An #API for #Google #Authenticator – add free #2FA to your app.


Two factor authentication is a way to level up your security, beyond username and password. Using Google Authenticator is also a great way to do this for free, since it doesn’t incur costs such as doing 2FA via SMS.

It does require a basic tech awareness, so if your typical user is elderly, then this is not the way to go.

You can of course use Google Authenticator without using an API by implementing the crypto code yourself, but using this API at AuthenticatorAPI.com does save you a lot of development time, since it’s just two API calls.

So, how does it work? Well, first you have to generate a random code. This could be just any random code that comes to your head, or perhaps better, generate a random code per user, and store this.

You now need to show a QR code to a user, which they scan into the Authenticator App. The QR code is generated using the API, and is just a block of HTML you display on your page. It’s 300×300 pixels in size.

To do this, you call:

https://www.authenticatorApi.com/pair.aspx?AppName=MyApp&AppInfo=John&SecretCode=12345678BXYT

Once the user has paired, and they go to log in, you prompt them for their PIN. You then have to send the PIN and the SecretCode from earlier to our API, and it will return either True or False.

By calling:

https://www.authenticatorApi.com/Validate.aspx?Pin=123456&SecretCode=12345678BXYT

The PIN is time dependent, so the same PIN won’t work the following day. This defeats key loggers and replay attacks.
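For the do-it-yourself route mentioned above, the following is an added example (not code from this post or from AuthenticatorAPI.com) of the time-based PIN check specified in RFC 6238, with a per-user secret drawn from a CSPRNG and a last-used-step check so that a PIN submitted a second time is refused. The class and method names are hypothetical, and since this page does not show how AuthenticatorAPI.com turns a SecretCode into a key, the raw 20-byte key used here is an assumption.

```csharp
using System;
using System.Security.Cryptography;

static class TotpExample // hypothetical name, added for illustration
{
    // Per-user secret from the OS CSPRNG (20 bytes = 160 bits); store it server-side.
    public static byte[] NewSecret()
    {
        var secret = new byte[20];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);
        return secret;
    }

    // RFC 4226 / RFC 6238: 6-digit code for one 30-second time step (HMAC-SHA1).
    public static string Code(byte[] secret, long step)
    {
        var counter = BitConverter.GetBytes(step);
        if (BitConverter.IsLittleEndian) Array.Reverse(counter); // counter is big-endian
        byte[] mac;
        using (var hmac = new HMACSHA1(secret)) mac = hmac.ComputeHash(counter);
        int o = mac[19] & 0x0F; // dynamic truncation offset
        int bin = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
        return (bin % 1000000).ToString("D6");
    }

    // Returns the matched time step, or -1. Steps <= lastUsedStep are refused,
    // so a PIN cannot be replayed inside its own validity window.
    public static long Validate(byte[] secret, string pin, long unixTime, long lastUsedStep)
    {
        if (pin == null) return -1;
        long now = unixTime / 30, matched = -1;
        for (long s = now - 1; s <= now + 1; s++) // tolerate one step of clock drift
        {
            var expected = Code(secret, s);
            int diff = expected.Length ^ pin.Length; // compare without early exit
            for (int i = 0; i < expected.Length && i < pin.Length; i++) diff |= expected[i] ^ pin[i];
            if (diff == 0 && s > lastUsedStep) matched = s;
        }
        return matched;
    }

    static void Main()
    {
        var key = NewSecret();
        long t = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        long step = Validate(key, Code(key, t / 30), t, -1);               // first use of the PIN
        Console.WriteLine(step >= 0);
        Console.WriteLine(Validate(key, Code(key, t / 30), t, step) >= 0); // same PIN again
    }
}
```

Persist the returned step per user after a successful login and pass it back as `lastUsedStep` on the next attempt.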

 

 

Categories: Uncategorized

Car License plate search #API for #Latvia

Latvia is a small Baltic country with a population of 1.92 million and a car ownership rate of 342 per 1,000, so an estimated car count of 650,000 vehicles. Today, we have expanded our API coverage to include Latvia; you can read more about this at our Latvian website http://www.autoapi.lv

Car registration plates in Latvia use the /CheckLatvia endpoint and return the following information:

  • Make / Model
  • Age
  • VIN number
  • Fuel
  • Engine size
  • Representative image

Sample Registration Number: 

GZ3425

Sample JSON:

{
  "Description": "VW BORA",
  "Variant": "BORA (1J2) (98-13)",
  "RegistrationYear": 1998,
  "CarMake": {
    "CurrentTextValue": "VW"
  },
  "CarModel": {
    "CurrentTextValue": "BORA"
  },
  "MakeDescription": {
    "CurrentTextValue": "VW"
  },
  "ModelDescription": {
    "CurrentTextValue": "BORA"
  },
  "VehicleIdentificationNumber": "WVWZZZ1JZXW273563",
  "EngineSize": 2324,
  "Power": 110,
  "FuelType": "Benzīns",
  "ImageUrl": "http://autoapi.lv/image.aspx/@VlcgQk9SQQ=="
}

 


Get the board members of a UK #Company using the Companies House #API in C#

The UK has a very open attitude to its company registration data: there are bulk data downloads, and a very open API that allows you to read lots of public domain data about UK companies. This is an example in C# that uses this API to return a list of officers (board members) of a UK company, given a UK company number.

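using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
using Newtonsoft.Json.Linq;

private static List<Officer> GetOfficers(string companyNumber)
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    // Escape the company number so it cannot alter the request path.
    var strUrl = "https://api.companieshouse.gov.uk/company/{0}/officers";
    strUrl = string.Format(strUrl, Uri.EscapeDataString(companyNumber));
    // The API key is sent as the Basic auth user name, with an empty password.
    var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes("xxxxxxxx:"));
    using (var wc = new WebClient())
    {
        wc.Headers[HttpRequestHeader.Authorization] = string.Format("Basic {0}", credentials);
        try
        {
            var strResult = wc.DownloadString(strUrl);
            var jResult = JObject.Parse(strResult);
            return jResult["items"].Select(jOfficer => new Officer(jOfficer)).ToList();
        }
        catch (WebException ex)
        {
            // ex.Response is null when no HTTP response was received at all.
            if (ex.Response != null)
            {
                using (var reader = new StreamReader(ex.Response.GetResponseStream()))
                    Console.WriteLine(reader.ReadToEnd());
            }
            return null;
        }
    }
}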

You will need your own API key, which replaces the "xxxxxxxx" in the code above. You’ll also need to implement your own Officer class, which is outside the scope of this example.

Detecting #TempEmail Addresses using C#

If you are providing a freemium service online, and you find yourself giving away repeated free trials to users registering with disposable email addresses, then you can find yourself losing money.

There will always be a cat-and-mouse game between service providers and disposable email address providers, so this particular “mouse trap” will not last long. However, I do welcome comments on other temp email providers, and detection mechanisms.

Most temporary email addresses can be spotted by using a simple (long) list of known domains, which you can get from GitHub here: https://gist.github.com/adamloving/4401361

However, certain providers, such as temp-mail.org, register new domains every day, so yesterday’s domains are already obsolete. So, for the cost of a few thousand domain registrations a year, they can bypass most static detection.

If you check the Whois of the domains registered by this company, you can see that the domains they use are only 5 days old, i.e. they are registered, then used on their website within 5 days, then disposed. They also use DNSOwl as a nameserver, which is operated by NameSilo, but is shared by a million other domains, so this could lead to false positives (see https://securitytrails.com/list/ns/ns1.dnsowl.com).

However, what I discovered is that the mail. subdomain points to the IP address 89.38.99.80, which appears to be their hosting provider, WorldStream BV. The mail. subdomain is not necessarily their MX (Mail Exchanger), but the domain seems to be present. This could be a default DNS setup, but it’s a giveaway, and specific enough that it’s unlikely to lead to many false positives.

Here’s some C# code to check this:

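private void CheckForBlacklistedMX(string domain)
{
    try
    {
        // Resolve the mail. subdomain and compare its first address with the known IP.
        var address = System.Net.Dns.GetHostAddresses("mail." + domain)[0].ToString();
        if (address != "89.38.99.80") return; // black-listed https://temp-mail.org/en/
        // ... Do something to warn user.
    }
    catch
    {
        // The lookup failed or mail.<domain> does not exist: nothing to flag.
    }
}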

 


ModuleNotFoundError: No module named ‘flask’ #IIS #Windows

If you’re trying to run a Flask-based Python web app in IIS, and you get the following error:

Traceback (most recent call last):
  File "C:\Python37\wfastcgi.py", line 790, in main
    env, handler = read_wsgi_handler(response.physical_path)
  File "C:\Python37\wfastcgi.py", line 630, in read_wsgi_handler
    handler = get_wsgi_handler(os.getenv("WSGI_HANDLER"))
  File "C:\Python37\wfastcgi.py", line 613, in get_wsgi_handler
    raise ValueError('"%s" could not be imported%s' % (handler_name, last_tb))
ValueError: "index.app" could not be imported: Traceback (most recent call last):
  File "C:\Python37\wfastcgi.py", line 597, in get_wsgi_handler
    handler = __import__(module_name, fromlist=[name_list[0][0]])
  File ".\index.py", line 1, in <module>
    from flask import Flask
ModuleNotFoundError: No module named 'flask'

Then, here was my solution.

  1. Activate the virtualenv by typing myApp\Flask\Scripts>activate
  2. Open a Python terminal by typing python
  3. type import sys
  4. type print(sys.path)
  5. Copy all the paths (remove the escaping, and put ;’s instead of commas)
  6. Go to IIS > FastCGI Settings > Edit > Environment variables
  7. Then enter all the paths into the PYTHONPATH variable.

For reference, here is the GitHub repo:

https://github.com/infiniteloopltd/HelloWorldFlask


#OneStream BTWholeSale Service Information error #ADSL #Broadband

If you use OneStream ADSL broadband, and when you try to connect you get an error message which reads:

SERVICE INFORMATION
You have been connected to this page due to one of the
following reasons. You must now shut down your internet
browser and internet applications before attempting to
reconnect. This may clear the issue immediately, if not then
please select the appropriate action from list below.
1. Your service provider is currently unable to accept your
connection request, please wait and reattempt later or
contact your service provider for more information.
Or
2. You have attempted to access an invalid Service Provider
domain, check your user details.
Or
3. You are testing your connection using
bt_test_user@startup_domain. Please proceed to next step
as advised by your Service Provider
Or
4. You are testing your connection to your service provider
using bt_test user@domain. where “domain” is your
Service Provider domain name. Please proceed to next
step as advised by your Service Provider.
Or
5. The access circuit to your Service Provider is currently
down. Your service should be resumed soon. Please try
again later or contact your Service Provider
Page maintained by BTWholesale

The solution is as follows:

1. Connect to your router via WiFi or hardwired (hardwired preferred).

2. Open a browser and type 192.168.1.1 in the address bar (Safari may have some issues).

3. Sign into the router using the username ‘admin’ and the password located on the back of the router. The password is the access key located in the bottom left of the label on the router (not the WiFi password).

4. Click the section named ‘Gateway’.

5. Scroll to the bottom and select ‘Gateway Set up’.

6. About halfway down the page, update the information in the username field by placing dots between the words: onestreamltd.vodafone.net

7. Then click save at the bottom.

8. Restart the router.


Simple bootstrap-themed website in .NET

IrlandaDoNorte.com

I put together this simple one-page website in 2 hours; it displays information on tourist attractions in Northern Ireland, in seven different languages.

It’s developed in Bootstrap, with a .NET / SQL server backend. Nothing special.
