HttpAuthorizer() for Pusher - android

I need a private channel on Pusher in order to enable a bunch of Android clients to communication with each other. Pusher was recommended to me, although it is really complicated. I've read all the docs many times, so I'm hoping someone (Mr. Leggetter?) could give me a hand.
I've installed the Pusher Android JAR on the client and am able to subscribe to public channels that I trigger from the "Event Creator" (very neat), but in order to get the private channel working, in order to trigger events, I need this:
HttpAuthorizer authorizer = new HttpAuthorizer("http://example.com/some_auth_endpoint");
PusherOptions options = new PusherOptions().setAuthorizer(authorizer);
Pusher pusher = new Pusher( YOUR_APP_KEY, options );
According to http://pusher.com/docs/authenticating_users, the HttpAuthorizer() needs a URL that points to an app server that is going to respond with a JSON authentication token. Do I have to set up my own app server to provide authentication, like the example at https://raw.github.com/pusher/pusher-android-example/master/src/com/pusher/android/example/MainActivity.java, or can Pusher provide this? This seems like something Pusher should provide.
In the Ruby server code example for my app (why is there no Java?) I see this: Pusher.url = "http://{key}:{secret}#api.pusherapp.com/apps/{app_id}". This URL, however, does not exist. I tried it in HttpAuthorizer() and got a java.io.FileNotFoundException. (I just found the "Enable Clients Events" checkbox under Settings - checking it did not help, but I'm guessing that's an important step.)
If I have to set up my own app server for authentication, I'd like to use Java with GAE. http://pusher.com/docs/authenticating_users#implementing_private_endpoints has a Python/GAE example, but no Java, and I don't know Python. Is there a library for this? Will https://github.com/marcbaechinger/gae-java-libpusher# do the trick? It doesn't seem like it would.

token. Do I have to set up my own app server to provide authentication, like the example at https://raw.github.com/pusher/pusher-android-example/master/src/com/pusher/android/example/MainActivity.java, or can Pusher provide this?
You need to set up your own authentication server. The point in this is to allow you to authenticate subscriptions. This means you can authenticate the user in any way you see fit, against any existing or new authentication mechanism you may use e.g. user sessions (more applicable to web apps) or authentication tokens your own application may provide upon initial connection (via some username/password login to your system).
In the Ruby server code example for my app (why is there no Java?) I see this: Pusher.url = "http://{key}:{secret}#api.pusherapp.com/apps/{app_id}". This URL, however, does not exist.
There is a Java server library but Pusher don't directly maintain that. It's a community contributed one.
I'm not sure where you got the URL from. Maybe from the Web API reference, but unless you are writing your own Pusher Web API library I wouldn't expect you to be using that URL directly. There are Pusher and contributed helper libraries for that sort of thing.
If I have to set up my own app server for authentication, I'd like to use Java with GAE. http://pusher.com/docs/authenticating_users#implementing_private_endpoints has a Python/GAE example, but no Java, and I don't know Python. Is there a library for this? Will https://github.com/marcbaechinger/gae-java-libpusher# do the trick?
Yes, you need to set up your own authentication server. You could create a client-side authorizer, but that would mean exposing your app_secret in client code - which you shouldn't do.
The PusherUtil class provides a number of helper methods that you could use to add subscription authentication support to the library. But - you are right - it doesn't appear to offer this functionality.
The Pusher Play module (also Java) does appear to have an appropriate method so this could be ported. See:
https://github.com/regisbamba/Play-Pusher#generating-the-authentication-string
I don't work for Pusher any more, but I would be happy to contribute to an improved Java library.

Related

Custom IoT Endpoint

We need to use a custom IoT endpoint due to firewall restrictions and needing to utilize Static Ips. We followed this AWS doc to get our endpoint with static Ips.. From here we are attempting to call the CreateKeysAndCertificate via Java. Now when we call IoT with our custom domain name, iot.custom.domain.name.com, with the regular Java SDK it works fine. However, whenever we try to use the Android SDK and call setEndpoint with our custom domain we get the following error
com.amazonaws.services.iot.model.ResourceNotFoundException: Not Found (Service: AWSIot; Status Code: 404; Error Code: ResourceNotFoundException
Any help or guidance on this would be appreciated.
When using the Android SDK for establishing IOT connections, the CreateKeysAndCertificateRequest API is available through the AWSIotClient class. If you are using the AWSIotClient for creating new certs/keys, the SDK places this request on the generic iot.<region>.amazonaws.com endpoint. The setEndpoint method just allows you to change the region. This is because the request goes to the Control plane, whereas the endpoint that you have created would mostly likely be on the Data plane. There is no way around to create new certs/keys using the AWSIotClient on the custom endpoint.
There is an alternate option that you can make use of. Almost all "requests" that you place on the IOT endpoint are messages that are published to "reserved topics". If you open up the Java SDK's PublishCreateKeysAndCertificate API, you will see that it is ultimately publishing a message over a reserved topic. You can do something similar on Android using the Android SDK as well.
First, you will have to establish an authenticated connection. We cannot use CognitoCredentialsProvider because of that auth request going to the Control Plane. Instead, you can use the provisioning certificates for the first time authentication. This is through provision certificates generated for a Provisioning Fleet. You can create a Provisioning Fleet and use those certificates in your device's keystore (or, a PKCS12 cert file). Using that, you can create a new awsIotMqttManager object and publish a message on the reserved topic meant for creating new certs/keys. You can also subscribe to reserved topics meant for receiving the "accepted"/"rejected" responses for this request.
TL;DR
Create an awsIotMqttManager using the provision certs
Subscribe to topic for listening for accepted/rejected response for CreateKeysAndCertificates request
Publish a message over the reserved topic meant for CreateKeysAndCertificates
Register the thing using the ownershipToken received in the response
Store the new certs and use them for all future connections (make sure the policy attached to the certs have the necessary permissions)

Lumen App authentication

I am building an App API in Lumen, and I am a bit confused about how to lock down what/who can make requests to it.
At present I have no way of authenticating requests from the app, so anyone who knows the link could make requests from a browser and potentially cause havok. I know in the .env file there is an appkey variable which is currently empty, and after some research I can't seem to find a clear answer on what it actually does and if I need it.
So basically:
If request comes from my app, proceed.
If it comes from anything else, stop it.
That is what I am looking for.
I am using Ionic $http to make the requests.
Any help would be great
App Key is used for encryption which you can read at https://laravel.com/
use below command to generate key
php artisan key:generate
For more info on lumen auth check below github, Lumen 5.3 token auth
github link for lumen token auth

Adding social login to native apps using spring security oauth

I've been following this link https://spring.io/guides/tutorials/spring-boot-oauth2 for implementing security to my own resource server. My final goal was to have custom login oauth server to access resource server from an android app which I've achieved using grant_type=password.
Now I would like to add social logins like Facebook to the same flow. I was able to make it work for web apps easily,I even got the accessToken from facebook in native android app but now what? After so much searching I was not able to find anything good for an android app. So my questions are:
How to add social login using spring oauth2 to an android app. Any links?
Should I be using Spring social with spring security for my goal. If yes, how?
I've been using JDBCTokenStore to persist my tokens in case my server restarts. If I get my token to server somehow how should I store it?
Please let me know if my understanding is incorrect.
Without digging too deep into the details, you can take the token you get from the client and use it to create a new connection via the connection repository. Of course, you'll also need to know which use the connection belongs to. In the end, the code will look something like this:
Code:
UsersConnectionRepository ucr = ...; // probably injected
ConnectionRepository cr = ucr.createConnectionRepository(userId); // you determine the userId somehow
ConnectionData cd = new ConnectionData(...); // lots of params...you'll fill those in.
FacebookConnectionFactory fcf = ...; // create or inject this
Connection<Facebook> conn = fcf.createConnection(cd);
cr.addConnection(conn);
As you can see, the code above is rough...I'm leaving a lot for you to fill in. But that's roughly how you'd do it.

Protecting my Google App Engine API Endpoints

I have been doing a lot of research recently on securing my app engine. Currently, I've been reading through the question below and the links in that question:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
However, it doesn't answer my problem. My question is similar to the question above, restricting access to my endpoint API to only my app. The guy seemed to have got it working when he inputs a correct email into the credentials.
My question is if I can achieve the same results without having to input any credentials. I want it so that only my app can use my endpoint API so to prevent other apps from abusing it and using up my quota. I already got a client id for my android application, and have placed it within my #API annotation. To test if it worked, I made a random value for the client id in the #API notation of another api class. However, my app was still able to use methods from both class. Any help?
-Edit-
From reading from the docs and researching further, the endpoint way of authorizing apps is by authenticating the user and for my API to check if user is null. My question is that in the process of authenticating the user, is Google somehow able to read my app's SHA1 fingerprint and authorize it to its list of client ids? If so, how can I replicate this process in my endpoint so that I check the SHA1 fingerprint of the app making the request and compare it to a set value? I don't understand the mechanics behind the endpoints very well, so correct me if I am understanding this wrong.
If the android app has access, then the user has access. A motivated party has many options for inspecting your protocol, including putting the device behind transparent proxy or simply running the app through a debugger. I do suggest running your app through ProGuard before publishing, as this will make the process [a bit] more difficult.
Ultimately, you'll need to make your appengine API robust against untrusted parties. This is simply the state of the web.
How you can protect your endpoint API is described here: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
The secret is that you request a token from Google Play using the following scope: audience:server:client_id:9414861317621.apps.googleusercontent.com where 9414861317621.apps.googleusercontent.com is your ClientId.
Google Play will look up the id at your endpoints app and return a Google-signed JSON Web Token if it finds the id. Then you pass that id in with your request. Above article says you should pass it in with the body. I would possibly rather add another parameter for that because otherwise you can't pass your own entities anymore. Anyway, your server backend receives the token, and you ask Google as described if it is authentic, before you process the API request.
If you pass in the token using an extra parameter, you can catch it on the server side by adding HttpServletRequest to your endpoint signature and then using request.getHeader("Yourname") to read it out. Make sure you never add the parameter as a URL parameter as it may be logged somewhere.
public void endpointmethod(
// ... your own parameters here
final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated
On the Android side you can pass in your token when you build the endpoint api, like this, so you don't have to do it with each and every request:
Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
public void initialize(HttpRequest httpRequest) {
httpRequest.setHeader(...);
}})
Hope this helps you make your endpoints API secure. It should.

Pusher on Android

I'm trying to get Pusher working on Android. Here are my needs.
Must support "private-" channels
Must support secure connections
Must be able to override the pusher/auth endpoint.
Note: I've already tried the following routes....
loading pusher.js in a WebView and letting it fall back to SockJS
https://github.com/pusher/pusher-phonegap-android (Does not seem to support secure connections)
https://github.com/EmoryM/Android_Pusher/blob/master/src/com/emorym/android_pusher (Requires a private key to be pushed to the client, also not up to date)
https://github.com/jmschultz/JavaPusherClient (Does not support private channels)
Anyone else have any luck with this?
Pusher have a Java library: https://github.com/pusher/pusher-java-client
There's a very simple sample application here:
https://github.com/pusher/pusher-android-example
You can tell the Pusher instance to use an encrypted connection via PusherOptions. See:
https://github.com/pusher/pusher-java-client/blob/master/src/main/java/com/pusher/client/PusherOptions.java#L24
I think this is likely to be updated to be the default, or at least reconnection will try over SSL if an unencrypted connection fails.

Categories

Resources