38 Matching Annotations
  1. Last 7 days
  2. Dec 2019
  3. Nov 2019
  4. Oct 2019
    1. When using account linking it is important to be aware that some limitations exist. First, only two accounts can participate in a link. If an attempt is made to link to an account which is already linked, the new link will replace the original link. It is also not possible to link two accounts associated with the same authentication provider. While a Facebook account may be linked with a Google account, for example, it is not possible to link two Google provider based accounts. An attempt to link accounts from the same provider will result in an exception containing a message which reads as follows: User has already been linked to the given provider. Account linking can only be performed at the point at which a new account is created. It is not possible, in other words, to link two pre-existing accounts. A workaround to this limitation is to delete one of the two accounts and then establish the link while re-creating the account

      so a user cannot have 2 phone numbers or 2 emails :( :(

    1. foundation of empathic design is observation and the goal to identify latent customer needs in order to create products that the customers don't even know they desire, or, in some cases, solutions that customers have difficulty envisioning due to lack of familiarity with the possibilities offered by new technologies or because they are locked in a specific mindset. Empathic design relies on observation of consumers

      people don't always know what they want

    1. recommend using Firebase when the API calls involve any user data and the API is intended to be used in flows where the user has a user interface
    2. An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter
    1. This is useful if just a subset of the operations needs the API key

      can we do wildcard paths at all?

    2. API keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL
    1. API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key

      hmmm... what about client-API architectures where there are no username/pwd pairs?

    2. Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0
    1. Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did
    2. Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.
    1. OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider
    1. For each call to your API, the user should send a token with every API request, and you should validate the encoded token and either deny the request or send back the response.
    1. Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies
  5. Sep 2019
    1. deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP)

      isn't IAP sufficient to secure apps, then?

    1. On the App Engine flexible environment, ESP is automatically deployed for you when you add a few lines to your app.yaml file. For more information, see Deploying your API and ESP. For the App Engine standard generation 1 environment, you must use Endpoints Frameworks. If you instead deploy the container to one of the compute options above, you can proxy to either generation of App Engine standard runtime.

      ??

    1. Endpoints is a distributed API management system. It provides an API console, hosting, logging, monitoring, and other features to help you create, share, maintain, and secure your APIs
    1. Use your favorite API framework and language, or choose our open source Cloud Endpoints Frameworks in Java or Python. Simply upload an OpenAPI specification and deploy our containerized proxy

      oh so maybe endpoints framework is just their open source implementation that is limited to java 8 & python 2.7, otherwise endpoints is available to any stack?

    1. Endpoints Frameworks for Python is integrated with the App Engine standard Python 2.7 runtime environment. Endpoints Frameworks consists of tools, libraries, and capabilities that let you generate APIs and client libraries from an App Engine application

      this doesn't seem to be about security per se

    1. Endpoints Frameworks is supported only on the App Engine standard Python 2.7 and Java 8 runtime environments

      seems like endpoints frameworks is different from endpoints itself

  6. Jul 2019
    1. you should be mindful of how often you request updates to avoid annoying or tiring your users. That is, you should limit requesting in-app updates to only the changes that are important to the functionality of your app
  7. Jun 2019
  8. Apr 2019
    1. App Engine features a local UNIX socket interface for accessing your Cloud SQL instance with automatic authorization using the App Engine service account
  9. Feb 2019