Authentication with Box on iPad - box-api

I'm adding Box support to an iPad app. I tried the official SDK and I don't want to use it for the following reasons:
Login page is too wide for a modal controller with UIModalPresentationFormSheet style on iPad. The SDK hosts UIWebView which loads content of https://m.box.net/api/1.0/auth/, which perhaps returns HTML with min width set to 768px (although I didn't check the HTML, speculating here).
HTML in login page doesn't show Google Apps authentication option. The full desktop version of the page does.
Because the login page is hosted in UIWebView the user cannot be sure that he's supplying the credentials to Box, and not to an app author.
I don't need the whole SDK functionality, just authentication, folder/file listing and content download. Since my app also uses other cloud storage providers I'd prefer to provide uniform file browsing experience.
Here's what I'm going to do:
Add a custom URL scheme for my app, let's say "myapp".
In Box's Application settings for my app set Redirect URL to myapp://RedirFromBoxAuth.
When the user chooses to browse Box from inside my app, I'm going to:
Get a ticket by calling GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={API_KEY}
Extract the ticket, then call openUrl with https://www.box.com/api/1.0/auth/{TICKET} This will open Safari and let the user enter his credentials. This is the full, desktop version of the login page.
On successful login Box's server will tell Safari to redirect to myapp://RedirFromBoxAuth?ticket={TICKET}&auth_token={TOKEN}, which in turn will tell iOS to yield control to my app.
My app receives handleOpenURL notification and I can extract the authentication token and use REST API from now on.
Please comment, is it a good plan? I created a quick prototype and it seems to work, but maybe I'm missing something?
Box team, could you please tell us will an app using this authentication model be eligible for inclusion in OneCloud?

This seems like a good strategy and will probably make for a better UX/easier implementation than the normal redirect. Please let us know if you run into any weird edge cases by implementing it this way.

Related

How to get the URL to fully reload each time?

Issue: appears to be that banno framework is "remembering" the urls. This is happening in a mobile browser when the user does not close the tab or browser. When the user opens the page, banno is remembering the url from last time and trying to load the same url.
What needs to happen is that banno needs to fully reload the page so that we can go retrieve a new url and log the user in again.
Could it be how they treat plugins when a browser is left open. A url that is loaded is not good forever.
Odds are good that the situation you're encountering is described in https://stackoverflow.com/a/71267143/6680761
Essential info from that link is:
Part of keeping state of the page is keeping authentication data. The OAuth flow used to initially authenticate the user is not intended to be used on every page refresh. It's expected that the embedded web application will keep its own authentication state. How this is done is usually very specific to the language and platform used for the embedded web application. However all strategies almost exclusively use a cookie which is destroyed when the application closes.
The Oauth callback URL with an authentication code should be redirected away from once the code is exchanged for an access token. From that point forward your app should be using its own authentication mechanism.

How to login a user through their browser from AIR?

I'm working on an AIR app that logs a user in to a remote website. At certain points during the session the user may need to open a page in their browser. When they do that they are not logged in according to the browser so the user must login again. I'm trying to login them in through the browser when they login in the application.
I've read that AIR can manage cookies. I think it's doing that but I'm not sure. Is there a way to share cookies with the browser? Is that what manage cookies setting does?
If none of that is happening could I create a mx:HTML instance or stage web view and double login with that? A stage webview should be using the system browser correct? The same browser that will launch when navigateToURL() is called.
UPDATE:
It looks like cookies are shared across browsers except in a few cases such as Firefox and Linux. Update again, cookies are shared less often than initially thought. It looks like I might be able to login a user by creating a StageWebView instance. I will have to double check to make sure it's a default browser and not the internal webkit.
UGH. It looks like StageWebView on the desktop uses the internal webkit. There is a useNative property though. But even if I can use a native system browser I'm not sure how to log someone in with it because I don't think I can post to it? I think I can only set the URL which would be a get...
...It looks like I can create a post request and then use navigateToURL() to load that request. It would be hacky but it might work.
ARG. It looks like AIR doesn't support post through navigateToURL().
I don't know why you want to complicate things by thinking just to use POST ?! You can use GET by sending some temporary identifier ( token, hash, ... ), like some websites do with their user's newsletter when they give you the possibility to log in just by clicking a simple link in that newsletter, which will be generated by your server side script after that your user has been successfully identified, then when the user opens that link in the browser you can verify that information and then create your cookies ...
Hope that can help.

How to find out element names within pop-up windows?

I'm testing a website. When I enter the URL, before the homepage loads, I get a pop-up window asking me to log in with a username and password. I need to find the names of the elements in this pop-up window.
Unfortunately, it is one of those "block everything else" pop-up windows that doesn't let me change tabs or open Firefox' menu.
I normally use Firebug for identifying a page element's name, but in this instance it's doing nothing to help.
I tried RESTClient and JMeter Proxy Recorder (aka HTTP(S) Test Script Recorder / HTTP Proxy Server), but neither of them could give me the information I need. I'm running out of ideas.
Any help is appreciated.
Modal dialogs prompting for credentials usually stand for authentication challenge which can be:
Basic
NTLM
Kerberos
Modal dialogs are part of the browser UI and can't be inspected using Firebug, because Firebug can just inspect elements within a website.
Basic Authentication can be bypassed by injecting credentials into URL like:
http://username:password#host.domain
However the right way to deal with all aforementioned authentication challenges is using JMeter's HTTP Authorization Manager. Being properly configured it constructs and sends a correct HTTP Header containing authorization details along with the request.
For details on how to configure HTTP Authorization Manager for different authentication types see Windows Authentication with Apache JMeter guide.

How Chrome App (not Extension) can read DOM element of page hosting app install button

For my Chrome App, I followed Using Inline Installation guide, and when a website user clicks the installation button the app gets installed.
At the installation time (i.e. chrome.runtime.onInstalled.addListener(function() {}) in background.js), how can the app read a value (of DOM element or JavaScript variable - an ID of the logged in site visitor) from the HTML page hosting the installation button?
All online advise I found, is to use content scripts for extensions. The above-mentioned guide says: "Extensions can communicate with the embedding page via content scripts".
What is a solution for apps?
Sorry, but I don't believe that apps are able to get to the underlying page that they are installed from at all. The idea is that they should be sandboxed in their own private universe and not be able to affect anything outside their own window.
Extensions, on the other hand, are made to be able to access DOM of web pages.
So, I believe to do what you ask you will need to make an extension instead of an app.
If you just need to communicate some small piece of information from the web page to your app, look for another (out of band) method to do this.

PhoneGap index page

i know that the index.html page (the PhoneGap startup page) needs to reside on the device. but if we want to create an app who uses third party user authentication before proceeding to core application, so then what we have to do?
Thanks in advance
On android you can change the starting page in the main activity or you can make a redirect in index.html
Well, you don't say if you are platform specific..
And there are lots of third party auth options..
But I can offer two solutions (admittedly my own code etc),
both of them use PhoneGap for Android and PhoneGap Plugins. The key piece of code for me has been the onLocationChange callback feature of the ChildBrowser plugin. Your app can take the user to other sites for auth or whatever, but still get control back.
Tutorial on Using Twitter REST API (OAuth 1, ChildBrowser, jsOAuth plugin)
Free Android App + Source on github : AppLaud App (OpenID, ChildBrowser, custom server)
For authentication, you can have a form in your index.html (maybe under login div) to do a post to an actual webserver.
Then, fetch the data returned from the webserver to let your user access the functionality of your native phonegap application.
You can have the functionality disabled until you receive the successful login from the webserver. If you post via ajax, the webview won't even blink, but you will still get the successful login response from webserver and simply enable functionality on your app after this.
Let me know if this is confusing and I'll try to explain more clearly and
I hope this helps.