Slack offers a simple oauth method (sign in with slack) for existing slack users to cross-authenticate to "my platform," whatever that may be. I've been able to do everything on the slack side, including getting a real name and email address from slack's identity scope and finding my user in the drupal mysql database users table.
But how can I actually log this user in and create/regenerate a session programmatically? Is there a way to do this from command line using drush or something, without having to edit the php, because that's not my preference. I thought I could just modify the timestamps in the database, but it looks like the session object requires more than that.
So given a drupal uid, and access to the drupal DB, what do I do?
You can use Masquerade module to generate session for any Drupal user no matter what was his creation source
It sounds like you're looking for Selenium. It's a command line browser interface used to create test scenarios and web scraping tools. You can build code which implements selenium with java, python, and I think a few other languages. The tool has been such a life saver for me! I hope this helps.
Since both systems are on the same server, I wrote a python script to modify the drupal7 mysql database and "log them in" without using any drupal environment tricks. By updating the access timestamp for the user, the system treats as logged in. I also added code to run drush -user-create from the command line if the slack user's email doesn't match the drupal users table in the database.
This was definitely not my preferred route, but it seems drupal's own tricks are more along the line of a bot impersonating a user anyway.
I did not figure out how to create a session cookie and provide it to the user during login, so if you know how to do that, I'd love to know!
Related
I am trying to work out an application using
Dotnet Core 1.0
MySQL as the data store
Authetication and Authorization
Entity Framework
Ubuntu 16 machine
I have succeeded in creating a sample API to fetch data from MySQL database using entity framework. Now I want to introduce Authentication using email as username and Password.
I tried several method from different blogs but unable to achieve this.
What I am trying to achieve is Custom Authentication for the api where user will send username and password to login Api. The login Api will return an access token and refresh token. Using this access token, the user can call other APIs.
Later on I want to add Google and Facebook Authentication too.
Is there a way to do this?
Everything you want to achieve is possible. However there are some caveats.
Yes you can do this. You will need to use the resource owner grant which is turned off in identityserver 4 by default. I suspect the reason for this is because passing user credentials into an application is an anti-pattern, it is there to typically support legacy systems, also it does not authenticate users in the explicit sense because the credentials could come from an un-trusted source (as an example). You can read up about the grant's generic value here. You can find samples here.
The safer pattern is to use something like Implicit Flow which is good practice if you cannot guarantee trust between clients and your API.
As for social logins this is possible. There are tonnes of samples online but here are the official docs.
There is a project on github, https://github.com/diogodamiani/IdentityServer4.MongoDB and a corresponding nuget package that will send you in the right direction. It's obviously MongoDb, but the same premise applies.
I have a regular users DB and a phpBB support form.
The only feature I care to integrate is making sure the a user gets added to phpBB database when they register on my regular user database.
How do I synchronously add a user to phpBB from the cli as a user registers on my regular users db?
You could always use php, adapt and existing mod they have https://github.com/phpbb/phpbb/blob/3.1.x/phpBB/includes/ucp/ucp_remind.php#L87-L100
I want to use Zapier to register a new Wordpress user — the trigger will be a new purchase on Gumroad.
This plugin — https://wordpress.org/plugins/json-api-user/ — allows you to register users using a public JSON interface, eg by hitting
https://example.com/api/user/register/?username={{email}}&email={{email}}&nonce=blahblahblah
I'm new to all this, but know that I can get Zapier to insert the purchaser's email from Gumroad into {{email}}.
My question is, how can I do this in a secure way?
(At the moment anyone can hit example.com.com/api/get_nonce/?controller=user&method=register and get the key they need)
And maybe it can even be done without using Zapier?
I'm assuming that the nonce is only good for a short period of time, like a couple minutes? If so, what you want to do is lock down the /api/get_nonce/ endpoint to require a password. That way only authenticated users can get a nonce, which can then be used to create the user.
As for how Zapier fits in, it's a bit complicated to custom build a two-request process like this. You would have to make your own app on the Developer Platform do the nonce call and then the user creation.
I use the following plugin to create users (via Zapier) on my WordPress sites after someone signed up on my Teachable school: WP Webhooks Pro
This plugin allows me to either POST the data to my WordPress site via JSON, XML or a simple form data. In my case, I don't need a nonce, since the plugin generates API keys that I can use to push my data to.
I'm working on a an application where my back-end server will push and pull data over the google drive sdk. So, the back-end will only ever need a authorization via a single admin user's set of credentials.
Is the best way to do the authorization for this use-case to do what's described here?
https://developers.google.com/drive/web/auth/web-server
It looks like I would manually authorize my back-end's user once and store the refresh token for later offline access, thereby not needing manual/human interaction ever again.
But is that actually the best way for this use case? Is there another authorization workflow that I've overlooked?
The method described at the link you sent is appropriate when you are authing several end users. I find it's overkill if you only ever need to auth a single user. Too much code and faffing around for something that will only be used once.
Check out How do I authorise an app (web or installed) without user intervention? (canonical ?) which is a one-time procedure which gets you the same result, without writing any code.
Having worked on it some, I think the best way for my application is this:
https://developers.google.com/api-client-library/python/auth/service-accounts
You create a Service Account through the admin console. There's no messing around with a manual authorization step that could later break the app.
First I apologize if I'm a dolt and am missing something obvious, but I've spent a few hours scouring documentation and am lost.
I'm trying to write a python script that will upload a bunch of images to a single user's Google Drive. The user already exists and will never change. I am not writing a web app and don't plan to use any user interface whatsoever. Everything will be done through code.
As best I can understand from the Google documentation, I have two choices:
1) Write a web app and register it to use the Drive DSK. This of course requires having urls and such for the web app.
2) Create a service account, which ties my "app" to a new service account email.
Neither of these options works for me. Is there any way to simply log in to a single user account and access their drive through python scripting?
There is a deprecated API called ClientLogin that would enable you to use the username and password for a login to access that Drive data.
But the basic idea is that you should be using something more secure -- from your users' point of view -- that allows them to authorize you without giving you their password.
For your use case it is possible that the user is you or someone you know and that you are accessing their account through a more personal kind of authorization. In that case, ClientLogin may be your best choice. If this is an application designed to be used by arbitrary users, the deprecation of ClientLogin is for a good reason and I would urge you to bite the bullet and choose one of the supported options.
The correct solution is to separate the authorization phase from the access phase. The authorization process needs to be run one time only, and can be done from a simple web site. The result of this is a refresh token which is analogous to a username/password. You will need to be aware of the security implications. Make sure you only grant drive.file scope to minimise the impact of a security breach.
Since you are uploading images, you might also want to look at the picassa api.