I do not know how to explain this in technical terms. So let me begin with an example:
Story
I have an online e-commerce site www.ABCStore.com . I built this using MVC 4 (Razor) in Dot Net.
My friend has a travel agency for which his online site is www.DEFAgency.com . He got it built in Java.
Both our websites were up and running. One fine day I got a call from a company FicticiousServiceProvider and they asked me if I would be interested in getting customer feedback as a functionality on my website without having to write any code myself. What they offered was, I would have to include just a single line of code in the footer of my Masterpage(or layout page) and then the customers who log on to the site would see a small icon on the pages and would be able to provide their feedback.
The feedback will not be available directly to me. The FicticiousServiceProvider guys will analyze the data and provide them to me on a regular basis or on a need basis.
There were other services too which they offered.
I was really happy to have a functionality like that, specially without having to write any code. I tried it and it worked fine in my .Net website. My friend(with a java website) also added a single line to his code and it worked for him too.
My questions here are:
What is this process called ?
If I were FicticiousServiceProvider, how would I have developed this using .Net ? I mean, how to develop a functionality so that a consumer can consume the service using a single line provided by the service provider. Data transfer from my site in the form of feedback to the FicticiousServiceProvider is also happening, without me being able to see anything.
How was it possible for FicticiousServiceProvider to provide the functionality to a .Net app and a java app without any change in the line provided by them?
I have given the description from a consumers perspective. Please suggest from a developer's perspective. Many Thanks.
These things, like Google Analytics tracking code, are usually some kind of javascript injecton. It will use javascript to 'inject' a bit of code that sends a request to their servers (what their server side is coded in is irrelevant really). They then handle the request that includes the information they've gathered in javascript on the client side and store it, then use server side software to analyse that data to give out reports, etc..
So to try and answer your question separately.
I'd call the process javascript injection.
You would have to find the best way to send a request to your servers and handle that request. Could be done with ASP.Net MVC quite easily but any server side technology/code that can handle requests and send data to a store.
They use javascript which is separate to any server side code and works across browsers on the client side.
Related
I want to create a game within the Unity game engine in C# with .NET where I can securely connect out to a private server, and read and write data from/to the server. I understand how to do this in a non-secure way, where I would setup a private SQL database with a webpage interface between the two.
My problem comes here, I know if I want the web interface to be public, I need credentials to connect to the server, such as an Auth key, or username and password. However, in order to use those, then the auth-key would need to ship with the game as a file, or would need to be written directly into the codebase. I know that users can decompile games, and access these files and get the credentials if I include them, which means that option is off the table as far as I am aware.
It is my understanding that even with this layer between the database and the client, someone could still find the url for the interface between them, and then send custom function calls to this url as I will be doing in the game program. Wouldn't this lead to the same conclusion as having the database be open?
If anyone has answers to this, or resources where I can learn about this process, please let me know! I have never done server-side programming before and have also never thought about security before in my life.
You're correct in that you should not embed authentication keys into your apps. Where you're falling down is in exposing your database to the world. Don't do this. Instead, hide it behind a web server that serves only json data files. This way you can take advantage of the web server's authentication and session protocols.
Since you're already working with C#, I would suggest looking into ASP.NET Core MVC and specifically about WebAPI. But I would probably recommend node.js for lightweight microservices.
Im using gtm.js to track some data into my site. This is front-end part. But I need to create server-side logic(.NET) to track my data. I can;t find any information on the Google guide about server-side. Please, tell me is this possible and maybe some examples. Thanks
GTM is a client-side Javascript injector. It's also not a tracking/analytics software, although it can be used to deploy such software.
If you want to track information to Google Analytics you can use the measurement protocol, a language agnostic protocol that can be used in any language that can issue http requests.
If you need to trigger other tags from the server a service like https://segment.com/ might help you (comes for a fee. I am not affiliated or anything).
Update Feb 2020: Google has announced a closed beta for server-side tracking, where you run a container in a cloud environment that then distributes the requests. Simo Ahava has a little info in his twitter feed: https://twitter.com/SimoAhava/status/1222459714614841346. This is not yet a production feature.
GTM runs only on the front end (meaning on the client's browser side). But, as I can't determine based on your question what you are trying to accomplish, I can say that you can put some information in the dataLayer in the backend and then use that info on the frontend and manipulate with it in the GTM, before sending it further to any other scripts or tracking engines.
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
I have a C# Azure Web API backend where data is retrieved from a front-end Ionic Mobile App (which is basically an Angular App)
The authorization of users is done via Ionic's cloud service, so they handle the heavy lifting of registering users via FB, Twitter, basic (username/password).
My question is, when I go to call services from my backend API, how can I make sure someone just doesn't read a hardcoded username/password inside of the internal javascript code to access the backend data?
I know it's pretty far fetched, but is there anyway for the API to know the request is actually coming from the app (Android and iOS) and not just from someone trying to insert data and comments from a web browser that is unauthorized?
Since you're calling the API from JavaScript that is available for end users, you can assume that your JavaScript and all the logic/credentials contained within are accessible to all.
There are fairly secure ways around this, and FB/Twitter and their ilk have implemented it (using OAuth). Essentially, on passing credentials to the API, a token is generated, which is then used for subsequent calls to the API instead of the credentials.
You can avoid people randomly firing off 'unauthorized' requests using nonces which are generated when you render the form, and can be used only once to submit the form in question. You can then time-limit the validity of the nonce on the API end. Unfortunately, it's not foolproof, but this will limit the damage of any sort of 'brute-force' attack that you might get.
Again, with any shared 'secret' (that would guarantee the origin of requests), you have to assume that anyone with enough willpower will be able to extract it from apps, thus any method you implement here will be 100% foolproof. Probably the best you can do is have a shared secret generated for each user on each device.
Short answer: you can't.
Long answer: you can (and must) validate the behaviour of a client but not the client itself.
For example we can take a look on Pokemon Go: after a few hours there were bots able to play, after a couple of weeks Niantic started assuming Machine Learning software engineer and encrypt its API using unknown6 algorithm for stopping the bots, but after a few days of hard working the bots came again online.
You can use all the secure method of this universe (whit an high expense) but if someone (that have good knowledge of software engineering) want emulate your client at the end I will reach his objective
I'm having trouble getting the authentication portion working, particularly the external authentication. I'm using a client project to call my API, which then handles all the OAuth processing.
My issue is that once you authenticate through Facebook, it wants to redirect to my API url, and that redirect url has the access_code needed for authorization of subsequent API calls from the client. Is there a best practice for dealing with this situation? For instance, should I parse the access_code out of the url and somehow send it back to the client project?
Searching for how to handle this yields me vague results. Most everything I come across leads back to one of two links:
This is helpful understanding the high level concept
This implies that you should just dig around in the SPA template and figure it out on your own
neither of which really help me out much in a "how-to" sense.
The client project I'm ultimately working with is a Xamarin project, so I'm looking for C# or Xamarin library code how-tos in particular. If anyone can help, I'd appreciate it.