Hi
We're on a project where we've got a Calender and events in it. Users are
allowed to add shown events into their Google Calender by simply hitting a button.
I see that it's possible to add an event using URL and it works great since today. There's an event with a little big description (about 1000 characters or more) and it crashes on Google's side when he evaluate the URL because it was truncated as it was too large.
So, I know there's an API than can be use but if my memory's still good, to add an event to the calendar, you must have access to username and password of the user's Google account.
Question
Is there any way to use API with an non-authenticate user or what is the best solution here without asking user's email and password? Because, I can for sure continue with URL, but the max lenght of my description is a bit confusing because my events are written in french. So, an "É"(1 char) is "&ecute;"(7 chars).
I'm familiar with using the Google Calendar API (in C#) and I'm pretty sure that it just wraps the http post/get request in an object oriented way. This means that you'd still hit your URL length limit even using the API.
It looks like there is a 256 character limit on event descriptions when added via URL: http://www.google.com/support/forum/p/Calendar/thread?tid=4e8d5d012dadc7b9&hl=en
Without knowing how your users interact with Google Calendar (individual users or google apps account, console or web app) its difficult to say. The calendar API does allow you to add events without authentication if you make the calendar public and allow everyone to add events.
What you could do is have a service account which has access to said calendar to add events and use that to authenticate to the calendar api. Again without knowing how your users interact with google it's hard to say.
Related
I have a web app (rest API) on azure, and I have a B2C setup that is securing it, requiring you to be signed in to access the API. This is good, as i wanted the API to be restricted to members. Basically, the entire web app requires authentication, and will prompt you for a sign in.
Heres the problem - my app has users (who have accounts) and clients (who do not have accounts). These clients might receive an email about a new appointment being set up with one of the users - this email should have one or more links/buttons (ie, a button to Confirm appointment, one to Decline, and one to request a reschdeule) and upon clicking this link I would like to update a field in my database via the rest api, so the USER knows the CLIENT's response. The trouble is, since the client wont have an account, I have no idea how I can give them a link they would be allowed to go to, and have the update happen.
I have tried to do a bunch of research - ive looked into AD external identities with a one time passcode - but i cant seem to find any info on how i would actually get this to work for my purposes.
Does anyone know how I might implement this in azure? Is there a way to call to azure form c# to generate a one time authentication that i can encode into a URL or something?
Any thoughts would be greatly appreciated.
Thanks!
You could do an anonymous authentication by using a magic link. The users account won’t even need to live in the directory. The link can be short lived, and potentially one time use. We call it id_token_hint or a magic link.
Sample here
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
And reference here
https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint
I just want that my users have the possibility to access their (not my!) google calendar within my application. I do NOT need any data from their google calendar. So first i tried with just a simple iframe, but google blocked this.
I tried this: https://developers.google.com/calendar/quickstart/js. It's working, but I just can access the data from the google calendar, but I do NOT have the calendar view..
So what is the easiest way to show the google calendar of the user?
You need to look into how the X-Frame-Options header works. Google Calendar responds to requests for a calendar in two possible ways:
If the calendar in question is marked Public, the response is returned with no "X-Frame-Options" header, and thus you can render it in your site.
If the calendar in question is not marked as Public, the response includes the "X-Frame-Options" header with a value set to DENY. According to the HTTP specification, this means that you are not allowed to show the response inside an IFrame, and nothing you can do is going to change that assuming you're using standards-based browsers.
The other application you mentioned likely includes a Web Browser control, and thus is rendering the calendar directly, meaning that the frame options don't impact it, but there's not a good way to simulate that inside a browser (again, part of the HTTP spec, and intended).
Your best option here if you really want to be able to show them their calendar is to consume the data from the API endpoint you mention and then produce your own view of it.
Basically we have an iOS app and also a Server application. iOS app would like to get some search result for the end user from SharePoint, so iOS app would submit search request to our server application which would perform the search by using web services (client API) on SharePoint by using a system account. The problem for us is to how to do the security trimming of search results for end user on iOS app.
We could send up the end user's user name and password from iOS app to our server and use that credential to call the search web services, however it is not desirable to do so. I also looked the custom security trimming (CST, Trim SharePoint Search Results for Better Security at SharePoint, it looks like that it won't solve our problem since at ISecurityTrimmer2:CheckAccess method, there is the claims for user who performed the query which is a system user, however we would need to be able to call our application back to find out the real user which seems not practical here:
public BitArray CheckAccess(IListdocumentCrawlUrls, IDictionarysessionProperties, IIdentitypassedUserIdentity)
Any other thoughts about how we could implement the trimming here for our situation? It is really appreciated for any suggestions.
By the way, the iOS app does use the SharePoint Web Services directly, however we want to avoid that since we want the API for search to be generic and not be limited to SharePoint, we are also thinking about sending the authentication header/cookie from iOS app to server for search, however it seems to me that it might not be a good idea and could be think of a security hack.
Update 1:
based on this post: Security trimming in search web service and Creating a Custom Pre-Security Trimmer for SharePoint 2013, there is ISecurityTrimmerPre which we could add more claims to the user, in theory, it could call back our web services to add the claims the correct end user although I don't really know how it would know which end user this search is for if there are multiple searches going on the same time. Another worry is that it seems that we would affect general SharePoint search as well which we don't want to do since we are adding ourselves to the search query pipeline.
I'm using PayPal's Website Payment Standard in my ASP.NET website.
What I do is when the user clicks on the "Pay Now" button, I do the following in the codebhind:
DB status changes
Generation of the PayPal form, hidden fields for the items
Call ScriptManager.RegisterClientScriptBlock() to call the javascript function that submits the PayPal form to PayPal.
I'm worried that the user can press stop on the web browser and then edit the values in the hidden forms and then submit the form. Is there a way to prevent this? Or a better alternative?
Thank you so much in advance!
I haven't done PP Standard. I've used Gateway and Pro/Express Checkout but its been quite a while - still, your question can be handled in a more "generic" way...
Unfortunately your plan will not do anything to protect you - just like any other HTML Form on the web, HTTP requests and responses can be inspected and tampered with using readily available tools.
The common way to prevent tampering is to do server-side validation of submitted values coming from any client/browser (the rule of thumb is "trust no one"). In your scenario, you are doing things on the server side, but that's still prior to the actual submission target of the data - which is PayPal. The step that actually sends the data to the "target" is still the browser/client - and there lies the issue so to speak. The data to be validated is meant for a system other than yours (so you can't validate for PayPal).
Unless there is an added layer of security, e.g. signature or encryption, it will always be vulnerable to tampering (viewing is a foregone matter, it can be viewed).
I don't believe (but I could be wrong) PP Standard has a server-to-server option for POSTing data. This would effectively "hide" the data altogether from the client/browser - nothing to see, nothing to tamper with. Data transfer is in the background - client/browser knows nothing of it.
However, their PayPal Payments Standard and Button Manager API seems to be the right/secure way of doing this.
In essence you will be creating what they call "encrypted buttons" on the fly. This way the data will look like gibberish to anyone inspecting it - it will only make sense to PayPal because they can decrypt the data accordingly. That's how the data is secured/protected from tampering (not viewing - but again, what can be seen is gibberish)...
Hth...
Update:
Also, you should consider PayPal IPN for storing data. You are making the assumption above (I think) that everyone who clicks the button will actually go through with the payment (or can pay successfully). With IPN, you will "listen" for data coming from PayPal only after successful payment (which is where you should store order related data and/or inventory updates, etc.) ....
Even though I'm working with PHP, using the NVP API you can get links to redirect using a token which can only be used by paypal. All the links will look like https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=TOKEN, where TOKEN is a token retrieved previously by calling the PayPal API.
I've only developed it for ExpressCheckout. You can check the API here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_reference
I am writing an app using WPF 3.5 and I need twitter integration.
I know that there are many API's for C# and most of them seem to be on the right track.
But one, painfully annoying (seemingly 100% required) step of the twitter posting is that you need to redirect the user to the twitter website, in which they need to login and click "allow" which then shows a PIN number which the user must enter in to my client app in order to simply tweet.
This is so cumbersome and annoying for each run of the app, I dont mind a once off thing, but each time?? Am I not doing this right, why isnt it just a once off allowance of a registered app? How do apps like TweetDeck do it so that they dont have to re-approve each time I load the app?
You need to store the token and the key provided by the server when you perform the OAuth authentication. You can continue to sign your requests using those keys. I'm not entirely sure which library you're using, which makes it hard to say, but there should be a means of retrieving the key/token that Twitter provides you with and passing this back in as a means of authentication.
One other alternative is to use xAuth, which makes it a little easier for your app to authenticate the user. The downside is that it's pretty oblique and might not be supported by the library you're using.
Good luck!