Consider the following web application flow.
user hits login/sign up page
user signs up and logs in
browser redirects to their profile page
My question is, using firebase authentication services, how do I restrict usage of the profile page without authorization to the web application?
Moreover, can I host this web application on firebase, and this functionality will be taken care of for me?
Well, profile pages for example are generally sites that are dynamically filled with data. You don't have to restrict access to the page itself but instead restrict the API with the JSON restriction settings Firebase offers. This way nobody can access any other profile pages than their own. To avoid annoying users who have, for example, saved a link to their profile page but are not logged in, you can add a redirect for users that are not logged in.
Yes, you can create a new project using firebase console and deploy your application to it. You can also enable email authentication to the application on firebase. Follow this link for more information: https://firebase.google.com/docs/web/setup
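An added illustration of the answer above (not code from the answer or from Firebase): the JSON rules I take the answer to mean are Realtime Database security rules, shown here restricting each profile to its owner, together with a small evaluator that applies them the way Firebase applies `.read` rules (deny by default, a rule that passes at a parent also grants its children) so the effect can be checked offline. The evaluator is a simplification that handles only the constructs used here, and `profileRoute` is an assumed client-side helper for the redirect.

```javascript
// Added example, not the answer's own code. Realtime Database rules that let a
// signed-in user read and write only /users/<their own uid>, plus an evaluator
// that mimics how Firebase applies .read/.write rules: deny by default, and a
// rule that passes at a parent node also grants its children. Simplified: it
// only understands `auth`, `$wildcard` variables and plain JS expressions.
const profileRules = {
  rules: {
    users: {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
  },
};

// Evaluate one rule expression with the bound wildcard variables in scope.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  const fn = new Function("auth", ...names, `return (${expr});`);
  return Boolean(fn(auth, ...names.map((n) => vars[n])));
}

// Decide whether `auth` (null when signed out) may perform `op` (".read" or
// ".write") on `path`, e.g. "/users/alice". Walks root -> leaf, stopping at
// the first node whose rule grants access; no matching rule means denied.
function isAllowed(rules, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  let node = rules.rules;
  const vars = {};
  for (let i = 0; ; i++) {
    if (node[op] !== undefined && evalRule(node[op], auth, vars)) return true;
    if (i === segments.length) return false; // reached the target, nothing granted
    const seg = segments[i];
    if (node[seg] !== undefined) {
      node = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // no rule path covers this node
      vars[wildcard] = seg; // bind e.g. $uid = "alice"
      node = node[wildcard];
    }
  }
}

// Client-side counterpart (assumed helper): the rules above are what actually
// protect the data; this only keeps signed-out or mismatched users from
// landing on a profile page that would fail to load.
function profileRoute(currentUser, requestedUid) {
  if (!currentUser) return "/login";
  return `/profile/${currentUser.uid === requestedUid ? requestedUid : currentUser.uid}`;
}
```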
Issue: it appears that the Banno framework is "remembering" the URLs. This is happening in a mobile browser when the user does not close the tab or browser. When the user opens the page, Banno is remembering the URL from last time and trying to load the same URL.
What needs to happen is that Banno needs to fully reload the page so that we can go retrieve a new URL and log the user in again.
Could it be how they treat plugins when a browser is left open? A URL that is loaded is not good forever.
Odds are good that the situation you're encountering is described in https://stackoverflow.com/a/71267143/6680761
Essential info from that link is:
Part of keeping state of the page is keeping authentication data. The OAuth flow used to initially authenticate the user is not intended to be used on every page refresh. It's expected that the embedded web application will keep its own authentication state. How this is done is usually very specific to the language and platform used for the embedded web application. However all strategies almost exclusively use a cookie which is destroyed when the application closes.
The OAuth callback URL with an authentication code should be redirected away from once the code is exchanged for an access token. From that point forward your app should be using its own authentication mechanism.
I have developed an Android game; it stores user scores in Firebase. How do I access the user scores from a WordPress website? Is it possible to create a login for my Android app using a Play Store account, and have the Play Store Google account log in to my site to check their score?
Yes, you can retrieve data from Firebase and display it on the WordPress website.
https://firebase-wordpress-docs.readthedocs.io/en/latest/retrieve-data-from-firestore.html
There is also an option to log in with Google on a WordPress site, so the user will only see the data based on their security rule.
I will host a static site (just a few pages actually) on Netlify, a cloud hosting provider. It would be my notes and may have sensitive code and API keys. I want it set up so that only I can access this site from internet and no one else. How can I block access to the static site for others?
Alternatively, if I do the same with GitHub Pages, is it possible to restrict access there?
You need an access control mechanism to protect your notes.
If you are running the web server doing the hosting, most web server programs (Apache and nginx are the two most popular) have built-in access control mechanisms, see link given by Carsten H or see Access Control with Apache or How to Set Up Password Authentication with Nginx (Digital Ocean guide).
If you are using Github Pages, it is possible to do access control, but a bit more tricky. You can create a Github OAuth application and ask people to authenticate using your Github OAuth app. The app will ask for their username, and check if that username matches a list of allowed Github users (probably just your Github username). If the usernames match, static content is served up, otherwise the user is redirected to a 403 forbidden page.
Also see the github-heroku-attack-rabbits project page for details of how to create the Flask app mentioned above (using flask-dance to authenticate users via your Github OAuth app). The Flask app can be hosted for free on Heroku.
Two more things to note regarding public/private repos:
If you are using Github Pages, the repository containing your notes will need to be private, otherwise the contents of your notes will be in a public repository (even if the Github Pages static page has an access control layer).
Just because a repo is private does NOT mean its Github Pages page is private. By default, a private repo's Github Pages page is accessible/readable by the public. It is up to you to put an access control mechanism in place to protect the page.
You can try the encryption route. Here, the name staticrypt really says everything (I have a demo here). It allows you to create a password for each page of your website. It uses AES-256 encryption, so as far as I am concerned, a long password should suffice.
If you don't share the password, you will be the only one to view the webpage.
These are actually two questions, and it is good practice to ask them individually.
This is a frequently asked question and depends on your server; e.g. for Apache you can edit your .htaccess following these instructions.
You need to create a private repository by checking the private repository option during the repository creation.
I'm adding Box support to an iPad app. I tried the official SDK and I don't want to use it for the following reasons:
Login page is too wide for a modal controller with UIModalPresentationFormSheet style on iPad. The SDK hosts UIWebView which loads content of https://m.box.net/api/1.0/auth/, which perhaps returns HTML with min width set to 768px (although I didn't check the HTML, speculating here).
HTML in login page doesn't show Google Apps authentication option. The full desktop version of the page does.
Because the login page is hosted in UIWebView the user cannot be sure that he's supplying the credentials to Box, and not to an app author.
I don't need the whole SDK functionality, just authentication, folder/file listing and content download. Since my app also uses other cloud storage providers I'd prefer to provide uniform file browsing experience.
Here's what I'm going to do:
Add a custom URL scheme for my app, let's say "myapp".
In Box's Application settings for my app set Redirect URL to myapp://RedirFromBoxAuth.
When the user chooses to browse Box from inside my app, I'm going to:
Get a ticket by calling GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={API_KEY}
Extract the ticket, then call openUrl with https://www.box.com/api/1.0/auth/{TICKET}. This will open Safari and let the user enter his credentials. This is the full, desktop version of the login page.
On successful login Box's server will tell Safari to redirect to myapp://RedirFromBoxAuth?ticket={TICKET}&auth_token={TOKEN}, which in turn will tell iOS to yield control to my app.
My app receives handleOpenURL notification and I can extract the authentication token and use REST API from now on.
Please comment, is it a good plan? I created a quick prototype and it seems to work, but maybe I'm missing something?
Box team, could you please tell us whether an app using this authentication model will be eligible for inclusion in OneCloud?
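An added example (not code from the question or from Box) of the handler for step 7, the myapp://RedirFromBoxAuth?ticket={TICKET}&auth_token={TOKEN} callback: the ticket in the callback is checked against the ticket this app itself requested in step 4 and accepted only once and only within a short window, so a callback for an unknown, reused or stale ticket is ignored rather than trusted. It is written in JavaScript for the sake of the PhoneGap threads on this page; the same checks belong in a native handleOpenURL. `rememberTicket`, the ten-minute window and the result shape are assumptions.

```javascript
// Added example, not the question's or Box's code. Assumed helper: when step 4
// obtains a ticket, the app records it here before handing off to Safari.
const pendingTickets = new Map(); // ticket -> time (ms) it was issued

function rememberTicket(ticket, now = Date.now()) {
  pendingTickets.set(ticket, now);
}

// Handle the URL iOS passes to the app on return from Safari. Accepts the
// auth_token only if the URL is really our callback route and its ticket is
// one we requested, unused, and not older than maxAgeMs (assumed 10 minutes).
function handleBoxCallback(urlString, now = Date.now(), maxAgeMs = 10 * 60 * 1000) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "myapp:" || url.hostname.toLowerCase() !== "redirfromboxauth") {
    return { ok: false, reason: "wrong-route" };
  }
  const ticket = url.searchParams.get("ticket");
  const token = url.searchParams.get("auth_token");
  if (!ticket || !token) return { ok: false, reason: "missing-params" };
  const issued = pendingTickets.get(ticket);
  if (issued === undefined) return { ok: false, reason: "unknown-ticket" };
  pendingTickets.delete(ticket); // a ticket is good for exactly one callback
  if (now - issued > maxAgeMs) return { ok: false, reason: "expired-ticket" };
  return { ok: true, token }; // from here on the REST API is used with `token`
}
```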
This seems like a good strategy and will probably make for a better UX/easier implementation than the normal redirect. Please let us know if you run into any weird edge cases by implementing it this way.
I know that the index.html page (the PhoneGap startup page) needs to reside on the device. But if we want to create an app that uses third-party user authentication before proceeding to the core application, what do we have to do?
Thanks in advance
On Android you can change the starting page in the main activity, or you can make a redirect in index.html.
Well, you don't say if you are platform-specific.
And there are lots of third-party auth options.
But I can offer two solutions (admittedly my own code etc.); both of them use PhoneGap for Android and PhoneGap plugins. The key piece of code for me has been the onLocationChange callback feature of the ChildBrowser plugin. Your app can take the user to other sites for auth or whatever, but still get control back.
Tutorial on Using Twitter REST API (OAuth 1, ChildBrowser, jsOAuth plugin)
Free Android App + Source on github : AppLaud App (OpenID, ChildBrowser, custom server)
For authentication, you can have a form in your index.html (maybe under login div) to do a post to an actual webserver.
Then, fetch the data returned from the webserver to let your user access the functionality of your native phonegap application.
You can have the functionality disabled until you receive the successful login from the webserver. If you post via ajax, the webview won't even blink, but you will still get the successful login response from webserver and simply enable functionality on your app after this.
Let me know if this is confusing and I'll try to explain more clearly. I hope this helps.