Implementing Reset Password and Email Changes in Google Identity Toolkit - python

I'm currently working on a Python-based App Engine website and am looking to add Google Identity Toolkit functionality, but am getting stuck on the implementation of password resets and changes to email address.
I have been able to get the Python quickstart example (https://developers.google.com/identity/toolkit/web/quickstart/python) working properly, but even using this, I haven't been able to properly set up the password reset and email change components.
I've been going through the Google group for this at https://groups.google.com/forum/#!forum/google-identity-toolkit but can't seem to find detailed steps or sample code based on Python.
Would anybody have any ideas or can point me in the right direction? Much appreciated!

After some trial and error, I've been able to get this to work by:
creating a gitkit instance using the gitkit server config json
calling the GetOobResult function, which sends back a dict containing the reset link, among other information (This is the crux)
finally, to get the user notification to work properly you'll need to return a json dump with {'success' : true}
Here are the key lines of code I used -- should note that this doesn't include the email sending portion with the password reset link, which you have to implement separately from gitkit.
import os
import json
from identitytoolkit import gitkitclient  # Google Identity Toolkit Python client

# Inside the webapp2 request handler that receives the widget's "forgot password" POST (as in the quickstart):
server_config_json = os.path.join(os.path.dirname(__file__), 'gitkit-server-config.json')
gitkit_instance = gitkitclient.GitkitClient.FromConfigFile(server_config_json)
# GetOobResult returns a dict holding the reset link (among other fields) when the request is valid
output = gitkit_instance.GetOobResult(self.request.POST, self.request.remote_addr)
if output:
    # The widget expects this JSON body to show its "email sent" notification
    self.response.headers['Content-Type'] = 'application/json'
    self.response.out.write(json.dumps({'success': True}))

Salesforce API - This session is not valid for use with the REST API - Invalid Session ID

For over a year, I have connected to Salesforce using the simple_salesforce package in order to pull some data from various objects and load it into a data lake.
I have used the authentication method with username / password / security token.
from simple_salesforce import Salesforce

client = Salesforce(
    username="****************",
    password="*************",
    security_token="****************"
)
On the 1st of February came the enforcement of multi-factor auth. Starting on that day, I consistently hit the same error over and over.
[{'message': 'This session is not valid for use with the REST API', 'errorCode': 'INVALID_SESSION_ID'}]
After some research, I tried to add a permission set with API Enabled and then API Only user. Result: still the same error, but now I am locked out of the UI.
Has anyone else encountered similar issues and could point me towards the right resources, please? Thanks!
MFA shouldn't matter for API access according to https://help.salesforce.com/s/articleView?id=000352937&type=1 (Ctrl+F "API"); it's probably something else your admin did.
Username, password+token sounds like you're using the SOAP login method.
See if you can create a "connected app" in SF to use the OAuth2 login method, more natural for the REST API. I wrote a bit about it in https://stackoverflow.com/a/62694002/313628. In the connected app you should be able to allow API access, even full if needed. No idea if Simple has a natural place for the keys though; it's a bit rubbish if you'll have to craft raw HTTP requests yourself.
Simple's documentation also mentions using JWT to log in (and that requires a connected app anyway); basically instead of username + pass you go username + certificate + the fact the admin preauthorised this user... You'll be fine until the certificate expires.
The text part of https://gist.github.com/booleangate/30d345ecf0617db0ea19c54c7a44d06f can help you with the connected app creation; the sample code's probably not needed if you're going with Simple.

How to set password reset url to a mobile deeplink using Flask Security?

Gist of the problem is, I'm not developing an SPA, I'm developing a mobile app, with a backend in Flask. Flask-Security-Too has provided me with some great features, and I'm now trying to use their password reset functionality. Here's my gripe.
I want to have the email send a deeplink, which users on the mobile app will click and get sent to the password reset form in the app. There's no UI view for this. But Flask-Security-Too has logic that requires the server to be hit first to validate the token, then redirects them to whatever REDIRECT_HOST is set to. Which works great when I set REDIRECT_BEHAVIOR to spa.
Is there a way to tell Flask "Hey, don't worry about the need to validate the token from the initially provided password reset email, let the UI/Mobile app make the call to determine that whenever they want" from the provided configuration? Thus, relaxing the constraint on the host name / details of the url for a password reset, as long as a token exists? Or is this abusing some of the principles of FlaskSecurity that I don't grasp yet?
My current plan is to let it open a mobile browser, and hopefully the redirect forces the app open? I have little experience with deeplinks, so I'm testing and probing things as I learn.
You are correct about current FS behavior - here is a suggestion (not clean, but it would be interesting if it was all you need) - the POST /reset/ endpoint is stand-alone - you don't have to call GET first - the POST will ALSO verify the token is valid. So the issue becomes how to generate the link for the email that has what you want. FS currently doesn't allow configuring this (that could be an enhancement) - but in 4.0.0 you can easily replace the MailUtil class and have your implementation of send_mail look for template='reset_instructions'. Now - at this point the email has already been rendered - so you would have to parse the body and rewrite the URL (keeping the token intact). Ugly but doable - is this sufficient? If so I can see a few simple improvements in FS to allow more flexibility around emails.
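The body-rewrite the answer describes, as an added example that is not Flask-Security's own code: it finds the server-side link of the form <server>/reset/<token> in the rendered reset e-mail and swaps it for a mobile deep link that carries the token unchanged, so the app can later POST it to /reset/<token> where it is still verified. The function names, the deep-link scheme myapp://reset and the host api.example.test are assumptions; the hook is meant to be called from your MailUtil.send_mail override when template == 'reset_instructions'.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# The reset e-mail contains a server-side link <server>/reset/<token>. The token is
# URL-safe (itsdangerous), so these are the only characters it can contain.
RESET_LINK_RE = re.compile(r"https?://[^\s\"'<>]+?/reset/([A-Za-z0-9._-]+)")


def rewrite_reset_links(text: str, deeplink_base: str) -> Tuple[str, List[str]]:
    """Swap every server reset link for a deep link carrying the same token, untouched.

    Returns the rewritten text and the tokens that were moved (handy for logging)."""
    moved: List[str] = []

    def _swap(match):
        token = match.group(1)
        moved.append(token)
        # urlencode leaves '.', '_' and '-' alone, so the token stays byte-for-byte intact.
        return deeplink_base + "?" + urlencode({"token": token})

    return RESET_LINK_RE.sub(_swap, text), moved


def rewrite_for_mobile(template: str, body: Optional[str], html: Optional[str],
                       deeplink_base: str) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Hook for a send_mail override: only the reset e-mail is rewritten, all others pass through."""
    if template != "reset_instructions":
        return body, html, []
    moved: List[str] = []
    if body is not None:
        body, found = rewrite_reset_links(body, deeplink_base)
        moved += found
    if html is not None:
        html, found = rewrite_reset_links(html, deeplink_base)
        moved += found
    return body, html, moved


# Constructed sample e-mail body (not a real Flask-Security rendering).
SAMPLE_BODY = ("Click the link below to reset your password:\n\n"
               "http://api.example.test/reset/WyIxIl0.YQ.abc-def_123\n\n"
               "If you did not request a password reset, ignore this e-mail.\n")

if __name__ == "__main__":
    new_body, _, tokens = rewrite_for_mobile("reset_instructions", SAMPLE_BODY, None, "myapp://reset")
    print(new_body)
    print("moved tokens:", tokens)
```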

Creating a Code Challenge for Spotify API PKCE, Why Is It Not In Byte Form?

I am not sure if I can ask about the Spotify API but saw no other subreddit to put it in.
I am trying to connect to the Spotify API without the use of external packages (like Spotipy).
I am reading their documentation here:
I decided to use PKCE since I want to distribute a piece of software and the user only needs to give their client_id (it's open source).
In that case, I need to create a "code challenge", this is what I have:
SpotifyCodeChallenge = base64.b64encode(hashlib.sha256(SpotifyCodeVerifier.encode()))
Yet this is the error I get:
How would I fix this?
# PKCE (RFC 7636) needs the digest *bytes*, base64url-encoded with the '=' padding stripped, as a str
SpotifyCodeChallenge = base64.urlsafe_b64encode(
    hashlib.sha256(SpotifyCodeVerifier.encode('utf-8')).digest()
).decode('utf-8').rstrip('=')
This will prob do it.
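A complete S256 code-challenge routine for the flow discussed above, added here as an example (not from the question, the answer or Spotify's own code): it generates a verifier from the RFC 7636 unreserved set, derives the challenge from the digest bytes with base64url and no padding, and assembles Spotify's /authorize URL. The function names and the redirect URI are assumptions; the client id is a placeholder.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Unreserved characters permitted in a PKCE code_verifier (RFC 7636 section 4.1).
VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def b64url_nopad(raw: bytes) -> str:
    """base64url (RFC 4648 section 5) with the trailing '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 characters drawn from the RFC 7636 unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), without padding."""
    # .digest() yields the 32 raw bytes; the hash object itself is not encodable.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def spotify_authorize_url(client_id: str, redirect_uri: str, scope: str, code_verifier: str) -> str:
    """Build the accounts.spotify.com/authorize URL for the PKCE flow (constructed parameters)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge_method": "S256",
        "code_challenge": make_code_challenge(code_verifier),
    }
    return "https://accounts.spotify.com/authorize?" + urlencode(params)


if __name__ == "__main__":
    verifier = make_code_verifier()  # keep this; it is sent later when exchanging the code for a token
    print(spotify_authorize_url("YOUR_CLIENT_ID", "http://localhost:8888/callback",
                                "user-read-private", verifier))
```

The verifier must be retained client-side and sent in the token request; only the challenge goes into the authorize URL.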

user email (correctly) shows as verified on frontend but not backend in modified firenotes

To address the close votes, all I'm asking for here is how to check that a user has verified their email in python on app engine.
The relevant bit of backend Python code is:
import logging
import google.auth.transport.requests
import google.oauth2.id_token

HTTP_REQUEST = google.auth.transport.requests.Request()  # as defined in the firenotes sample

id_token = request.headers['Authorization'].split(' ').pop()
claims = google.oauth2.id_token.verify_firebase_token(
    id_token, HTTP_REQUEST, MY_PROJECT_ID)  # MY_PROJECT_ID: the sample's project id constant
if not claims:
    return 'Unauthorized', 401
logging.warn('email verified? {}'.format(claims['email_verified']))  # always False
Original post:
I'm messing around with the firenotes example code. I've disabled everything but email log in, and want to make sure on the backend that the user has verified their email address. Inside frontend/main.js, checking user.emailVerified gives me the correct value.
However, this is not the case inside of backend/main.py.
Inside of list_notes() if I add a logging.warn(claims) I invariably see a key-value pair u'email_verified': False. I've tried restarting the server after verifying to avoid caching issues (which if they exist would still suck) but can't seem to actually detect whether the user has clicked the verification link in their email on the backend.
Is there something I need to add or configure to get the backend to be able to see (or maybe check for) email verification?
I just ran into exactly the same issue. The problem seems to be that the attributes associated with a particular Firebase token become stale, and this problem only affects token-based verification on the back end. Solution: if the user signs out and back in after email verification, then the information is updated.
More precisely, here is the current behavior. In JavaScript, on the front end, firebase.auth().currentUser.emailVerified is correctly true immediately after the user verifies the email and the page is refreshed. However, when the corresponding Firebase token is sent to the server via user.getIdToken().then(function(token) { sendToServer(token); }), and then verified using the Google App Engine Python library on the back end as uinfo = google.oauth2.id_token.verify_firebase_token(token, google.auth.transport.requests.Request()), then uinfo['email_verified'] remains False until the user re-signs in and an updated token is issued.

Malformed token - facebook API using Python. Encoding issue?

I've been playing around in Python and the Facebook API - I'm fairly new to it! I'm copying and pasting an access token into my Python app from the Graph API Explorer as oauth_access_token manually just before execution. The simple app is a loop which performs some actions based on the status of some inputs. The loop also refreshes the token so that once the app is started with a new token, it should keep going for a longer amount of time. Snippet posted below, with IDs anonymized:
import facebook  # facebook-sdk

oauth_access_token="ABCDEFGHIJL"
auth_str="/oauth/access_token?grant_type=fb_exchange_token&client_id=XYZ1ABC&client_secret=[ABC2XYZ&fb_exchange_token="+oauth_access_token
graph = facebook.GraphAPI(oauth_access_token)
oauth_access_token = str(graph.request(auth_str)['access_token'])
print oauth_access_token
profile = graph.request("/me/notifications")
profile2 = graph.request("/me/inbox?fields=unseen")
I realize this isn't a particularly elegant way of doing it. Bizarrely, when I do this on Windows, it works fine and I have access to my notifications and messages. When I do this on my Mac or Ubuntu it doesn't work and I get this error... I think it has something to do with encoding, but I'm not sure what nor how to fix it?
Malformed access token ABCDEFGHIJK?access_token=ABCDEFGHIJK