I'm going nuts over here! I've got a website I am making in CakePHP that will form the back end of a mobile application. It is not a mobile website, it's designed purely to be used for a smartphone application.
That being said: The application needs the user to login. But I just cannot seem to find the right way to implement this. The BasicAuthenticate AuthComponent seems to hate me and doesn't make debugging easy. There's an OAuth 2.0 Provider plugin for CakePHP 2.0, but I can't figure out how to make it 2 legged, as the app won't be relying on the website to display a login form.
I really need to figure out which of these paths to take and how to make it work but just neither one wants to work. Anybody have any info on what I need to do?
Update The Basic Auth issue turned out to be due to Virtualmin preferring to use FCGId to allow the process to run as the same owner as the content of the website. I have since switched it back to mod_php and it works fine.
So my question is now more about using cakephp-oauth-server in a 2 legged setup.
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('index','view');
$this->set('logged_in', $this->Auth->loggedIn());
$this->set('current_user',$this->Auth->user());
if($this->name == 'Specific') {
// for the specific controller
$this->Auth->authenticate = array('Basic');
} else {
// everything else
}
}
checkout KVZ's rest plugin it may be of interest https://github.com/kvz/cakephp-rest-plugin
Related
I want to see analytics in my android application, but am struggling to set Adobe Launch and Analytics up.
I have Mobile Core and Analytics set up in the app itself. And it isn't producing any errors on run.
MobileCore.setApplication(this)
MobileCore.setLogLevel(LoggingMode.DEBUG)
try {
MobileServices.registerExtension()
Analytics.registerExtension()
Lifecycle.registerExtension()
MobileCore.start { MobileCore.configureWithAppID("app-id-here") }
} catch (e: Exception) {
// Log
}
And have created the property in Adobe Launch adding the relevant extensions needed, setting up environments and publishing a library. I now have a library published. But have no idea how to view the data gathered from the app? Am I miss understanding what Launch is? Any help on this would be appreciated.
Once registeration is done you can able to see the logs in App logs "AdobeExperienceSDK" but to see the actual event you need to login on AEP dashboard portal.
For setup and instruction please visit below official url from Adobe Launch
https://experienceleague.adobe.com/docs/launch-learn/implementing-in-mobile-android-apps-with-launch/configure-launch/launch-install-the-mobile-sdk.html?lang=en#prerequisites
I may be misunderstanding your question, but if you're asking how to see an aggregation of the data you sent to Adobe, your request contains the address of the repo where you're sending your info. You need to log into Adobe Analytics to see what you sent.
You need to set the events to track the screen views. Example:
Analytics.trackState("Screen Name", null);
The oficial documentation:
https://docs.adobe.com/content/help/en/mobile-services/android/analytics-android/states.html
You can also use https://aep-sdks.gitbook.io/docs/using-mobile-extensions/adobe-experience-platform-assurance , which can let you see Adobe Launch console/debugging notes in the Adobe Griffon interface. A bit overkill for a one-time thing, but if you're going to be spending a lot of time withLaunch in your app, it might be worth setting up.
As we know, there have been changes in access to the twitter API referring to callbacks URLs.
So far, I have been using the identification callback with firebase, as I indicated here:
This has been working perfectly so far.
I read in the documentation that now you have to indicate the callback, according to android or iOS in the following way:
twitterkit- : // if using Twitter Kit for iOS or
twittersdk: // if using Twitter Kit for Android.
My application is only developed for android.
I have tried all the possible variants, but I always get the following error:
The client application failed validation: Not a valid callback URL format.
The tested options have been:
twittersdk://pfa89MGYola62VIln ........ (MY_CONSUMER_KEY)
twittersdk://MY_APP-android.firebaseapp.com/__/auth/handler
twittersdk://https://MY_APP-android.firebaseapp.com/__/auth/handler
I have activated and deactivated the check "enable callback locking" ...
I've tried everything, I'm a little desperate
For another test, I tried to register the URL callback as if it were the iOS platform
twitterkit-MY_CONSUMER_KEY://
and it was accepted on the first attempt.
I do not mind losing the relationship with firebase, the truth is that I was not using it, but I have a serious problem if I can not connect with twitter again.
I appreciate any help.
I found the solution, I put it here in case it can be of help to someone.
The truth is that it is not well specified in the documentation, you have to take two steps.
First: activate the "enable callback locking" checkbox
Second: indicate the android sdk for twitter, WITHOUT CONSUMER KEY, unlike iOS users.
It would be like this:
I hope it helps
Google provides a convenient API to implement "in-app purchase" features on an Android app.
Along with these docs, there is also a dedicated chapter regarding the security level of this system and the good ways to design it.
The web is full of articles about this step, from public key protection to remote server validation, but I really can't understand why all of these techniques should work when the main problem is, simply, code hacking.
Maybe there is a better term to explain it, but let me do a quick example. The basic idea of my application is that, at certain points, the user can't proceed unless he has purchased an item.
Something like:
public void accessTheVeryCoolFeature() {
boolean haveIt = checkIfPurchased("verycoolfeature");
if (haveIt) {
// YEAH! let's open this very cool feature I paid 200 bucks for
}
else {
// ok... where is my wallet?
boolean purchased = startPurchaseFlow("verycoolfeature");
if (purchased) {
// my wallet is now empty but happy
}
}
}
Following the previous guidelines, the developer can protect his app during the purchase process, letting the startPurchaseFlow method to query a remote, trusted, server that validates the receipt.
Purchases done using a "fake marketplace" should be avoided by this.
Another method is to protect the unlocked content by obfuscating the code. This is really simple with tools like ProGuard and should make the life of an "hacker" a bit harder.
Now, I tried to act the part of an hacker that want to read my code, especially the billing phase.
It took me like 1 minute to spot the code I wrote in the previous example. Now the best part: what if I edit the (obfuscated) source code to do this?
public void atvf() {
boolean hi = cip("verycoolfeature");
hi = true; // <------------------------ AHAH!
if (hi) {
// YEAH! let's open this very cool feature for free
}
// ...
}
All the good words about remote verification and code obfuscation are totally gone. So why spend hours on trying to implement them when the very first problem is in a boolean value?
Am I missing something?
Unless your app is heavily dependent on its functionality being in a server - as in each functionality stays on the server and the app is just a client tool to call those server APIs, there is nothing you can do. If indeed it's a server-based app - you can check each incoming request (e.g. the app can send a one time session hash) if a valid transaction exists for it and is paid. If not, deny the request.
The app's code is running on the client's phone. If the hacker gains access to that code and is free to modify it to override any billing validations - there is nothing you can do. You should make sure he doesn't gain access to that source code in the first place.
I managed to post status updates on facebook walls and log in via the following code:
facebook.authorize(this,
new String[]{ "publish_checkins", "publish_stream"},
new DialogListener() { /*crazy stuff here*/ }
);
My problem is the very first time logging in. Because it seems that the facebook is is not supporting logins from test accounts I can't talk about SSO but consider the "normal", web based, login screen popping up.
Is there a way get around this screen and let the application perform a login via username/email/password combination - provided the user is willing to handle this data to the applications.
E.g. something like facebook.authorize(this, permArray, userName, password,
I ask because I'm not sure if this is even possible at all, read: if fb API is providing hooks for this. I can imagine it is kinda security concern and thereby switched off.
In this case it would be cool if someone could provide a link to some documentation listing all possible login methods (not "all" but the important ones for smartphones) - this would definitely be helpful in the next meeting.
The main document one should work with, in my opinion, when implementing the Authentication part for FB, is their tutorial (for Android this one) - seems you're familiar with it. There you can see how facebook expects you to get logged in.
And here (for Android here) is the list of the methods they provide for these purposes.
To be shorter, NO, they don't have some simple function, which would allow you to do something you mentioned. Looks like you must use browser/their official app to login, in order to save cookies there; or you can use UIWebView to save them in your app.
I worked with FaceBook API some time ago and I didn't like it a lot. Perhaps this is because of the changes they've been doing lately in the API, but their documentation seems to be just immature; not speaking about their official example client (HackBook), which just doesn't work as expected (e.g. post video on the wall doesn't work).
Somehow even after reading carefully their documentation I had quite a lot of questions like what can be done with this API and what's forbidden at all.
Hope this helps!
I would like to integrate Twitter into my Android application so that I can post messages to Twitter.
It really depends on how you want the interaction to work. You can:
Use their API (helped by a library such as twitter4j, as suggested by Heiko Rupp), or
Find a way to integrate with the Twitter app, although there is no published protocol for this as far as I know. This is also not a good idea because many people use other apps such as Twidroyd, TweetDeck and so on, but it would definitely be cool, or
If you don't expect the user to do this very often, you can just open up http://twitter.com/?status=<what-to-tweet> using a simple intent.
Method 3 can be easily described here:
Intent i = new Intent(Intent.ACTION_VIEW);
i.setData(Uri.parse("http://twitter.com/?status=" + Uri.encode(message)));
startActivity(i);
You can also combine 2 and 3. You can try a few known apps (official Twitter, TweetDeck, ...) and if all of them fail (because they're not present or because they have been updated and broke the protocol) you resort to opening up the browser.
Also note that it might be possible for method 3 to actually launch an app instead of the browser (or at least give the user a choice between the two), if the app handles the correct intents.
Another thing worth mentioning is that it's very possible that you will not be able to integrate with any Twitter apps. What I've said here is purely hypothetical, I have no idea whether these apps support such integrations. You should consult each app and see if they expose some intents that you could use. If they don't, you can still hack around a little and you might find them, but that will be unreliable because they will most probably break after a couple of updates.
You could use the twitter4j library to talk to twitter. Since Twitter has changed over to oAuth, the initial authentication is not trivial.
Basically you need to register your app with Twitter (go to your profile and then to the developer page to register your app - you will then get consumer token+secret). Then follow this example to authenticate with Twitter.
You may have a look at Zwitscher (rev 0.65, code of oAuth has not been updated for the nw internal changes after 0.65), which is an open source Twitter client for a larger example.
You may have a look at one of my examples of how to get Sign-in with twitter working on android.
It uses twitter4j, and with slight modification, you can make it post tweets too!
find it here.
UPDATE: there's one question specific to this issue: twitter,update status
I use twitter4j and oauth-signpost to create facebook like oauth authorization (webview dialog). Checkout this post
You can send the appropriate Intent to start the default twitter application
You can do this without Twitter4j, thus avoiding the massive headache of implementing the OAuth flow.
String tweetText = "We be tweetin!";
String url = "twitter://post?message=";
try {
Intent i = new Intent(Intent.ACTION_VIEW);
i.setData(Uri.parse(url + Uri.encode(text)));
startActivity(i);
} catch (android.content.ActivityNotFoundException e) {
Toast.makeText(this, "Can't send tweet!", 2).show();
}
Other supported twitter:// urls are listed here.
If the user has the Twitter App installed on their device it'll open it directly to a share view. When cancelled or shared it'll return direct to your App. Super simple. Similar to how iOS handles sharing now (with Facebook and Twitter integration).
This doesn't handle cases where the user uses another App as their primary Twitter client.