Archive

Archive for February, 2022

Determine the country code from country name in C#

If you are trying to determine the country code (“IE”) from a string like “Dublin, Ireland”, then generally the best approach is to use a Geolocation API, such as Google Geocode, or Here maps, or the plethora of others. However, if speed is more important than accuracy, or the volume of data would be too costly to run through a paid API, then here is a simple script in C# to determine the country code from a string

https://github.com/infiniteloopltd/CountryISOFromString/

The code reads from an embedded resource, which is a CSV of country names. Some of the countries are repeated to allow for variations in spelling, such as “USA” and “United States”. The list is in English only, and feel free to submit a PR, if you have more variations to add to this.

It’s called quite simply as follows;

var country = Country.FromString("Tampere, Pirkanmaa, Finland");
Console.WriteLine(country.code);
Categories: Uncategorized

Send email from #SQL server using a #CLR function

Send Email SQL CLR

Send Email from a SQL CLR function

Although you can, and should use sp_send_dbmail to send email from SQL server, it’s often not quite as flexible as you need it to be. So here is a .NET CLR Function that you can install in your MSSQL server, in order to send an email using whatever additional configuration that you need.

You need to run these commands before installing the assembly

EXEC sp_changedbowner 'sa'
ALTER DATABASE <your-database> SET trustworthy ON


CREATE ASSEMBLY [SendEmailCLR]
    AUTHORIZATION [dbo]
    FROM 0x4D5A90000300000004000000FFFF000.....
    WITH PERMISSION_SET = UNSAFE;
  
CREATE PROCEDURE [dbo].[SendEmail]
@smtpServer NVARCHAR (MAX) NULL,
@smtpUsername NVARCHAR (MAX) NULL, 
@smtpPassword NVARCHAR (MAX) NULL, 
@from NVARCHAR (MAX) NULL, 
@to NVARCHAR (MAX) NULL, 
@subject NVARCHAR (MAX) NULL, 
@body NVARCHAR (MAX) NULL
AS EXTERNAL NAME [SendEmailCLR].[SendEmailCLR].[SendEmail]

The full binary string is redacted here to save space, but you can get this from https://github.com/infiniteloopltd/SendEmailSQLCLR/blob/master/bin/Debug/SendEmailCLR_4.publish.sql

Categories: Uncategorized

Verify an Email address without sending an Email via an #API for free

One of these two email addresses is valid : gianluca.91@gmail.com or gianluca.92@gmail.com – how can you tell which one? Regexes will say both are valid, even a DNS MX lookup will say that @gmail.com is valid.

Here’s the trick: https://avatarapi.com/avatar.asmx?op=VerifyEmail

It’s a free API, that does not require registration, or authentication, and does not store the email addresses supplied to it. It does not send an email, but just checks the mailbox.

Here is a result for gianluca.92@gmail.com

<EmailVerificationResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://avatarapi.com/">
<Verification>FAIL</Verification>
<MailExchange>alt4.gmail-smtp-in.l.google.com.</MailExchange>
<SmtpResponse>550-5.1.1 The email account that you tried to reach does not exist. Please try</SmtpResponse>
</EmailVerificationResponse>

And here is the result for gianluca.91@gmail.com

<EmailVerificationResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://avatarapi.com/">
<Verification>SUCCESS</Verification>
<MailExchange>alt4.gmail-smtp-in.l.google.com.</MailExchange>
<SmtpResponse>250 2.1.5 OK hf21-20020a17090aff9500b001bc3052777csi2002522pjb.42 - gsmtp</SmtpResponse>
</EmailVerificationResponse>

It also works with every email host, not just Gmail. However, some mail exchangers do not give information on their mailboxes, in which case the result can be inconclusive.

Categories: Uncategorized

Decoding binary #WebSockets data using C#

On some websites, you may notice data being exchanged between server and client, with no evident Ajax calls being made, in which case there may be activity on the WebSockets (WS) channel, and in this channel, if you are greeted by a jumble of binary data, then you may feel like giving up, but you may find it is easier to decode than you think.

The first clue I noticed was that there was a request header called

Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

Where deflate is a compression mechanism, which is similar to GZip, and can be decoded easily in C#, First step, though is to view the binary data as base64, so you can copy & paste it, then using this function;

public static byte[] Decompress(byte[] data)
{
	MemoryStream input = new MemoryStream(data);
	MemoryStream output = new MemoryStream();
	using (DeflateStream dstream = new DeflateStream(input, CompressionMode.Decompress))
	{
		dstream.CopyTo(output);
	}
	return output.ToArray();
}

Which is called as follows;

var binInput = Convert.FromBase64String(b64Input);
var bDeflate = Decompress(binInput);
var output = Encoding.UTF8.GetString(bDeflate);

And from there, you see much more familiar JSON text.

Categories: Uncategorized

Handling #SCA (Strong Customer Authentication) with #Stripe and C#

Strong customer Authentication is where your bank (card issuer) will show a popup during your purchase to offer an added level of protection for the consumer, to make sure it really is you, and not someone who’s cloned your card details.

It’s also a massive headache for developers!

Massive disclaimer: This was my approach at fixing it, follow Stripe documentation unless you’re really stuck!

So, capturing a customer (cus_xxxx) token is unchanged, what changes when you try to subscribe that customer to a subscription, then it fails. Here I’m adding “allow_incomplete” to allow the subscription to return data even if the customer has SCA enabled.

  const string strUrl = "https://api.stripe.com/v1/subscriptions";
  var postData = "customer=" + customerId;
  postData += "&items[0][price]=" + priceReference;
  postData += "&payment_behavior=allow_incomplete"; // NEW*SCA*

If we check the return value, and the status says incomplete then we have to jump through a few more hoops before we can get the money from the customer.

First, we get the latest_invoice value from the return, and call the stripe API “https://api.stripe.com/v1/invoices/<id here>” and from the response, we get the payment_intent id.

Then with the payment_intent id, we call the stripe API : “https://api.stripe.com/v1/payment_intents/<id here>” and get the client_secret

Now, we pass the client_secret back to our client side, and then we need to call the Stripe SDK, which is included as follows;

<script src="https://js.stripe.com/v3/"></script> <!-- SCA -->

Then it’s initialized as follows; (I’m using JQuery here)

   $(init);
    var stripe = {};
    function init() {
        stripe = Stripe("pk_test_xxxxxxxxxxx"); // SCA
    }

Then once we get the client_secret back somehow; we call the javascript

stripe
.confirmCardPayment(data)
.then(function (result) {
// Handle result.error or result.paymentIntent
console.log(result);
alert("SCA OK!");
});

And it works in test anyway! – let me know if you spot any glaring issues.

Categories: Uncategorized

Automate #Google login using C# and MasterDev ChromeDevTools

Automating a Chrome login in C# is difficult, because Google is clever enough to detect if you are using an embedded WebBrowser – either the embedded InternetExplorer Control, or CEFSharp, and probably others. It’s also a multi-step process, so you have to get the synchronisation right.

So, this is where ChromeDevTools by MasterDev comes in; The original repo is here:

https://github.com/MasterDevs/ChromeDevTools

I’ve forked this, and made my own changes and fixes here;

https://github.com/infiniteloopltd/ChromeDevTools/blob/master/source/Sample/Program.cs

How MasterDev ChromeDevTools differs from CEFSharp, is that chrome is spawned in a separate process, and it uses WebSockets (WebSocket4Net.WebSocket) to communicate between the host application in C# and Chrome. This also means you can run it in AnyCPU mode, and you don’t have to worry about x86 or x64 CPU types. Oh, and of course, Google can’t detect that you’re listening in to what Chrome is doing.

Some organisational changes I made to the sample code, so that it would run in a synchronous manner was this helper function WaitForEvent<T> which effectively does nothing until a given Event is received from the browser

private static void WaitForEvent<T>(IChromeSession chromeSession) where T : class
{
	var waiter = new ManualResetEventSlim();
	chromeSession.Subscribe<T>(eventFired =>
	{
		waiter.Set();
	});
	waiter.Wait();
}

This method will block indefinitely if the event is never received, but that’s another issue.

I also added this helper method to run Javascript on the page, since I would be calling it repeatedly;

private static async Task<string> ExecuteJavascript(IChromeSession chromeSession, string javaScriptToExecute)
{
	var evalResponse = await chromeSession.SendAsync(new EvaluateCommand
	{
		Expression = javaScriptToExecute,
	});
	if (evalResponse.Result.ExceptionDetails != null)
	{
		return evalResponse.Result.ExceptionDetails.ToString();
	}
	return evalResponse.Result.Result.Value == null ? "" : evalResponse.Result.Result.Value.ToString();
}

Here, I am returning everything as a string, regardless of type – even errors. I’d leave it up to the client application to deal with unexpected values. In my case, I didn’t even need return values.

Everything else is quite straightforward. It’s a matter of navigating to the login page, wait for the page to load, enter the username, press next, wait for the next frame to load, then enter the password, press next, wait for a login, then I can process the page.

Of course, Anything unexpected will make the process hang indefinitely, so this is in no way robust, but it’s a proof of concept, that I hope it helps someone.

Categories: Uncategorized

How #CloudFlare detects #AWS Lambda request

In the constant cat and mouse game between bots and site owners, there are the “guardians”, such as DataDome, CloudFlare, Akamai, and various other WAF systems to try and keep the bots at bay.

Many “bots” are implemented as AWS Lambda functions, and when suitably routed via a proxy, with realistic looking headers, then they are hard to detect by CloudFlare. However, a http-header that is injected into outbound HTTP requests by AWS has become an indicator to CloudFlare that the request is coming from AWS Lambda, and not a user’s browser.

Here, the header being “x-amzn-trace-id” which is used by AWS X-Ray, is hard to disable, and is a give-away to CloudFlare indicating some likely bot action. If it is removed, then the trap resets, and the mouse gets away again!

Categories: Uncategorized
%d bloggers like this: