I have a model called Request. A request is created with a parent User like so:
request = Request(parentUserKey)
Now, the key_name for a User is that user's email, so when I create a new user, I do:
user = User(key_name = 'abc#gmail.com')
So what I want to do now is to create a key using Key.from_path for a Request, so I try:
requestKey = Key.from_path('User', 'abc#gmail.com', 'Request', 1)
I put 1 because I will use this key to fetch all Requests with ID higher than 1 (or any other arbitrary int) via the following:
requestQuery.filter("__key__ >", requestKey)
Then for testing purposes, I try to convert the key to a string via keyString = str(requestKey), but I get the following error:
Cannot string encode an incomplete key
What am I doing wrong?
To elaborate on what Guido wrote, doing all of this work to manually create a key probably isn't the best approach to solve your problem. Rather, if you store all of User's Request entities in User's entity group, you can simply and straight-forwardly retrieve them with an ancestor query.
First, to make all of the Request entities children of User, we're going to slightly change the way that you instantiate a Request object:
request = Request(parent=parentUser) # Where parentuser is a User already in the datastore
# Do whatever else you need to do to initialize this entity
request.put()
Now, to get all of the Request objects that belong to User, you just:
requests = Request.all().ancestor(parentUser).fetch(1000)
# Obviously, you want to intelligently manage the condition of having
# more that 1000 Requests using cursors if need be.
Having the ability to manually create Keys using all of the path info is great, but it is also often more work than is necessary.
Does this solve your use-case?
A key with a 0 id is not valid. Instead of that filter, use an ancestor query.
Related
For example I have app on Flask with Postgresql. I have a some TOKENS and KEYS that stored in table companies. I need to get that tokens and keys in different places of my app. What the right way to do that? Any lazy approach?
Now I use app.config (but don't sure about app_context or before_first_request), for example:
with app.app_context():
if current_user:
app.config["CURRENT_COMPANY_ID"] = current_user.company_id
app.config["YANDEX_TOKEN"] =Company.query.filter_by(id=current_user.company_id).one().yandex_disk_token
or that:
with app.app_context():
if current_user:
g.company_id = current_user.company_id
g.yandex_token =Company.query.filter_by(id=current_user.company_id).one().yandex_disk_token
But that approaches sometimes lead to error that caused by current_user is None, or Company is None etc. And I can't recognize where and how I need store and get that TOKENS and KEY so all the users can use it after they are logged but not before that?
Find out:
It needs to update app.config constants before every user's request done. But if the current_user is not allowed (is None) then it will arise error so to make the current_user to not None we must use decorator #login_manager.request_loader
for example that code is placed in __init__ of app folder, and it solve two problems:
no empty current_user before every request we made to database via ORM.
no one request with empty app.config constants.
def set_config():
app.config['CURRENT_COMPANY_ID'] = current_user.company_id
app.config['YANDEX_TOKEN'] = Company.query.filter_by(id=current_user.company_id).first().yandex_disk_token
#login_manager.request_loader
def load_user_from_request(request):
user_id = request.headers.get('User-ID')
if user_id:
return UserModel.query.get(user_id)
return None
#app.before_request
def before_request():
if current_user.is_authenticated:
set_config()
We have an external vendor that requires us to include a bearer token in the http request header when we communicate with the API. This token shouldn't be left in the code unencrypted so where is the best place to store it? The Named Credential type doesn't seem to support storing a simple token and the Custom Setting option seems overly complicated and unnecessary. This is a single token string that will be used for every API call regardless of which user. I have searched high and low on google and haven't found an obvious solution that works.
There are some options but they're limited for your code as end user. A determined developer/sysadmin will learn the value eventually.
If you'd build a managed package you could use a protected custom setting (managed package's code could see it but not the client code, even sysadmins)
Check some of these:
https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets
https://salesforce.stackexchange.com/questions/226110/what-is-the-best-way-of-storing-username-and-password-in-salesforce
https://salesforce.stackexchange.com/questions/478/using-transient-keyword-to-store-password-in-hierarchy-custom-setting
https://salesforce.stackexchange.com/questions/55008/is-encrypting-passwords-in-protected-custom-settings-a-security-requirement
You could make a custom setting with 2 text fields, 1 with encryption key and 1 with encrypted value in it. Look at Crypto class.
Blob exampleIv = Blob.valueOf('Example of IV123');
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, exampleIv, data);
Blob decrypted = Crypto.decrypt('AES128', key, exampleIv, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
Your initialisation vector could be org's id or something else that's easy to access and unlikely to change (I don't know if your vendor's API has test and prod endpoints but it's an added bonus that after sandbox refresh this will fail to decrypt OK until you change the custom setting... you wouldn't want to send test messages to production API), you'd generate key once & store it in setting.
Is it possible to somehow extend IdentityServer4 to run custom authentication logic? I have the requirement to validate credentials against a couple of existing custom identity systems and struggle to find an extension point to do so (they use custom protocols).
All of these existing systems have the concept on an API key which the client side knows. The IdentityServer job should now be to validate this API key and also extract some existing claims from the system.
I imagine to do something like this:
POST /connect/token
custom_provider_name=my_custom_provider_1&
custom_provider_api_key=secret_api_key
Then I do my logic to call my_custom_provider_1, validate the API key, get the claims and pass them back to the IdentityServer flow to do the rest.
Is this possible?
I'm assuming you have control over the clients, and the requests they make, so you can make the appropriate calls to your Identity Server.
It is possible to use custom authentication logic, after all that is what the ResourceOwnerPassword flow is all about: the client passes information to the Connect/token endpoint and you write code to decide what that information means and decide whether this is enough to authenticate that client. You'll definitely be going off the beaten track to do what you want though, because convention says that the information the client passes is a username and a password.
In your Startup.ConfigureServices you will need to add your own implementation of an IResourceOwnerPasswordValidator, kind of like this:
services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
Then in the ValidateAsync method of that class you can do whatever logic you like to decide whether to set the context.Result to a successful GrantValidationResult, or a failed one. One thing that can help you in that method, is that the ResourceOwnerPasswordValidationContext has access to the raw request. So any custom fields you add into the original call to the connect/token endpoint will be available to you. This is where you could add your custom fields (provider name, api key etc).
Good luck!
EDIT: The above could work, but is really abusing a standard grant/flow. Much better is the approach found by the OP to use the IExtensionGrantValidator interface to roll your own grant type and authentication logic. For example:
Call from client to identity server:
POST /connect/token
grant_type=my_crap_grant&
scope=my_desired_scope&
rhubarb=true&
custard=true&
music=ska
Register your extension grant with DI:
services.AddTransient<IExtensionGrantValidator, MyCrapGrantValidator>();
And implement your grant validator:
public class MyCrapGrantValidator : IExtensionGrantValidator
{
// your custom grant needs a name, used in the Post to /connect/token
public string GrantType => "my_crap_grant";
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
// Get the values for the data you expect to be used for your custom grant type
var rhubarb = context.Request.Raw.Get("rhubarb");
var custard = context.Request.Raw.Get("custard");
var music = context.Request.Raw.Get("music");
if (string.IsNullOrWhiteSpace(rhubarb)||string.IsNullOrWhiteSpace(custard)||string.IsNullOrWhiteSpace(music)
{
// this request doesn't have the data we'd expect for our grant type
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return Task.FromResult(false);
}
// Do your logic to work out, based on the data provided, whether
// this request is valid or not
if (bool.Parse(rhubarb) && bool.Parse(custard) && music=="ska")
{
// This grant gives access to any client that simply makes a
// request with rhubarb and custard both true, and has music
// equal to ska. You should do better and involve databases and
// other technical things
var sub = "ThisIsNotGoodSub";
context.Result = new GrantValidationResult(sub,"my_crap_grant");
Task.FromResult(0);
}
// Otherwise they're unauthorised
context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
return Task.FromResult(false);
}
}
I'd like to start syncing a users mailbox going forward so I need the most recent historyId of the users mailbox. There doesn't seem to be a way to get this with one API call.
The gmail.users.history.list endpoint contains a historyId which seems to be what I need, from the docs:
historyId unsigned long The ID of the mailbox's current history record.
However to get a valid response from this endpoint you must provide a startHistoryId as a parameter.
The only alternative I see is to make a request to list the users messages, get the most recent history id from that, then make a request to gmail.users.history.list providing that historyid to get the most recent one.
Other ideas?
Did you check out https://developers.google.com/gmail/api/guides/sync ?
Depending on what your use-case is, to avoid races between your current state and when you start to forward sync, you'll need to provide an appropriate historyId. If there were a "get current history ID" then anything between your previous state and when you got those results would be lost. If you don't have any particular existing state (e.g. only want to get updates and don't care about anything before that) then you can use any historyId returned (e.g. on a message or thread) as you mention.
Small example for C# users (mentioned in comments by #EricDeFriez).
Nuget package Google.Apis.Gmail.v1 must be installed. See also quickstart for .NET developers.
var service = new GmailService(new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = ApplicationName,
});
var req = service.Users.GetProfile("me");
req.Fields = "historyId";
var res = req.Execute();
Console.WriteLine("HistoryId: " + res.HistoryId);
This answer is related to the Java Gmail API Client Library using a service account.
I found that the gmail.users.getprofile() will not work as the object that it returns is of type Class Gmail.Users.GetProfile which does not have an interface to getting a historyId.
com.google.api.services.gmail.model.Profile actually has a getHistoryId() function, but calling service.users().getProfile() will return a Class Gmail.Users.GetProfileobject instead.
To get around this, I use the history.list() function which will always return the latest historyId as part of its response.
Gmail service = createGmailService(userId); //Authenticate
BigInteger startHistoryId = BigInteger.valueOf(historyId);
ListHistoryResponse response = service.users().history().list("me")
.setStartHistoryId(startHistoryId).setMaxResults(Long.valueOf(1)).execute();
I set the max number of results to be 1 to limit the unnecessary data that I get returned back and I will receive a payload that looks like:
{"history":[{"id":"XXX","messages":[{"id":"XXX","threadId":"XXX"}]}],"historyId":"123456","nextPageToken":"XXX"}
The historyId (123456) will be the current historyId of the user. You can grab that historyId using response.getHistoryId()
You can also see that the latest historyId is given in the response if you use the API tester for Users.history: list
https://developers.google.com/gmail/api/v1/reference/users/history/list
I have some problem with CGI::Session.
I try to create a new session with an existing session id passed with the cgi object. Normally the session should reuse the existing session in the database, but it doesn't. Instead it creates a new session database entry with the exact same session id.
Here are the relevant parts of my code:
CGI::Session->name("DCGISESSID");
$session = CGI::Session->new('driver:mysql', $cgi,
{
TableName=>'DSESSIONS',
IdColName=>'id',
DataColName=>'a_session',
Handle=>$dbh,
});
$sessioncookie = CGI::Cookie->new(-name=>'DCGISESSID', -value=>$session->id, -expires=>'+1h', -path=>'/');
The code works as long as I do not set the cookie name with the name() method and use the default value CGISESSID as cookiename. But for some reason, after changing it to DCGISESSID with CGI::Session->name("DCGISESSID"); it doesn't work.
Does someone got the same problem or has any advice for me?
Solved the problem. I configured the table false, that's why id wasn't a primary key too.