Access Cloud Code in parse-server from c# - c#

Does the C# .NET client library for the open source self hosted parse-server have support for calling Cloud Code functions? If so, how can this be done?
EDIT: I did find this http://parseplatform.github.io/docs/cloudcode/guide/ which does give an example of using the .NET library for calling a Cloud Code function, however it doesn't seem to provide any information on the client app providing authentication information so the Cloud Code function can check user permissions for a specific action. Is this possible?
Thanks!

You can access all your cloud code functions from the client after you initialize the Parse SDK with your appId and serverURL.
If your requirement is that only logged in users will be able to access one or more cloud functions then in your cloud code you can check the following:
if (request.user) {
// user is logged in
}
because in parse-server there is no Parse.User.current() anymore, so the logged-in user is sent as part of the request.
Now, in order to allow or prevent a user from reading or writing a specific object, you need to use an ACL (access control list). When you create a new ACL, you can specify which users/roles can read/write the object. You can even decide whether the object is public read or public write, in which case any user will be able to read from or write to it.
You can read about ACLs and Roles here.
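
A simplified model of the two checks this answer describes (the `request.user` login check, then an ACL granting read/write to users, roles or the public), as an added example that is not part of the original answer and not parse-server's own code. The ACL objects use the JSON shape Parse uses for ACLs; the `roles` array on the user object, the `updateNote` handler and the in-memory store are assumptions made for illustration.

```javascript
// Added example: a simplified model, not parse-server's implementation.
// ACL JSON shape: "<userId>", "role:<name>" or "*" -> { read, write }.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// True if `user` (null = anonymous) may perform `op` ("read" | "write").
function aclAllows(acl, user, op) {
  const principals = ['*']; // the public entry applies to every caller
  if (user) {
    principals.push(user.id);
    // Assumption: role names are already resolved onto the user object.
    for (const role of user.roles || []) principals.push('role:' + role);
  }
  return principals.some((p) => has(acl, p) && acl[p][op] === true);
}

// Cloud-function-style handler: login check first, then the object's ACL.
function updateNote(request, store) {
  if (!request.user) throw new Error('login required');
  const id = request.params.noteId;
  const note = has(store, id) ? store[id] : null;
  // Same error for "missing" and "forbidden" so callers cannot probe ids.
  if (!note || !aclAllows(note.ACL, request.user, 'write')) {
    throw new Error('object not found');
  }
  note.text = request.params.text;
  return note.text;
}

// Constructed sample data.
function sampleStore() {
  return {
    n1: {
      text: 'draft',
      ACL: {
        u_alice: { read: true, write: true }, // owner
        'role:Editors': { write: true },      // role grant
        '*': { read: true },                  // public read, no public write
      },
    },
  };
}
const alice = { id: 'u_alice', roles: [] };
const bob = { id: 'u_bob', roles: ['Editors'] };
const carol = { id: 'u_carol', roles: [] };

const acl = sampleStore().n1.ACL;
console.log('anonymous read :', aclAllows(acl, null, 'read'));
console.log('anonymous write:', aclAllows(acl, null, 'write'));
console.log('bob write      :', aclAllows(acl, bob, 'write'));
console.log('carol write    :', aclAllows(acl, carol, 'write'));
```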

Related

Permissions for Azure database management

I'm working on a small application to connect to Microsoft Azure, list all databases belonging to a certain resource group, and export all said databases. I'm using the Microsoft.WindowsAzure.Management.Sql library for this.
Following this guide, I've managed to set up an app registration in AD for my application and assign it the Owner role (for testing), authenticate with Azure and get an access token.
However, when I try to use that token to perform any operations on the database (such as listing all databases, using IServerOperations.List), I get the following exception:
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
The tenant ID, subscription ID, client ID and client secret are all correct, and changing any of them results in a different exception, already at the authentication stage.
How can I fix this? If the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
If the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
Microsoft.WindowsAzure.Management.Sql implements the ASM API (the old Azure API).
The reason you're getting this error is because you're trying to authenticate/authorize an Azure Resource Manager (ASM) API with application permission.
But Service Management API is a delegated permission and not an application permission.
For more detailed information about how to authenticate for the ASM and ARM REST APIs, please refer to another SO thread.
How can I fix this?
Microsoft.Azure.Management.Sql implements the ARM API. As you mentioned, you could use Microsoft.Azure.Management.Sql instead of Microsoft.WindowsAzure.Management.Sql,
or you could use X509 certificate-based authorization to authorize your ASM API requests.
For more information about how to authenticate using a management certificate, you could refer to this tutorial.
Note: It is recommended to use Microsoft.Azure.Management.Sql instead of Microsoft.WindowsAzure.Management.Sql.

asp.net GoogleCloud Firestore credentials not available

Trying to follow this tutorial to connect to Firestore, but I got this error:
"System.InvalidOperationException: 'The Application Default
Credentials are not available. They are available if running in Google
Compute Engine. Otherwise, the environment variable
GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file
defining the credentials. See https://developers.google.com/"
They don't explain how to authenticate to use Firestore. Can you please let me know how to do it and avoid this error?
Thank you.
The tutorial you linked does point to the authentication mechanism, which is here.
In summary, you will have to do the following:
Create a service account for your project from the Google Cloud Console. Make sure the service account has an appropriate role assigned so that it has permission to access Firestore.
Create and download a service account key file for that service account.
Save the key file in a secure location on your server.
Create an environment variable named GOOGLE_APPLICATION_CREDENTIALS on your server, and use the file location of the key file as its value.
For example, using PowerShell:
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
After that, requests will be automatically authenticated using that information.
Remember that you must keep your downloaded service account key absolutely secure and not distribute it.
Also as per the library documentation, if your server is in Google Cloud Platform, no action needs to be taken to authenticate.

Microsoft Graph API - Get photo

My company has an internal application where I need to pull/display pictures of all the employees from Office 365 without user intervention.
From what I read online, I think I need to call the Microsoft Graph getphoto API in a daemon application to achieve this, as per this link (https://developer.microsoft.com/en-us/graph/docs/authorization/app_only).
Would this be the right approach? If yes, please point me to any C# sample code related to this.
Appreciate your responses.
Yes, this is exactly the type of application you will want to build. App-only (machine-to-machine) authentication should be used anytime you don't need a user present to execute functionality.
You can take a look at the ASP.NET Core App Only sample to get a sense of how to register and set up your app to use app-only authentication. The sample goes on to use this access token to set up webhooks, but you can replace this logic with your custom code. You will want to select the scope User.ReadBasic.All to have access to users' profile photos.

How can I protect WCF service from unauthorized access?

EDIT:
Please note two things: application will be publicly available and users won't need to have any accounts. You can also suggest other solution than WCF, if it's better.
I'm developing an application in C# which could install other applications easily. The list of programs supported by this application will be stored on a database on a public server. Only my application should be able to access this database. Everyone can install this application, and users do not need to have any accounts.
Now, I'm wondering what the communication between the app and the server should look like. I'm thinking of developing a WCF service, but everyone can connect easily to this service (only my program should access this service).
Is there any way to protect a WCF service from unauthorized access? Or maybe you have a better idea of what the communication between this app and the server should look like?
Thanks in advance for any help!
You can check the links below for help on this topic:
https://msdn.microsoft.com/en-us/library/ms731925.aspx
https://msdn.microsoft.com/en-us/library/aa702565.aspx
You can configure your bindings to perform username- and password-based authentication, where you validate the username and password and only then grant access to the service.
.NET has built-in features for ensuring that the code calling yours is authorized to do so. For example, take a look at this snippet of code:
// Requires: using System.Security.Permissions;
[PrincipalPermission(SecurityAction.Demand, Role = "MyLocalSecurityGroup")]
public SearchResults Find(string contractNumber)
{
// ...
}
Notice the [PrincipalPermission] attribute. This attribute tells .NET that only principals who are members of the "MyLocalSecurityGroup" role are allowed to run this method (where a principal is a user/service account, and a role is a locally defined security group on the server). In other words, in order to run this method, the caller must be running under an account that is a member of the local security group specified.
For more details of how to create the group click here: https://msdn.microsoft.com/en-us/library/ms731200(v=vs.110).aspx

Admin access to user Google Drive files from installed application with Oauth2

I'm writing a set of Powershell Cmdlets that allow a user to run admin functions on their domain. Using gData I have been able to do provisioning calls to create new users, list groups and other things of that nature. When trying to list another user's documents (as admin) I hit a roadblock with the DocsList api, so I turned to the Google Drive api instead.
I've since been able to get the Drive API working and have a Cmdlet running based on their QuickStart for DotNet and File List Example. However, I can't seem to figure out how to make it list docs for another user. Everything I've found so far seems to point to the use of Service Accounts for delegation or using the old DocList API instead, which is deprecated in favor of the Drive API anyways.
My problem is the Service Accounts seem to be an alternative to the Installed Application, not something I can use at the same time. Or, if I were able to get it working I would have to have each user create their own project and service account, if I'm understanding things.
How can I do this without inconveniencing the users? They've already authenticated themselves as admins, I don't understand why they have to create an API project and service account to achieve the same thing. Would I create a single service account for my API Project? If so, how do I handle the public key it generates and needs access to? That doesn't seem very safe if I'm throwing around the key file.
You can impersonate a user only with service accounts. Once you configure your service account for domain-wide authority, you can make requests with your administrator account as you mention. But I'm not sure whether Google Apps allows multiple administrator accounts or not. If they do, all you need is to set up a single project and a single service account.
