I have an Android app where I use Firebase Auth API to confirm the user's phone, also I have my own server to store user data.
I'm planning to make cross-platform app using kmm. But problem is that Firebase Auth API require call setActivity(activity) method to be called, which depends on the Android activity.
I would like to share the authorization code between Android and iOS. Are there any solutions that allow you to use common Kotlin client side code or Kotlin server side code to do this?
I ended up have implemented 2 endpoints (/send_code and /check_code) on my server and have used a third party API to send SMS. An important part of the implementation was the IP limit on the number of requests, since all third-party APIs are paid.
Related
So, I know the paypal sdk for Android is deprecated. I decided to use rest api, but I'm not sure how to hide the secret key that I need to get access tokens from paypal's server. I thought maybe I could set up a function in "firebase functions" but I discovered that outbound connections are possible only if one has the premium plan...obviously. Now I dont know how to do this with a simple php server; so that new users that sign in on my android app will be registered in the "firebase database" after receiving the paypal id-token from my php server. All of that without exposing the api secret and without using firebase functions for outbound connections.
Come on guys, just tell me how should I set the question. I don't need the code.
You could use sqlciper to store any sensitive information, like the secret key, on the Android device.
As for the network calls, it's not a complete solution, but running queries over https should be the start.
I am using Django and we are planning on opening some of our API for 3rd party usage.
Till now we have been using DRF along with session authentication for our Django Web App and DRF with JWT for our Android application.
What I would like to know is whether the call is from our own app (webapp/android app) or from 3rd party apps (they can call from their own applications, which can be other webapps/phone apps). Is there any way this can be distinguished? We want to count the no.of 3rd party API call to our server.
Your android app can add header User-Agent with app version. So you may distinguish requests. However it is not very reliable - as any web client can send such headers. Here you can sign your requests. Take URL add some secret value calculate md5/sha2 from this values and add to request.
Protection is based on idea only you know secret value. It is ok for non-critical tasks but may be risky for financial apps.
I'm integrating Stripe Payment Gateway to an Android App and facing some questions and issues.
Following the Stripe Documentation it seems like having its own Server is required.
Digging for a few Hours, Firebase Cloud Functions can do the Server work...Great !!
But from what I can find, it can be done in at least two ways:
HTTP Trigger
A write to Firebase Database that would trigger a Cloud Function
So first, which one to use?
The good old Industry trusted http endpoint with good old Retrofit?
Or the much more simple Write to Firebase Database to trigger the function?
Also, as for the next step, I could not find any Android tutorial for the next steps. Only this Web app: https://github.com/firebase/functions-samples/tree/master/stripe.
From what I can see, it would need Node.js, npm etc etc...
Nothing more simple from Google?
Cheers guys
First of all, either way you're going to have to write backend code in JavaScript to handle payments.
So the process that works for us with Cloud Functions is -
1) Android provides card details to Stripe using native SDK
2) Stripe provides a token which Android sends it to your Firebase backend
you could store it in stripeTokens/userId/yourToken
3) Firebase cloud function then triggers a function and uses this token to create Stripe customer (See saving for later and Customer)
you could store it in stripe_customers/userId/stripeCustomerId
4) Remember to remove yourToken because it's only valid once
5) finally you can use this stripeCustomerId to make payments and update related nodes in the backend
Important concept here is to create a customer and store it in your backend for future payments.
So steps after 2) are all cloud functions, so yes most of the work is done in backend. Only thing Android is doing is entering card details, sending token, triggering and listening for future charges.
As far as HTTP is concerned, concept is similar but only thing different is you wait for the response and if there is any errors you get it there, whereas if you were to do with Cloud Functions, you would have to write those errors somewhere and read those from client.
Hope this helps.
As per LinkedIn documentation I see that we cannot use the mobile access token to make REST API calls which LinkedIn provides. I have a use case, where, in my mobile app, I use LinkedIn's mobile SDK for logging in to linkedin and I need to fetch certain data like logged in user's connections etc on the backend. This should ideally be done on backend instead of mobile because I do not want too many calls going from app to our servers. Is there any work around to do this?
Actually, there is a way to do requests from backend to linkedin via mobile SDK token.
Such configuration worked for me:
GET https://api.linkedin.com/v1/people/~?format=json
Headers:
Authorization = Bearer ${token}
x-li-src = msdk
Using the Mobile SDK, there's really no way around this at the moment. If you require back-end call capability, your best bet is to use an existing auth library that implements OAuth 2.0 in the mobile environment rather than using the official SDK. That way, the access tokens you get back from the process are usable in either situation.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.