{"componentChunkName":"component---src-templates-blog-list-template-js","path":"/engineering/30","result":{"data":{"allMarkdownRemark":{"edges":[{"node":{"excerpt":"PKCE is an OAuth 2.0 security extension for public clients on mobile devices intended to avoid a malicious programme creeping into the same…","fields":{"slug":"/engineering/pkce/"},"html":"

PKCE is an OAuth 2.0 security extension for public clients on mobile devices intended to avoid a malicious programme creeping into the same computer from intercepting the authorisation code. The RFC 7636 introduction discusses the mechanisms of such an attack.

\n

PKCE has a different specification of its own. It allows applications to use the most reliable OAuth 2.0 flows in public or untrusted clients - the Authorization Code flow. In order to efficiently use a dynamically generated password, it achieves this by doing some setup work before the flow and some verification at the end of the flow.

\n

This is important because getting a fixed secret in a public client is not safe.

\n

In this blog, we will see how PKCE is useful in authorization code flow for OAuth and OIDC and how you can use this with your OAuth and OpenID Connect providers.

\n

What is PKCE

\n

Proof Key for Code Exchange as known as PKCE, is a key for preventing malicious attacks and securely performing code authorization flow.

\n

I would say, PKCE is used to provide one more security layer to the authorization code flow in OAuth and OpenID Connect.

\n

PKCE is mainly useful for the client-side application or any web apps that are using the client secret key and used to replace the static secret used in the authorization flow.

\n

This flow basically works with two parameters Code Verifier and Code challenge. Let's see what are these parameters, how we use them, and generate them.

\n

PKCE code verifier and challenge

\n

The code verifier is a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.\nOnce the client has generated the code verifier, it uses that to create the code challenge.

\n

For devices that can perform a SHA256 hash, the code challenge is a BASE64-URL-encoded string of the SHA256 hash of the code verifier.

\n

Generate code verifier and code challenge

\n

Here you can see the examples to generate the Code verifier and code challenge in different languages. Either you can find Node and Go Packages for this but I would recommend you to not depend on any package for such small things.

\n

NodeJs

\n
var crypto = require("crypto")\n\nfunction base64URLEncode(str) {\n    return str.toString('base64')\n        .replace(/\\+/g, '-')\n        .replace(/\\//g, '_')\n        .replace(/=/g, '');\n}\nvar verifier = base64URLEncode(crypto.randomBytes(32));\nconsole.log("code_verifier: ", verifier)\n\nif(verifier){\n    var challenge = base64URLEncode(sha256(verifier));\n    console.log("code_challenge: ",challenge)\n}\n\n\nfunction sha256(buffer) {\n    return crypto.createHash('sha256').update(buffer).digest();\n}
\n

Golang

\n
package main\n \nimport (\n    "crypto/sha256"\n    "encoding/base64"\n    "fmt"\n    "math/rand"\n    "strings"\n    "time"\n)\n \ntype CodeVerifier struct {\n    Value string\n}\n \nconst (\n    length = 32\n)\n \nfunc base64URLEncode(str []byte) string {\n    encoded := base64.StdEncoding.EncodeToString(str)\n    encoded = strings.Replace(encoded, "+", "-", -1)\n    encoded = strings.Replace(encoded, "/", "_", -1)\n    encoded = strings.Replace(encoded, "=", "", -1)\n    return encoded\n}\n \nfunc verifier() (*CodeVerifier, error) {\n    r := rand.New(rand.NewSource(time.Now().UnixNano()))\n    b := make([]byte, length, length)\n    for i := 0; i < length; i++ {\n        b[i] = byte(r.Intn(255))\n    }\n    return CreateCodeVerifierFromBytes(b)\n}\n \nfunc CreateCodeVerifierFromBytes(b []byte) (*CodeVerifier, error) {\n    return &CodeVerifier{\n        Value: base64URLEncode(b),\n    }, nil\n}\n \nfunc (v *CodeVerifier) CodeChallengeS256() string {\n    h := sha256.New()\n    h.Write([]byte(v.Value))\n    return base64URLEncode(h.Sum(nil))\n}\n \nfunc main() {\n    verifier, _ := verifier()\n    fmt.Println("code_verifier: ", verifier.Value)\n    challenge := verifier.CodeChallengeS256()\n    fmt.Println("code_challenge :", challenge)\n}\n
\n

Implement the OAuth 2.0 Authorization Code with PKCE Flow

\n

Get the Authorization code

\n

In the OAuth Authorization flow, we need to have the code verifier and code challenge to start with the authentication and obviously an OAuth provider to connect.

\n

For the initial request, we need to pass the codechallenge and codechallenge_method to the OAuth or OIDC provider that supports PKCE based flow.

\n

The request will look like:

\n
Provider + /oauth/redirect?\nclient_id={client_id}\n&redirect_uri={Callback URL}\n&scope={Scope}\n&response_type=code\n&state={random long string}\n&code_challenge={code challenge}\n&code_challenge_method=SHA256
\n

The provider should redirect you to the authentication/login page and where you’ll get the code after successful authentication.

\n

Code Exchange

\n

In the code exchange request, we need to pass the code we have received through the above request and the code verifier that we have generated in our first step.

\n
POST Provider + /oauth/access_token\n\nRequest body:\n{\n   client_id:{client_id},\n   client_secret:{client_secret},\n   redirect_uri:{redirect_uri},\n   response_type:token,\n   Code:{code} // That we have received in authorization request\n   code_verifier: {code verifier // generated in the first step\n}
\n

Once the codeverificer hash matches with the codechallenge of the authorization request, You will get the token in the response with status code 200 OK.

\n
{\n    "access_token": "c5a****b-****-4*7f-a********e4a",\n    "token_type": "access_token",\n    "refresh_token": "5*****82-b***-**82-8c*1-*******7ce",\n    "expires_in": 11972\n}
\n

That's it and you've implemented PKCE flow in your application.

\n","frontmatter":{"date":"September 03, 2020","updated_date":null,"description":"If you are working with OAuth and OIDC authorization code flow and want to setup PKCE flow then this article will help you to understand everything about PKCE.","title":"PKCE: What it is and how to use it with OAuth 2.0","tags":["PKCE","Oauth","OIDC"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/7ba5011bcf44e895dd050e8766d4d005/2a4de/pkce.png","srcSet":"/static/7ba5011bcf44e895dd050e8766d4d005/69585/pkce.png 200w,\n/static/7ba5011bcf44e895dd050e8766d4d005/497c6/pkce.png 400w,\n/static/7ba5011bcf44e895dd050e8766d4d005/2a4de/pkce.png 600w","sizes":"(max-width: 600px) 100vw, 600px"}}},"author":{"id":"Narendra Pareek","github":"pareek-narendra","avatar":null}}}},{"node":{"excerpt":"Big Data - Introduction Earlier, we were only dealing with well-structured data, hosted in large data warehouses, and investing a cost in…","fields":{"slug":"/engineering/big-data-testing-strategy/"},"html":"

Big Data - Introduction

\n

Earlier, we were only dealing with well-structured data, hosted in large data warehouses, and investing a cost in maintaining those data warehouses and hiring expert professional to maintain and secure information hosted in that data warehouse. Data was structured and can be queried anything as per the needs. But now, this exponential growth of data generates a new vision for data science along with some major challenges.

\n

Big Data is something which is growing exponentially with time, and carry raw but very valuable information inside that can change the future of any enterprise. It is a collection, which represents a large dataset, may be collected from multiple sources, or stored in an organization.\nLet‟s understand a real-time example, Big companies like Ikea and Amazon are leveraging the benefit of big data by collecting data from customer‟s buying patterns at their stores, their internal stock information, and their inventory demand-supply relations and analyze all, in seconds even in real-time to add value to its customer experience.

\n

So, extracting information from a large dataset somewhat calls a concept of Data mining which is an analytic process originally designed to explore large datasets. The ultimate goal of data mining is to search for consistency in a pattern or systematic relationship between variables, which helps in predicting the next pattern or behavior.

\n

Now, if we take concepts of data mining forward along with large data set, to some extent it becomes a blocker for our existing approach, because big data may contain structured or unstructured data even it may contain data in multiple formats also.

\n

Big Data Testing

\n

Testing is an art of achieving quality in your software product, in terms of perfection of functionality, performance, user experience, or usability. But for big data testing, you need to keep your focus more on the functional and performance aspects of an application. Performance is the key parameter in any big data application which is meant to process terabytes of data. Successful processing of terabytes of data using a commodity cluster with a number of other supportive components needs to be verified. Processing should be faster and accurate which demands a high level of testing.

\n

Processing may be of three types:–

\n

\n \n \n

\n

And based on which, we need to integrate different components along with NoSQL data store as per the needs.

\n

Big Data Testing - Test Data

\n

Data plays a vital role in the testing of big data applications. Application is meant to process data and provide an expected output based on implemented logic. The logic needs to be verified before moving to production, as the implementation of logic is completely based on business requirements and data.

\n

1. Test Data Quality

\n

Good quality test data is as important as the test environment. In the big data world, data can have any format or size, it may be in the form of a document, XML, JSON, PDF, etc. at the same time data size may go up to terabytes of petabytes. Hence, test data should also have multiple formats and size should be large enough to ensure the handling of large data processing. In big data testing, it needs data with logical values as per the application requirement and format which is supported by the application.

\n

Along with it, data quality is another aspect of big data testing. Ensuring the quality of data before processing through application ensures the accuracy of the final output. Data quality testing itself is a huge domain and covers a lot of best practices which include – data completeness, conformity, accuracy, validity, duplication, and consistency, etc. It should be included in the big data testing and this ensures the level of accuracy application is supposed to provide.

\n

2. Test Data Generation

\n

The generation of test data is again a challenging job, there are multiple parameters, which have to be taken care of while generating test data. It needs a tool, which can help to generate data and should have functions or logic can also be applied over it. Tools like Talend (an open studio) is the best candidate to fulfill the requirements of data generation.

\n

3. Data Storage

\n

After the generation of test data along with quality, it needs to host on a file system. For testing big data applications, data should be stored in the system similar to the production environment. As we are working in big data space, there should have a different number of nodes, and data must be in a distributed environment.

\n

Big Data Testing - Test Environment

\n

In Big data testing, the test environment should be efficient enough to process a large amount of data as done in the case of a production environment. Real-time production environment clusters generally have 30-40 nodes of cluster and data is distributed on the cluster nodes. There must have some minimum configuration for each node used in the cluster. A cluster may have two modes, in-premise or cloud. For testing in big data, it needs the same kind of environment with some minimum configuration of node.

\n

Scalability is also desired to be there in the test environment of big data testing, it helps to study the performance of application with the increase in the number of resources. That data can be used to define SLA (service level agreement) for that particular application.

\n

Big Data Testing can be categorized into three stages:

\n

\n \n \n

\n

Step 1: Data Staging Validation

\n

The first stage of big data testing, also known as a Pre-Hadoop stage, is comprised of process validation.

\n
    \n
  1. Validation of data is very important so that the data collected from various source like RDBMS, weblogs, etc are verified and then added to the system.
    2. \n
  2. To ensure data match you should compare source data with the data added to the Hadoop system.
    3. \n
  3. Make sure that the right data is taken out and loaded into the accurate HDFS location
    4. \n
\n

Step 2: “Map Reduce” Validation

\n

Validation of “Map Reduce” is the second stage. Business logic validation on every node is performed by the tester. Post that authentication is done by running them against multiple nodes, to make sure that the:

\n\n

Step 3: Output Validation Phase

\n

The output validation process is the final or third stage involved in big data testing. The output data files are created and they are ready to be moved to an EDW (Enterprise Data Warehouse) or any other such system as per requirements. The third stage consisted of:

\n\n

Big Data - Performance Testing

\n

Big data applications are meant to process a large amount of data, and it is expected that it should take minimum time to process maximum data. Along with it, application jobs should consume a considerable amount of memory and CPU. In big data testing, performance parameter plays an important role and helps to define SLA's. It covers the performance of the base machine and cluster. Also, for example, In the case of Hadoop, map-reduce jobs should be written with proper coding guidelines, to perform better in the production environment. Profiling can also be done on map-reduce jobs before integration, to ensure their optimized execution.

\n

Tools used in Big Data Scenarios

\n

\n \n \n

\n

Big Data Testing - Challenges

\n

In big data testing, certain challenges are involved which needs to be addressed by the big data testing approach.

\n

1. Test Data

\n

Exponential growth had been observed in the growth of data in the last few years. A huge amount of data are being generated daily and stored in large data centers or data marts. So, there is a demand for efficient storage and a way to process it in an optimized way. If we consider the telecom industry, it generates a large number of call logs daily and they need to be processed for better customer experience and compete in the market. The same goes with the test data, test data should be similar to production data and should contain all the logically acceptable fields in it.

\n

This becomes a challenge for testing big data application, generating test data similar to production data is a real challenge. Test data should also be large enough to verify proper working big data application.

\n

2. Environment

\n

The processing of data highly depends on the environment and its performance. An optimized environment setup gives high performance and fast data processing results. Distributed computing is used for the processing of big data which has data hosted in a distributed environment. The testing environment should have multiple numbers of nodes and data should be distributed over the nodes. At the same time, it also needs to monitor those nodes, to ensure the highest performance with minimum CPU and memory utilization. Nodes should be monitored and there should have a graphical presentation of node performance. So, the test environment has two aspects – distributed nodes and their monitoring, which should be covered in the testing approach.

\n

3. Performance

\n

Performance is the key requirement of any big data application, and of course because of which enterprises are moving towards NoSQL technologies, technologies that can handle their big data and process in the minimum time frame. A large dataset should be processed in a minimum considerable time frame. In big data testing, performance testing is a challenge, it requires monitoring of cluster nodes during execution and also time is taken for every iteration of execution.

\n

Conclusion

\n

Big Data is the trend that is revolutionizing society and its organizations due to the capabilities it provides to take advantage of a wide variety of data, in large volumes and with speed. Keeping the challenges in mind we have defined the approach of testing big data applications. This approach of big data testing will make it easy for a test engineer to verify and certify the business requirement implementations and for stack holders, it saves a huge amount of cost, which has to be invested to get the expected business returns.

\n","frontmatter":{"date":"September 02, 2020","updated_date":null,"description":"With the exponential growth in the number of big data applications in the world, Testing in big data applications is related to database, infrastructure and performance testing and functional testing. This blog guides what should be the strategy for testing Big Data applications.","title":"Big Data - Testing Strategy","tags":["Testing","Big Data","Big Data Testing"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/370acda0a8a364ef7098ce2df0537d12/ee604/big-data.png","srcSet":"/static/370acda0a8a364ef7098ce2df0537d12/69585/big-data.png 200w,\n/static/370acda0a8a364ef7098ce2df0537d12/497c6/big-data.png 400w,\n/static/370acda0a8a364ef7098ce2df0537d12/ee604/big-data.png 800w,\n/static/370acda0a8a364ef7098ce2df0537d12/f3583/big-data.png 1200w,\n/static/370acda0a8a364ef7098ce2df0537d12/5707d/big-data.png 1600w,\n/static/370acda0a8a364ef7098ce2df0537d12/eeb1b/big-data.png 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Sudhey Sharma","github":"sudheysharma","avatar":null}}}},{"node":{"excerpt":"Introduction Authentication is the necessary implementation for secure and genuine access to resources of web and mobile applications. It…","fields":{"slug":"/engineering/email-verification-api/"},"html":"

Introduction

\n

Authentication is the necessary implementation for secure and genuine access to resources of web and mobile applications. It helps to authorize the user and provide access control for applications based on the user’s credentials.

\n

There are various authentication mechanisms like Email, Phone numbers, Biometrics, etc. However, Email is still considered the primary means of authentication because other mechanisms are not as optimized or in approach to everyone.

\n

So it is safe to say that most of your application users used email for creating their accounts. With that, some users tend to use disposable email services for fake account creation. These fake accounts result in additional liability to your application resources and servers.

\n

You can effectively reduce such spams for your applications by analyzing the user’s email address during registration for the following aspects:

\n\n

There are some tools available that could help you analyze the above factors, and one such tool is EVA, an Email Verification API. It is a free API and analyzes the user’s email for all of the factors mentioned above.

\n

API Details

\n

The details of Email Verification API (API) is as follows:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
ParametersValue
URLhttps://api.eva.pingutil.com/email
Query Param{ email: test@mail7.io }
Response{ \"status\": \"success\", \"data\": { \"email_address\": \"test@mail7.io\", \"domain\": \"mail7.io\", \"valid_syntax\": true, \"disposable\": true, \"deliverable\": true }}
\n

Valid_syntax, disposable, and deliverable are three attributes of this API, let’s see how these works:

\n

Output Parameters:

\n

valid_syntax\nThis attribute verifies the syntax of the entered email address matches the standard email address format or not. It is useful in the cases where the end-user might misspell email addresses while typing.

\n

disposable\nThis attribute verifies whether the entered email address domain belongs to the disposable email service. EVA checks the email address against a valid database of more than 4500 disposable email services. Thus, it can effectively help the developer to prevent users from registering using disposable email.

\n

deliverable\nThis attribute verifies whether the email domain has valid MX records or not. The email address is considered deliverable if the valid MX record for the email domain is found.

\n
\n

Note: A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS).

\n
\n

The response received for the above three attributes of API can help you take further action. These attributes are not just limited to registration use cases, you can utilize them for other use cases like if you have an existing user base but would like to limit the spammers (who have registered using disposable emails) from commenting on the blog or accessing your application resources.

\n

This API tool has been developed and designed as a way of giving back to the developer community initiative by LoginRadius Developers. Your opinion is important to us. This way we can keep improving our product for the developer community. Please share your feedback here

\n","frontmatter":{"date":"August 31, 2020","updated_date":null,"description":"Email authentication, being the traditional way of authentication and used most widely. Increase in the spams has also increased the disposable email registrations. To reduce and identify such unwanted users, EVA(Email Verification API) is the tool, developed by LoginRadius developers.","title":"Email Verification API (EVA)","tags":["Free tool","Developer Resources ","Verification","Email"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/4991e427faf331bcbd24d1c66c1cad40/ee604/eva.png","srcSet":"/static/4991e427faf331bcbd24d1c66c1cad40/69585/eva.png 200w,\n/static/4991e427faf331bcbd24d1c66c1cad40/497c6/eva.png 400w,\n/static/4991e427faf331bcbd24d1c66c1cad40/ee604/eva.png 800w,\n/static/4991e427faf331bcbd24d1c66c1cad40/f3583/eva.png 1200w,\n/static/4991e427faf331bcbd24d1c66c1cad40/e4d72/eva.png 1280w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Aman Agrawal","github":"aman-agrwl","avatar":null}}}},{"node":{"excerpt":"In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting. Cross…","fields":{"slug":"/engineering/anti-xss-middleware-asp-core/"},"html":"

In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting.

\n

Cross-Site Scripting(XSS)

\n

Cross-site scripting is a security vulnerability and a client-side code injection attack. In this attack, the malicious script is injected into legitimate websites.\nCross-site scripting allows an attacker to act like a victim user and to carry out the actions that the user can perform. The attacker can access the user's data as well.

\n

Implement AntiXssMiddleware in .NET Core

\n

Step 1: Create Asp.NET Core Web Application project in Visual Studio.

\n

Step 2: Select type as API in the next step and create the project. You will find a default controller which is created in the controller folder named as WeatherForecastController.cs

\n

Step 3: Now create a new folder named Middleware in the root directory.

\n

Step 4 : Create a new file AntiXssMiddleware.cs in that Middleware folder.

\n

Step 5: Now add the Newtonsoft.json package into your solution

\n

By doing the above steps you will have below structure in your solution.

\n

\n \n \"Solution\n

\n

Step 6: Now edit the AntiXssMiddlewars.cs file and paste below code.

\n
using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Net;\nusing System.Text;\nusing System.Text.RegularExpressions;\nusing System.Threading.Tasks;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Http;\nusing Newtonsoft.Json;\n\nnamespace AntiXssMiddleware.Middleware\n{\n    public class AntiXssMiddleware\n    {\n        private readonly RequestDelegate _next;\n        private ErrorResponse _error;\n        private readonly int _statusCode = (int)HttpStatusCode.BadRequest;\n\n        public AntiXssMiddleware(RequestDelegate next)\n        {\n            _next = next ?? throw new ArgumentNullException(nameof(next));\n        }\n\n        public async Task Invoke(HttpContext context)\n        {\n            // Check XSS in URL\n                if (!string.IsNullOrWhiteSpace(context.Request.Path.Value))\n                {\n                    var url = context.Request.Path.Value;\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(url, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in query string\n                if (!string.IsNullOrWhiteSpace(context.Request.QueryString.Value))\n                {\n                    var queryString = WebUtility.UrlDecode(context.Request.QueryString.Value);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(queryString, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in request content\n                var originalBody = context.Request.Body;\n                try\n                {\n                    var content = await ReadRequestBody(context);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(content, out _)) \n                    {\n                            await RespondWithAnError(context).ConfigureAwait(false);\n                            return;\n                    }\n                    await _next(context).ConfigureAwait(false);\n                }\n                finally\n                {\n                    context.Request.Body = originalBody;\n                }\n        }\n\n        private static async Task<string> ReadRequestBody(HttpContext context)\n        {\n            var buffer = new MemoryStream();\n            await context.Request.Body.CopyToAsync(buffer);\n            context.Request.Body = buffer;\n            buffer.Position = 0;\n\n            var encoding = Encoding.UTF8;\n\n            var requestContent = await new StreamReader(buffer, encoding).ReadToEndAsync();\n            context.Request.Body.Position = 0;\n\n            return requestContent;\n        }\n\n        private async Task RespondWithAnError(HttpContext context)\n        {\n            context.Response.Clear();\n            context.Response.Headers.AddHeaders();\n            context.Response.ContentType = "application/json; charset=utf-8";\n            context.Response.StatusCode = _statusCode;\n\n            if (_error == null)\n            {\n                _error = new ErrorResponse\n                {\n                    Description = "Error from AntiXssMiddleware",\n                    ErrorCode = 500\n                };\n            }\n\n            await context.Response.WriteAsync(_error.ToJSON());\n        }\n    }\n\n    public static class AntiXssMiddlewareExtension\n    {\n        public static IApplicationBuilder UseAntiXssMiddleware(this IApplicationBuilder builder)\n        {\n            return builder.UseMiddleware<AntiXssMiddleware>();\n        }\n    }\n\n\n    /// <summary>\n    /// Imported from System.Web.CrossSiteScriptingValidation Class\n    /// </summary>\n    public static class CrossSiteScriptingValidation\n    {\n        private static readonly char[] StartingChars = { '<', '&' };\n\n        #region Public methods\n\n        public static bool IsDangerousString(string s, out int matchIndex)\n        {\n            //bool inComment = false;\n            matchIndex = 0;\n\n            for (var i = 0; ;)\n            {\n\n                // Look for the start of one of our patterns \n                var n = s.IndexOfAny(StartingChars, i);\n\n                // If not found, the string is safe\n                if (n < 0) return false;\n\n                // If it's the last char, it's safe \n                if (n == s.Length - 1) return false;\n\n                matchIndex = n;\n\n                switch (s[n])\n                {\n                    case '<':\n                        // If the < is followed by a letter or '!', it's unsafe (looks like a tag or HTML comment)\n                        if (IsAtoZ(s[n + 1]) || s[n + 1] == '!' || s[n + 1] == '/' || s[n + 1] == '?') return true;\n                        break;\n                    case '&':\n                        // If the & is followed by a #, it's unsafe (e.g. S) \n                        if (s[n + 1] == '#') return true;\n                        break;\n\n                }\n\n                // Continue searching\n                i = n + 1;\n            }\n        }\n\n        #endregion\n\n        #region Private methods\n\n        private static bool IsAtoZ(char c)\n        {\n            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');\n        }\n\n        #endregion\n\n        public static void AddHeaders(this IHeaderDictionary headers)\n        {\n            if (headers["P3P"].IsNullOrEmpty())\n            {\n                headers.Add("P3P", "CP=\\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\\"");\n            }\n        }\n\n        public static bool IsNullOrEmpty<T>(this IEnumerable<T> source)\n        {\n            return source == null || !source.Any();\n        }\n        public static string ToJSON(this object value)\n        {\n            return JsonConvert.SerializeObject(value);\n        }\n    }\n\n    public class ErrorResponse\n    {\n        public int ErrorCode { get; set; }\n        public string Description { get; set; }\n    }\n\n}
\n

In the above file we have created the method for checking the Xss in QueryParam, RequestUri and RequestBody.

\n

Here we have different methods which are as follows:-

\n

ReadRequestBody which is used for reading the RequestBody.

\n

RespondWithAnError which is used for returning the error.

\n

IsDangerousString which is checking if there is any dangerous string like any script in the given string.

\n

Step 7: Edit the Startup.cs file and add below line in Configure method.

\n
app.UseAntiXssMiddleware();
\n

Step 8 : After editing the Startup.cs file will look like below

\n
using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Threading.Tasks;\nusing AntiXssMiddleware.Middleware;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Hosting;\nusing Microsoft.AspNetCore.HttpsPolicy;\nusing Microsoft.AspNetCore.Mvc;\nusing Microsoft.Extensions.Configuration;\nusing Microsoft.Extensions.DependencyInjection;\nusing Microsoft.Extensions.Hosting;\nusing Microsoft.Extensions.Logging;\n\nnamespace AntiXssMiddleware\n{\n    public class Startup\n    {\n        public Startup(IConfiguration configuration)\n        {\n            Configuration = configuration;\n        }\n\n        public IConfiguration Configuration { get; }\n\n        // This method gets called by the runtime. Use this method to add services to the container.\n        public void ConfigureServices(IServiceCollection services)\n        {\n            services.AddControllers();\n        }\n\n        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.\n        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)\n        {\n            if (env.IsDevelopment())\n            {\n                app.UseDeveloperExceptionPage();\n            }\n\n            app.UseHttpsRedirection();\n            app.UseAntiXssMiddleware();\n            app.UseRouting();\n            app.UseAuthorization();\n            app.UseEndpoints(endpoints =>\n            {\n                endpoints.MapControllers();\n            });\n        }\n    }\n}
\n

Step 9: Now build and run the solution.

\n

As we run the default API which is https://localhost:44369/weatherforecast we will get the below response.

\n
[\n    {\n        "date": "2020-08-21T11:58:40.0289718+05:30",\n        "temperatureC": 27,\n        "temperatureF": 80,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-22T11:58:40.0289896+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Cool"\n    },\n    {\n        "date": "2020-08-23T11:58:40.0289899+05:30",\n        "temperatureC": -20,\n        "temperatureF": -3,\n        "summary": "Hot"\n    },\n    {\n        "date": "2020-08-24T11:58:40.0289901+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-25T11:58:40.0289902+05:30",\n        "temperatureC": 2,\n        "temperatureF": 35,\n        "summary": "Balmy"\n    }\n]
\n

Now if we inject any script in the above url like https://localhost:44369/weatherforecast<script></script> we will get the response as

\n
{\n    "ErrorCode": 500,\n    "Description": "Error from AntiXssMiddleware"\n}
\n

Note:

\n
    \n
  1. The default port may be different when you run the project. So change the port accordingly.
    2. \n
  2. You can customize the error message according to your need.
    3. \n
\n

Conclusion

\n

In this blog, we learnt about how to implement AntiXssMiddlware in ASP.NET Core Web Application Project. We have implemented the AntiXssMiddleware in API's QueryParam, ReuqestUri and RequestBody. So if any script is injected in QueryParam, RequestUri or RequestBody then it will give the error.

\n","frontmatter":{"date":"August 26, 2020","updated_date":null,"description":null,"title":"Implement AntiXssMiddleware in .NET Core Web","tags":["C#","ASP.NET"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/813c7a5a008113481ac2c05836830d14/ee604/antixss.png","srcSet":"/static/813c7a5a008113481ac2c05836830d14/69585/antixss.png 200w,\n/static/813c7a5a008113481ac2c05836830d14/497c6/antixss.png 400w,\n/static/813c7a5a008113481ac2c05836830d14/ee604/antixss.png 800w,\n/static/813c7a5a008113481ac2c05836830d14/f3583/antixss.png 1200w,\n/static/813c7a5a008113481ac2c05836830d14/5707d/antixss.png 1600w,\n/static/813c7a5a008113481ac2c05836830d14/eeb1b/antixss.png 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","avatar":null}}}},{"node":{"excerpt":"In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software…","fields":{"slug":"/engineering/quick-kafka-installation/"},"html":"

In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software platform and comes under the Apache software foundation.

\n

What is Kafka?

\n

Kafka is used for real-time streams of data, to collect big data, or to do real-time analysis (or both). Kafka is used with in-memory microservices to provide durability and it can be used to feed events to complex event streaming systems and IoT/IFTTT-style automation systems.

\n

Installation :

\n

1. Java Setup:

\n

Kafka requires Java 8 for running. And hence, this is the first step that we should do to install Kafka. To install Java, there are a couple of options. We can go for the Oracle JDK version 8 from the Official Oracle Website.

\n

2. Kafka & Zookeeper Configuration:

\n

Step 1: Download Apache Kafka from its Official Site.

\n

Step 2: Extract tgz via cmd or from the available tool to a location of your choice:

\n
tar -xvzf kafka_2.12-2.4.1.tgz
\n

Step 3: Copy the path of the Kafka folder. Now go to config inside Kafka folder and open zookeeper.properties file. Copy the path against the field dataDir and add /zookeeper-data to the path.

\n

\n \n \n \nStep 4: we have to modify the config/server.properties file. Below is the change:

\n
fileslog.dirs=C:\\kafka\\kafka-logs
\n

Basically, we are pointing the log.dirs to the new folder /data/kafka.

\n

Run Kafka Server:

\n

Step 1: Kafka requires Zookeeper to run. Basically, Kafka uses Zookeeper to manage the entire cluster and various brokers. Therefore, a running instance of Zookeeper is a prerequisite to Kafka.

\n

To start Zookeeper, we can open a PowerShell prompt and execute the below command:

\n
.\\bin\\windows\\zookeeper-server-start.bat .\\config\\zookeeper.properties
\n

If the command is successful, Zookeeper will start on port 2181.

\n

Step 2: Now open another command prompt and change the directory to the kafka folder. Run kafka server using the command:

\n
.\\bin\\windows\\kafka-server-start.bat .\\config\\server.properties
\n

Now your Kafka Server is up and running, you can create topics to store messages. Also, we can produce or consume data directly from the command prompt.

\n

Create a Kafka Topic:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows.
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-topics.bat --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test
\n

Creating Kafka Producer:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-console-producer.bat --broker-list localhost:9092 --topic test
\n

Creating Kafka Consumer:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows.
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-console-consumer.bat --bootstrap-server localhost:9092 --topic test --from-beginning
\n

If you see these messages on consumer console,Congratulations!!! you all done. Then you can play with producer and consumer terminal bypassing some Kafka messages.

\n","frontmatter":{"date":"August 25, 2020","updated_date":null,"description":null,"title":"Setting Up and Running Apache Kafka on Windows OS","tags":["Kafka","Windows"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/cf0f7f91117e9c259a3ad57b67a89c15/ee604/messagelog.png","srcSet":"/static/cf0f7f91117e9c259a3ad57b67a89c15/69585/messagelog.png 200w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/497c6/messagelog.png 400w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/ee604/messagelog.png 800w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/f3583/messagelog.png 1200w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/5707d/messagelog.png 1600w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/7ddcb/messagelog.png 2700w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Ashish Sharma","github":"ashish8947","avatar":null}}}},{"node":{"excerpt":"Getting Started with OAuth 2.0 OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because…","fields":{"slug":"/engineering/oauth2/"},"html":"

Getting Started with OAuth 2.0

\n

OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because OAuth is hard, but because of the confusing facts found about OAuth on the web. So I wrote this article to explain why and how OAuth is used in very simple terms.

\n

Let’s start with the basics: OAuth stands for Open Authorization. It’s a process through which an application or website can access private data from another website.\nIt provides applications the ability for “secure designated access.” For example, you can tell Google that it’s OK for abc.com to access your google account or contact without having to give abc.com your google password.

\n

OAuth never share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

\n

Now Let’s have a look at OAuth 2.0 Terminology.

\n\n

We have a pretty good understanding of OAuth 2.0 and Terminology, let’s move further and discuss the OAuth grant type that is widely used in this protocol.

\n

In total, there are five different grant type flows defined and described to perform authorizations tasks. Those are

\n\n

Authorization Code Grant

\n

The Authorization Code Grant Type is the most commonly used grant type.

\n

\n \n \n

\n

The Story: A user tries to log in on abc.com but he can’t remember his password and he discovers an option to sign in with google, by clicking on this, the user will easily get logged using google account.

\n

Flow

\n

The client redirects the user to the authorization server having the following parameters in the query string.

\n

Step 1

\n\n

After successful authentication, the user will be redirected to the Consent screen where he needs to provide consent to abc.com to access the account detail.\nAuthorization code is generated by the authorization server and sent back to the client with redirect Uri.

\n

Step 2\nThe client will now send a POST request to the authorization server with the following parameters:

\n\n

In the entire flow, the access token is never exposed to a web browser.

\n

Implicit Grant

\n

The Implicit flow was a simplified OAuth flow previously recommended for client-side applications like JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

\n

\n \n \n

\n

The Story: In this flow abc.com directly get access token without an extra authorization code exchange steps and able to access resources on a resource server

\n

Flow

\n

The client will redirect the user to the authorization server with the following parameters in the query string:

\n\n

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

\n

Resource Owner Credentials Grant

\n

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

\n

This grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

\n

Flow

\n

The client will ask the user for their authorization credentials (usually a username and password).\nThe client then sends a POST request with following body parameters to the authorization server:

\n\n

Client Credentials Grant

\n

Using this flow the client can request an access token using only its client credentials (or other supported means of authentication).

\n

\n \n \n

\n

The Story: The client application presents its client credentials (client identifier and client secret) to the authorization server requesting approval to access the protected resource (owned by the client application) on the resource server.\nThe authorization server authenticates the client credential and issues an access token.

\n

Flow

\n

The client sends a POST request with following body parameters to the authorization server:

\n\n

Refresh Token Grant

\n

Access tokens eventually expire, however, some grants respond with a refresh token which enables the client to refresh the access token.

\n

Flow

\n

The client sends a POST request with following body parameters to the authorization server:

\n\n

Conclusion

\n

I hope you got an idea of how OAuth works and why it is needed. Now it’s time for you to go explore, find out more about the OAuth flow and implement it into your application.\nGood Luck and have fun! Thank you for following this article and hope it helped you! Please do buzz me if you want any help: indrasen.kumar@loginradius.com

\n","frontmatter":{"date":"August 24, 2020","updated_date":null,"description":"Using this blog one can easily understand the basic concept of Oauth 2.0","title":"Getting Started with OAuth 2.0","tags":["Engineering","Oauth","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/e6413c80a3d38d63b14543319d3c54dd/ee604/oauth2.png","srcSet":"/static/e6413c80a3d38d63b14543319d3c54dd/69585/oauth2.png 200w,\n/static/e6413c80a3d38d63b14543319d3c54dd/497c6/oauth2.png 400w,\n/static/e6413c80a3d38d63b14543319d3c54dd/ee604/oauth2.png 800w,\n/static/e6413c80a3d38d63b14543319d3c54dd/40ffe/oauth2.png 960w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Indrasen Kumar","github":"indrasen715","avatar":null}}}}]},"markdownRemark":{"excerpt":"Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie…","fields":{"slug":"/engineering/identity-impact-of-google-chrome-thirdparty-cookie-restrictions/"},"html":"

Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie restrictions for 1% of stable clients and 20% of Canary, Dev, and Beta clients.

\n

What does it mean for user authentication?

\n

On one hand, Google believes third-party cookies are widely used for cross-site tracking, greatly affecting user privacy. Hence, Google wants to phase out (or restrict) supporting third-party cookies in Chrome by early Q2 2025 (subject to regulatory processes).

\n

On the other hand, Google introduced Privacy Sandbox to support the use cases (other than cross-site tracking and advertising) previously implemented using third-party cookies.

\n

In this article, we’ll discuss:

\n\n

How is User Authentication Affected?

\n

Third-party cookie restrictions affect user authentication in three ways, as follows.

\n

External Identity Providers

\n

If your website or app uses an external Identity Provider (IdP) — like LoginRadius, the IdP sets a third-party cookie when the user authenticates on your app.

\n

Web SSO

\n

If you have multiple apps across domains within your organization and authentication is handled using an IdP (internal or external) with web SSO, you already use third-party cookies to facilitate seamless access for each user using a single set of credentials.

\n

If you have implemented web SSO with one primary domain and multiple sub-domains of the primary domain, third-party cookie restrictions may not apply. For now, Google doesn’t consider the cookies set by sub-domains as third-party cookies, although this stance may change in the future.

\n

For example, you have apps at example.com, travel.example.com, stay.example.com, and web SSO is handled by auth.example.com. In this case, third-party cookie restrictions don’t apply.

\n

Federated SSO

\n

Federated SSO is similar to, albeit different from, web SSO. It can handle multiple IdPs and applications—aka., Service Providers (SPs)—spanning multiple organizations. It can also implement authentication scenarios that are usually implemented through web SSO.

\n

Usually, authentication is handled on a separate pop-up or page when the user wants to authenticate rather than on the application or website a user visits.

\n

For example, you already use federated SSO if you facilitate authentication for a set of apps through multiple social identity providers as well as traditional usernames and passwords.

\n
\n

Note: It is also possible to store tokens locally, not within cookies. In this case, third-party cookie restrictions won’t affect token-based authentication. However, the restrictions still affect authentication where tokens are stored within third-party cookies (a common and secure method).

\n
\n

Chrome’s Alternatives for Third-Party Cookies

\n

Google has been developing alternative features and capabilities for Chrome to replace third-party cookies as part of its Privacy Sandbox for Web initiative.

\n

Specific to authentication, Google recommends the following:

\n
    \n
  1. Cookies Having Independent Partitioned State (CHIPS)
    2. \n
  2. Storage Access API
    3. \n
  3. Related Website Sets
    4. \n
  4. Federated Credential Management (FedCM) API
    5. \n
\n

Cookies Having Independent Partitioned State (CHIPS)

\n

CHIPS are a restricted way of setting third-party cookies on a top-level site without making them accessible on other top-level sites. Thus, they limit cross-site tracking and enable specific cross-site functionalities, such as maps, chat, and payment embeds.

\n

For example, a user visits a.com with a map embed from map-example.com, which can set a partitioned cookie that is only accessible on a.com.

\n

If the user visits b.com with a map embed from map-example.com, it cannot access the partitioned cookie set on a.com. It has to create a separate partitioned cookie specific to b.com, thus blocking cross-site tracking yet allowing limited cross-site functionality.

\n

You should specifically opt for partitioned cookies (CHIPS), which are set with partitioned and secure cookie attributes.

\n

If you’re using an external identity provider for your application, CHIPS is a good option to supplant third-party cookie restrictions.

\n

However, CHIPS may not be ideal if you have a web SSO or federated SSO implementation. It creates separate partitioned cookies for each application with a separate domain, which can increase complexity and create compatibility issues.

\n

Storage Access API

\n

With Storage Access API, you can access the local storage in a third-party context through iframes, similar to when users visit it as a top-level site in a first-party context. That is, it gives access to unpartitioned cookies and storage.

\n

Storage Access API requires explicit user approval to grant access, similar to locations, camera, and microphone permissions. If the user denies access, unpartitioned cookies and storage won’t be accessible in a third-party context.

\n

It is most suitable when loading cross-site resources and interactions, such as:

\n

Verifying user sessions when allowing interactions on an embedded social post or providing personalization for an embedded video.\nEmbedded documents requiring user verification status to be accessible.

\n

As it requires explicit user approval, it is advisable to use Storage Access API when you can’t implement an identity use case with the other options.

\n

Related Website Sets

\n

With Related Website Sets, you can declare a primary website and associatedSites for limited purposes to grant third-party cookie access and local storage for a limited number of sites.

\n

Chrome automatically recognizes related website sets declared, accepted, and maintained in this open-source GitHub repository: Related Website Sets

\n

It provides access through Storage Access API directly without prompting for user approval, but only after the user interacts with the relevant iframe.

\n

It is important to declare a limited number of domains in related website sets that are meaningful and used for specific purposes. Google may block or suspend any exploitative use of this feature.

\n

The top-level site can also request approval for specific cross-site resources and scripts to Storage Access API using resuestStorageAccessFor() API.

\n

If you’re using an external identity provider for your web application, you can declare the domain of the identity provider in the related set to ensure limited third-party cookies and storage access to the identity provider, thus ensuring seamless user authentication.

\n

Related Website Sets can also work to supplement third-party cookie restrictions in web SSO and federated SSO if the number of web applications (or domains) is limited.

\n

Federated Credential Management (FedCM) API

\n

FedCM API enables federated SSO without third-party cookies.

\n

With FedCM API, a user follows these steps for authentication:

\n
    \n
  1. The User navigates to a Service Provider (SP) — aka., Relying Party (RP)
    2. \n
  2. As the user requests to authenticate, the SP requests the browser through FedCM API to initiate authentication.
    3. \n
  3. The browser displays a list of available identity providers (supported by the RP), such as social IdPs like Google, Apple, LinkedIn, and Facebook, or other OAuth IdPs like LoginRadius.
    4. \n
  4. Once the user selects an IdP, the browser communicates with the IdP. Upon valid authentication, the IdP generates a secure token.\nThe browser delivers this secure token to the RP to facilitate user authorization.
    5. \n
\n

You can access a user demo of FedCM here: FedCM.

\n

For more information about implementing federated SSO with FedCM API, go through the FedCM developer guide.

\n\n

Firstly, we’re committed to solving our customers' user identity pain points — and preparing for the third-party cookies phase-out is no different.

\n

We’ll implement the most relevant and widely useful solutions to facilitate a smooth transition for our customers.

\n

Please subscribe to our blog for more information. We’ll update you on how we help with the third-party cookie phase-out.

\n

In Conclusion

\n

The proposed changes to phase out third-party cookies and suggested alternatives are evolving as Google has been actively collaborating and discussing changes with the border community.

\n

Moreover, browsers like Firefox, Safari, and Edge may approach restricting third-party cookies differently than Google does.

\n

From LoginRadius, we’ll keep you updated on what we’re doing as a leading Customer Identity and Access Management (CIAM) vendor to prepare for the third-party cookie phase-out.

\n

Glossary

\n

Top-level site: It is the primary site a user has visited.

\n

First-party cookie: A cookie set by the top-level site.

\n

Third-party cookie: A cookie set by a domain other than the top-level site. For example, let’s assume that a user has visited a.com, which might use an embed from loginradius.com to facilitate authentication. If loginradius.com sets a cookie when the user visits a.com, it is called a third-party cookie as the user hasn’t directly visited loginradius.com.

\n

References

\n\n","frontmatter":{"date":"July 08, 2024","updated_date":null,"description":"Google Chrome has planned to phase out third-party cookies, which will affect different website functionalities depending on third-party cookies. This blog focuses on how this phase-out affects identity and user authentication and discusses alternatives for overcoming challenges.","title":"How Chrome’s Third-Party Cookie Restrictions Affect User Authentication?","tags":["Identity","Cookies","Chrome"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/eb7396060c0adc430dbed2d04b63d431/ee604/third-party-cookies-phaseout-chrome.png","srcSet":"/static/eb7396060c0adc430dbed2d04b63d431/69585/third-party-cookies-phaseout-chrome.png 200w,\n/static/eb7396060c0adc430dbed2d04b63d431/497c6/third-party-cookies-phaseout-chrome.png 400w,\n/static/eb7396060c0adc430dbed2d04b63d431/ee604/third-party-cookies-phaseout-chrome.png 800w,\n/static/eb7396060c0adc430dbed2d04b63d431/f3583/third-party-cookies-phaseout-chrome.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Raghunath Reddy","github":"raghunath-r-a","avatar":null}}}},"pageContext":{"limit":6,"skip":174,"currentPage":30,"type":"//engineering//","numPages":52,"pinned":"17fa0d7b-34c8-51c4-b047-df5e2bbaeedb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}