I have created an Android application with C# on the server side. Following this tutorial, I am using Json web service. Everything is working well, but the only issue is if someone hits www.mydomain.com/Handler.ashx?ANDROID, then all the methods written on server side are downloaded as a text file and the code can be read easily.
What I want to do is that the server should respond only if request is being made from my android application. If someone(hacker/cracker) hits the url, then he should not be able to download the code and should be redirected to some specific page saying unauthorized access prohibited.
Can someone help me with this? Let me know if this question is not clear.
What you can do is to pass a key from your android app for check.
I don't know C# but in PHP it can be something like this -
In your C# file, somewhere near the top of the file, check for a key value sent with a post method. If there is no key passed or wrong key passed, redirect to some other page.
$required_key = "Udsd728392jsakk22";
if(($_POST['key'] == null) || ($_POST['key'] != $required_key)){
//redirect to some other page
header("Location: www.myexampledomain.com/error.php");
}
And from your android app, when you are sending request to the URL, send with a key.
Related
I have a Blazor app that will be opened via a parent site into a child window. I then want the Blazor app to Post information back to the parent site using this function:
function OpenDocument(URL) {
window.opener.postMessage(URL, "*");
return false
}
This function is triggered by a switch case depending on what file the user clicks on. This is the switch statement code.
string res = "url string" ;
await JSRuntime.InvokeAsync<string>("OpenDocument", Res);
This is the error message that I am getting in Chrome when the javascript function is triggered.
blazor.server.js:formatted:2869 Uncaught (in promise) Error: Cannot send data if the connection is not in the 'Connected' State.
I have looked around for information on this problem and can't seem to find much on it. Any help would be appriciated.
Discovered a work around for anyone that might encounter this problem. Open a blank webpage with a url paramater as the message you want to post and have the blank web page post the message for you. If anyone has any better solutions please post them anyway.
I'm starting to develop an application for fun that uses OAuth2. I'm using this API from Trakt http://docs.trakt.apiary.io/#reference/authentication-oauth/authorize/authorize-application
Right now, what I want to do is the authentication, but having some problems with the code.
I have no nuget packages helping, and here's the code I have.
System.Uri myUri = new System.Uri("https://api-v2launch.trakt.tv/oauth/authorize?response_type=code&client_id=" + CLIENT_ID + "&redirect_uri=urn:ietf:wg:oauth:2.0:oob");
webBrowser.Visibility = System.Windows.Visibility.Visible;
webBrowser.Navigate(myUri);
CLIENT_ID is given by the website API, and it says to put "urn:ietf:wg:oauth:2.0:oob" for local tests.
When I run the application, I get a page to login, then I get the "Authorize" and "NO" question. If I click the authorize, It gives me a code, which i'll need to use after.
Though, I'm having an hard time to do a GET method to get that code, or to get the error if the person clicks "NO"
Can you guys help me? With a single GET method, I should be able to do the POST method and continue to develop the application.
Thanks for help
There are two things you need to do.
1) You need to set the URI to: ms-app://{package-security-identifier}
The package identifier is your unique app id.
2) In Trakt you need to add this redirect URI (you do this in your application settings).
Check this Facebook Developer post for details about using their login flow, it is similar: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2
I'm using Google Apis, instead of Google Sign In, to connect to Google on my app because I'm developping with Xamarin.
This is the library I'm using : https://github.com/xamarin/google-apis
When I'm logging in, i get this error :
Authentication Error
Unexpected character '<'. At line 1, column 0.
Maybe it's because my AccessTokenUrl is not good, but I've tried many things. I know for a fact that my ClientId, my RedirectUrl and my Secret are okay.
When logging in, Google asks correctly for the good permissions that I want, but after I accept, this is when I receive the error.
I've tried finding the request to see if there was the '<' in it but had no luck accessing it.
Is there a good way to connect to Google with Xamarin using this library or I'm just doing something bad?
Should I just do it nativaly on iOS and Android?
Thanks
I just encountered a similar problem using Xamarin.Auth to hit a custom OAuth service (i.e. not Google). In my case, the accessTokenUrl pointed to an action on a controller that was entirely protected by the [Authorize] attribute. Naturally, the user was required to login before hitting the /oauth/authorize endpoint using a web browser, but the request to /oauth/token to exchange the resulting authorization code for an access token was not inside the same web browser/session. It was trying to get back token data in JSON format but was being redirected to an HTML login screen. Once I changed the token endpoint for anonymous access, things started working (Note: A valid authorization code cannot be obtained without authenticating).
General Recommendations
The error message strongly suggests that the response coming back is HTML (or at least some form of XML). This could be an authentication redirect as it was in my scenario, or possibly some sort of error page. I would first start by setting up a proxy. I used Charles Proxy to uncover some interesting information. You will need to configure SSL on the proxy to see anything except high level information. This will show the exact requests coming out of your app to the OAuth application.
Another technique I used was simulating the requests that the OAuth2Authenticator would be making in a web browser and/or Postman. The first request would be to authorize:
https://your.domain.here/oauth/authorize?client_id=<some_client_id>&redirect_uri=https%3A%2F%2Fyour.domain.here%2F&response_type=code&scope=<some_scope>&state=<some_state>
That endpoint should be protected, so you will likely be redirected to something like this:
https://your.domain.here/Account/Login?returnurl=%2Foauth%2Fauthorize%3Fclient_id%3D<some_client_id>%26redirect_uri%3Dhttp%253A%252F%252Fyour.domain.here%252F%26response_type%3Dcode%26scope%3D<some_scope>%26state%3D<some_state>
After authenticating, the authorize endpoint should redirect to your redirect URI with the authorization code and state included as query string parameters. You will use the code in the next step.
Lastly, using a fresh web browser (i.e. new session), you should hit the token endpoint with your new authorization code and other client information.
https://your.domain.here/oauth/token?client_id=<some_client_id>&client_secret=<some_secret>&grant_type=<your_grant_type>&code=<your_authorization_code>&redirect_uri=https%3A%2F%2Fyour.domain.here%2F
If the response is not JSON data, it should give you an indication about what is failing with Xamarin.
Got the same error.
Solved by using https://accounts.google.com/o/oauth2/token as AccessTokenUrl
This is my first time developing this kind of system, so many of these concepts are very new to me. Any and all help would be appreciated. I'll try to sum up what I'm doing as efficiently as possible.
Background: I have a web application running AngularJS with Bootstrap. The app communicates with the server and DB through a web service programmed using C#. On the site, users can upload files and reference them later using direct links. There's no restriction to file type (yet), so just about anything is allowed.
My Goal: Having direct links creates a big security problem for me, since the documents/images are supposed to be private data. What I would prefer to do is validate a user's credentials when the link is clicked, then load the file in the browser using a more generic url path.
--Example--
"mysite.com/attachments/1" ---> (Image)
--instead of--
"mysite.com/data/files/importantImg.jpg"
Where I'm At: Not very far. My first thought was to add a page that sends the server request and receives a file byte stream along with mime type that I can reassemble and present to the user. However, I have no idea if this is possible using a web service that sends JSON requests, nor do I have a clue about how the reassembling process would work client-side.
Like I said, I'll take any and all advice. I'd love to learn more about this subject for future projects as well, but for now I just need to be pointed in the right direction.
Your first thought is correct, for it, you need to use the Response object, and more specifically the AddHeader and Write functions. Of course this will be a different page that will only handle file downloads, so it will be perfectly fine in your JSON web service.
I don't think you want to do this with a web service. Just use a regular IHttpHandler to perform the validation and return the data. So you would have the URL "attachments/1" get rewritten to "attachments/download.ashx?id=1". When you've verified access, write the data to the response stream. You can use the Content Disposition header to set the file name.
I'm trying to parse through and obtain my (my personal account not my app) albums from Facebook using the Facebook C# SDK. My goal is to grab the 10-12 most recent photos on my account. However, I understand I have to grab the albums first.
So, I've tried numerous things and ended up with the following url which returns a 400 Bad Request:
https://graph.facebook.com/{my_user_id}/albums?access_token={my_access_token}
The token was obtained by calling:
https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&grant_type={2}&scope={3}
Any ideas why I'd be getting the 400?
When using grant_type = client_credentials you're requesting the an app access token. This will allow you to do various administrative actions for your application. See App Login in http://developers.facebook.com/docs/authentication/.
However, when using the user-parts of the Graph Api you need to perform a User Login using the oAuth Dialog. There are different ways of doing this such as with the Javascript SDK which should be straightforward to use.
I've not found a nice way of doing this in a standalone web app using Facebook C# SDK without the Javascript SDK (it's easy in a canvas app using the CanvasAuthorize attribute).
Here's an example of how to do it i a WinForms app http://blog.prabir.me/post/Facebook-CSharp-SDK-Writing-your-first-Facebook-Application.aspx. It might work in a Asp.Net app if you could use the WebBrowser control. I've tried with WebClient but didn't have any luck.
Update
By looking at the sample here http://facebooksdk.codeplex.com/SourceControl/changeset/view/534da45e108f#Samples%2fCSMvcWebsite%2fControllers%2fHomeController.cs it looks like you should be able to use the FacebookAuthorize attribute in a standalone site.
Error code 400 means that the request was not correctly formatted. Verify that that the Final URL looks OK and try it in a browser.
The request could not be understood by
the server due to malformed syntax.
The client SHOULD NOT repeat the
request without modifications.
I.e. that you try the following https://graph.facebook.com/someuser/albums?access_token=1234 You would pre presented with the following:
{
"error": {
"type": "OAuthException",
"message": "Invalid OAuth access token."
}
}
If you provide an OK token and a real user, the result will probably look a bit different, but in your case you get a 400 because there is something wrong with the request.