in the system I'm working on we allow the user to store more than a payment card and then select one to use during checkout.
The card token is a natural identifier for the card so it may seem a good key to use (we store nothing in our app).
Is it safe to render in HTML to card token so we can identify which card to use or are there security concerns?
Please note that I pass the customer id to the gateway to make sure that the card belongs to the customer:
var request = new Braintree.TransactionRequest
{
Amount = order.Total,
CustomerId = braintreeCustomerId,
PaymentMethodNonce = nonce,
PaymentMethodToken = cardToken,
OrderId = order.OrderId,
Options = new Braintree.TransactionOptionsRequest {
StoreInVault = saveCard,
SubmitForSettlement = false
}
};
Including the payment token in the form could be insecure if you submit it to Braintree without validating it against a customer id. That is, if an attacker manipulates the token to one that corresponds to another of your customer's payment method token, the other customer will be charged. If you include the customer id in the transaction request (as you have done), then we will validate that the token matches the customer, so as long as the user can’t manipulate both the customer id and the token, this method is secure.
Related
I have a page (index) with an #ActionLink that opens another page to edit an invoice, the page will appear correctly, but the [Url-address] shows the number for the invoice, and when I change the number for the invoice in the [Url-address], it means that he opened another invoice, and I want the modification page not to open from By modifying the [Url-address] or using a direct link, I found a nice way, but it is used with [Post] and not Get. Is there a way to protect the [Url-address] of the page from being modified and its values?
View Index:
#Html.ActionLink(
linkText: "Edit_Invoice",
actionName: "Invoice_Edit",
controllerName: "Invoice",
routeValues: new { ID_Invoice = 2 },
htmlAttributes: new { area = "Pro"})
Controller :
[HttpGet]
public ActionResult Invoice_Edit(int id_invoice)
{
Table.Invoice invoice = (from i in Cn.Invoice
where i.ID_Invoice == id_invoice
select i).FirstOrDefault();
return View(invoice;
}
View Invoice_Edit:
#Html.TextBoxFor(m => m.ID_Invoice)
#Html.TextBoxFor(m => m.Date_Invoice)
<button>save</button>
When you open the invoice modification page, its number will appear in the address as in the link below
https://localhost:44320/Pro/Invoice/Invoice_Edit?ID_Invoice=2
I only want to open invoices that are selected from the page only.
Update 1 : Change Title Answer
if you what users to open only invoices that they are allowed to open, antiforgery token has nothing to do with it. You neeed server side validation, authentication and authorization. All of these should be implemented on the server side. Client side javascript code is not enough.
Anti-Forgery Tokens don't make a lot of sense for any request where you're not modifying and persisting data. So I recommend to remove [ValidateAntiForgeryToken] from your GET since GET request will be returned to the user, not the attacker.
AntiForgeryToken is designed for POST requests and it expects the token in Request.Form collection. You can just use post instead of get to receive data. Or you can use ajax. Google and you will find some examples.
But make sure that you are using them when you're creating, updating or deleting data.
My company allows employees to have multiple email addresses in their account.
I am attempting to write an input form where someone can enter any of the emails for a contact and we'll resolve it to the same person.
I've tried doing this via ContactsApp.getContact(email).getPrimaryEmail() to resolve all different inputs to the same primary email, but it doesn't work as expected. Each email I search for returns a different Contact object with only a single email (the one I used to search).
Even if I use ContactsApp.getContact(email).getEmails() to list all emails to the employee, I can see it only returns one at a time.
When going to contacts.google.com, I see the information I expected. Searching for any of the emails will return the same contact, with the same primary email and all other emails listed.
Is there something I'm doing wrong? Or is this how ContactsApp works. If so, is there a workaround?
Thanks!
getPrimaryEmail() will only return an email address if the contact in question has had a default email set and this can only be done via the Google Contacts App, not on the web (go figure).
To solve your problem I would suggest loading all the contacts into an array variable first and then searching this for matching email addresses. I would do the data retrieval on page/view load (so it can be reused without multiple server calls) but have included it all together here for conciseness.
What I found strange about the ContactsApp (and presumable People API too) is that the contacts returned are just empty objects (when logged) with just a bunch of methods on them. However, once you have an array of objects you can write your own properties to those objects for easier access of data.
Therefore I would first of all retrieve all the users contacts, then add a property of .emails to each contact object in the array and then use .some, perhaps, to check if a match appears in .emails (which will also be an array).
Something like:
let strSearch = 'someone#somewhere.net' // EMAIL address to search based on user input
let arrContacts = ContactsApp.getContacts();
let contacts = arrContacts.map(contact => {
let emails = contact.getEmails();
contact.emails = emails.map(email => email.getAddress());
return contact;
});
let foundContact = contacts.filter(contact => contact.emails.some(email => email === strSearch));
Remember .getEmails() returns another array of objects that have the method .getAddress() on them in order to retrieve the actual address, that's why I'm getting an array of email objects with let emails = contact.getEmails(); then using emails.map here to put the actual email addresses into an array stored in the contact.emails property (that doesn't exist so we're actually creating it here).
After that we're filtering the contacts array down to a contact where the searched email address is matched to one of the email addresses in the contact.emails array. I haven't tested it so the last line might need playing around with slightly but I've used something very similar so would expect it to work.
You can then use foundContact[0] to reference the contact found and use the further methods of .getFullname() .getId() etc. to retrieve their data as required. If you need the contacts phone numbers or geographical address that's a whole other process of returning an array of objects using .getPhones() or getAddresses(), but I think that's beyond the scope of this question.
I retrieve an appointment by its unique ID. Now I want to find out which mailbox it is in.
I tried using appointment.Organizer, but this does not work for meetings, or for normal appointments - since appointments can be moved around between mailboxes, the Organizer can be different from the user that has the appointment in his calendar.
Is there a function to get a folder, given only an appointment and an ExchangeService?
If you want to get the SMTP address of the mailbox associated with a particular EWSId one way that should work is using convertId to convert the EWSId to a StoreId and just use generic mailbox address in the Mailbox field then the results you get back (if that ID is good) should contain the Mailbox its associated with eg
String EWSId = "AQMkADY4ZDQ4M2UyLTRhYjItNDhkYy1hMG...";
AlternateId aiRequest = new AlternateId();
aiRequest.UniqueId = EWSId;
aiRequest.Mailbox = "user#mailbox.com";
aiRequest.Format = IdFormat.EwsId;
AlternateId aiResultsStore = (AlternateId)service.ConvertId(aiRequest, IdFormat.StoreId);
Console.WriteLine(aiResultsStore.Mailbox);
Cheers
Glen
Tinkering around with verifying a couple of domains and found the manual process rather tedius. My DNS controller offers API access so I figured why not script the whole thing.
Trick is I can't figure out how to access the required TXT & CNAME records for DKIMS verification from boto, when I punch in
dkims = conn.verify_domain_dkim('DOMAIN.COM')
it adds DOMAIN.COM to the list of domains pending verification but doesn't provide the needed records, the returned value of dkims is
{'VerifyDomainDkimResponse': {
'ResponseMetadata': {'RequestId': 'REQUEST_ID_STRING'},
'VerifyDomainDkimResult': {'DkimTokens': {
'member': 'DKIMS_TOKEN_STRING'}}}}
Is there some undocumented way to take the REQUEST_ID or TOKEN_STRING to pull up these records?
UPDATE
If you have an aws account you can see the records I'm after at
https://console.aws.amazon.com/ses/home?region=us-west-2#verified-senders:domain
tab: Details:: Record Type: TXT (Text)
tab: DKIM:: DNS Record 1, 2, 3
these are the records required to add to the DNS controller to validate & allow DKIM signatures to take place
This is how I do it with python.
DOMINIO = 'mydomain.com'
from boto3 import Session
session = Session(
aws_access_key_id=MY_AWS_ACCESS_KEY_ID,
aws_secret_access_key=MY_AWS_SECRET_ACCESS_KEY,
region_name=MY_AWS_REGION_NAME)
client = session.client('ses')
# gets VerificationToken for the domain, that will be used to add a TXT record to the DNS
result = client.verify_domain_identity(Domain=DOMINIO)
txt = result.get('VerificationToken')
# gets DKIM tokens that will be used to add 3 CNAME records
result = client.verify_domain_dkim(Domain=DOMINIO)
dkim_tokens = result.get('DkimTokens') # this is a list
At the end of the code, you will have "txt" and "dkim_tokens" variables, a string and a list respectively.
You will need to add a TXT record to your dns, where the host name is "_amazonses" and the value is the value of "txt" variable.
Also you will need to add 3 CNAME records to your dns, one for each token present in "dkim_tokens" list, where the host name of each record is of the form of [dkimtoken]._domainkey and the target is [dkimtoken].dkim.amazonses.com
After adding the dns records, after some minutes (maybe a couple of hours), Amazon will detect and verify the domain, and will send you an email notification. After that, you can enable Dkim signature by doing this call:
client.set_identity_dkim_enabled(Identity=DOMINIO, DkimEnabled=True)
The methods used here are verify_domain_identity, verify_domain_dkim and set_identity_dkim_enabled.
You may also want to take a look a get_identity_verification_attributes and get_identity_dkim_attributes.
I think the get_identity_dkim_attributes method will return the information you are looking for. You pass in the domain name(s) you are interested in and it returns the status for that identity as well as the DKIM tokens.
I am wondering how can I do the following about MS CRM 4.0:
I want to know for a campaign if a contact from a specific marketing list has not replied yet.
The field custom in the campaign response form is a partyfield. CRM doesn’t allow a PartyList field to be queried using a QueryExpression
Any ideas?
Thanks,
Katya
You cannot retrieve activityparty records directly, but you can use them in LinkEntities:
private bool contactHasResponded(Guid idCampaign, Guid idContact)
{
QueryExpression qryCampaignResponses = new QueryExpression("campaignresponse");
qryCampaignResponses.ColumnSet = new AllColumns();
qryCampaignResponses.Criteria = new FilterExpression();
qryCampaignResponses.Criteria.AddCondition("regardingobjectid", ConditionOperator.Equal, idCampaign);
LinkEntity leContact = new LinkEntity("campaignresponse", "activityparty", "activityid", "activityid", JoinOperator.Inner);
leContact.LinkCriteria = new FilterExpression();
leContact.LinkCriteria.AddCondition("partyid", ConditionOperator.Equal, idContact);
qryCampaignResponses.LinkEntities.Add(leContact);
List<gcCampaignresponse> lstCampaignResponses = gcCampaignresponse.RetrieveMultiple(m_svcCrm, qryCampaignResponses);
return (lstCampaignResponses.Count > 0);
}
This will tell you whether there's a campaign response for a given campaign and contact. (I use entity classes generated by Stunnware Tools, so the RetrieveMultiple call looks a little different, but I think you get my point).
If you turn this QueryExpression/LinkEntity construct upside down, you can also get all contacts that have responded to a given campaign (you can also restrict that to contacts in a certain marketing list through a second LinkEntity).
The only thing that's not possible directly with a single query is the "negative" check you are looking for, so you'll have to take this result and do an "outer join" against your marketing list to get the contacts that have not responded.