I want to integrate cybersource as a HOP i.e. the user will be redirected to the service provider to complete the payment. I am not able to find proper APIs for generating the hosted order pay for redirecting the user. Have gone through a documentation of Cybersource:
https://developer.cybersource.com/library/documentation/dev_guides/Secure_Acceptance_Checkout_API/Secure_Acceptance_Checkout_API.pdf
But it doesn't seems to be helpful. Can anyone help me with this.
a better way to do this is through java script redirect. You don't have
to use the gateway to host anything.
This method is completely PCI compliant in that it will keep you out of scope.
You generate the payment page from your web site and use a java script to
redirect PAN data to the payment server.
I don't know if Cyber Source supports this. This is the same pattern that is
used by wallet payments. Your Direct debit payments can use the same method even though PCI requirements do not apply there ( yet ).
If you want a sample java script to do this let me know
Related
I'm trying to integrate LinkedIn API v2 to the app I'm developing for my client and I need help with it. Basically, I need to allow users to fetch some of their LinkedIn profile data and save it to the platform. As I understood, the first version of the API will no longer be supported. https://developer.linkedin.com/docs
So, the problem is that the default field set I was able to retrieve is extremely limited. And it seems like I should apply for the Developer Program here to gain additional API access
https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner/marketing-developer-program
I already submitted the application but haven't yet received any response. The frustrating part is that I'm not even sure if this is what I should do to get access.
Here's what I already discovered
Here it's said that the partner's program isn't available
https://www.linkedin.com/help/linkedin/answer/97491
Here it sends me to the partner program
https://developer.linkedin.com/support/faq
Should I choose marketing? https://developer.linkedin.com/partner-programs
I suppose so because other options seem to be irrelevant. So I already applied here
https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner/marketing-developer-program
But still no answer
Here are the developers facing the same issues with no answer as well
https://www.linkedin.com/help/linkedin/forum/question/712591
https://www.linkedin.com/help/linkedin/forum/question/711176
https://www.linkedin.com/help/linkedin/forum/question/711027
Here seems to be the answer to a similar question but still, no specific link or steps to apply for a partner's program
LinkedIn API V2 - Can't get summary, skills and headline
Here they also tell about some partner's program but again without specifics
Linkedin oauth2 r_liteprofile not being returned from api
Here in the official doc, it's also said that I should apply to the program (which I did)
https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq?context=linkedin/consumer/context
I applied on the 23rd of January and I'm still waiting for the approval without even knowing if this program will give me the API access I need
So I need to know one of the following
If my application will be approved it'll give me the extended access to the API v2 (r_fullprofile permission)
If the application I submitted isn't enough what else should I do in order to get the extended access to the API v2 (r_fullprofile permission)
It feels to be a simple process and I don't really understand why it has to involve the Marketing Developer Program when I only need to access some of the fields. I'm sure there is a reason for that. Could anybody from support provide some steps that I or my client should take on order to get the API access?
I already created the app as a developer here and successfully tested it
https://www.linkedin.com/developers/apps
So, just to be clear, the problem is not in something not working technically. It's just that I receive a very limited set of field of a user's profile and I need to expand it
I'm a hobbyist student developer playing around with the Actions on Google to create a simple "text adventure" game on Google Home. Since Google Home will be speaking to the player rather than the player reading the text, I'm hoping this will create an experience similar to the "Dungeons and Dragons" roleplaying game, with the computer working as the "Dungeon Master." With the natural language assistance offered by API.AI and Actions on Google, it seemed like a good fit, since the player can respond "naturally." Here's an example of an Amazon Alexa skill that does essentially what I'm going for.
However, every time I boot up the game, it's always a new game. I'd like to store a savegame with the user's previous state in a JSON file hosted on the user's Google Drive -- Since I'm just a student doing this for fun, I don't actually have an official website or anything beyond a free Heroku server I'm running the app from, making storing saves on my end pretty much out of the question.
I've walked through the Google Drive REST quickstart for Node.js, and I've gotten that working in the console just fine. The only problem is in that quickstart, the user has to click a link to authorize the application to read the stuff in their Google Drive account, and I'm not sure how I'd be able to "click a link" and give back an access token via voice on Google Home.
Is there a way to do this via Google Drive? Or is there a better way to provide persistent data between sessions? I don't normally work in web development, so any help would be appreciated.
The bad news is you won't be able to get away from the need for a user to use his web browser to authorise your app to access his Drive.
The good news is that you only need to do this once. When your app requests authoirsation, it should specify "offline", which will result in you being given a refresh token. You should save this somewhere in your database of users. Whenever you need to access the user's Drive, you can use the saved refresh token to request an access token and you're good to go.
You have a few problems that you need to solve here, and while they seem related, they're not as related as you might hope:
You need to get authorization to access a user's Drive space
You need to authenticate the user's Home (so you know this person has come back)
You have to connect the two relationships - so you know what Drive space to use for the Home device that is talking to you
You've found the answers to (1) already, and as noted, you'll need to use a browser for them to authorize you to access their Drive. You'll then store the refresh token and will be able to access it in the future.
But that is only part of the problem. Home does not provide you access to the user's Google account directly, so you'll have to manage your own account mechanism and tie it to Home. There are a few solutions here:
Home provides anonymous user identity in the JSON sent to your webhook. You can access this using getUser().user_id if you're using the Actions API library, or access this in the data.user.user_id field in the JSON. While this is similar to a browser cookie, it only stores the user ID and can't store additional data. There is also no concept of "local storage". On the plus side, this ID is consistent across devices.
You can request user information such as their name and address. But it doesn't have anything unique or account information, so this probably isn't useful to you.
You can implement an OAuth2 server and do account linking. Note that this is the other side from what you need to do with Google Drive - you'll be providing the access and refresh tokens to authenticate and authorize access to your account and the Google Home device will send these tokens back to you so you can determine who the user is. You don't actually need to store account information - you can provide token information using JSON Web Tokens (JWT) or other methods and have them store account information in a secure way. Users will use the Google Home app to actually sign-in to your service as a one-time event.
In order to handle (3), you may be thinking that (1) lets you get tokens and the OAuth solution for (2) requires you to hand out tokens. Can the two be combined? Well... probably, but it isn't as straightforward. You can't just give the Google OAuth2 endpoints to Home - they explicitly block that and you need to control your OAuth2 endpoints. You may, however, be able to build proxy endpoints - but I haven't explored the security implications of doing so.
I think you're on the right track - using Drive is a good place to store users' information. Using Home's account linking gives you a place where they have to come to your web site to authenticate and authorize their Home, and you can use this to do the same for their Drive.
I am trying to work out an application using
Dotnet Core 1.0
MySQL as the data store
Authetication and Authorization
Entity Framework
Ubuntu 16 machine
I have succeeded in creating a sample API to fetch data from MySQL database using entity framework. Now I want to introduce Authentication using email as username and Password.
I tried several method from different blogs but unable to achieve this.
What I am trying to achieve is Custom Authentication for the api where user will send username and password to login Api. The login Api will return an access token and refresh token. Using this access token, the user can call other APIs.
Later on I want to add Google and Facebook Authentication too.
Is there a way to do this?
Everything you want to achieve is possible. However there are some caveats.
Yes you can do this. You will need to use the resource owner grant which is turned off in identityserver 4 by default. I suspect the reason for this is because passing user credentials into an application is an anti-pattern, it is there to typically support legacy systems, also it does not authenticate users in the explicit sense because the credentials could come from an un-trusted source (as an example). You can read up about the grant's generic value here. You can find samples here.
The safer pattern is to use something like Implicit Flow which is good practice if you cannot guarantee trust between clients and your API.
As for social logins this is possible. There are tonnes of samples online but here are the official docs.
There is a project on github, https://github.com/diogodamiani/IdentityServer4.MongoDB and a corresponding nuget package that will send you in the right direction. It's obviously MongoDb, but the same premise applies.
I am building a basic app using node.js and mysql and just getting a hang of it, I would like to secure the api,like only allow certain people to access the data, maybe by passing a certain token each time a user requests for some information, I tried searching for certain tutorials which used node.js and mysql database and security, I am confused as to which security measure to use, I even read about Json Web Tokens but din't find a proper tutorial for that.Please point me in the right direction.
EDIT
What I meant to say was, only authenticated users are allowed to get access to data in the api, when a random visitor tries to access a URL he shouldnt be alowed to without proper authentication,what I am mostly looking for now is when a user is authenticated the user should be a sent a token of some sort so then gets access to private data,I don't exactly know how to go about this whole thing.Would be glad if you could clear it up for me.
I would look at implementing Oauth2 server in your app. I found this article useful:
http://blog.papersapp.com/oauth-server-in-node-js/
No sure what your exact question is about, but I think the below will help:
Node.js security tips: http://blog.risingstack.com/node-js-security-tips/
Secure Express apps with various HTTP headers: https://github.com/helmetjs/helmet
Go on an educational Web security adventure: https://github.com/toolness/security-adventure
Node.js Security presentation: http://www.slideshare.net/d0cent/nodejs-security?qid=c450507b-e491-4e9a-9b05-89d0c82ea10b&v=default&b=&from_search=6
Take a look at http://passportjs.org/ . Passport has support for alot of authentication methods, however, for your API, you will probably want to use OAuth (http://passportjs.org/docs/oauth2-api). OAuth is what most popular APIs use to authenticate consumers.
For simple projects, You can also use basic authentication, which is what you see when you see the browser prompt asking for username and password. This authentication information can be sent in the header when API consumers makes requests.
Hi I have an HTML5 app which has a User Login. The app has a Notes option. I am looking for a service which would help me to sync the notes for that user account. So the same user can login in a different device and see the Notes in their device. I cannot use iCloud as Android doesnt support it.
We tried to store the notes in the user db using jsonp but still had some issues.
Someone mentioned about Pusher.com but looks like the service is expensive for a starter like us. Is there any more reliable and cheap options for us? W
Parse is probably more in line with what you are looking for. Pusher provides a service for sending push notifications, but you mentioned the need to store data in the cloud. Parse can accomplish this and does have a free basic plan that you can get started with.