Security: Hacknocraft/AppFriendsDocs

docs/security.md

Authentication and API Requests

When you access the AppFriends REST API via our SDK, you only need to provide the correct App_ID and App_Secret when you initialize the SDK. However, when you want to make direct REST API requests using an HTTP client, the requests need to be structured correctly and signed with the appropriate secret.

Request Header

In the HTTP request header, these fields must be present:

APP_ID - Your App_ID. You can find it in the admin panel after your app is created there.

TOKEN - When you are sending requests on a user's behalf, the user's auth token should be included here. The auth token is returned after the user signs up or logs in to AppFriends. See user authentication.

Authorization - Your request signature. See signature creation.

Sample Request Header

Your HTTP header can contain other fields, but it must include:

APP_ID: "SVXJKXjXUGOkEFBWDK8NCwtt"
TOKEN: "BE82LbEu_bGNnwXmy5KObw"
Authorization: Bearer <signature token>

App ID and Secrets

For each application you create on AppFriends, there will be an App_ID, an App_Secret and an Admin_Secret.

App_ID is used to identify your application.

App_Secret is the secret used to sign the requests coming from your application.

Admin_Secret is the secret used to sign the requests coming directly from your server. For example, your server can send a request via AppFriends REST API to update a user's token or you can export all the social graph data with your admin secret.

These values play a very important role in authenticating your requests, so please keep them away from the bad guys.

Signature Creation

The signature is created using JSON Web Tokens (JWT), an open industry standard (RFC 7519) for representing claims securely between two parties. You can use the jwt.io website to verify your signature.

//signature creation
HMACSHA256(
  base64UrlEncode(JWT header) + "." +
  base64UrlEncode(payload),
  <your secret here>
)

The signature created here will be used in the Authorization header using the Bearer schema.

Authorization: Bearer <signature token>

JWT Header

The JWT header is not your HTTP request header; it is used only to sign the request. The JWT header will look like this:

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT Payload

Put the current timestamp (in seconds) in your payload:

{
  "timestamp": "1462117651",
  "token": 
}
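The following is an added example, not code from the AppFriends documentation or SDK, that carries the Signature Creation, JWT Header and JWT Payload sections above through end to end: it builds the HS256 JWT from the header and payload shown, places it in the Authorization header together with APP_ID and TOKEN, and shows the check a server would run on receipt. The App_ID and TOKEN values are copied from the page's sample header; the App_Secret is a constructed placeholder; the page leaves the payload's "token" value blank, so this example assumes it is the user's auth token, and the 300-second freshness window is likewise an assumption rather than an AppFriends rule.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values, not real credentials. The App_ID and user token
# are the ones shown in the page's sample header; the secret is a placeholder.
APP_ID = "SVXJKXjXUGOkEFBWDK8NCwtt"
APP_SECRET = "example-app-secret"      # placeholder; a real App_Secret never belongs in source
USER_TOKEN = "BE82LbEu_bGNnwXmy5KObw"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url: restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_signature(secret: str, payload: dict) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    appended as the third dot-separated segment of the compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def build_headers(app_id: str, secret: str, user_token: str, now: int = None) -> dict:
    """Assemble the three required request header fields for a user-scoped request.
    Assumption: the payload's "token" claim carries the same user auth token as TOKEN."""
    now = int(time.time()) if now is None else now
    payload = {"timestamp": str(now), "token": user_token}
    return {
        "APP_ID": app_id,
        "TOKEN": user_token,
        "Authorization": "Bearer " + create_signature(secret, payload),
    }


def verify_signature(secret: str, jwt: str, now: int, max_age: int = 300) -> bool:
    """Server-side check: pinned algorithm, constant-time MAC comparison, and a
    freshness window on the timestamp claim so a captured signature cannot be
    replayed indefinitely (the 300 s window is this example's assumption)."""
    try:
        header_b64, payload_b64, sig_b64 = jwt.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token's own "alg" pick the verifier.
        if header.get("alg") != "HS256":
            return False
        signing_input = (header_b64 + "." + payload_b64).encode()
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        payload = json.loads(b64url_decode(payload_b64))
        ts = int(payload["timestamp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token, bad encoding, or missing claim
    return abs(now - ts) <= max_age


if __name__ == "__main__":
    headers = build_headers(APP_ID, APP_SECRET, USER_TOKEN)
    for name, value in headers.items():
        print(f"{name}: {value}")
    token = headers["Authorization"][len("Bearer "):]
    print("verifies:", verify_signature(APP_SECRET, token, int(time.time())))
```

The three segments of the printed Authorization value can be pasted into jwt.io with the same secret to confirm they match. Note that the verifier decodes the header only to confirm it says HS256; the secret the server uses is chosen by which App_ID the request names, not by anything inside the token.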

[Screenshot: JWT example on jwt.io]

User Authentication

Create a User

Users on AppFriends are simply mirror images or copies of the users in your app. There are two ways to create users on AppFriends: sign up the user in the app, or batch create users using the admin API. To create a user, you need to provide the user's ID and user name. There are other optional properties you can provide, such as email, avatar (recommended) and real name:

Sign-up or Sign-in user in the app

In your app, call the SDK's login method. At a minimum, you need to provide a user ID and a user name.

Swift

// For the params, you need to provide a user ID and a user name,
// for example: [HCSDKConstants.kUserID: "random-id", HCSDKConstants.kUserName: "sample user name"]
// The completion handler is optional and defaults to nil.
public func loginWithUserInfo(params: [String : AnyObject]?,
                              completion: ((response: AnyObject?, error: NSError?) -> ())? = nil)

Android

Batch create user using the admin api

With the admin API, you can batch create users.
