for the use of the symmetric algorithm, it's usually better to use asymmetric signing, so if you are able to go with that option I would definitely recommend it. Also, have a look at some libraries for PHP to issue and validate JWT, unless you write the code to learn more about JWT itself. You can find a list of libraries on JWT.io.
If you're planning to secure your APIs with JWTs, have a look at this security best practices article I wrote, to learn about the dos and don'ts of JWTs.
I'm creating my own BEP20 token and want to implement a function to airdrop tokens to multiple addresses at once to reduce gas fees. Use case would be a giveaway of free tokens to selected users after the launch.
This is the code that I have so far, however there seems to be something missing for it to work properly:
contract Airdrop is Ownable {
IERC20 token;
struct PaymentInfo {
address payable payee;
uint256 amount;
}
constructor(address _token) public {
token = IERC20(_token);
}
function batchPayout(PaymentInfo[] calldata info) external onlyOwner {
for (uint i=0; i < info.length; i++) {
token.transfer(info[i].payee,info[i].amount);
}
}
function transfer(address to, uint256 amount) external onlyOwner {
token.transfer(to, amount);
}
}
Can I use code snippets from ERC20 examples? Will they work with BEP20?
Ethereum and Binance Smart Chain use slightly different token standards, so most of the Solidity code designed for Ethereum virtual machine need minor changes, including replacing mentions of IERC20 with IBEP20 and using the correct Solidity file for IBEP20 interface.
If you use correct version of Solidity compiler, it should tell if the code needs further changes. For real life testing, it's better to test the code on testnet of Binance Smart Chain.
You do not need to include batch send in the token itself. Because smart contracts are composable, there exist third-party smart contracts that can do batch send on behalf of any token.
One example service with open-source smart contracts is Token BulkSender. The source for the bulk send smart contract is here.
Has anyone an idear what to use as a general Authorization Service and have an working code example or good implementation steps how to implement such of thing.
It takes a lot of time to look what I am after, but didn't found any satisfied solution yet.
IdentityServer is not an option, while my permissions can not be stored as claims, because of the size of the token. It comes with about 200 persmissions, so it should be done in a dbcontext or something.
I looked at the PolicyServer, but it wasn't working as I expected. When I installed it at the IS4 application, it works on the IS4 controllers, but when the Authorize is called from an external application, it doesn't call the Authorize override at all were it should check the permissions.
And it seems that the permissions aren't set in the external application either in the User.Claims or what so ever. I'm missing some settings I think.
What I want to accomplish is that I have one permissions store (table) (which for example contains a bunch of index, add, edit or delete button or what so ever). The should be given to the autheniticated user which is logged in. But this single persmission-store should be available at all applications or APIs I run, so that the Authorize attribute can do his job.
I think it shouldn't be so hard to do, so I'm missing a good working example how to implement something like this and what is working.
Who can help me with this to get this done?
I wrote some code to get the permissions by API call and use that in the IsInRole override. But when I declare it with the Authorize attr, it will not get in the method:
[ApiController]
1) [Authorize]
public class AuthController : ControllerBase
{
private readonly IdentityContext _context;
public AuthController(IdentityContext context)
{
_context = context ?? throw new ArgumentNullException(nameof(context));
}
[HttpGet()]
[Route("api/auth/isinrole")]
public bool IsInRole(string role)
{
2) if (User.FindFirst("sub")?.Value != null)
{
var userID = Guid.Parse(User.FindFirst("sub")?.Value);
if([This is the code that checks if user has role])
return true;
}
return false;
This is the IsInRole override (ClaimsPrincipal.IsInRole override):
public override bool IsInRole(string role)
{
var httpClient = _httpClientFactory.CreateClient("AuthClient");
3) var accessToken = _httpContextAccessor.HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken).Result;
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var request = new HttpRequestMessage(HttpMethod.Get, "/api/auth/isinrole/?id=" + role);
var response = httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead).Result;
etc...
This isn't working while it is not sending the access_token in the request
The 'sub' isn't send
Is always null
The open source version of the PolicyServer is a local implementation. All it does is read the permissions from a store (in the sample a config file) and transform them into claims using middleware.
In order to use the permissions you'll have to add this middleware in all projects where you want to use the permissions.
Having local permissions, you can't have conflicts with other resources. E.g. being an admin in api1 doesn't mean you are admin in api2 as well.
But decentralized permissions may be hard to maintain. That's why you probably want a central server for permissions, where the store actually calls the policy server rather than read the permissions from a local config file.
For that you'll need to add a discriminator in order to distinguish between resources. I use scopes, because that's the one thing that both the client and the resource share.
It also keeps the response small, you only have to request the permissions for a certain scope instead of all permissions.
The alternative is to use IdentityServer as-is. But instead of JWT tokens use reference tokens.
The random string is a lot shorter, but requires the client and / or resource to request the permissions by sending the reference token to the IdentityServer. This may be close to how the PolicyServer works, but with less control on the response.
There is an alternative to your solution and that is to use a referense token instead of a JWT-token. A reference token is just an opaque identifier and when a client receives this token, he has go to and look up the real token and details via the backend. The reference token does not contain any information. Its just a lookup identifier that the client can use against IdentiyServer
By using this your tokens will be very small.
Using reference token is just one option available to you.
see the documentation about Reference Tokens
We have an external vendor that requires us to include a bearer token in the http request header when we communicate with the API. This token shouldn't be left in the code unencrypted so where is the best place to store it? The Named Credential type doesn't seem to support storing a simple token and the Custom Setting option seems overly complicated and unnecessary. This is a single token string that will be used for every API call regardless of which user. I have searched high and low on google and haven't found an obvious solution that works.
There are some options but they're limited for your code as end user. A determined developer/sysadmin will learn the value eventually.
If you'd build a managed package you could use a protected custom setting (managed package's code could see it but not the client code, even sysadmins)
Check some of these:
https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets
https://salesforce.stackexchange.com/questions/226110/what-is-the-best-way-of-storing-username-and-password-in-salesforce
https://salesforce.stackexchange.com/questions/478/using-transient-keyword-to-store-password-in-hierarchy-custom-setting
https://salesforce.stackexchange.com/questions/55008/is-encrypting-passwords-in-protected-custom-settings-a-security-requirement
You could make a custom setting with 2 text fields, 1 with encryption key and 1 with encrypted value in it. Look at Crypto class.
Blob exampleIv = Blob.valueOf('Example of IV123');
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, exampleIv, data);
Blob decrypted = Crypto.decrypt('AES128', key, exampleIv, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
Your initialisation vector could be org's id or something else that's easy to access and unlikely to change (I don't know if your vendor's API has test and prod endpoints but it's an added bonus that after sandbox refresh this will fail to decrypt OK until you change the custom setting... you wouldn't want to send test messages to production API), you'd generate key once & store it in setting.
In my GAE app I add rows to Google Spreadsheet.
taskqueue.add(url='/tabletask?u=%s' % (user_id),
retry_options=taskqueue.TaskRetryOptions(task_retry_limit=0),
method='GET')
class TableTaskHandler(webapp2.RequestHandler):
def get(self):
user_id = self.request.get('u')
if user_id:
try:
tables.add_row(
user_id
)
except Exception, error_message:
pass
def get_google_api_service(scope='https://www.googleapis.com/auth/spreadsheets', api='sheets', version='v4'):
''' Login to Google API with service account and get the service
'''
service = None
try:
credentials = AppAssertionCredentials(scope=scope)
http = credentials.authorize(httplib2.Http(memcache))
service = build(api, version, http=http)
except Exception, error_message:
logging.exception('Failed to get Google API service, exception happened - %s' % error_message)
return service
def add_row(user_id, user_name, project_id, question, answer, ss_id=SPREADSHEET_ID):
service = get_google_api_service()
if service:
values = [
[
user_id, user_name, project_id, question, answer # 'test1', 'test2'
],
# Additional rows ...
]
body = {
'values': values
}
# https://developers.google.com/sheets/api/guides/values#appending_values
response = service.spreadsheets().values().append(
spreadsheetId=ss_id,
range='A1:E1000',
valueInputOption='RAW',
body=body).execute()
I add many tasks with different row values.
In result I get critical errors 'Exceeded soft private limit of 128 Mb with 158 Mb' after servicing 5 requests in total.
What could be wrong here?
At first glance there’s nothing special in your code that might lead to a memory leak.
I don’t think anybody can locate it unless he’s very deeply familiar with the 3rd party libraries used and their existing bugs. So I’d approach the problem as follows:
First lets find out where exactly memory is leaking and whether it’s leaking at all.
Refer to tracemalloc, memory_profiler, heapy or whatever else you’re familiar with. Most profilers available are listed here Which Python memory profiler is recommended?
Expected outcome: you clearly know where exactly the memory is leaking, up to a code line / python expression
If the problem is in a 3rd party code, try to dig deeper into its code and figure out what’s up there
Depending on p.2 outcome
a. Post another SO question like ‘why this python code excerpt leads to a memory leak’ - ideally it should be a standalone code snippet that leads to a weird behavior free of any third party libraries and reproducible locally. Environment specification - at least python version, is appreciated
b. If the problem is in a 3rd party library and you’ve located the problem, open a bug report on github/anywhere the target project is hosted
c. If the problem is clearly in a 3rd party library and you’re unable to find the cause, open a ticket describing the case with the profiler's report attached
It seems to be that you are running instance class B1 or F1, which has a memory limit of 128 MB.
A possible solution would be to use a higher instance class. But please keep in mind that choosing a different instance class will have impact on your pricing and quotas.