Tuesday, October 29, 2019

Activate InDesign Server on macOS when the trial version has expired

1. Go to https://helpx.adobe.com/indesign/release-note/indesign-server-cc-march-2018-13-1-release-notes.html

2. Click "Adobe Provisioning Toolkit Enterprise Edition for CC (Mac)" to download the toolkit.

3. Create a folder, for example /Users/nuwan/apk

4. Extract the downloaded adobe_prtk binary into the apk folder.

5. Open a terminal inside the apk folder.

6. Run the StartTrial tool. The --leid value identifies the product and version (here InDesign Server 13 for Mac); use the LEID that matches the version you have installed:

  • ./adobe_prtk --tool=StartTrial --leid=V7{}InDesignServer-13-Mac-GM

   If you have a serial number, the same tool can serialize the product instead of starting a trial, e.g.:

  • ./adobe_prtk --tool=Serialize --leid=V7{}InDesignServer-13-Mac-GM --serial=1155-0001-4993-6222-3770-4086 --adobeid=nperera@typefi.com

7. If the trial is activated successfully, the following message is displayed. A non-zero return code means the step failed:

StartTrial Successful
Return Code = 0

Saturday, October 20, 2018

What is MEAN stack?

MEAN stands for MongoDB, Express, Angular and Node. Web development is commonly split into two parts, the front end (client side) and the back end (server side). The MEAN stack provides JavaScript-based technologies for both.

  • MongoDB - MongoDB is not a traditional relational database; it is one of the best-known NoSQL document stores. It has a dynamic schema and is faster and a better fit for some applications. Companies such as Dolby, eBay and LinkedIn have used MongoDB in production. It is a natural choice for developers already familiar with JavaScript and JSON, because documents are stored as BSON (binary JSON).
  • Issue found when installing MongoDB on Windows. After downloading and installing MongoDB and trying to start the server with the command "mongod" in the command prompt, it shows the error "The program can't start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem."
  • How to fix? That DLL belongs to the Universal C Runtime, which is delivered by the Visual C++ 2015 Redistributable and by Windows Update (KB2999226). First check under Programs and Features whether the Visual C++ 2015 Redistributable is installed; if it is, uninstall it. Then run Windows Update, install any pending updates and restart the computer. Reinstall the Visual C++ 2015 Redistributable, then run mongod again to start the server. This fixed it.
Express JS

Express.js is a web framework for Node.js. JavaScript traditionally ran only inside web browsers; Node.js is a runtime that lets JavaScript run outside the browser, so the server and its server-side code can be written in JavaScript. Express helps organize the application's routing and works with any templating engine with minimal effort.

How to install Express.js in your project.

1. Install Node.js on your PC first.
2. Create a directory for your application.
3. Open a command prompt inside that directory and type "npm init".
4. This creates the package.json file for your application.
5. Now type "npm install express --save" and hit enter (since npm 5, --save is the default).
6. Express is then added to the dependencies list in package.json, and npm writes a package-lock.json pinning the exact versions installed. Commit the lock file so every build installs the same dependency tree, and run "npm audit" to check it for known vulnerabilities.

Angular JS


Angular is a front-end JavaScript framework for building dynamic web applications that run in the browser. It is especially suited to single-page applications. AngularJS extends HTML with its own attributes, called ng-directives, so ordinary HTML behaviour is retained while the framework adds data binding on top. Three of the most common directives are:
1. ng-app
               Placed on an HTML element, it marks that element as the root of an AngularJS application.
2. ng-model
                Binds the value of HTML controls such as selects, text areas and inputs to application data.
3. ng-bind
                Binds application data to the HTML view (the element's text content).

There are many more AngularJS directives.
ex:- ng-init, ng-repeat

Sunday, October 7, 2018

Accessing Google Drive API Using OAuth 2.0


Accessing Google Drive API Using OAuth 2.0 + JavaScript + NodeJS
In my previous two posts I described two ways of protecting a web application from CSRF attacks. In this post I move on to OAuth 2.0, an authorization framework. OAuth stands for Open Authorization; the current version is 2.0, defined in RFC 6749. OAuth 2.0 lets users grant a third-party application limited access to their web resources without sharing their password with it.

OAuth 2.0 - What is it?
OAuth acts as an intermediary on behalf of the end user: it gives the third-party service an access token that authorizes only the specific account information the user agreed to share. A rough real-world analogy: when we apply for a bank loan, the bank requires one or more guarantors.
Even though we want the loan, the bank does not know us, so it wants someone it already trusts to vouch for us. The person or people who vouch for us are the guarantors. OAuth plays a similar role: a service you already have an account with vouches for you to a third party, without you handing that third party your password.
Before diving deeper into OAuth 2.0, it is important to understand what the following keywords mean.
Authentication — verifying that a person is who they claim to be.
Authorization — deciding what actions an authenticated person is allowed to perform.
OAuth 2.0 is used for,
  • Federated Identity — allowing users to log in to an application with an account from another provider. Strictly, OAuth 2.0 only authorizes; "log in with Google" style authentication is provided by OpenID Connect, an identity layer built on top of OAuth 2.0.
  • Delegated Authority — allowing one service to access resources on another service on behalf of the user.

The Flow

Before OAuth 2.0, if an application wanted to access your data held by another application, you had to give the requesting application your account credentials for the service that held the data. For example, if an application wanted to suggest your Facebook friends, you had to give it your Facebook credentials, and it would then log in as you and operate your Facebook account. This gave it full control of the account, and it could store your password. In a time where data security is crucial, we cannot simply trust applications with that, so a protocol was needed that delegates access without compromising the user's credentials.

OAuth 2.0 solves this. If an application, let's call it 'Sample App', wants to access your friend list, it first asks you for permission. You are then redirected to a page served by Facebook telling you that Sample App wants to read your friend list and asking for your consent. If you allow it, Facebook issues Sample App a token that grants only that access, and Sample App uses the token to fetch the list. That, very briefly, is how OAuth 2.0 works.
Following are the main roles in an OAuth flow.
  1. Resource Owner: the user who authorizes the third-party application to access their account.
  2. Resource Server: the server hosting the protected resources (the user's data), which accepts access tokens.
  3. Authorization Server: authenticates the user, obtains consent and issues the access token to the application.
  4. Client Application: the application that needs to access the user's resources on the resource server.
OAuth 2.0 (RFC 6749) defines four grant types. They are,
  1. Authorization Code: used by server-side applications. The client receives a short-lived code via the browser redirect and exchanges it for tokens directly with the authorization server. With the PKCE extension (RFC 7636) it is now the recommended grant for native and browser-based apps as well.
  2. Implicit: originally used by browser-based and mobile applications that could not keep a client secret; tokens are returned directly in the redirect URL. The OAuth 2.0 Security Best Current Practice deprecates it in favour of authorization code with PKCE.
  3. Resource Owner Password Credentials: used only with trusted first-party applications, such as those owned by the service itself, because the application handles the user's password. It is likewise discouraged for new applications.
  4. Client Credentials: used for application-to-API access where no user is involved.
In the application below, I access data from the Google Drive API; Google's authorization server, not my app, is the party that authenticates the user and authorizes the access.




                                         The flow of OAuth 2.0 process
Working Application
The source code for the application is available at GitHub.

How Does This Work?

Sign in by clicking on the ‘Sign In’ button


Proceed by entering your Google username and password, then grant the requested Drive permission on the consent screen




Once access has been granted, the app receives an authorization code on its callback URL, exchanges it for an access token and uses the token to fetch the necessary information from the Google Drive API

Note: If you are already signed in and have a valid Google session in your browser, you will not be asked for your password again; you may still see the consent screen the first time the app requests a scope.

Thursday, October 4, 2018

Double Submit Cookies Pattern


Securing Your PHP Web Application Using Double Submit Cookies Pattern

 

In the last article, I discussed CSRF attacks and protecting a web application from CSRF attacks using Synchronizer Token Pattern.

 

In this post I describe the Double Submit Cookie Pattern, another way of protecting a web application from CSRF attacks. It is also known as the Stateless CSRF Defense, because the server keeps no per-session token; read on for what the pattern is and how it works.

 

Double Submit Cookies against Synchronizer Tokens
Both methods use a session ID and a CSRF token to validate a request. As discussed previously, in the Synchronizer Token pattern the server stores each CSRF token against its session ID, so the token lives in server-side storage.
In the Double Submit Cookie pattern the token is instead stored in the browser as a cookie and the server keeps nothing, which is why it is called the Stateless CSRF Defense. This is the main difference between the two approaches.
Double Submit Cookies Pattern - how does it work?
                      
                                                             Image – google.com

Upon login, a session identifier is generated and set as a cookie in the browser. At the same time, a CSRF token for the session is generated and set as a second cookie.

                                                    Code to generate the Session ID and the CSRF token
After a successful login, you are redirected to another page containing a user update form.

When the form is submitted, the browser sends the CSRF token cookie automatically, and the same token value is sent in the form body.
The page that accepts the submission (the form's action URL) reads the token from the cookie and from the request body and compares the two values. If they match, a success message is shown; if not, an error message is shown. The defence relies on the attacker's page being unable to read or set cookies for the target site, so it cannot place a matching value in the body of a forged request.
                                                 
                                               
        Matching the two values

Working Example

To demonstrate how the above theory works in practice, I have implemented a sample web application in PHP with a Bootstrap front end. It is a monolithic web application with a few HTML pages and a PHP back end that processes the incoming requests.
The source code is available at GitHub. The flow is the same as in the previous application for the synchronizer token pattern.
                            
                                                                       Step - 01
                           
                                                                    Step - 02

The CSRF token is set as a cookie and sent with every request, unlike in the Synchronizer pattern, because the value is not persisted on the server. A client-side script reads the cookie when the page loads and injects it into a hidden field so that it is submitted along with the form. The pattern assumes that no other party can set cookies for the application's origin. That assumption is weaker than it looks: an attacker who controls a sibling subdomain can set a cookie for the parent domain, and a network attacker can inject cookies over plain HTTP even if the site itself uses HTTPS. The usual mitigations are to use the __Host- cookie prefix (which forces Secure, Path=/ and no Domain attribute), to serve the site only over HTTPS with HSTS, and to sign the token with a server-side key so that a planted token is rejected even when it matches the body.
                                 
                                                                       Step - 03
                           
                                                                       Step - 04




 


Synchronizer Token Pattern


Securing Your PHP Web Application Using Synchronizer Token Pattern
There are many security vulnerabilities in web applications; SQL injection, Cross-Site Scripting (XSS), and Broken Authentication and Session Management are a few of them. In this blog post I explain the Cross-Site Request Forgery (CSRF) attack and how to secure a PHP web app against it.
CSRF Attack - What is it?

Almost all web applications use a client-server architecture to communicate between the client (front end) and the server (back end). This communication takes the form of network or API requests. For example, imagine a banking application where you can transfer money from your account to another. When you click the transfer button after entering the necessary details, the client application sends the request to the server to perform the transaction.
This is where a CSRF attack can take place. In a CSRF attack, a page controlled by the attacker makes the victim's browser send a similar, unauthorized request to the server, for example via a hidden form or image tag. The browser attaches the user's session cookie automatically, so the server treats the forged request as the user's own, all without the user's knowledge. There are many ways to mount CSRF attacks; Wikipedia gives a good overview.
CSRF Attack

                                
                                              Image – google.com


The Synchronizer Token pattern is one of several ways to protect a web app from CSRF attacks. Here I explain the pattern and how to implement it in PHP.
For a better understanding, you should have some basic knowledge of cookies and how they work. If not, the MDN site is a good place to start.

Synchronizer Tokens - How Do They Work?
                        
                                                                                    Image – google.com
I have built a simple web application to demonstrate how synchronizer tokens work. After a successful login, a user can post something, including a first name and last name.
When the server validates the user's credentials on login, it generates a session ID and a CSRF token for that session and stores the token against the session ID on the server. The session ID is set as a browser cookie; the CSRF token is not put in a cookie but rendered into the page.


                                                           Code to generate the Session ID and the CSRF token.

When the user enters the data and submits the form, the browser automatically sends the cookie carrying the session ID, and the CSRF token is sent in the request body via a hidden input field. The server looks up the token stored for that session, compares it with the submitted one, and only if they match updates the data. A forged cross-site request carries the session cookie but cannot know the token, so it is rejected.

                                                       The hidden field which sends the token to the server.
Working Application
The source code is available at GitHub.
                                  
                                                                                                    Login Screen


                                 
                                                                                            Update User Form
                              
                 User update success


Wednesday, May 3, 2017

Weekly report in 3rd week and 4th week

Pharmacy module
Assistant Pharmacist (login as sahan)
Issues
1.       When updating the selected drug, the remarks field is not loaded from the database.

jqPharmacyDC.js file changed











DrugResource.java API file changed.





2.       When the assistant pharmacist sends a drug request to the chief pharmacist, the Pharm_drugrequest table is not updated.
3.       After making a request, the chief pharmacist can't view the request.

Request_Controller.php file changed.




When creating the session, the 'userId' was not added to the JSON object. We added it as 'userId' => $this->session->userData('userid');



After the change, the following steps work.
·         Log in as assistant pharmacist (nisha) and send a drug request to the chief pharmacist (sahan).
·         The Pharm_drugrequest table is updated.
·         Log in as chief pharmacist (sahan) and view the request.
·         Check the requested drug and approve it.
·         The approved request is removed and the pharm_asst_stock table is updated.



4.       When logged in as assistant pharmacist, check that the drug and the required quantity are available before dispensing.
Priscribe_controller.php file changes





dispense.js file changes



UI Changes


Tuesday, March 7, 2017

New Internship Program in Sri Lanka Health Information System

About the technologies of HIS Project.

 1. The project is a health information system (HIS). The back end uses a MySQL database accessed through Hibernate, a persistence (ORM) framework.

2. On top of that sits a Java-based JSON web service API. The front end is written in PHP using the CodeIgniter framework.

First week

For the API we wrote test cases. The main technology I learnt was the JSON object.

JSON technology

JSON (JavaScript Object Notation) is a data interchange format that is easy for humans to read and write and for machines to parse and generate. It is based on a subset of the JavaScript programming language.

JSON is built on two structures:

1. A collection of name/value pairs. In most languages this is realized as an object, record, struct, dictionary, hash table, keyed list or associative array.
2. An ordered list of values. In most languages this is realized as an array, vector, list or sequence.

Second week
Error codes encountered when writing test cases.

HTTP status codes commonly seen when testing an API
200 OK

 Standard response for successful HTTP requests. The actual response depends on the request method used. For a GET request, the response contains an entity corresponding to the requested resource. For a POST request, the response contains an entity describing or containing the result of the action.

202 Accepted

 The request has been accepted for processing, but the processing has not been completed.

204 No Content

 The server successfully processed the request and is not returning any content. In our API this usually means the method accessed has no return type.

400 Bad Request

This is one of the most frequent errors when writing test cases for an API. The server cannot or will not process the request because of an apparent client error, for example a syntax error in the URL or the request body, or a request message that is not well formed.

403 Forbidden

The request was valid, but the server refuses to fulfil it, typically because the user does not have permission to access the resource. (Compare 401 Unauthorized, which means authentication is missing or invalid.)

404 Not Found

The requested resource could not be found (a bad URL).

405 Method Not Allowed

Caused by a mismatch between the request method and the requested resource, for example a GET request to an endpoint that requires the data to be sent via POST.

415 Unsupported Media Type

The request entity has a media type which the server or resource does not support.

500 Internal Server Error

A generic error and one of the harder ones to pin down; it is returned when the server-side code itself fails, for example with an unhandled exception such as inserting a value that already exists in a column constrained by a primary key. Note that if the server is not up at all, the client sees a connection error (or a 502/503 from a proxy in front of it) rather than a 500.


Hint: Use Postman for your API testing, https://www.getpostman.com/

Inward API test cases in HIS that I built.
1.TemperatureChartResourceTestCase.java
2.DiagnoseResourceTestCase.java
3.LiquidBalanceChartResourceTestCase.java
4.TempPrescribeResourceTestCase
5.WardAdmissionResourceTestCase.java