I am working on a chrome bookmarking extension with google app engine as the backend. I am the only user now but I thought that if in the future there are other users the url needs to include the user name for the extension to interact with the backend. So I was thinking to change
http://ting-1.appspot.com/useradminpage
to
http://ting-1.appspot.com/user_name/useradminpage
where "user_name" is the gmail user id.
But I looked at twitter url and I see that they have
http://twitter.com/#!/user_name/
What is the purpose of "#!"? Is my scheme good enough in this case?
The # in a URL signifies the 'fragment identifier'. Historically this has been used to identify a part of a document identified by an 'anchor' tag, but recently webapp developers have begun to use it to pass information about the page state to Javascript code running in the page. This is used because it's possible for Javascript code to modify the fragment of the current page without causing the page to reload - meaning it can update as you browse through the webapp, and go right back to where you were when you reload the page.
The fragment is not sent to the server when the browser loads a page, so Twitter's server just sees a request for twitter.com; it's up to the Javascript code in the page to examine the fragment and determine what to do after that.
In your particular case, assuming you're using the App Engine User service to authenticate users, you have a number of options for how to distinguish users in your URLs:
Use their email address. In theory this can change, and users may not want their address in a URL they will share. If the URLs are private, this is more or less a moot point.
Use their user_id. This is opaque and reveals no useful information about the user, so it's safe, but it's also meaningless and hard to remember.
Let users pick a nickname for their URLs, like Facebook and other services do, on a first-in, first-served basis.
Related
My scenario:
I have an application within which users keep their own journals. For some of the journal records, i want to enable them to post to their facebook timeline.
It was rather straightforward with an old api (obtaining token and posting) but with a new Sharing Product, it seems impossible because its intended to use ograph data and backlink from facebook post to the page within the app but since the journal post itself is for logged user only, i don't see a way how could it work.
So, the question is:
How to enable users to share (actually, "replicate" is more accurate word) content from their authorization protected area within my application to their facebook timeline?
PS.
I am aware of solutions like: Auto post (user behalf) on facebook but that's an old api.
You can not create new content like this any more in any automated way, you can only let your users share links.
But you can point the Share button to any URL you like (parameter href), it does not have to be that of the current page.
Facebook will follow whatever you have set as og:url or canonical, so that would have to be the version without authorization then.
That would also be the URL that users clicking on the link in that post would be redirected to.
I need to put a link into email. When user clicks on it, angularjs app should open specific page and entity. I suppose that the link should contain id of the entity. This allows to find the record on backend side and then open page.
Is it safe to publish such a link in email(I mean id of the record in DB)? Do we need to hash id?
I don't really see much trouble.
There are a lot of web pages (angular or not) which provides direct links to pages using the entity id as parameter.
In the case of angular, when another - non-authorized - user tries to enter, it will ask the backend, the backend with reject its petition and you can redirect the user to the home page. So if some user tries to access that route, he well just see the home page.
It is also true that in general (I mean, not angular specifically) some people likes to hash the id, but I don't see that as really needed.
So it comes down to the use case / personal preference. From the point of security, your backend won't give any entity even if you know every piece of it. You need to be logged in AND able to retrieve it.
I'm working on this application where the user is supposed to answer a bunch of questions.
What I want to do is protect the page that has the JSON of the question Objects, which also contains sensitive information, such as the answer(s) to the questions.
What I'm trying to do is restrict access to that page for non-admin users on the client-side (they should not be able to type and go to that URL and see the JSON on that page, they should get a 403), while allowing HTTP GET requests from non-admin users on the server-side, so I can get the questions for them to answer.
This is what I have on the client-side:
$routeProvider
.when('/questions', {
resolve: checkRoleForRoute.admin
})
And this is what I have on the server-side:
application.get('/questions', questions.getQuestions);
Both work well for separate routes, but once the route is the same, the server-side code is always executed, while the client-side code isn't. Therefore, any user that is not an admin is able to see the plain JSON when they access the URL, which is not desirable.
Any ideas on why is this happening?
Thank you.
you should add some security check on server side, before providing the JSON data back, i.e. the server should check if the data can be provided to the requesting user.
Moreover, in my opinion, the route is hackable in client-side too.
In fact, using browser's dev tool one can change or skip the 'resolve' field, if he's smart enough.
I would like to use Oauth 2 for an application in Google App Engine with Java, but I dont find any good example of that use, I would be very thankful if somebody could help me please, it is something frustrating dont find good examples, thnak you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
Its from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Otlu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/
In my app, I have to serve huge secure files ( svg drawings etc ) that I want to show only to logged in user. File do not change much, and if it does, It do have different url, so I would like to use edge cache on google app engine for faster loading to already logged in user.
My question is, how do I make it secure ? i.e. if the user logged out and if someone else use his browser can he see that content ? if so, how do I prevent it ?
Related: How do I prevent browser from remembering a url of a content on my website.
One of the solutions could be using Google Cloud Storage with ACL, i.e. in the way that only a particular logged in user has access to that file. This solution is limited to Google Accounts though.
UPDATE: Google Cloud Storage now has a short-life signed URLs:
"...you could provide a signed URL to a user which would allow the user to access that resource for a limited time. Anyone who knows the URL can access the resource for a limited time. (You specify the expiration time in the query string to be signed.)"
- so, that could be even closer to what you need.
Another solution is that you serve your huge file from your dynamic handlers. This however will consume a lot of CPU and bandwidth. Also, you'll still be limited by GAE quotas.
Related: you can't prevent browser from remembering visited URLs or any other kind of history. It depends solely on the specific browser and user preferences (not accessible to your app / javascript/whatever). The only thing you can ask your users is to clear their history, cookie and whatnot when they log out.
You could set expiration in the appconfig
Sorry I just have a german link (just try, maybe google switches to your language)
http://code.google.com/intl/de-DE/appengine/docs/java/config/appconfig.html
As long as not expired the browser could cache the file locally. This results in a small load time. However, if the cache is too small, the browser will request the file again.
A good browser will only make secured file to the logged user available.
However, you have no guarantee which browser is in use. Your user could always download secure file and publish them anywhere.
When a user give the login to third users, they could all the time access the secured files.
I don't think you could avoid to remember any links. In some way it is a contradiction to the above.