I'm trying to make some test with this nice library.
I have made successfully tests with yowsup-cli but now I'd like to create a small python script to manage in a smart ways events (with listener/callback).
I'm trying the code explained here https://github.com/tgalal/yowsup/wiki/Yowsup-Library-Documentation:
def onAuthSuccess(username):
print "Logged in with %s" % s
# make a call to method ready to be able to receive messages
methodsInterface.call("ready")
y = YowsupConnectionManager()
signalsInterface = y.getSignalsInterface()
methodsInterface = y.getMethodsInterface()
signalsInterface.registerListener("auth_success", onAuthSuccess)
methodsInterface.call("auth_login", ("username", "password"))
Is clear that username should be nationNumber + phoneNumber without other symbols. But is not clear to me where the password should be found.
With cli the authentication mechanism is different and it need a registration.
Can you help me please? Thanks
Just incase someone has the same problem that authentication isn't working though you're passing the right username and password as argument, You have to base 64 encode the password like is done in the Command Line client.
You have to get the password by registering using Yowsup or WART OR from your phone ( https://github.com/tgalal/yowsup/issues/234 ? )
import base 64
password= 'randomletters+somenumbers=' #Get this by registering
password = base64.b64decode(bytes(rawPass.encode('utf-8')))
This is not obvious and i forget often and might be what's going wrong.
you probably want to write
import base64
Nevertheless, this is still not working for me, though sending messages with yowsup-cli works fine.
There still seems to be a difference in authentication I have not understood.
Related
Problem: is here any ways to keep my login and password away from the code of a program (the program parse Instagram post info) that will be used by users? The code below takes info of the post, BUT if i make many requests to Instagram, it doesn't work. So i need to login in anyway instagram_web_api.login(LOGIN, PASSWORD), but my program will be used by another users.
Question: If my program will be used by another users, how can i hide my login and password from the code? I mean the program will be Desktop GUI, using code below partly, so users wouldn't see the code, BUT if they somehow look in the code, i want my login and password be hidden. Any ways, please?
Code:
...
def _parse_instagram_post(self):
instagram_web_api = Client()
instagram_web_api.login(LOGIN, PASSWORD)
media_pk = instagram_web_api.media_pk_from_url(POST_URL)
post_info = instagram_web_api.media_info(media_pk)
...
you can use Telegram Bot API
Why ?
Customers cannot access the source code.
More useful and easy
But if you don't prefer this way, you can
Obfuscate
Encrypt
Compile
your code.
I can suggest a few tools for these operations:
https://www.pyinstaller.org/
https://github.com/astrand/pyobfuscate
https://github.com/PyObfx/PyObfx
https://github.com/pycrypt123/pycryptor
I am just trying to create a python package on testPyPI for some testing (using twine), following this official guide. I am using a token, which succeeded exactly one time (username __token__, password is the token itself). Then I made a change and wanted to repeat that process, it doesn't work anymore.
related post
This seems to be a common issue, however I couldn't fix it so far. I'm on Windows 10, this is what I tried...
different ways of pasting into the console and different consoles (so that's not the issue)
using a .pypirc file for authentication details
a new token
a new account
a new email
also directly inserting username and password into the twine command (which should be avoided, I guess)
And I'm running out of ideas. Any clue?
I was struggling with the same issue. The tutorial OP referred to is, in my opinion, not explicit enough, because there tend to be two ways, which can easily be mixed (as I was doing, however, I am a newbie following the tutorial for a reason ;) ).
Solution:
Assuming a /home/.pypirc file is created you can either
use credentials (i.e, use username and password for logging into the website):
[testpypi]
username = <your username>
password = <your password>
or use the API token created on the website:
[testpypi]
username = __token__
password = pypi-<Rest of token>
Hope that helps others following the tutorial.
HttpPlatformHandler supports forwarding the auth token by enabling the forwardWindowsAuthToken setting in the web.config.
This sounds like a useful feature when needing to use Windows Integrated Authentication.
The document on this is very vague and does not go into explaining how one could use this token to get the authenticated user name.
If this setting is set to true, the token will be forwarded to the
child process listening on %HTTP_PLATFORM_PORT% as a header
'X-IIS-WindowsAuthToken' per request. It is the responsibility of that
process to call CloseHandle on this token per request. The default
value is false.
In my use-case, I needed to use Windows Integrated Authentication with Python, so did a setup with IIS fronting and using HTTP Platform Handler forward requests to Python.
The question is, how do I get the user name from the provided token in Python ?
The token in the 'X-IIS-WindowsAuthToken' header seems like a 3 char hex like 22b.
Okay, so I've researched this a bit and ended up reviewing how Microsoft.AspNetCore.Server.IISIntegrateion.AuthenticationHandler did it.
Then after figuring out one way, I wanted to post this answer so 1) I can find it later, 2) at least it's up on SO in case anyone else is wondering.
Okay, so the hex value is the handle and with the handle we can call impersonate user then get username, done.
All you need is the pywin32 package:
pip install pywin32
Complete example in Python:
import win32api
import win32security
if 'x-iis-windowsauthtoken' in request.headers.keys():
handle_str = request.headers['x-iis-windowsauthtoken']
handle = int(handle_str, 16) # need to convert from Hex / base 16
win32security.ImpersonateLoggedOnUser(handle)
user = win32api.GetUserName()
win32security.RevertToSelf() # undo impersonation
win32api.CloseHandle(handle) # don't leak resources, need to close the handle!
print(f"user name: {user}")
I'm currently working on a python-based app engine website and am looking to add google identity toolkit functionality but am getting stuck on the implementation of password resets and changes to email address..
Have been able to get the python quickstart example (https://developers.google.com/identity/toolkit/web/quickstart/python) working properly but even using this, I haven't been able to properly set up the password reset and email change components
I've been going through the google groups for this at https://groups.google.com/forum/#!forum/google-identity-toolkit but can't seem to be able to find detailed steps or sample code based off python
Would anybody have any ideas or can point me in the right direction? Much appreciated!
After some trial and error, I've been able to get this to work by:
creating a gitkit instance using the gitkit server config json
calling the GetOobResult function, which sends back a dict containing the reset link, among other information (This is the crux)
finally, to get the user notification to work properly you'll need to return a json dump with {'success' : true}
Here are the key lines of code I used -- should note that this doesn't include the email sending portion with the password reset link, which you have to implement separate from gitkit..
server_config_json = os.path.join(os.path.dirname(__file__), 'gitkit-server-config.json')
gitkit_instance = gitkitclient.GitkitClient.FromConfigFile(server_config_json)
output = gitkit_instance.GetOobResult(self.request.POST,self.request.remote_addr)
if output:
self.response.headers['Content-Type'] = 'application/json'
self.response.out.write(json.dumps({'success': True} ))
I have a client app that interacts with a web service to retrieve account information. There's a requirement that the user is notified if they mistyped the username/password. I'm modifying the web service to return something to my client to provide a hint to the user that there's an error in input.
How do I correctly implement the "username/password" not found for a web service using Python?
Do I tell the user that the username exists, but the password is incorrect?
Do I tell the user that there is no such username, but the password matched something?
Do I show a generic username/password combination is not found?
Do I use different status codes for different situations or provide a JSON payload with the error?
here's my code so far:
from flask.ext.httpauth import HTTPBasicAuth
accounts = [
["user0", "password0"],
["user1", "password1"],
]
#app.route('/accountlist')
#auth.login_required
def accountlist()
username = auth.username();
if ... : #check if accounts does not have the given username
#notify the sender that there is no such username
return Response('Not Authorized', 401, {'WWW-Authenticate': 'Basic'})
else:
#proceed to check password and retrieve/return account information
Do I show a generic username/password combination is not found?
Yes. Why do you think this is "generic"? Because it is the standard. This is the correct way because than a hacker can't go phishing for usernames.
Do I tell the user that the username exists, but the password is incorrect?
No, letting the user know that the username is correct is a user enumeration vulnerability. You are letting an attacker know which usernames are valid allowing them to narrow their target range. This would be useful if they later decided to try a brute force attack as they already know the usernames are correct and now they only need a working password.
Do I tell the user that there is no such username, but the password matched something?
Definitely not. This would mean that the attacker now had a valid password and could use any other username enumeration vulnerability on your site in order to try and find a valid username. Another common username enumeration location is the forgotten password form - many sites report back that there is no such username allowing an attacker to refine their list. Alternatively, they could use this password and brute force a username from it which may be a much easier job as usernames shouldn't benefit from being complex.
As an aside to this, you should be storing your passwords salted and hashed using a secure, slow algorithm such as bcrypt. This should mean it is not possible for you to practically check to see if any password matches the one entered.
Do I show a generic username/password combination is not found?
Yes!
Do I use different status codes for different situations or provide a JSON payload with the error?
Your JSON could return true or false to let the calling JavaScript know whether authentication was successful. If you ever develop any brute force protection, this should be accomplished by introducing a delay in the response rather than hard locking accounts. Hard locking accounts leads to a DoS attack as an attacker can lock out a valid account by repeatedly using the wrong password on purpose. For this reason, only a true/false response is really needed to let the user know if they were successful. Even if the account was hard locked, I would return false but include in the message that the user should contact technical support if they believe they should have access with the password provided.
You don't mention what kind of data you're serving but if you're working in financial or health care data: make it so either the user can log in or they cannot, you shouldn't endeavor to give them any information as to why.
If you want you can tell them that the username is incorrect but you cannot suggest other usernames. And, of course, you cannot give any information about what might be wrong with the password, just tell them that it's incorrect.
About the code you presented, I realize you didn't really ask for coding advice, still, I do tons of code reviews and consistently see the same issues over-and-over with these roll-your-own authentication schemes. If your code is ever audited the auditor will likely find the following issues:
You must never hardcode passwords.
You must never persist a password in cleartext, always use an irreversible hash (SHA-1 or greater) when a password is received and only work with the hash value
Your applicatoon should 'fail-closed', meaning set up the accountList() function to return a 'not authorized' prior to the if statement and prior to calling any functions that would throw an exception (like a database access). Make the auth check in the if statemnt. That way if something fails in the things that the if statement calls (say an exception in data access or file i/o) the user fails to log in.