How can I programmatically confirm a Cognito user without knowing its confirmation code? I can create the user using Signup() but when I call AdminInitiateAuth() to try to get a session value, I get the UserNotConfirmedException. To respond to the challenge, I try to call AdminRespondToAuthChallenge() but that requires a session parameter. Seems like a bit of a catch-22. I just need to create a confirmed user without any intervention from the user himself.
Related
I have a social media app written in Flutter. Users can see the profiles each other and block/unblock them. I'm using MySQL to keep that data. Now I want to implement chat feature using Firebase Firestore (or maybe MongoDB). When a user sends a message to another user, should I check if user blocked another user from MySQL every time, so user can't send new message. Is this a good practice in chat application, or should I store the "blocked" data at Firebase also.
I researched this subject deeply but didn't find any solution.
Like when user is trying to send a message to another user so in the list of the recipients you are also retrieving the value for (is particular user is blocked by the current user), if it's so you are checking this on that time.
Secondly, if you want this to check when sending to server. So, you can manage this using firestore transaction in which you might get the object of the sender and check to whom the sender has blocked and you may throw an exception. The other thing you might manage it using Firestore Security Rules as well.
So you can code like most of the current social media works.
Simply let the user send a message but put a condition on the receiver
user side so if the user is blocked by the receiver then it should not show
the chat in the user chat list also should not send a notification if the user
is blocked by the receiver.
I need to change the way of verifying the logged user so that instead of using a session, use a verification of a token sent in the url. The problem is that I can't find which part of the code that checks if a user is logged in when accessing the Mediawiki.
I am trying to send a login payload which is
{"username":"EMAIL","password":"PASSWORD","wnaMode":"modal"}
to https://www.zalando.nl/api/reef/login I am doing this so my program can login and get all my orders and put it in a spreadsheet automatically, however when I send the post request I get this back
Access Denied
You don't have permission to access "http://failover.www.zalando.de/waf_deny_shop.html?" on this server.
Reference #18.9f633e17.1577580584.7b7612d
What could I do?
This is a result of a bot-protection solution they use, it is working against login automations just like the one you wrote. Consider a scenario where someone is brute-forcing the password of a specific user or just tries to re-use credential dumps (AKA "credential stuffing") - this is why this defense mechanism is in place.
I'm working on a project that consumes Service Now API (Rest). To do so our client has registered us as a user in order to login and make all service calls we need to. This project has an interface where users can login once they have an account on Service Now as well, the username they type to log in has nothing to do with service now by the way, but later they associate theirs service now users to it. They can do some operations through this interface, where all of them are done using the integration user/pass not their service now users theirselves, even because they do not need to share their passwords with us. But it's needed to track the correct user to register on service now and I'm in trouble specifically about commenting on an incident. The endpoint to comment is the following :
http://hostname/api/now/table/incident/{sys_id}
where request body is a json object just as simple as :
{
"comments": "My comment is foo bar"
}
but when this comment is registered on Service Now it is under integration user instead the user which commented. Is there any way I could keep a specific user, considering I already have the user id on Service Now ready to inform it on the request the way it should be.
I tried reading Service Now documentation but had no clue how to solve it, altought I've found something about impersonate
This is happening because you're being proxied through the "Integration User" instead of your own account. As long as this is the case, your comments are going to be attributed to the Integration User.
I can think of two ways to fix this issue.
Ask the client to log you into their system directly as a user.
Implement a special API (Scripted REST API, available in Geneva or later) that allows you to identify the Incident and enter the comment, and then the script forges the comment on your behalf, attributing authorship correctly.
The first solution can be expensive due to possible additional licensing costs.
The second solution will require a willing client to devote 2-3 hours of development time, depending on the programmer.
Firstly, you need an integration user with suffient rights. Our integration user has suffient rights out of the box, but your story could be different. A quick check is to try impersonate as other user using menu.
Login as integration user to ServiceNow instance.
Go to https://{instance}.service-now.com/nav_to.do
Click on username at top right corner. This is a drop down.
There should be at least three menu items: "Profile", "Impersonate User", and "Logout". If you do not have "Impersonate User" in this menu, your integration user miss some permissions. Contact system administrator if you miss this menu item to configure appropriate permissions.
Then you need to find sys_id of user that you want to impersonate. For example:
https://{instance}.service-now.com/api/now/table/sys_user?sysparm_query=user_name={username}&sysparm_fields=sys_id
If you have suffient privileges, you could invoke the folling endpoint with sys id of user that you want to impersonate:
HTTP POST to https://{instance}.service-now.com/api/now/ui/impersonate/{user_sys_id} with body "{}" and content type "application/json". You need to provide HTTP basic authentication to this query as your integration user.
The response code on success is 200. The response body could be ignored. The interesting result of this response is a set of cookies for impersonated user in response headers. These cookies could be used for subsequent REST API calls until they expire. Use some HTTP rest client dependent method to capture them and to provide them to next calls.
For Apache HTTP Client (Java), I'm creating http client context using:
HttpClientContext context = HttpClientContext.create();
context.setCookieStore(new BasicCookieStore());
Pass thing context to impersonation request and to subsequent API calls until I get 401 reply, after that I'm reaquiring cookies. Setting new cookie store is important, as otherwise some default cookies store is used.
Two things to note:
This API looks like internal one, so it could change at any time. If it happens, look for what "Impresonate User" menu item does, and repeat it youselves.
ServiceNow permissions are quite fine-grained, so the target user could lack permissions to perform operation. In some cases, if there is no permission to update the field the operation PATCH on object returns reponse 200, but field is not updated. This introduces a surprising mode of failure when you use impersonation.
I have a requirement to generate an email to administrator whenever a user sign up. Administrator will approve the registration by clicking on a link provided in email and database should get updated, without admin to login to administrator console.
I am looking for best practice to code this scenario with keeping application security intact. I can generate email with dynamic rendom value attached to the link(provided in email) URL, but i am not sure how to keep a track of this on application side?
Any thoughts?
You could generate a random validation number when the user signs up, and store it in the database with the user record. Then generate an email with a link such as
http://foo.bar.com/approveUser.action?userId=<theUserId>&validationToken=<theRandomNumber>
When the approveUser action is invoked, check if the validation token stored in the database for the given user ID matches with the token sent as parameter, and if so, approve the user.