Exchange - Push notifications using Exchange Web Services - exchangewebservices

I was looking into implementing an Exchange/O365 mail notification service using Exchange push notifications. To subscribe to notifications one has to use the subscribe web service/REST API with a callback URL. Upon successful subscription Exchange will call the URL with notification events for the user.
Suppose the callback URL will be hosted as a web service in our environment (cloud); it has to be publicly accessible. That raises security concerns. I browsed through MSDN and couldn't find any way to secure this (security key/tokens/auth) callback notification event.
I want to know what options are available to make these notifications secure, OR whether the push notifications approach is not recommended at all in such scenarios. The streaming notifications approach is not possible because it requires admin credentials, and the third-party client who would like to use email notifications via our service will reject such an option.
Do let me know if any clarification is required.
Thanks in Advance!

Related

Should I treat an Expo Push Notifications Token as a sensitive information? If so, how do I send notifications in a secure way?

In my app, after a user sends a message to someone, another function is triggered to notify the receiver. For that, the sender has to have the receiver's push token (front end). My question is: Is that safe? Is there a better approach?
I'm using Firebase but I couldn't figure out a way to send this notification through Google Cloud Functions...
Yes, you can treat it as sensitive information. Tokens could contain information that, if a malicious user accessed it, could be used to impersonate your app and send their own messages to users. While there's no reported instance (yet), it would be wise to follow the best security practices.
According to this documentation on Sending Notifications with Expo's Push API:
We offer the use of an access token alongside the push token as an additional layer of security.
If you're using the expo-server-sdk-node, upgrade to at least v3.6.0 and pass your accessToken as an option in the constructor. Otherwise, pass in the header 'Authorization': 'Bearer ${accessToken}' with any requests to our push API.
Any requests sent without a valid access token after you enable push security will result in an error with code: UNAUTHORIZED.
You can check this blog on Implementing Push Notifications with Expo and Firebase Cloud Functions on how to push notifications securely.
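The approach the answer points at, as an added example that is not code from the original answer or from Expo: the sender never holds the receiver's push token; the server resolves recipient user ids to tokens it stored when the receiver's own device registered, validates the token format, sends with the access token in the Authorization header, and drops tokens that Expo reports as unregistered. Assumed here are Node.js 18+ (global fetch), Expo's push endpoint https://exp.host/--/api/v2/push/send, the "ExponentPushToken[...]" token format, and an EXPO_ACCESS_TOKEN created under the project's push security settings; the token store is constructed in memory for illustration.

```javascript
// Added example (not from the original answer or from Expo): server-side Expo push sending in Node.js 18+.
// Assumed: the Expo push endpoint, the ExponentPushToken[...] format, and an EXPO_ACCESS_TOKEN environment variable.
const EXPO_PUSH_URL = 'https://exp.host/--/api/v2/push/send';

// Constructed sample store: recipient user id -> push token. In production this is a database row written by the
// receiver's own device at registration time; senders only ever hand the server a user id, never a token.
const tokenStore = new Map([
  ['user-42', 'ExponentPushToken[aaaaaaaaaaaaaaaaaaaaaa]'],
  ['user-7', 'not-a-push-token'],
]);

// Same shape as expo-server-sdk's token check: reject anything that is not an Expo push token before sending.
function isExpoPushToken(token) {
  return typeof token === 'string' && /^Expo(nent)?PushToken\[[^\]]+\]$/.test(token);
}

// Resolve recipient ids to messages server-side. Unknown users and malformed tokens are skipped.
function buildMessages(recipientIds, title, body) {
  const messages = [];
  for (const id of recipientIds) {
    const token = tokenStore.get(id);
    if (!isExpoPushToken(token)) continue;
    messages.push({ to: token, title, body, sound: 'default' });
  }
  return messages;
}

// The access token goes in the Authorization header, as the Expo docs quoted above require.
function buildRequest(messages, accessToken) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Accept: 'application/json',
      Authorization: `Bearer ${accessToken}`,
    },
    body: JSON.stringify(messages),
  };
}

// Push tickets come back in the same order as the messages. A DeviceNotRegistered error means the token is
// dead (app uninstalled or token rotated); drop it so the store stops addressing a device that is gone.
function handleTickets(messages, tickets) {
  const dropped = [];
  tickets.forEach((ticket, i) => {
    if (ticket.status === 'error' && ticket.details && ticket.details.error === 'DeviceNotRegistered') {
      const dead = messages[i].to;
      for (const [userId, stored] of tokenStore) {
        if (stored === dead) {
          tokenStore.delete(userId);
          dropped.push(userId);
        }
      }
    }
  });
  return dropped;
}

// Full send: returns the user ids whose tokens were dropped because Expo reported them as unregistered.
async function sendPush(recipientIds, title, body, accessToken = process.env.EXPO_ACCESS_TOKEN) {
  const messages = buildMessages(recipientIds, title, body);
  if (messages.length === 0) return [];
  const res = await fetch(EXPO_PUSH_URL, buildRequest(messages, accessToken));
  if (!res.ok) throw new Error(`push request failed: ${res.status}`);
  const { data } = await res.json();
  return handleTickets(messages, data);
}
```

With this layout the client-side code only ever calls something like sendPush(['user-42'], ...) through your own authenticated API; the push token and the Expo access token both stay on the server.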

Receive push notification from server when app is closed

I need advice after reading a lot about receiving push/toast notifications regardless of the status of the application (closed or open).
The application communicates with a NodeJS API.
The idea is that a user logs in once to the application and can then receive notifications (depending on his account): if the user restarts his system, for example, at startup he receives notifications without having to open the application (like the Mail application, for example).
Most tutorials on MSDN use Azure and I don't use this. I would like to know if you have tips or links (tutorials, ...) for doing this in a UWP (or WinRT) application.
Thanks in advance for your help.
Regards
You can send push notifications from your NodeJS API via Windows Notification Service. This service has nothing to do with Azure, but when using Azure Notification Hubs it will be easier to get it implemented; again, this is not required.
In essence:
- register your app in Dev Center
- obtain a client ID and client secret to use WNS in Dev Center
- When your app launches, it obtains a push notification channel URI and sends this to your backend. Your backend needs to save all the URIs for the different devices
- When you have a notification, select the URIs of the devices you want to send the push notification to
- post an XML message (based on what you want to update: tile, toast, badge or raw) to the URIs. To be able to post you need to authenticate with the client ID and client secret
more detailed read: https://msdn.microsoft.com/en-us/windows/uwp/controls-and-patterns/tiles-and-notifications-windows-push-notification-services--wns--overview#
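The backend half of the steps above, as an added example that is not the answer's own code: obtain an access token from WNS with the client ID and secret, then POST a toast to each stored channel URI. Assumed here are Node.js 18+ (global fetch), the WNS token endpoint https://login.live.com/accesstoken.srf with the client_credentials grant and scope notify.windows.com, the X-WNS-Type header, and that channel URIs are sent up by the client app. Because the channel URI comes from the client, the example refuses to post to any host that is not a *.notify.windows.com HTTPS endpoint; otherwise a malicious client could register https://attacker.example/ as its "channel" and harvest your bearer token from the request.

```javascript
// Added example (not the original answer's code): WNS toast delivery from a Node.js 18+ backend.
// Assumed: WNS_CLIENT_ID / WNS_CLIENT_SECRET are the Package SID and secret from the app's Dev Center registration.
const WNS_TOKEN_URL = 'https://login.live.com/accesstoken.srf';

// Only ever POST to genuine WNS channel hosts; the URI was supplied by the client and must not be trusted blindly.
function isWnsChannelUri(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch (err) {
    return false;
  }
  return u.protocol === 'https:' && u.hostname.endsWith('.notify.windows.com');
}

function escapeXml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;' };
  return String(s).replace(/[<>&'"]/g, (c) => map[c]);
}

// Toast payload; untrusted text is escaped so a user-supplied title cannot inject toast markup.
function buildToastXml(title, body) {
  return `<toast><visual><binding template="ToastGeneric"><text>${escapeXml(title)}</text><text>${escapeXml(body)}</text></binding></visual></toast>`;
}

// Client-credentials body for the WNS token endpoint (application/x-www-form-urlencoded).
function tokenRequestBody(clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: 'notify.windows.com',
  }).toString();
}

async function getAccessToken(clientId = process.env.WNS_CLIENT_ID, clientSecret = process.env.WNS_CLIENT_SECRET) {
  const res = await fetch(WNS_TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: tokenRequestBody(clientId, clientSecret),
  });
  if (!res.ok) throw new Error(`WNS token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Map the WNS reply to an action: 'sent', 'expired' (delete the stored channel URI),
// 'token' (fetch a new access token and retry) or 'retry' (transient, back off and try again).
function classifyWnsStatus(status) {
  if (status === 200) return 'sent';
  if (status === 404 || status === 410) return 'expired';
  if (status === 401) return 'token';
  return 'retry';
}

async function sendToast(channelUri, accessToken, title, body) {
  if (!isWnsChannelUri(channelUri)) throw new Error('refusing to post to a non-WNS channel URI');
  const res = await fetch(channelUri, {
    method: 'POST',
    headers: {
      'Content-Type': 'text/xml',
      'X-WNS-Type': 'wns/toast',
      Authorization: `Bearer ${accessToken}`,
    },
    body: buildToastXml(title, body),
  });
  return classifyWnsStatus(res.status);
}
```

Channel URIs expire (the app should re-upload its URI on every launch), so treating 404/410 as a signal to delete the stored URI keeps the backend from endlessly retrying dead channels.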

Sign In on Exchange Online EWS

What is the correct way to perform a sign-in on O365 Exchange in order to use EWS? I know that ADAL exists to perform authentication against O365, but since the code is highly tied to the tenant, ADAL is not a solution for my problem.
I'm developing an iOS App that needs to interact with Exchange (O365) and I'm unable to perform the authentication correctly.
To use Exchange Web Services in Office 365, you can either use Basic authentication or OAuth. OAuth (which I think is what you mean by ADAL) is the recommended method. It's not tied to a tenant, but it does require that you register your application in a tenant (can be your own developer tenant) to get a client ID.

Does Box.net SDK or API supports notification for any changes(add/delete/modification of any file or Folder)

Is it possible to get notifications at the application level on the client side in iOS (and Android) whenever some change happens, like a new file/folder being added or removed on Box.net? Please confirm if the SDK supports this behaviour; if not, is there any way to implement this behaviour on the client side?
Thanks.
You should be able to get notifications about events happening in a user's account by using the /events endpoint:
http://developers.box.com/docs/#events
Essentially, you'll need to authenticate as the user via OAuth2 and issue an OPTIONS request to the /events endpoint to get a realtime server URL. You should set up a long poller to poll that realtime server, and when it issues a response that notifications are available, issue an authenticated GET request to /events?stream_type=....
Both the iOS SDK and the Java/Android SDKs should support this.
https://github.com/box/
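The OPTIONS / long-poll / GET sequence from the answer, as an added example that is not the Box SDK's code or the answer's own: a Node.js 18+ client (global fetch, AbortSignal.timeout) that asks for a realtime server, waits on it, and then fetches the changes past its stream position. Assumed here are the https://api.box.com/2.0 base URL, an OPTIONS /events reply of the form {entries: [{type: "realtime_server", url, retry_timeout}]}, the "new_change" and "reconnect" long-poll messages, and that stream_position=now returns the current cursor; the JSON in the usage test is constructed.

```javascript
// Added example (not Box SDK code): the /events long-poll loop in Node.js 18+ with an OAuth2 access token.
const BOX_API = 'https://api.box.com/2.0';

// Pick the realtime server out of the OPTIONS reply. retry_timeout is the number of seconds the long poll may hang.
function parseRealtimeOptions(json) {
  const entry = (json.entries || []).find((e) => e.type === 'realtime_server');
  if (!entry || !entry.url) throw new Error('no realtime_server entry in OPTIONS /events reply');
  return { url: entry.url, retryTimeoutSec: Number(entry.retry_timeout) || 600 };
}

// The realtime URL already carries a channel query parameter; stream_position is the cursor we are waiting past.
function buildLongPollUrl(realtimeUrl, streamPosition) {
  const u = new URL(realtimeUrl);
  u.searchParams.set('stream_position', String(streamPosition));
  return u.toString();
}

// What to do with a long-poll reply: fetch events, reconnect (ask OPTIONS for a fresh URL), or ignore.
function classifyLongPoll(json) {
  if (!json || typeof json.message !== 'string') return 'ignore';
  if (json.message === 'new_change') return 'fetch';
  if (json.message === 'reconnect') return 'reconnect';
  return 'ignore';
}

// Reduce a GET /events page to the item changes and the cursor for the next call.
function summarizeEvents(json) {
  const changes = (json.entries || []).map((e) => ({
    type: e.event_type,
    itemType: e.source ? e.source.type : undefined,
    itemId: e.source ? e.source.id : undefined,
    name: e.source ? e.source.name : undefined,
  }));
  return { next: json.next_stream_position, changes };
}

async function getJson(url, accessToken, init = {}) {
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` };
  const res = await fetch(url, { ...init, headers });
  if (res.status === 401) throw new Error('access token rejected; refresh it and restart the loop');
  if (!res.ok) throw new Error(`${init.method || 'GET'} ${url}: ${res.status}`);
  return res.json();
}

// Runs until onChange returns false; returns the last stream position so a restart can resume from it.
// Starts from "now" so the account's whole history is not replayed on first run.
async function runEventLoop(accessToken, onChange) {
  let position = (await getJson(`${BOX_API}/events?stream_position=now`, accessToken)).next_stream_position;
  for (;;) {
    const opts = await getJson(`${BOX_API}/events`, accessToken, { method: 'OPTIONS' });
    const { url, retryTimeoutSec } = parseRealtimeOptions(opts);
    for (;;) {
      let reply;
      try {
        reply = await getJson(buildLongPollUrl(url, position), accessToken, {
          signal: AbortSignal.timeout(retryTimeoutSec * 1000),
        });
      } catch (err) {
        break; // timed out or the realtime server went away: get a fresh URL from OPTIONS
      }
      const action = classifyLongPoll(reply);
      if (action === 'reconnect') break;
      if (action !== 'fetch') continue;
      const page = summarizeEvents(
        await getJson(`${BOX_API}/events?stream_type=changes&stream_position=${position}`, accessToken)
      );
      position = page.next;
      for (const change of page.changes) {
        if (onChange(change) === false) return position;
      }
    }
  }
}
```

Persist the returned stream position between runs; replaying from a saved cursor rather than from "now" is what keeps a mobile client from missing changes that happened while it was in the background.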

box.com api OAuth authentication

Either I'm dense, or the docs assume I already know what they're telling me, but I need some clarification on doing authentication for a box.com app. I really don't understand what's going on. As I read it:
1. The app running on the user's machine sends a request to Box, including all the little secrets (which aren't all that secret any more if the user knows how to read the code).
2. The user is directed to the Box login page, which then sends the user to my server (with no page specified), attaching an authentication code.
3. The app somehow magically gets that code back from my server and sends a request to Box for the access token.
4. Box sends the access token to my server?
5. The app again magically gets the access token from my server and sends its API requests.
Obviously I got lost somewhere.
And, why do I have to have a server involved in the process? The article on making a JavaScript app refers to a direct request for a token. Is there documentation on that somewhere?
1. You register your application on Box.
2. After registration you receive a clientId and clientSecret once on the Box website.
3. You hardcode your credentials somewhere in your application.
4. The first time your application needs to access the Box API it should redirect the user to https://www.box.com/api/oauth2/authorize, specifying your clientId, clientSecret and redirectURI as parameters. About redirectURI see below.
5. The box.com website opens. The user enters his own credentials in the web form on box.com.
6. The user allows your application to access his files via the API on the box.com website.
7. Box redirects the user back to your application using the redirectURI specified before. One of the parameters of this request is "code". This is a very short-lived (30 seconds) access code that is only eligible for obtaining a real access token.
8. During the next 30 seconds your application should make another call to the Box API, to the URL https://www.box.com/api/oauth2/token, specifying the previously obtained code. If everything was correct, your application receives an access_token, a refresh_token and "expires" values.
9. Now your application can make requests to the Box API, specifying access_token every time.
10. access_token expires in the number of seconds specified in the "expires" field. It should be about 3600 seconds or 1 hour. Each time your application sees that access_token has expired, it should make another request to Box with the refresh_token and obtain a fresh access_token for another 1 hour.
11. refresh_token itself expires in 14 days.
Note: if you develop a desktop application, then you should open a browser for the user at step 4, redirectURI should be something like http://127.0.0.1:8080/Callback and you should run a small webserver just to catch the redirect with the code as in step 7.
Box requires that you specify a redirect_uri in your application's profile, and it must be an HTTPS URL.
As a result, it is not possible to use Box with what Google's OAuth2 documentation calls "Client Side" or "Installed" applications; only "Web Server Applications" are allowed. Web Server applications do not have the secret-leaking problem, because only the server knows the secret. You can pass the access token from your server to JavaScript on the client after the OAuth transaction is complete, if you want the client to make API requests directly.
In your question you are not totally clear about what you are actually trying to produce.
I however suspect that you are trying to write a client application that needs to authenticate to Box using the OAuth2 solution they have delivered in API v2.
If this is for an iPhone, for example, Box has a great example of how to handle it.
In a WinForms application you would need to capture the resulting code sent back by Box in the browser1.isnavigating event.
In a Windows console application you register a custom URI registration to collect the code.
Neither of these needs to be registered in the API developer's application on Box, as you would pass the required redirect in the request to Box.
If this does not point you in the right direction and you're writing a .NET app, then post again and I will try to clarify a little more.
Box requires some form of user interaction, which is short-sighted in my opinion, but try a web service that simulates a user interaction; then you can save/pass the token to your application to sync up with the Box "Cloud".