Recently I decided to develop a web application about giving away accounts for a game (a meta-community) and chose Parse as my backend service. I was a newbie in network security. At first I implemented all the authentication as variable in client code and soon realized by myself that I could bypass them easily.
Then I moved every authentication step to Cloud Code, set up CLP and ACL. Now the client is only responsible for collecting data, putting them as parameters and calling Cloud Functions, and finally receiving the response and represent it. This was all achieved through pure JavaScript (both client and cloud code).
Now come the other part: PHP. My friend has always advised to try working with PHP instead. I also have my own dedicated server which supports PHP (and also an SQL database, but we are not going into that). Now I'm really teared up as I'm aware of some limitations with Cloud Code (like execution time limit).
So my question is, what can PHP and Cloud Code do that the other cannot, and should I be too worried about either one of them? Also, if you use Parse, what responsibility do you often give to PHP and Cloud Code?
EDIT: the code is not really relevant but I will try to provide some examples. This is a code segment in the client side:
$('#login').click(function () {
FB.login(function (response) {
if (response.status == 'connected') {
Parse.Cloud.run("facebookAuth", fbResponse.authResponse, {
success: function (response) {
console.log("User logged in through Facebook!");
Parse.User.become(response.sessionToken).then(function (loggedUser) {
// The current user is now set to user.
console.log("facebookAuth: Authentication completed.");
activityLog("User logged in through Facebook!");
}, function (error) {
// The token could not be validated.
console.log("The token could not be validated.");
activityLog("An error has occurred: " + error);
});
},
error: function (error) {
console.log(error);
activityLog("You need to be a group member to use the application!");
Parse.User.logOut();
}
});
}
});
});
This is the Cloud Functions for them:
Parse.Cloud.define("facebookAuth", function (fbAuthRes, response) {
// I implement the Facebook authentication here.
// If user is logged into Facebook (and is member of my group), then the user is logged in then:
response.success({user: user, sessionToken: user.getSessionToken()});
// The full code is too long.
}
Related
I am actually developing application for bank cash management.. It must be real-time... Once there is a change in db it must be sent to the client... I don't want to use long polling or ajax etc... (Because It puts load on the server by repeating requests)...
Cant use nodejs or other server related technology... (Not installed in server)... Question is that I want to develop server pure in php... Can anyone post code and give the details about it... Searched internet a lot but nothing there... Suggestions will be appreciated
[Edit]
I am putting my angularjs code for long polling here:
function dataCtrl($scope, $timeout, Data) {
$scope.data = [];
(function tick() {
$scope.data = Data.query(function(){
$timeout(tick, 1000);
});
})();
};
and I call tick function in the following code
$http.get('url').success(function(data, status, headers, config) {
data.response = data;
$('.serverStatus').text(data.response.message);
data.calls++;
$timeout(poller, 1000);
});
};
You must use sockets in your application... You can find Php socket library named Rachet over here
http://socketo.me/
There must be socket connection between users. So socket will listen until the data comes
I have an app that has a full angularjs frontend with a codeigniter backend (with thishttps://github.com/philsturgeon/codeigniter-restserver)
I am using the codeigniter backend just to make api requests essentially.
The problem I am having now is managing a navigation view based on whether or not a user is logged in.
I have the navigation in its own navCtrl with a userService and loginCtrl.
I am storing loggedIn true or false in a cookie with a $watch on it in the navCtrl so it will update the navigations appropriately.
Any insight on why this may not be working? Any code i need to provide to clarify? Is there a "better" way to do this?
EDIT: The $watch is not actually catching when I update the value using the userService.
Thank you!
We have a very similar setup as you. What we do is have Codeigniter send a HTTP Status code of 419 (not logged in) or something like that. And then you'll use Angular Interceptors to 'listen' for the response from the backend.
app.factory('loggedIn',function($q,$location){
return {
/*
* Intercept all response errors & handle them
*/
responseError: function(response) {
if (response.status == 419) {
console.error("You are not logged in");
$location.path('/login');
}
return $q.reject(response);
}
};
});
Then push it to the $httpProvider:
app.config(['$httpProvider', function($httpProvider){
$httpProvider.interceptors.push('loggedIn');
}]);
This should handle your front-end navigation pretty easily.
There are also other things that you can do for the $http requests before sending & before response is returned. Makes for a slick setup.
Checking sessions in Angularjs and CI using AJAX:
Javascript function called in angular js controllers:
function check_session()
{
$.get(base_url+"admin/check_session/check", function(data, status){
if(data=="1") /* error 1 => un-athorized user */
{
window.location.href=base_url+"login";
}
});
}
Expaining AJAX request:
check_session is CI controller and check is function in that.
I'm trying to integrate PayPal payments within my Phonegap app. I can't see a cross platform way to do it.
I can only see OS specific plugins which I can't use in Phonegap build. Is there a way of integrating it using the childbrowser? Also, I failed to find a plugin for Blackberry.
Note: I use Phonegap build, so I prefer a plugin-less solution.
what you can do is the in app browser to connect to a php driven page online and there do your paypal stuff.
http://docs.phonegap.com/en/2.3.0/cordova_inappbrowser_inappbrowser.md.html
function onDeviceReady() {
var ref = window.open('http://apache.org', '_blank', 'location=yes');
ref.addEventListener('loadstart', function() { alert('start: ' + event.url); });
ref.addEventListener('loadstop', function() { alert('stop: ' + event.url); });
ref.addEventListener('exit', function() { alert(event.type); });
}
Remember to white list the url that you will be using within phonegap else you will not to be able to make a connection.
On the php side write your own restfull api to handle the processing of the payments try to minimize the data sent to and from the api also try to use a secure connection if possible.
paypal examples can be found here:
https://www.x.com/developers/paypal/documentation-tools/paypal-code-samples
its a solution but i do advise to use plugins for every platform, with those you can better guarantee safety, less bugs and less development time.
I am trying to add loing with facebook feature to my website, I used javascript to connect to facebook API, As you know facebook sends object named "response", I want to pass this object to my index.php page to read its content their.
could you please tell me how to pass and read this opject
If you need to work with facebook from your server, you can't use just js auth.
You need to implement "server login", described at Login for Server-side Apps
You need not implement all that complicated things, just find any library from internet, FB have its own library for php as I know, and use it to make server login. You can find many examples how to do it.
You can done with it by using jQuery.ajax() or jQuery.post() function. but it is not secured. Because js is open for all browser. Bad guys can send unexpected data and take chances to harm your app / web. Anyway it is your choice.
You can add a function here i have used replace_login() in FB.getLoginStatus() as following:
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
// connected
replace_login();
} else if (response.status === 'not_authorized') {
// not_authorized
} else {
// not_logged_in
}
});
Now write replace_login() in same file and after FB.getLoginStatus() as below:
function replace_login(){
FB.api('/me', function(response) {
$.post("http://yourdomain.com/ajax_post_login",{ username: response.username, name: response.name, fb_res: response }, function(data) {
alert(data);
})
});
}
Check facebook server-side-login, it will help you more.
I have a PHP page that needs to make a call to a external web service. This Web service call takes a bunch of sensitive data from a html form on the PHP page, e.g. SSN, and returns info related to that person.
The problem is that the web service call should be made as soon as the customer fills in the SSN field and the field loses focus, so the page cannot be reloaded in any way. I was thinking about using jQuery to make a call to the web service, but AJAX unfortunately requires that you are on the same domain as the requested resource. So I'm thinking about creating an local PHP page that makes the call to the web service and then use JQuery to call this new page.
Questions:
How do I use JQuery to call the local PHP script that makes the call to the web service?
Because the JQuery code will take sensitive data from a html form and send it to the PHP script, how can I encrypt the data?
To call your PHP file:
var url = "http://localhost/data.php";
var params = {
"SSN" : theSSN
};
$.get(url, params, function (){
// Do whatever you need here, once the data arrives.
});
To call the external webservice from PHP, I'd suggest using cURL.
To encrypt, I'd suggest using the HTTPS protocol instead of encrypting manually from JavaScript.
1) $.get("myscript.php", function(response) { alert(response) });
2) I wouldn't encrypt using jQuery, it would be slow and easy to decrypt. Enabling SSL on the server would be a better solution.
1: Ajax request example:
$.ajax(
{
type: "GET",
url: "http://yourdomain.com/yourpage.php",
success: function (msg) { //does something }
});
More details here
2: php XOR is a pretty good encryption algorithm, I use it myself for a project with sensitive data. you can find the function here.
Enjoy! :)
This probably won't help you in particular, but some webservices support something called JSONP, which adds a callback name to a normal JSON request.
However, chances are you will need to make some sort of local proxy, as not many JSONP services exist yet.
The way to go is enabling SSL on your domain, and doing the xmlHTTPRequest to the https of the remote service