The couchbase sync gateway REST API allows for the inclusion of an email address in the JSON that is PUT at the registration URI _user/<foo>. In my use case I'd like to implement phone number registration via SMS and to include the phone number in the sync gateway user record created in the bucket. This will avoid my having to create a separate document to store a phone number in. Is there any way to specify custom fields that can be included in the JSON sent via the PUT method?
Related
I want to use from my android/ios app the autocomplete api. For this I need to call url like:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=paris&key=<myapikey>
the problem is: What can make that someone else will not extract from my app my api key and use it for his own purpose ? It's important because at the end it's me who will be billed by google for the usage ...
Your intention is to call a Places API web service. Google Maps web services support only IP address restrictions.
You can check what type of restriction is supported by each API on the following page:
https://developers.google.com/maps/faq#keysystem
In order to protect an API key that is used with your sample request you should create an intermediate server and send your requests from this server. So your application should send request to intermediate server, intermediate server should send Places autocomplete request with protected API key to Google and pass response back to your app. In this case you can use an IP address of your intermediate server to protect unauthorized access with your API key.
I hope this helps!
What if you create and intermediate server and create a token for each single user, and also create a monitoring service which block suspicious behavior?
for example, a normal user would request x times/per day || hour || ...
Or
when a user runs application for the first time, application receives the [encrypted api + decryption key] and store them to a safe place like keychain(for iOS)
As I know, if you request directly to google-map-api there is always a way to sniffing packets.
I'm considering crating a simple API to serve my app. Basically it would be a very simple monitoring system (sending a true/false value) and uploading it to database or BigQuery. According to the Firebase documentation, the Functions service stores the IP address temporarily (which is considered personal data) - https://firebase.google.com/support/privacy/.
Does it mean that I would need to ask the users for the consent to use this API to comply with GDPR?
I have a firebase data link located in app say, https://appname.firebaseio.com/.
There is no authentication to firebase links, all data is public.
We have a custom authentication system. But I am unable to add authentication via custom tokens to firebase because they expire after one hour and I can't force the user to login again.
But I secure the data by adding a sha1 hash for each user in data as label.
So data will link for user will be like:
https://appname.firebaseio.com/356a192b7913b04c54574d18c28d46e6395428ab.json
Is this a good method?
Can a user get all data from https://appname.firebaseio.com/, without providing my sha1 embedded url? Is there a way to get all the data or something that I should worry about?
No it no a good method.
All data from a public app can be retrieved by this using .json with app url.
https://appname.firebaseio.com/.json
I need to implement electronic signatures from an Access database without using a signature pad. I do not have an actual document that needs to be signed - just a field on an Access form. We currently use a Topaz signature pad but are needing to get away from that.
Thanks in advance,
Karen
Yes, you can. There are several .net api to access DocuSign.
You can use them to create the DocuSign envelope. You will also need to implement something to retrieve the signed envelopes. There are two options:
a cron job that calls DocuSign to get all the updated envelopes since the last call
a REST service that DocuSign will call to inform your application of every event that happens on your envelopes.
If you want to use the second option, your REST service should be open to Internet (you can find the subnet to open in the DocuSign documentation).
DocuSign is used to sign documents, not data. Since your database is holding a form's worth of data, I suggest that you:
Create a template in DocuSign that represents the Access form
When you make the Envelopes: Create call to DocuSign, populate the template's data fields with the data from the Access db.
The result will be a signing request that looks like the form in your database.
Once the document is signed in DocuSign, you can record the envelope ID in Access. It can then be used to view the signed document. Or you can download the signed documents and store them locally.
Ask further questions here if you have any difficulties.
I have a website where you can request data using ajax from our servers as json (only to be used on our site). Now i found that people start using our requests to get data from our system. Is there a way to block users from using our public json API. Ideas that i have been thinking about is:
Some kind of checksum.
A session unique javascript value on the page that have to match server-side
Some kind of rolling password with 1000 different valid values.
All these are not 100% safe but makes it harder to use our data. Any other ideas or solutions would be great.
(The requests that you can do is lookup and translations of zip codes, phone numbers, ssn and so on)
You could use the same API-key authentication method Google uses to limit access to its APIs.
Make it compulsory for every user to have a valid API key, to request data.
Generate API key and store it in your database, when a user requests one.
Link: Relevant Question
This way, you can monitor usage of your API, and impose usage limits on it.
As #c69 pointed out, you could also bind the API keys you generate to the API-user's domain . You can then check the Referer URL ($_SERVER['HTTP_REFERER'] in PHP), and reject request, if it is not being made from the API-user's domain.