Forgive me, but this is a vague question:
I am wanting to build an Android and iOS application to interact with my web application.
For example: Within my Android and iOS app, I am wanting to authenticate the users through my current web application, which currently is Laravel 4.2. The only tutorial I can find (which I'm sure is out of date) is - TutsPlus
My question is, do you have any more recent tutorials on web authentication (registering users with their tokens) / push notifications (sent from a server) etc.? The script I can see in the above example is both vulnerable to MySQL injection and lacks SSL.
Many thanks for your help in this. I know there is no right and wrong answer, this is mainly just for guidance for someone starting out in mobile development!
Try using HttpClient
Appcelerator has an example in there.
In essence, you're posting to the same URL as your web page, or another with a more mobile-appropriate response.
As for SQL injection, you can perform basic validation yourself, but remember that for HTTP requests, clients can be bypassed, which is why you want your validation to be server side.
Please forgive my (perhaps naive) question, I am still a beginner!
I have a website on asp.net core that is essentially a CRUD website. There are some Razor pages and some controllers. When the user is logged in, they can create and update the data they own (through javascript and said controllers).
Login is organised via Cognito's built-in UI. I redirect the user to it with the [Authorize] attribute on certain controller actions. The token (I think this is what it's called?) coming from Cognito is automatically stored in the browser cookie and is passed between the browser and the backend (controllers and Razor pages). In the backend controllers and Razor pages, I have very convenient methods like User.IsAuthenticated(), and can get claims and fetch cognito:username and similar fields.
The website is working well enough.
I am now working on native mobile apps (Android and iOS), and I am wondering how to deal with authorisation in them as well. I want the user to have the same experience in the mobile app as on the website: they would log into the mobile app and see and edit the data they created earlier on the website, and vice versa. I'm not sure how to implement this correctly. I see several options:
Option 1. Use the AWS Amplify framework in the apps. I am sure it will work nicely; but how will I then pass the token to my backend controllers? ASP.NET Core needs it to build this User object, I understand. I think ASP.NET Core stores it in the cookie appropriately named .AspNetCore.Cookies, but I'm not sure as to its format and whether it'll stay stable in the next releases.
I'm currently reading about JWT bearer tokens; maybe that's the thing that should be used instead of .AspNetCore.Cookies?
Option 2. I could "pretend" that the mobile app is the same as the browser and send exactly the same requests as my web frontend does. I suppose this sounds very complex - I'd need to store cookies, follow redirects (to the cognito built-in ui, for example) - I don't know if there is a built-in mechanism? However, in this case the app doesn't have anything to do with cognito, talks only with my backend, and is just following redirects. AppAuth states that Authorizing the user occurs via the user's web browser, so perhaps it can be used here?
Perhaps there are other options that I overlooked; I'm almost sure there is a simple solution I just can't see at the moment. Sorry it's all over the place, this is a very new topic for me. Thank you in advance!
I have a web application developed with RoR, and I was wondering if it was plausible to use it as the backend for an Android application that I would develop in Java or Kotlin?
For example, if the web application's authentication is handled with Devise, can I get the Android application to send the name and password to my web application and have it return the user as JSON?
Absolutely you can.
Usually the Android app would call an API rather than a web page. That is, you don't exchange HTML like a browser does, just the essential JSON. Lots of things work the same as a website. For example, you can use the same authentication mechanism for the API as for the website.
This is a good starting point for RoR to create an API.
https://guides.rubyonrails.org/api_app.html
Here's a starter for Android making a web-service call:
https://developer.android.com/training/volley/simple
That's just a GET, which you might use to get a list of something that's publicly available. It's probably worth understanding the other pages there too, because with web calls it's really easy to do bad things like lock up the UI thread, so it's best to use the example patterns and methods.
I'm a 3rd year BSIT student who wants to pursue a career of Web Development in the near future. We decided for our thesis to make a Web App about a certain topic using Ruby on Rails since it's the tool that we used during our WebDev class. I've had several experiences and accomplished projects using RoR thanks to the help of this site.
Our adviser suddenly suggested that we make an Android version of the app for the customer's side to utilize its portability. What we would like to happen is that the customers can input and retrieve data through that Android app from a database; on the other hand, the admin can also do the same using a desktop web app, also utilizing the same database used by the customers.
Are there any other recommendations of lightweight development and database tools that can help us make the desired web app besides Android Studio and Eclipse? Much better if it can support Rails or Ruby.
Note: Also, we're planning to include a GPS feature where you can locate certain shops using the said Android app.
What you are looking for is an API. You have a Rails app, now you have to expose API endpoints from your Rails App which your Android App can access and send requests to.
I don't know if you have learned about APIs yet, but in short, you set up new links that retrieve information from the parameters and respond using either JSON or XML. Your Android app will, for example, have a login form:
Name = john
Password = anything
When they submit the form, you take the name and password and send it using an HTTP request from Android to your Rails App.
#stupid example but this is how the link would somehow look like
http://www.your-site.com/api/login?name=john&password=anything
Your Rails app should be set up to receive requests via an API controller:
class ApiController < ApplicationController
  def login
    # authenticate user (look up the account from params[:name] and check params[:password])
    # respond with JSON, e.g. render json: { status: "ok" }
  end
end
Your Android app receives a JSON response from Rails, usually a status code telling Android that the authentication was successful or failed, and then you have access to your web app using Android. But nothing is secure, and you will have to set up tokens for each request, etc., because APIs don't have sessions like a browser. But since you are talking about a school project and not a production app, maybe you can ignore the security part.
Read this blog post on how to build an API:
https://labs.kollegorna.se/blog/2015/04/build-an-api-now/
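An added example (not code from the answer above or from Rails) of the two steps the answer leaves as comments: checking a name/password and issuing a token that the Android app then presents on every later request in place of a browser session. It is plain Ruby with no Rails dependency; the in-memory user store, the server secret and the token format are constructed for the illustration.

```ruby
require "openssl"
require "json"
require "securerandom"
require "base64"

# Constructed stand-ins for the Rails model and config (assumptions, not real project values).
SECRET = "replace-with-a-long-random-server-secret".freeze
USERS = {} # name => { salt:, digest: }; passwords are stored as salted PBKDF2 digests only

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: "sha256")
end

# Constant-time byte comparison so a wrong digest/signature is not leaked via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def register(name, password)
  salt = SecureRandom.random_bytes(16)
  USERS[name] = { salt: salt, digest: hash_password(password, salt) }
end

# Token = base64url(claims).base64url(HMAC-SHA256(claims)); claims carry the user and an expiry.
def issue_token(name, ttl: 3600)
  payload = Base64.urlsafe_encode64({ sub: name, exp: Time.now.to_i + ttl }.to_json, padding: false)
  sig = Base64.urlsafe_encode64(OpenSSL::HMAC.digest("sha256", SECRET, payload), padding: false)
  "#{payload}.#{sig}"
end

# What ApiController#login would render: the JSON body the Android app receives.
def login(name, password)
  user = USERS[name]
  return { status: "error" }.to_json unless user
  return { status: "error" }.to_json unless secure_equal?(hash_password(password, user[:salt]), user[:digest])
  { status: "ok", token: issue_token(name) }.to_json
end

# Run on every later API request (token taken from an Authorization header); returns the
# username on success, nil when the token is malformed, tampered with, or expired.
def verify_token(token, now: Time.now.to_i)
  payload, sig = token.to_s.split(".", 2)
  return nil unless payload && sig
  expected = Base64.urlsafe_encode64(OpenSSL::HMAC.digest("sha256", SECRET, payload), padding: false)
  return nil unless secure_equal?(sig, expected)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil if claims["exp"].to_i < now
  claims["sub"]
end
```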
Unfortunately I don't have any tried and tested code for this, simply because I think there may be various ways to do this, but I am simply looking for advice on which is best, as security and authentication is not my strong point.
I wish to have initially 2 clients - an android app and a grails based web client, both hitting grails RESTful web services. I have REST resources currently returning some data from the domain when using the web client, next step is to get the same data back into the android app. At the same time I want to integrate some user authentication so that the user must be logged in in order to receive back this JSON data from the REST layer.
In the past I have used Apache Shiro when creating a Grails app when only using the Grails web-based client. Is it possible to do the same with an Android app as the client?
In my Grails project with web/Android front-ends I'm using for Android auth a slightly extended version of the SPRING_SECURITY_REMEMBER_ME token (yes, I'm using the spring-security-core++ plugin). This fits well in the application and is an easy-to-implement, tried and tested solution.
I have an MVC application that I would like to port, at least a small part of it, to a mobile app (Android first). My first objective was to try to figure out how to authenticate the users.
It seems that forms based authentication uses cookies and that is not usable by mobile apps? Definitive confirmation would be appreciated.
But it seemed that you could do some form of authentication using a WCF service to create a token. Now I found a lot of sites that discussed how to create and secure the service end point but none really discussed the token generation.
Then quite by accident I stumbled upon WIF and the UserSecurityToken, which seems to be what I am looking to accomplish.
So if someone could please confirm this is where I need to be looking, so I can actually get back to coding rather than reading, I would appreciate it.
The way I see this working is:
Secure WCF service.
Using System.IdentityModel, it generates a token for a valid user and passes it back to the mobile app.
Then the app passes the token along anytime a service requiring privilege is called. For example updating the user's profile.
Is that how it is supposed to work? If not, could you please point me to an example of how it is supposed to work?
One other question, looking at the WIF site it seems to provide a lot of token types, what is the preferred type for android and iOS?
UPDATE: As was pointed out, it would be helpful if I provided more context.
The original website is an MVC3 web app.
I am attempting to write an app for some of the backend administration features using MonoTouch.
WCF seems to be a bad solution for cross-platform, and a package called ServiceStack is what I am now leaning towards for my web services. ServiceStack has its own authentication module, but it does not interface with the .NET MembershipProvider, which is an issue since the web app was designed with the membership provider.
I have to be overthinking this. It can't be this complicated to have an Android or iPhone app securely authenticate to a .NET membership provider through some form of web service.
Thank you in advance,
Chris