Flash UrlLoader - prevent or suppress authentication dialog box - actionscript-3

I have a rssfeed application made in Adobe AIR. It uses the UrlLoader to read the feeds. I need the application to never prompt the user to enter password for a website or accept a certificate of a website if is no longer valid. I prefer to have it fail instead.
I have setup the event listeners for IO+Error and Security_ERROR but that is not enough
Sample urls(this may not work in future)
http://www.dawnanddrew.com/rss2.xml (asks for user and pass atm)
I had another issue with a feed that even if it was a http url the website redirected the loader to https and then the certificate validation failed and the user was asked to accept the certificate. I need this to fail (I mark failed feeds and the user can check them when they want to find the issue and fix them or remove them)

Using AIR (which you are), you can actually tell the application to NOT handle authentication.
var request:URLRequest =new URLRequest("http://www.dawnanddrew.com/rss2.xml");
request.authenticate = false; //default is true, so you need to tell your request to not handle authentication
Then it will fail with an IO error instead of prompting for credentials.
Documentation
Note however, this will only work in AIR and is not a supported property for flash player.

You cannot do it this way. Now, the server returns specific status and the browser reacts to it by showing you a login dialog box. You cannot do this directly in flash and you cannot get default login button. You need to implement this by your own. The perfect way to do so is to check (server side) if the user is logged in and if not - return status ok (200) with an error message (let's say JSON). This specific message would be read by the flash client and a login screen would be shown (custom made). You will also need to implement the login feature by yourself :)
Sorry for the bad news, but this is the way it is with flash.

Related

VimeoUpload not re-authenticating After Deletion of App Access on Vimeo.com

I was able to connect and upload videos using the library but when I deleted the app connection on Vimeo.com (as a test) the app didn't authorize again.
the upload looks like it's working but nothing is uploaded as the app is no longer connected.
I deleted the app on the phone and restarted but it still won't re-authorize the app.
This comes up in the output:
Vimeo upload state : Executing
Vimeo upload state : Finished
Invalid http status code for download task.
And this is in OldVimeoUpload.swift: ( didn't include the actual access code!)
import Foundation
class OldVimeoUpload: VimeoUpload
{
static var VIMEO_ACCESS_TOKEN :String! // = "there's a string of numbers here"
static let sharedInstance = OldVimeoUpload(backgroundSessionIdentifier: "") { () -> String? in
return VIMEO_ACCESS_TOKEN // See README for details on how to obtain and OAuth token
}
// MARK: - Initialization
override init(backgroundSessionIdentifier: String, authTokenBlock: AuthTokenBlock)
{
super.init(backgroundSessionIdentifier: backgroundSessionIdentifier, authTokenBlock: authTokenBlock)
}
}
It looks like the access token number is commented out. I deleted the 2 forward slashes to see if that would fix it but it didn't.
I spoke too soon.
It sounds like you went to developer.vimeo.com and created an auth token. Used it to upload videos. And then went back to developer.vimeo.com and deleted the auth token.
The app / VimeoUpload will not automatically re-authenticated in this situation. You've killed the token and the app cannot request a new one for you. You'll need to create a new auth token and plug it into the app.
If this is not accurate and you're describing a different issue let us know.
If you inspect the error that's thrown from the failing request I'm guessing you'll see it's a 401 unauthorized related to using an invalid token.
Edit:
Disconnecting your app (as described in your comment below) has the same effect as deleting your auth token from developer.vimeo.com.
Also, VimeoUpload accepts a hardcoded auth token (as you see from the README and your code sample). It will not automatically re-authenticate, probably ever.
If you'd like to handle authentication in your app check out VimeoNetworking or VIMNetworking. Either of those libraries can be used to create a variety of authentication flows / scenarios. Still, if a logged in user disconnects or deletes their token, you will need them to deliberately re-authenticate (i.e. you will need to build that flow yourself). In that case, the user has explicitly stated that they don't want the app to be able to access information on their behalf. It would go against our security contract with them to automatically re-authenticate somehow.
Does that make sense?

External authentication doesn't work in Datazen

I set the authentication in control panel as below:
and i call the viewer by this code:
$.ajax({url: 'http://192.168.17.31/viewer',
headers: {'thisistheheadername':'thisistheheadername'},
type : 'GET'
});
but still request redirects to login page:
http://192.168.17.31/viewer/login
I'm not totally sure what you're trying to do. I've never seen AJAX used with Datazen like this, although I suppose I can understand how it might work. Of course, it won't be secure, because the browser could always indicate who the user should be--there's no checking.
The top chart in this answer might help you. But beyond that, what tells you it's sending to the login page? Where are you trying to display the results?
The two things I would check on outside of those, though, are:
Your header is not correct, unless you've got a user named "thisistheheadername" as well. You should be passing a username through that value. I don't recall specifically, but it could send you to the login page if it doesn't recognize the username.
Are you sure external authentication is enabled? I would check in the "Configuration" section on the server to ensure it isn't still "default." The core service must be stopped before changes are persisted.

Chrome Extension, messaging: getting port status

I am trying to get a port's status in an application (not a content script). When I do :
this.port = chrome.runtime.connect("okcbadfdlhldjgkbafhnkcpofabckgde");
I get a valid port object but I can't find anyway to determine if the port can be used at all (I don't even get a disconnect event if the extension can't be reached).
The only way I figured out to have the connectivity state is to actually trap an exception when performing a this.port.postMessage.
Is there a better way ?
https://developer.chrome.com/extensions/runtime#method-connect
Update
Running Version 48.0.2564.97 (64-bit) on Linux Ubuntu
No cross-extension messaging, just application to/from extension
Extension source code but note I have since moved on to implement another strategy for the extension because of the issue raised in this question.
Your extension uses a background-script that provides listener function for the chrome.runtime.onMessageExternal event. This event is used to listen for incoming messages, send from external webpage-scripts (or other extensions) by calling the chrome.runtime.sendMessage method.
Since your extension does not provide a listener function for the chrome.runtime.onConnectExternal event, chrome.runtime.connect cannot work for your extension.
As far as knowing the connection status is concerned, in this case a simple try-catch block would do enough to know whether the extension supports port or not. If it does, you need to view the manifest corresponding to this extension - to see if a particular host is allowed to send messages or not.
I was able to send message to your extension (see the enclosed figure) by adding the following lines of code in the background-script. In addition to this, I also added the matches string for the host - www.example.org in the manifest.
chrome.runtime.onMessageExternal.addListener(
function(request, _sender, sendResponse) {
console.log(request);
...
}
);

How to clear AIR cache for working Facebook logout?

I am developing an AIR application that is supposed to run on desktop and mobile platforms.
For most Facebook functionality, I use the official GraphAPI for Flash, version 1.8.1.
To use the app, the user must login to Facebook, this works easily by first calling FacebookMobile.init(), and if it reports that the user is not logged in, logging in like this:
var webView :StageWebView = new StageWebView();
webView.stage = stage;
webView.viewPort = new Rectangle(0, 0, stage.stageWidth, stage.stageHeight);
FacebookMobile.login(handleLoginResult, stage, new Array(), webView);
All of this works very well, but logging out does not work as expected. Calling
FacebookMobile.logout(handleLogout);
does log out the user from Facebook, it seems, and handleLogout is always passed a true as first parameter. After this logout, when FacebookMobile.init() is called, it also correctly reports the user as not logged in. So I call the login() method from above again.
Then, the WebView opens, but closes itself immediatly, automatically logging in the user that just logged out, without showing any kind of Facebook login screen. But I want to be able to log in another user, by having to type in email and passwort.
Probably I should mention that the logging out happens when the application starts. The user can't log out himself, the application does so when starting, so that the user should be forced to login each time. Yes, this has a reason ;)
I'm sure this is some kind of caching problem, but how can I solve it with Flash/AIR?
Bit late but better than nothing right? I have seen this issue before when I was experimenting with the OAUTH api...
Found the potential solution while looking for a separate issue but with regards to caching/cookies...
This post explains what you need to do:
http://cookbooks.adobe.com/post_Cannot_logout_from_Facebook_on_Android_devices-19254.html
Basically its not a very pretty solution, but what it does is you manually delete the folders where the caching is happening.
Hope this helps.
Implementing "reallyLogout" from this answer for a similar issue worked for me:
https://stackoverflow.com/a/8199505/952779
Clear internet explorer cache & cookies, .. and it will log you out from StageWebView facebook login
UPDATE: Change also the app id from the descriptor xml file

implementing captcha in Flash

I'm developing a flash registration form and I need to incorporate dynamic 'captcha' images for confirmation.
Can anyone recommend a best solution for doing this?
Captcha is used to prevent bots from submitting html forms which is easily accomplished since html is easily understood and processed programmatically. The same is not true for a Flash application. It would be difficult for a bot to generically submit Flash forms if it was not specifically made to target your site.
Therefore you don't need to worry about the spam problem captcha solves when working with a Flash application.
Making a strong captcha is not a trivial task. It must be hard enough for bots to fail, but easy enough for humans to succeed... I would take a look at existing systems and possibly use them. reCAPTCHA is popular http://recaptcha.net/ . It might be possible to use it through flash, but I have not looked into it.
It's not that different from a captcha in an HTML form, really.
Suppose you're using php on the server and you have a captcha.php scritp that generates the captcha image and saves its value in the session. In an HTML form, you'd use an element and set its src to captcha.php. The user would fill up a field with the text they see in the image. In the script that receives the post, you'd check if the user input matches the session value.
In a flash form, it's exactly the same. You load the image calling captcha.php and ask the user to type the extra field. Then, when you post the data to the server you pass the value typed by the user in the captcha field and the server matches that against the value it has stored in the session when you called captcha.php.
So, basically, it's the same as in an HTML form.
Chances are, bots aren't going to be written for your website. If the need ever arises, a simple "add these two numbers for me, k?" would be simple enough.
In all honesty, i doubt someone would write letter recognition to sign up a few hundred times on your website =/
You should be more worried about someone disassembling [or whatever the flash term is] your .swf s and simply sending "register" messages to your server =/
And yes, by that, i tried to imply that Captcha must be applied server side, or, really, its not that hard to go around.
We had a strong need to implement CAPTCHA into a flash animation/form.
The most important point to note is that either FF or IE (can’t remember which one) doesn’t send any cookies back with a web service call. So if you’re submitting your form to a .Net web service you can’t use the session state of the http request to store the captcha text and then compare the user entered captcha value on submttion to the web service (session enabled web method)
We implemented the following:
Set a unique token value (Guid) on the web page
pass this token as a flashvar to the flash movie
load the captcha image into the flash with the token as a url param. Ie captchaImg.aspx?t=xxxxxxx
during that request save the random captcha text in a table with the token
when the user submits their form, compare the token and user entered captcha value with the one in the table
This approach works very well for us.
It’s also web farm safe.
public class Captcha extends Sprite{
private var question:String = "How do you feel?";
private var _answer:String;
private var isRobot:Boolean;
public function Captcha(answer:String){
_answer = answer;
}
public function checkAnswer():Boolean
if(answer != "sad"){
isRobot = true;
return isRobot;
}else{
isRobot = false;
return isRobot;
}
}
}