Paypal WPS credentials - php

I have my application running nicely. I use PayPal WPS, I left the default values untouched, I tried with the sandbox and everything works nicely, but now I want to release it and I'm not quite sure about the credentials...
The default credentials are:
<?php
define("DEFAULT_DEV_CENTRAL", "developer");
define("DEFAULT_ENV", "sandbox");
define("DEFAULT_EMAIL_ADDRESS", "sdk.seller@gmail.com");
define("DEFAULT_IDENTITY_TOKEN", "6vwLEY_ogPGnoQac2a0x4PRsSGrmzJPMkyGbJtpiCSwrkYsNSYxWfPY2ZLO");
define("DEFAULT_EWP_CERT_PATH", "cert/my-pubcert.pem");
define("DEFAULT_EWP_PRIVATE_KEY_PATH", "cert/my-prvkey.pem");
define("DEFAULT_EWP_PRIVATE_KEY_PWD", "password");
define("DEFAULT_CERT_ID", "B62GVU8RWNBFC");
define("PAYPAL_CERT_PATH", "cert/paypal_cert_pem.txt");
define("BUTTON_IMAGE", "https://www.paypal.com/en_US/i/btn/x-click-but23.gif");
define("PAYPAL_IPN_LOG", "paypal-ipn.log");
?>
How can I get real credentials? I don't find the PayPal help very useful... and I'm not used to using SSL. From what I could understand I need to get a private key and a public key, upload my public key to PayPal and get a PayPal certificate, but I don't know if that's right, nor what to do with the other values.

Having just done this myself, it depends on what you're doing with it.
If you're encrypting your buttons dynamically, you need the EWP variables.
This PayPal help file explains how to get the various keys you need using your server command line.
I also found a tutorial and a certificate builder (linked in the tutorial, but I didn't use it, so I can't confirm how secure it is...).
The first step is to generate a private key and public certificate for yourself. You can use various online resources to do this for you rather than needing to figure out how to do this from command line on your server.
Once you've generated your key and certificate, you need to put them on your server with your website files and set DEFAULT_EWP_PRIVATE_KEY_PATH (private key) and DEFAULT_EWP_CERT_PATH (your public certificate) to the relevant file paths.
Upload the public certificate to PayPal (instructions in linked tutorials, but basically find the EWP settings and upload a new certificate), and set DEFAULT_CERT_ID to the Certificate ID it gives you for that file. It'll also give you a file you can download (their public certificate) - add that to your server and set PAYPAL_CERT_PATH to the path for that file.
PAYPAL_IPN_LOG isn't necessary unless you're using Instant Payment Notification, but it is the location of the file you want to use for logging IPN records (if you want to use the default behaviour of the sample IPN listener, IPNListner.php).
BUTTON_IMAGE is, obviously enough, the image you want to use for your button.
DEFAULT_DEV_CENTRAL can stay as is. I think DEFAULT_ENV is a bit useless outside of development, as I don't know of an alternative to "sandbox" that works, since the standard URI is www.paypal.com/blah
Change DEFAULT_EMAIL_ADDRESS to your own PayPal account. You can also use your Merchant ID, but that seems a bit buggy on the Sandbox with EWP.
I've yet to find anything I'm using that uses DEFAULT_IDENTITY_TOKEN.
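The key and certificate steps above, carried out end to end with openssl, as an added example that is not part of the original answer or of the PayPal SDK. It generates the merchant key pair and self-signed certificate (the files behind DEFAULT_EWP_PRIVATE_KEY_PATH and DEFAULT_EWP_CERT_PATH), then signs a button body with the merchant key and encrypts it to PayPal's certificate, which is the sequence PayPal's EWP documentation prescribes (including -des3). Assumptions: the "PayPal" certificate here is a locally generated stand-in (in production you download the real one and set PAYPAL_CERT_PATH to it), the cert_id is the page's placeholder rather than one PayPal assigned, and the button values are constructed sample data.

```shell
#!/bin/sh
# Offline walk-through of the PayPal Encrypted Website Payments (EWP) key setup:
# build the merchant key pair and certificate, then sign-and-encrypt a button body.
# The "PayPal" certificate below is a locally generated stand-in, not PayPal's real one.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT_ID="B62GVU8RWNBFC"   # placeholder; PayPal assigns the real ID when you upload my-pubcert.pem

# Step 1: merchant private key and self-signed public certificate
# (DEFAULT_EWP_PRIVATE_KEY_PATH / DEFAULT_EWP_CERT_PATH in the config above).
gen_merchant_keys() {
  openssl genrsa -out "$WORKDIR/my-prvkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/my-prvkey.pem" -days 365 -sha256 \
    -subj "/C=US/O=Example Merchant/CN=example.com" -out "$WORKDIR/my-pubcert.pem" 2>/dev/null
}

# Stand-in for PAYPAL_CERT_PATH: in production this file is downloaded from PayPal's EWP settings page.
gen_stand_in_paypal_cert() {
  openssl genrsa -out "$WORKDIR/paypal-prvkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/paypal-prvkey.pem" -days 365 -sha256 \
    -subj "/CN=stand-in-paypal" -out "$WORKDIR/paypal_cert_pem.txt" 2>/dev/null
}

# Step 2: the button body PayPal expects, one name=value per line, cert_id first.
write_button_body() {  # $1 = output file; the values are constructed sample data
  cat > "$1" <<EOF
cert_id=$CERT_ID
cmd=_xclick
business=seller@example.com
item_name=Example item
amount=9.99
currency_code=USD
EOF
}

# Step 3: sign with the merchant key (DER, content attached), then encrypt to PayPal's certificate.
# These two commands are PayPal's documented EWP procedure; -des3 is the cipher PayPal documents.
encrypt_button() {  # $1 = button body; PEM PKCS7 blob on stdout
  openssl smime -sign -signer "$WORKDIR/my-pubcert.pem" -inkey "$WORKDIR/my-prvkey.pem" \
    -outform der -nodetach -binary -in "$1" \
  | openssl smime -encrypt -des3 -binary -outform pem "$WORKDIR/paypal_cert_pem.txt"
}

# What PayPal does on its side (here with the stand-in key): decrypt, then check the signature
# against the merchant certificate it holds for cert_id. Prints the recovered button body.
decrypt_and_verify() {  # $1 = encrypted blob
  openssl smime -decrypt -inform pem -inkey "$WORKDIR/paypal-prvkey.pem" -in "$1" \
  | openssl smime -verify -inform der -CAfile "$WORKDIR/my-pubcert.pem" 2>/dev/null
}

gen_merchant_keys
gen_stand_in_paypal_cert
write_button_body "$WORKDIR/button.txt"
encrypt_button "$WORKDIR/button.txt" > "$WORKDIR/encrypted.txt"
# The HTML form then posts cmd=_s-xclick and encrypted=<contents of encrypted.txt> to PayPal.
head -n 1 "$WORKDIR/encrypted.txt"
```

Upload my-pubcert.pem (never my-prvkey.pem) in PayPal's EWP settings, set DEFAULT_CERT_ID to the ID it reports, and keep the private key outside the web root with restrictive permissions; the encrypted blob in the form is what stops a customer from editing the amount before posting.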

Related

How can I access information on a public Facebook page with IoT?

I've written an IoT project, but I'm missing the last piece. I need to be able to get the number of likes (in JSON format) of a public page.
I tried looking into the Facebook developer info, but it seems they make it really hard to understand on purpose.
I tried creating my app, but I can't get my app approved since I don't know / understand how to "create" an app. What kind of files, etc...
I have a server hosting a website with FTP access, so no issues hosting any file.
I'm actually looking for comprehensive info on how to create an app. I'm pretty good at reverse engineering, so any example code is welcome.
Dealing with the Facebook approval process can be a hassle for sure; these few steps are key to getting your app approved.
Sign in to your developer account and create a new app.
Submit it to review and ask for the Page Public Content Access permission; this permission is easy to get approval for and is the one you need.
Now usually you need to add a short video showcasing your app's "user experience", but since they are giving out this permission to public fields I'm not sure you need one; try submitting first without it and hope it gets approved. Otherwise you need to create a demo; I recommend just screen-casting a simple text box input that receives an ID and returns a name (just keep it simple and fake it, there's no need to actually use your server or anything except for hosting the file).
Once you get approved you can use the permission to access public fields on public pages.

Firebase Token Verification

I have a PHP backend and an Android client. With the client the users can log into my app using either Google or Facebook, both via Firebase. I get the token from the FirebaseUser and send it to my server. It is straightforward that the first section (the header) contains the algorithm (which is RS256) and the second one (the payload) has all the user related data. There's a third section which is the signature of the first two to enable verification on my backend. The problem is, I don't know how to do that. More specifically with what.
I used JWT.io to check my token and tried to verify it with no luck. Since the algorithm used is RS256, the verification should be done via the public key. But what public key? I tried with my app's keystore, tried it with Google's certs, but it just keeps saying it's invalid. I understand that the header's kid field is the signing key's ID and I should look for it, but I don't know where.
The Firebase docs don't help either. There is a guide about ID token verification, but that's just useless because it's Java / Node.js and it still doesn't say anything about public keys.
So the question is: where do I get the public keys from?
Okay, so I dug into the source of the Firebase Server SDK and found the location of the public keys:
https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
Don't really know why they just couldn't put it on their website...
Anyways, I'm not sure, but I guess that these keys change on a daily basis (just like the OAuth2 keys do), so you must check and re-cache them on your server every now and then.
Also, you have to check the following values:
alg == "RS256"
iss: https://securetoken.google.com/<firebaseProjectID>
aud: <firebaseProjectID>
sub is non-empty
Found these at this similar question (just scroll to the bottom of the answer), which was found by searching for that specific googleapis.com URL.
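The checks listed in the answer (kid lookup, RS256 signature, iss, aud, non-empty sub, plus exp, which the list omits), run as a shell script over openssl, as an added example that is not part of the original answer or of any Firebase SDK. It is fully offline: a throwaway RSA key stands in for Google's signing key, a key set is written in the same shape as the document at the googleapis.com URL above (a flat map of kid to PEM certificate, one entry per line), and a token is minted with that key the way Firebase would. The project ID and kid are assumed values; the sed/awk JSON extraction is deliberately minimal and should be replaced by jq or a real JSON parser in production.

```shell
#!/bin/sh
# Offline demo of Firebase ID-token verification using only openssl and POSIX tools.
# Everything here (keys, kid, tokens) is minted locally; nothing is fetched from Google.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PROJECT="demo-project"            # assumed Firebase project id
KID="demo-kid-1"                  # assumed key id, as it appears in the JWT header

b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }   # stdin -> base64url, no padding
b64url_decode() {                                                     # $1 base64url -> raw bytes on stdout
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}
# Minimal extractors for the compact JSON inside a JWT; use a real parser in production.
json_str() { printf '%s' "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'; }
json_num() { printf '%s' "$1" | sed -n 's/.*"'"$2"'":\([0-9][0-9]*\).*/\1/p'; }

# Pull the PEM certificate for one kid out of a key set shaped like Google's
# securetoken@system.gserviceaccount.com document: {"kid": "PEM with \n escapes", ...},
# one entry per line. (jq -r --arg kid "$kid" '.[$kid]' is the robust way to do this.)
cert_for_kid() {  # $1 = key-set file, $2 = kid
  awk -v kid="$2" -F'": "' '{
    k = $1; sub(/^[[:space:]]*"/, "", k)
    if (k == kid) { pem = $2; sub(/",?[[:space:]]*$/, "", pem); gsub(/\\n/, "\n", pem); print pem; exit }
  }' "$1"
}

# Stand-in for Google's signing key: a throwaway RSA key and self-signed cert published under $KID.
make_test_keyset() {
  openssl genrsa -out "$WORKDIR/issuer.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/issuer.key" -days 1 -subj "/CN=securetoken-demo" \
    -out "$WORKDIR/issuer.crt" 2>/dev/null
  escaped=$(awk '{ printf "%s\\n", $0 }' "$WORKDIR/issuer.crt")
  printf '{\n  "%s": "%s"\n}\n' "$KID" "$escaped" > "$WORKDIR/keys.json"
}

# Mint a token the way Firebase would: RS256 over base64url(header).base64url(payload).
make_test_token() {  # $1 = kid for the header, $2 = project (iss/aud), $3 = sub, $4 = seconds until expiry
  now=$(date +%s)
  header='{"alg":"RS256","kid":"'"$1"'","typ":"JWT"}'
  payload='{"iss":"https://securetoken.google.com/'"$2"'","aud":"'"$2"'","sub":"'"$3"'","iat":'"$now"',"exp":'"$((now + $4))"'}'
  input="$(printf '%s' "$header" | b64url_encode).$(printf '%s' "$payload" | b64url_encode)"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$WORKDIR/issuer.key" | b64url_encode)
  printf '%s.%s' "$input" "$sig"
}

# Verify a Firebase ID token: $1 = token, $2 = project id, $3 = key-set file.
# Prints the claims on success; returns 1 with the reason on stderr on any failure.
verify_firebase_id_token() {
  token=$1 project=$2 keys=$3
  h=${token%%.*}; rest=${token#*.}; p=${rest%%.*}; s=${rest#*.}
  case $s in *.*) echo "malformed token" >&2; return 1 ;; esac
  header=$(b64url_decode "$h") && payload=$(b64url_decode "$p") && b64url_decode "$s" > "$WORKDIR/sig.bin" \
    || { echo "bad base64" >&2; return 1; }
  [ "$(json_str "$header" alg)" = "RS256" ] || { echo "alg is not RS256" >&2; return 1; }
  kid=$(json_str "$header" kid)
  cert_for_kid "$keys" "$kid" > "$WORKDIR/signer.crt"
  [ -s "$WORKDIR/signer.crt" ] || { echo "unknown kid '$kid'" >&2; return 1; }
  openssl x509 -in "$WORKDIR/signer.crt" -pubkey -noout > "$WORKDIR/signer.pub" 2>/dev/null \
    || { echo "unparseable certificate" >&2; return 1; }
  printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$WORKDIR/signer.pub" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1 || { echo "signature does not verify" >&2; return 1; }
  [ "$(json_str "$payload" iss)" = "https://securetoken.google.com/$project" ] || { echo "bad iss" >&2; return 1; }
  [ "$(json_str "$payload" aud)" = "$project" ] || { echo "bad aud" >&2; return 1; }
  [ -n "$(json_str "$payload" sub)" ] || { echo "empty sub" >&2; return 1; }
  exp=$(json_num "$payload" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] || { echo "expired" >&2; return 1; }
  printf '%s\n' "$payload"
}

# Usage: publish the key set, mint a token, verify it.
make_test_keyset
TOKEN=$(make_test_token "$KID" "$PROJECT" "user-123" 3600)
verify_firebase_id_token "$TOKEN" "$PROJECT" "$WORKDIR/keys.json"
```

The order matters: the kid is read from the header and the key is chosen before anything in the payload is trusted, the alg is pinned to RS256 so an attacker cannot downgrade to HS256 or none, and the claims are checked only after the signature holds. The key set is cached by the Cache-Control max-age the googleapis.com endpoint sends, so refresh it on that schedule (or on an unknown kid) rather than guessing a daily rotation.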

How to authenticate a WordPress plugin by domain name?

I have a hybrid WordPress plugin that fetches all data using curl from the main server. Let's call it A.
B is the client that requests for data and also can send data to A.
Now every request is encrypted and authenticated using API access keys.
But the problem here is if I copy the plugin from B to a new client site C, the moment I use the same access keys etc. the plugin starts working.
I want to be able to restrict the access of one API access key to one domain name. How can I attain that?
I'd say include the allowed host's IP address (B) in your access key administration.
So: when B does a call, you can validate the key and the IP it's calling from.
On A, you can use something like $_SERVER['REMOTE_ADDR'] to test the IP calling the script.
Two downsides: when sites move servers, the plugin will stop working. And of course, people can still spoof their IP, so there is a way to get around this, but at least you make it a lot more complicated and probably not worth the hassle for most cases.
A suggestion by TJHX
Make it part of the license you give your customers. The honest ones will follow it, the dishonest ones will find a way to break your DRM. This is a problem technology can't really solve confidently, especially when with things like wordpress people can just see your code - By TJHX
I have also looked into a lot of options, but the mere fact is that the user always has access to the code in the WordPress plugin and can easily make amendments to the cURL request headers even if you encrypt it.
All we can do is add it to our licenses.
In my plugin, there are iframes that will be loading the data on the frontend so I am going to accept the domain name when the user buys the plugin and will check the referrers to my iframe to sort this issue out.
Thanks a lot guys for your help.

Signature does not match: IXCBA Inline Checkout By Amazon Magento Extension

I am using IXCBA's Inline Checkout by Amazon plugin for a Magento store. I have a secure encrypted connection to Amazon using SSL. Every time I am trying to make a purchase I keep on getting the same error:
SimpleXMLElement Object
(
    Error => SimpleXMLElement Object
        (
            Type => Sender
            Code => SignatureDoesNotMatch
            Message => The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
        )
    RequestID => id-name
)
I checked the AWS secret key and other data and replaced them countless times, but had no luck. I also asked the extension author for help and posted a question at the Seller Central of Amazon, but no clues given yet how to solve the issue.
Amazon recommends some scripts, including a JavaScript snippet, to check out issues with the signature.
I was considering using this JavaScript:
function getSignatureKey(key, dateStamp, regionName, serviceName) {
    var kDate    = Crypto.HMAC(Crypto.SHA256, dateStamp, "AWS4" + key, { asBytes: true });
    var kRegion  = Crypto.HMAC(Crypto.SHA256, regionName, kDate, { asBytes: true });
    var kService = Crypto.HMAC(Crypto.SHA256, serviceName, kRegion, { asBytes: true });
    var kSigning = Crypto.HMAC(Crypto.SHA256, "aws4_request", kService, { asBytes: true });
    return kSigning;
}
as I at least have some basic knowledge of JavaScript, using libraries like jQuery.
But I wonder now what data I need to replace to make the test. I also wonder if I can just use the Firebug JScript console to run the test or if I need to do it differently. The latter I can figure out by testing, but with the former I could use some help.
Update
I ran the script in FF Scratchpad and saw the key was missing so I added the AWS Access Key ID and ran it again, but nothing happened. I got no errors nor output.
Update II
I got another error when I replaced the access key, secret key and merchant ID:
Important Message
We're sorry, but there's a problem processing the order from this website.
Please contact the seller for help on placing this order.
Perhaps the config at Seller Central is not OK? The link is https://payments-sandbox.amazon.com/gp/cba/v2/widgets ... Perhaps the wrong version?
The changes in the database do seem like they helped, so perhaps the data I entered in the backend was not stored properly by IXCBA.
Update III
Code in backend was OK after all. After changing it the code got all mangled so I had to do it from the Magento backend again. But then I got the same XML error. Amazon mentioned this:
This now looks really strange. To complete an order, there are several API calls that your website will have to make. 2 basic ones are setPurchaseItems to put the order data into the order, and completePurchaseContract to process the order. In your case, the signature error is returned by the completePurchaseContract but the setPurchaseItems worked fine.
In this case, as long as you made sure that the merchantID, Access Key and secret key field doesn't have leading/trailing spaces in your magento backend, you will have to reach support from magiex your plugin provider to take a look. We don't have access to the code thus can't really help you to fix it.
So I contacted MageIx again. Waiting for a response while I try to figure things out.
In the end there were three issues. One, the installation was somehow not done properly. I had to get it redone. Two, the AWS Merchant ID, key and secret key were not added properly. That I adjusted. And three, there was a server timestamp issue that caused an issue with the self-signing of the cart. The MageIx developers made a custom extension to circumvent the timestamp issue. The other issues with the entering of the keys and re-installation were not hard to solve. CBA works now.
NB
The only issue now is that Inline Checkout by Amazon does not seem to work with FBA. But at Amazon half of the devs say it does and the others say it doesn't. But this is an issue for another thread.
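The signing-key derivation in the posted getSignatureKey() snippet, re-done with openssl so it can be checked against a known answer, plus the final HMAC over the string to sign that the snippet stops short of. This is an added example, not code from the original post, from Amazon or from the extension; the secret, date, region and service are the example inputs from AWS's Signature Version 4 documentation (not real credentials), and the expected signing key is the value that documentation publishes for them. It also shows the two failure modes the thread ended on: a stray space in the stored secret and a date that differs from the server's both change every byte of the key.

```shell
#!/bin/sh
# Signature Version 4 signing-key derivation with openssl, mirroring the posted getSignatureKey().
# Inputs are AWS's documentation example (secret, date, region, service), not real credentials.

to_hex() { od -An -tx1 -v | tr -d ' \n'; }   # stdin bytes -> lowercase hex

# HMAC-SHA256 of stdin under a hex-encoded key; prints the MAC as hex.
hmac_sha256_hex() {  # $1 = hex key
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.*= *//'
}

# kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")
get_signature_key() {  # $1 secret, $2 dateStamp (YYYYMMDD), $3 region, $4 service -> hex key
  k=$(printf 'AWS4%s' "$1" | to_hex)
  k=$(printf '%s' "$2" | hmac_sha256_hex "$k")
  k=$(printf '%s' "$3" | hmac_sha256_hex "$k")
  k=$(printf '%s' "$4" | hmac_sha256_hex "$k")
  printf '%s' "aws4_request" | hmac_sha256_hex "$k"
}

# The step the posted snippet stops short of: signature = HMAC(kSigning, StringToSign).
sign_string_to_sign() {  # $1 = hex signing key, $2 = string to sign -> hex signature
  printf '%s' "$2" | hmac_sha256_hex "$1"
}

SECRET='wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'   # AWS documentation example secret
KEY=$(get_signature_key "$SECRET" 20120215 us-east-1 iam)
echo "signing key:          $KEY"
# A trailing space in the stored secret, or a date that does not match the one the server
# used, each produce a completely different key, and therefore a SignatureDoesNotMatch.
echo "with trailing space:  $(get_signature_key "$SECRET " 20120215 us-east-1 iam)"
echo "one day off:          $(get_signature_key "$SECRET" 20120216 us-east-1 iam)"
```

When a provider says the signature does not match, diff the inputs before the code: trim the stored credentials, confirm the server clock and the date stamp you sign with, and compare your derived key against a published vector such as this one before suspecting the HMAC implementation.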

php / apache, is there any way to block cross domain post

I have an AJAX page with a PHP POST (so CAPTCHA is not a good idea).
Some fsockopen or curl call could set POST values to steal data cross-domain.
So in PHP / Apache, is there any way to block cross-domain POSTs?
You are publishing the data. You can't stop people requesting it.
If you want to keep it secret, require authorisation before allowing access.
There are various barriers you can put in people's way—while still keeping the data public—but none of them are difficult to bypass. Testing the user agent doesn't stop the requestor specifying a user-agent that matches a common browser. Requiring a cookie from another page on your site doesn't stop them requesting that page and getting a cookie for their tool. Etc.
A lot of web services that offer an API, but don't want just any old person to access the API, use public / private keys via cURL. You would have to do a little research on public / private key encryption if you are not familiar. I am sure there are PHP libraries that get all if not most of this done for you.
Credit card merchants like Authorize.net, and several customer database services that handle PII (Personally Identifiable Information) that I've worked with over the years allow you to post to a URL and retrieve the result. They protect their services using public / private key encryption. They issue me a key and I have to post that key along with my request data. The key is usually sent in a header, hence the need to use CURL.
Background Information:
http://computer.howstuffworks.com/encryption3.htm
PHP Examples:
http://www.joeldare.com/wiki/php:php_public_private_key_cryptography
Note: the benefit of this system is that you have absolute control over who is allowed to post to the PHP script on your server. If you don't need that level of control, you can just use something called "http basic auth". Place your sensitive scripts in a directory and protect it with .htaccess authentication. Here is a tool to get you started. http://www.htaccesstools.com/htaccess-authentication/
When you make requests via AJAX (jQuery, I take it) you can pass the login and password. Just make sure you use an SSL connection in your AJAX (HTTPS). Otherwise, people can sniff out your login and password, as it will be sent in plain text without the use of SSL.
If you do use basic auth instead of public/private keys, your domain will need an SSL cert if it does not already have one. You can buy one from someplace like Thawte.com (not cheap), or self-sign your own certificate. However, if you're going to go through all that trouble, you're 80% to the point of just going the public/private key encryption route. Self-signed certificates usually prompt the user's browser with a warning. This scares away a lot of people.
