[google-appengine] Re: Manual Authentication

2009-03-27 Thread quake head

On Mar 25, 7:53 pm, r00723r0 r0072...@gmail.com wrote:
 It seems odd, I know, but I'm not doing anything malicious. I am
 making a laptop recovery service. The client on the laptop must update
 the Google App Engine server with the laptop's IP every few minutes so
 the App Engine server can keep track of it. But I need to make sure
 what user is sending this IP information.

 This is where the trouble comes in. The client on the laptop that
 tries to give the server the IP needs to authenticate but cannot
 without a login page.

Can't you send login information through an HTTP POST?

With each update, you just need to send identification information
that is unique to the particular user (perhaps a hashed password) and
match it to an existing database.

You don't need to send the ip from the client, since you can get it
from the server.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Google App Engine group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to 
google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en
-~--~~~~--~~--~--~---



[google-appengine] Re: Manual Authentication

2009-03-26 Thread David Wilson

Hey,

How about doing interactive login once during installation (e.g.
displaying a web browser control in your setup program), then using
this session to establish a shared secret between the machine and your
application. Something like:

secret = md5.md5(str(random.getrandbits(512))).hexdigest()

Then use that secret in the client to sign update requests:

sig = hmac.HMAC(key=secret, msg=str((nonce, current_ip, webcam_jpg))).hexdigest()

And passing that with the request. Store 'nonce' somewhere in
Datastore and the local machine, incrementing it once per request (and
at the server side, ensure the nonce never decrements - this is to
prevent replay attacks).



2009/3/26 r00723r0 r0072...@gmail.com:

 It seems odd, I know, but I'm not doing anything malicious. I am
 making a laptop recovery service. The client on the laptop must update
 the Google App Engine server with the laptop's IP every few minutes so
 the App Engine server can keep track of it. But I need to make sure
 what user is sending this IP information.

 This is where the trouble comes in. The client on the laptop that
 tries to give the server the IP needs to authenticate but cannot
 without a login page.

 On Mar 25, 8:50 pm, Steve Robillard steverobill...@gmail.com
 wrote:
 It might help to know why all the subterfuge. What problem are you trying to
 solve? As a user I would be suspicious of any system that forwards me
 through a series of links and sends secret information. With all due respect
 it sounds like you are trying to proxy a limited resource or bypass a 3rd
 party subscription requirement.

 Steve

 -Original Message-
 From: google-appengine@googlegroups.com

 [mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
 Sent: Wednesday, March 25, 2009 7:30 PM
 To: Google App Engine
 Subject: [google-appengine] Re: Manual Authentication

 I may have explained myself incorrectly. I need to log in from an invisible
 client without a web interface, and the login URL is unknown to the
 standalone client. The client needs to log in and send some data silently.

 The main problem is that the username and password are saved, so the user
 will not be manually logging in. Instead the client must be able to log in
 without a proprietary log in URL that Google provides.

 A possible solution:
 * The client connects to someapp.appspot.com/update/, which has only a login
 URL when a user is not logged in.
 * The client then connects to the URL and sends magical information to log
 in.
 * The login URL redirects back to the /update page, as it always does, and
 the Google App Engine program stores this visit as programmed.

 However, this solution is inelegant and annoying to program. Any better
 solutions?

 On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
  Hi,

  Please see the information in our Google Accounts section which shows
  you how to request/require login and generate login/logout
  URLs: http://code.google.com/appengine/docs/python/users/

  -Marzia

  On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

   I am writing a laptop theft recovery service. The client requests /
   update on the Google App Engine server, with user credentials,
   through HTTPS every few minutes. The server stores the IP from which
   the request was made and the time the request was made in the user
   information database model. My question is as such: how do I
   authenticate the user in the Google App Engine server? The username
   and password are given through POST in the HTTP request but I'd
   still need a login URL which the client cannot generate.
 




-- 
It is better to be wrong than to be vague.
  — Freeman Dyson
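
The signed-update scheme described in this message, as an added example that is not code from the thread. It uses the Python 3 standard library with HMAC-SHA256 in place of the MD5-based calls above; `UpdateServer`, `machine_id` and the in-memory dicts standing in for Datastore are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time


def new_secret():
    """Shared secret, generated once while the user is logged in at install time."""
    return secrets.token_bytes(32)


def _mac(secret, machine_id, nonce, payload):
    # A JSON array keeps field boundaries unambiguous, so two different
    # (nonce, payload) pairs can never serialize to the same signed bytes.
    msg = json.dumps([machine_id, nonce, payload], sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_update(secret, machine_id, nonce, payload):
    """Client side: one update request, as it would be POSTed to /update."""
    return {"machine_id": machine_id, "nonce": nonce, "payload": payload,
            "sig": _mac(secret, machine_id, nonce, payload)}


class UpdateServer:
    """Server side. The dicts stand in for Datastore entities (assumption)."""

    def __init__(self):
        self.secrets = {}     # machine_id -> shared secret
        self.last_nonce = {}  # machine_id -> highest nonce accepted so far
        self.last_seen = {}   # machine_id -> (remote_addr, unix_time)

    def enroll(self, machine_id, secret):
        self.secrets[machine_id] = secret
        self.last_nonce[machine_id] = 0

    def handle(self, request, remote_addr):
        machine_id = request.get("machine_id")
        nonce = request.get("nonce")
        if not isinstance(machine_id, str) or machine_id not in self.secrets:
            return "unknown machine"
        secret = self.secrets[machine_id]
        expected = _mac(secret, machine_id, nonce, request.get("payload"))
        # Constant-time comparison; check the MAC before trusting any field.
        if not hmac.compare_digest(expected.encode(),
                                   str(request.get("sig")).encode()):
            return "bad signature"
        # Strictly greater than the stored value: a repeated nonce is a replay.
        if not isinstance(nonce, int) or nonce <= self.last_nonce[machine_id]:
            return "replayed"
        self.last_nonce[machine_id] = nonce
        # The address is taken from the connection, not from the client.
        self.last_seen[machine_id] = (remote_addr, time.time())
        return "ok"


if __name__ == "__main__":
    server = UpdateServer()
    key = new_secret()
    server.enroll("laptop-1", key)
    # Constructed sample request; 203.0.113.7 is a documentation address.
    req = sign_update(key, "laptop-1", 1, {"webcam_sha256": "00" * 32})
    print(server.handle(req, "203.0.113.7"))  # first delivery
    print(server.handle(req, "203.0.113.7"))  # same request sent again
```

The nonce check and the nonce update have to happen atomically on the server (for example inside one datastore transaction), otherwise two copies of the same request arriving together can both pass.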




[google-appengine] Re: Manual Authentication

2009-03-26 Thread dafire



 secret = md5.md5(str(random.getrandbits(512))).hexdigest()

you could just use an uuid to get a unique id.

import uuid
secret = str(uuid.uuid4())



[google-appengine] Re: Manual Authentication

2009-03-26 Thread David Wilson

2009/3/26 dafire daf...@gmail.com:



 secret = md5.md5(str(random.getrandbits(512))).hexdigest()

 you could just use an uuid to get a unique id.

 import uuid
 secret = str(uuid.uuid4())

Handy tip, thanks :)


David

 




-- 
It is better to be wrong than to be vague.
  — Freeman Dyson




[google-appengine] Re: Manual Authentication

2009-03-25 Thread Marzia Niccolai

Hi,

Please see the information in our Google Accounts section which shows you
how to request/require login and generate login/logout URLs:
http://code.google.com/appengine/docs/python/users/

-Marzia

On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:


 I am writing a laptop theft recovery service. The client requests /
 update on the Google App Engine server, with user credentials, through
 HTTPS every few minutes. The server stores the IP from which the
 request was made and the time the request was made in the user
 information database model. My question is as such: how do I
 authenticate the user in the Google App Engine server? The username
 and password are given through POST in the HTTP request but I'd still
 need a login URL which the client cannot generate.

 





[google-appengine] Re: Manual Authentication

2009-03-25 Thread r00723r0

I may have explained myself incorrectly. I need to log in from an
invisible client without a web interface, and the login URL is unknown
to the standalone client. The client needs to log in and send some
data silently.

The main problem is that the username and password are saved, so the
user will not be manually logging in. Instead the client must be able
to log in without a proprietary log in URL that Google provides.

A possible solution:
* The client connects to someapp.appspot.com/update/, which has only a
login URL when a user is not logged in.
* The client then connects to the URL and sends magical information to
log in.
* The login URL redirects back to the /update page, as it always does,
and the Google App Engine program stores this visit as programmed.

However, this solution is inelegant and annoying to program. Any
better solutions?

On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
 Hi,

 Please see the information in our Google Accounts section which shows you
 how to request/require login and generate login/logout 
 URLs: http://code.google.com/appengine/docs/python/users/

 -Marzia

 On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

  I am writing a laptop theft recovery service. The client requests /
  update on the Google App Engine server, with user credentials, through
  HTTPS every few minutes. The server stores the IP from which the
  request was made and the time the request was made in the user
  information database model. My question is as such: how do I
  authenticate the user in the Google App Engine server? The username
  and password are given through POST in the HTTP request but I'd still
  need a login URL which the client cannot generate.



[google-appengine] Re: Manual Authentication

2009-03-25 Thread Steve Robillard

It might help to know why all the subterfuge. What problem are you trying to
solve? As a user I would be suspicious of any system that forwards me
through a series of links and sends secret information. With all due respect
it sounds like you are trying to proxy a limited resource or bypass a 3rd
party subscription requirement.

Steve 

-Original Message-
From: google-appengine@googlegroups.com
[mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
Sent: Wednesday, March 25, 2009 7:30 PM
To: Google App Engine
Subject: [google-appengine] Re: Manual Authentication


I may have explained myself incorrectly. I need to log in from an invisible
client without a web interface, and the login URL is unknown to the
standalone client. The client needs to log in and send some data silently.

The main problem is that the username and password are saved, so the user
will not be manually logging in. Instead the client must be able to log in
without a proprietary log in URL that Google provides.

A possible solution:
* The client connects to someapp.appspot.com/update/, which has only a login
URL when a user is not logged in.
* The client then connects to the URL and sends magical information to log
in.
* The login URL redirects back to the /update page, as it always does, and
the Google App Engine program stores this visit as programmed.

However, this solution is inelegant and annoying to program. Any better
solutions?

On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
 Hi,

 Please see the information in our Google Accounts section which shows 
 you how to request/require login and generate login/logout 
 URLs: http://code.google.com/appengine/docs/python/users/

 -Marzia

 On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

  I am writing a laptop theft recovery service. The client requests / 
  update on the Google App Engine server, with user credentials, 
  through HTTPS every few minutes. The server stores the IP from which 
  the request was made and the time the request was made in the user 
  information database model. My question is as such: how do I 
  authenticate the user in the Google App Engine server? The username 
  and password are given through POST in the HTTP request but I'd 
  still need a login URL which the client cannot generate.





[google-appengine] Re: Manual Authentication

2009-03-25 Thread GregF

Ping the server for a random number (the salt), then hash the salt
with the hash of the password and send that to the server. The server
stores a hash of the password, and hashes that and the salt and
compares it with the sent hash - if it matches, it's authenticated.
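
The challenge-response transaction described in this message, as an added example that is not code from the thread. It makes two substitutions: PBKDF2 (salted with the username) for "the hash of the password" and HMAC-SHA256 for "hash the salt with" it; `ChallengeServer`, `client_response` and the in-memory dicts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def password_hash(username, password):
    # Deterministic, so client and server derive the same value.
    # Using the username as the PBKDF2 salt is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.encode(), 100_000)


def respond(pw_hash, salt):
    """Combine the server's one-time salt with the password hash."""
    return hmac.new(pw_hash, salt, hashlib.sha256).hexdigest()


def client_response(username, password, salt):
    """Client side: answer the server's challenge."""
    return respond(password_hash(username, password), salt)


class ChallengeServer:
    """Server side. The dicts stand in for Datastore entities (assumption)."""

    def __init__(self):
        self.password_hashes = {}  # username -> stored password hash
        self.pending = {}          # username -> outstanding one-time salt

    def register(self, username, password):
        self.password_hashes[username] = password_hash(username, password)

    def challenge(self, username):
        # Issued for unknown usernames too, so the reply does not reveal
        # which accounts exist.
        salt = secrets.token_bytes(16)
        self.pending[username] = salt
        return salt

    def verify(self, username, response_hex):
        # pop() makes every salt single-use: a captured response cannot be
        # sent a second time.
        salt = self.pending.pop(username, None)
        stored = self.password_hashes.get(username)
        if salt is None or stored is None:
            return False
        expected = respond(stored, salt)
        return hmac.compare_digest(expected.encode(),
                                   str(response_hex).encode())


# Design caveat: the stored hash is itself the long-term secret in this
# scheme (respond() needs nothing else), so it must be protected like a
# password, and the exchange should still run over HTTPS.

if __name__ == "__main__":
    server = ChallengeServer()
    server.register("alice", "constructed-sample-password")
    salt = server.challenge("alice")
    answer = client_response("alice", "constructed-sample-password", salt)
    print(server.verify("alice", answer))  # fresh challenge, right password
    print(server.verify("alice", answer))  # same answer again, salt is gone
```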



[google-appengine] Re: Manual Authentication

2009-03-25 Thread r00723r0

It seems odd, I know, but I'm not doing anything malicious. I am
making a laptop recovery service. The client on the laptop must update
the Google App Engine server with the laptop's IP every few minutes so
the App Engine server can keep track of it. But I need to make sure
what user is sending this IP information.

This is where the trouble comes in. The client on the laptop that
tries to give the server the IP needs to authenticate but cannot
without a login page.

On Mar 25, 8:50 pm, Steve Robillard steverobill...@gmail.com
wrote:
 It might help to know why all the subterfuge. What problem are you trying to
 solve? As a user I would be suspicious of any system that forwards me
 through a series of links and sends secret information. With all due respect
 it sounds like you are trying to proxy a limited resource or bypass a 3rd
 party subscription requirement.

 Steve

 -Original Message-
 From: google-appengine@googlegroups.com

 [mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
 Sent: Wednesday, March 25, 2009 7:30 PM
 To: Google App Engine
 Subject: [google-appengine] Re: Manual Authentication

 I may have explained myself incorrectly. I need to log in from an invisible
 client without a web interface, and the login URL is unknown to the
 standalone client. The client needs to log in and send some data silently.

 The main problem is that the username and password are saved, so the user
 will not be manually logging in. Instead the client must be able to log in
 without a proprietary log in URL that Google provides.

 A possible solution:
 * The client connects to someapp.appspot.com/update/, which has only a login
 URL when a user is not logged in.
 * The client then connects to the URL and sends magical information to log
 in.
 * The login URL redirects back to the /update page, as it always does, and
 the Google App Engine program stores this visit as programmed.

 However, this solution is inelegant and annoying to program. Any better
 solutions?

 On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
  Hi,

  Please see the information in our Google Accounts section which shows
  you how to request/require login and generate login/logout
  URLs: http://code.google.com/appengine/docs/python/users/

  -Marzia

  On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

   I am writing a laptop theft recovery service. The client requests /
   update on the Google App Engine server, with user credentials,
   through HTTPS every few minutes. The server stores the IP from which
   the request was made and the time the request was made in the user
   information database model. My question is as such: how do I
   authenticate the user in the Google App Engine server? The username
   and password are given through POST in the HTTP request but I'd
   still need a login URL which the client cannot generate.



[google-appengine] Re: Manual Authentication

2009-03-25 Thread r00723r0

Hello, and thank you. Could you give me an example of such a
transaction?

On Mar 25, 9:02 pm, GregF g.fawc...@gmail.com wrote:
 Ping the server for a random number (the salt), then hash the salt
 with the hash of the password and send that to the server. The server
 stores a hash of the password, and hashes that and the salt and
 compares it with the sent hash - if it matches, it's authenticated.



[google-appengine] Re: Manual Authentication

2009-03-25 Thread Steve Robillard

This seems to be a client side issue. Why the requirement to authenticate
with something other than a Gmail address, if at all? Why not just have the
client add a header or headers to a request page which can uniquely id the
machine that is calling, and ditch all requests without this header(s)? One
would think your users would need to authenticate to get the info in the
event the laptop is lost. So if you feel authentication is a must, why not
use a Gmail account?

-Original Message-
From: google-appengine@googlegroups.com
[mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
Sent: Wednesday, March 25, 2009 10:54 PM
To: Google App Engine
Subject: [google-appengine] Re: Manual Authentication


It seems odd, I know, but I'm not doing anything malicious. I am making a
laptop recovery service. The client on the laptop must update the Google App
Engine server with the laptop's IP every few minutes so the App Engine
server can keep track of it. But I need to make sure what user is sending
this IP information.

This is where the trouble comes in. The client on the laptop that tries to
give the server the IP needs to authenticate but cannot without a login
page.

On Mar 25, 8:50 pm, Steve Robillard steverobill...@gmail.com
wrote:
 It might help to know why all the subterfuge. What problem are you
 trying to solve? As a user I would be suspicious of any system that
 forwards me through a series of links and sends secret information.
 With all due respect it sounds like you are trying to proxy a limited
 resource or bypass a 3rd party subscription requirement.

 Steve

 -Original Message-
 From: google-appengine@googlegroups.com

 [mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
 Sent: Wednesday, March 25, 2009 7:30 PM
 To: Google App Engine
 Subject: [google-appengine] Re: Manual Authentication

 I may have explained myself incorrectly. I need to log in from an 
 invisible client without a web interface, and the login URL is unknown 
 to the standalone client. The client needs to log in and send some data
silently.

 The main problem is that the username and password are saved, so the 
 user will not be manually logging in. Instead the client must be able 
 to log in without a proprietary log in URL that Google provides.

 A possible solution:
 * The client connects to someapp.appspot.com/update/, which has only a 
 login URL when a user is not logged in.
 * The client then connects to the URL and sends magical information to 
 log in.
 * The login URL redirects back to the /update page, as it always does, 
 and the Google App Engine program stores this visit as programmed.

 However, this solution is inelegant and annoying to program. Any 
 better solutions?

 On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
  Hi,

  Please see the information in our Google Accounts section which 
  shows you how to request/require login and generate login/logout 
  URLs: http://code.google.com/appengine/docs/python/users/

  -Marzia

  On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

   I am writing a laptop theft recovery service. The client requests 
   / update on the Google App Engine server, with user credentials, 
   through HTTPS every few minutes. The server stores the IP from 
   which the request was made and the time the request was made in 
   the user information database model. My question is as such: how 
   do I authenticate the user in the Google App Engine server? The 
   username and password are given through POST in the HTTP request 
   but I'd still need a login URL which the client cannot generate.





[google-appengine] Re: Manual Authentication

2009-03-25 Thread r00723r0

Wait... I didn't say anything about not using a Gmail account.

Here, look. Let me break it down as simply as I can.

The client, which is a program downloaded on the laptop, authenticates
somehow and sends the IP address to the App Engine server every few
minutes (10 minutes by default). The ISP can determine what internet
subscriber was using a certain IP at a certain time. The App Engine
service stores the IP address and time of last transmission by the
client from the IP. If the laptop gets stolen, the ISP and police will
track it down given this information.

On Mar 25, 11:09 pm, Steve Robillard steverobill...@gmail.com
wrote:
 This seems to be a client side issue. Why the requirement to authenticate
 with something other than a Gmail address, if at all? Why not just have the
 client add a header or headers to a request page which can uniquely id the
 machine that is calling, and ditch all requests without this header(s)? One
 would think your users would need to authenticate to get the info in the
 event the laptop is lost. So if you feel authentication is a must, why not
 use a Gmail account?

 -Original Message-
 From: google-appengine@googlegroups.com

 [mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
 Sent: Wednesday, March 25, 2009 10:54 PM
 To: Google App Engine
 Subject: [google-appengine] Re: Manual Authentication

 It seems odd, I know, but I'm not doing anything malicious. I am making a
 laptop recovery service. The client on the laptop must update the Google App
 Engine server with the laptop's IP every few minutes so the App Engine
 server can keep track of it. But I need to make sure what user is sending
 this IP information.

 This is where the trouble comes in. The client on the laptop that tries to
 give the server the IP needs to authenticate but cannot without a login
 page.

 On Mar 25, 8:50 pm, Steve Robillard steverobill...@gmail.com
 wrote:
  It might help to know why all the subterfuge. What problem are you
  trying to solve? As a user I would be suspicious of any system that
  forwards me through a series of links and sends secret information.
  With all due respect it sounds like you are trying to proxy a limited
  resource or bypass a 3rd party subscription requirement.

  Steve

  -Original Message-
  From: google-appengine@googlegroups.com

  [mailto:google-appeng...@googlegroups.com] On Behalf Of r00723r0
  Sent: Wednesday, March 25, 2009 7:30 PM
  To: Google App Engine
  Subject: [google-appengine] Re: Manual Authentication

  I may have explained myself incorrectly. I need to log in from an
  invisible client without a web interface, and the login URL is unknown
  to the standalone client. The client needs to log in and send some data
 silently.

  The main problem is that the username and password are saved, so the
  user will not be manually logging in. Instead the client must be able
  to log in without a proprietary log in URL that Google provides.

  A possible solution:
  * The client connects to someapp.appspot.com/update/, which has only a
  login URL when a user is not logged in.
  * The client then connects to the URL and sends magical information to
  log in.
  * The login URL redirects back to the /update page, as it always does,
  and the Google App Engine program stores this visit as programmed.

  However, this solution is inelegant and annoying to program. Any
  better solutions?

  On Mar 25, 6:30 pm, Marzia Niccolai ma...@google.com wrote:
   Hi,

   Please see the information in our Google Accounts section which
   shows you how to request/require login and generate login/logout
   URLs: http://code.google.com/appengine/docs/python/users/

   -Marzia

   On Wed, Mar 25, 2009 at 11:43 AM, r00723r0 r0072...@gmail.com wrote:

I am writing a laptop theft recovery service. The client requests
/ update on the Google App Engine server, with user credentials,
through HTTPS every few minutes. The server stores the IP from
which the request was made and the time the request was made in
the user information database model. My question is as such: how
do I authenticate the user in the Google App Engine server? The
username and password are given through POST in the HTTP request
but I'd still need a login URL which the client cannot generate.