Alexa account linking - How to store more than access token - alexa

When I link an account with a third party they send an access token as well as the user's username.
Alexa automatically saves the access token and gives it with each request. How can I get it to save the username as well?

This is intentionally not supported in order to protect the user's privacy. That is a good thing.
Alexa does provide a userID with each call. This id is specific to each user, and the same every time they use your skill. It doesn't give you any personal information, but it does allow you to save information for each user to your own database. You can associate that user's data with the userId and recall it every time they use your skill.
So for example, you can ask the user for a name, save it to your database keyed by the userId, and recall it at a later date using the userId.
Search on "alexa user information" for more info, for example this post.

Just encode the user name and/or any other information to the token itself.
For example you can use JSON Web Token - https://jwt.io/ - wich is an RFC 7519
It is intended exactly for the use case when you you don't want to make an additional request(s) just to retrieve some rarely changing info.
Regards caching/refreshing you can issue token for limited amount of time (an hour?).

Related

YouTube API | How do you reliably find channel's username or channelId?

For my application I need to retrieve a channel's ID, which can be done using a channel's username via channels().list(..., forUsername=username, ...).
The issue I have is that a channel's username is not as obvious as you would think. For example, talkSPORT's channel's username is actually talkSPORTMagazine. The only way I have been able to extract this is from their main page's URL.
talkSPORTMagazine
talkSPORT
However, a channel's main page's URL does not reliably include their username: sometimes it does, sometimes it includes their ID, or sometimes nothing at all.
If I don't use a channel's actual username then I cannot extract their channelID, something I need to request videos.
Is there a way I can reliably find a channel's username?
The answer to your question is unfortunately negative: there's no reliable way to find a channel's user name.
That's because user names are a legacy feature of the API v3: not every channel has one attached and no channel is required to have one attached. (See this official statement from Google staff from 2013-07-11.)
I warmly recommend to make your app such that it not rely on user names identifying channels; do arrange your app logic (both internal and external) such that to base it on channel IDs.
For what concerns channel URLs using user names, please follow this answer of mine: How to find the forUsername parameter for a specific channel.

Do I need to hash refresh token stored in database?

I am working on a web application that is using Go in the backend and JWT based authentication. When users logged in, I send them access token with a short expiration time and a refresh token with a long expiration time. Both of these tokes includes username as their payload. They are created with different secrets. My question is about log out. When a user sends a log out request, I want to invalidate it's refresh token so that they are needed to log in again after log out. For solution, I am going to store that refresh token in a blacklist table in my database. My question is that should I need to hash that refresh token before storing it in the database. Thanks.
One of the standard JWT claims (RFC 7519 ยง4.1.7) is "jti", which is a unique identifier for the token. If you include a unique identifier in your refresh token, then it's enough to store the "jti" and "exp" (expiration) claims in the database. (I'd default to using ("github.com/satori/go.uuid").NewV4 to generate the "jti" as a random UUID, and that's internally backed by the "crypto/rand" random-number generator.)
Now if you're presented a refresh token, you can do your usual checks that it's correctly signed and unexpired, and then look up the "jti" in the database. If it's not on the blacklist, then it's good for reuse. You only need to keep "exp" in the database to know when it's safe to clean records out. Since the "jti" is just a random identifier, you can't get back from the "jti" to any identifiable information so there's no particular need to hash or encrypt it.
If you don't have a "jti" and can't add one, I'd probably either hash the token or just keep a copy of the claims. Partly this is for space reasons, and partly you don't want to store something that's actually a valid credential. Keep enough information that you can uniquely identify a token; possibly the "sub" and "exp" time together are enough information (if two tokens issued to the same subject expiring at the same second are indistinguishable).

Allowing users limited access only if they purchased successfully from stripe

I am building a react site where users can purchase a "day", "weekly" or "monthly" pass for the content on the page. I only want to allow them access for a day if they purchase a day pass. Same for weekly and monthly. I am using JWT to keep users logged in. I have no idea how to create the functionality to verify if they should still have access or not. Would love some help. I am also using redux if that helps.
You need to start thinking about Authentication and Authorization separately. Your JWTs are (hopefully) performing the Authentication duty. The "limited access" you're asking about are the concern of Authorization. In other words: now that you know who this user is, what are they allowed to do?
You need to map your JWTs to some form of internal user id, and then determine if they can or cannot access the requested resource/endpoint/etc.
For example, you might allow all users to GET from /jobs to view the listing of job postings, but if they try to POST to /apply for a job, you verify that they are a "premium" user, with time remaining on their paid subscription.

Does exposing a user's uid in the url pose a security threat for Firebase?

I've got a small review system built in AngularJS and Firebase and the only way to identify which review is made by which user is via the uid of the user. The idea is when you then click on the user's name, you should be taken to the profile of that user.
So I would then create a route looking like /profile/{{review.author.uid}} which could translate into /profile/facebook:123234243 for example.
My question is, does it pose a security threat showing the uid in the url like this? Can it be used for any malicious actions against a user's third party account etc?
I've tried looking through their website but I can't find anything on this subject.
EDIT: Note that I need a Firebase specific answer, not a generic one about database id:s.

How to shibbolize a website

I have an application that uses email addresses for user authentication.
I know that some universities use Shibboleth for user authentication, and I was wondering what the process is for being able to read emails from the university database that is used for Shibboleth. Note that I do not care about authentication through Shibboleth, I only need to be able to read the email addresses.
Is it general for all universities that use Shibboleth, or is each a unique case?
Any links to documentation on how to do this process would be greatly appreciated. Thank you.
Shibboleth can be configured (IdP-side) to release user attributes along with authentication data, for example the user's email address. Client-side, assuming you're going though shibd, you'll need a setting in your attribute-map.xml that says "map attribute with OID x.y.z.a to environment variable USERMAIL" and then you get the result in that environment variable. The example config should already contain it.
This would be the same for everybody insofar as the OID for "email" is always the same, but you'd have to negotiate with the IdPs (universities) or their federations so that they will actually release that attribute to you.
Shibboleth is used by many institutions, but by no means all. Many use Athens, proxies or IP recognition, among other things.
As far as I am aware, a user's email address is not tied directly to the Shib system. When a user tries to access a Shibboleth-protected resource they are taken to their institution's login page to authenticate themselves. They might enter their email address to authenticate or they might enter a username, they might be auto logged-in based on their IP address, or something else.
The institution does send back an affiliation through Shib data transfer upon successful login, something like student#brown.ac.uk but this is not necessarily the email address the user used to login. I guess they could send that but it has not been used in system's I've worked on.
Shibboleth is commonly used to check that the user is from an institution that has purchased access to a protected resource rather than identifying a particular user from that institution so the user's email isn't needed.
Not sure if this helps at all: http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation

Resources