Should Token created when the user registers or login? - javascript

I have an API created by one of my team :),
And he made an endpoints "Register/Login"
his thought
When user create a user we save his data and the endpoint response it " without generating a Token"
so i can't navigate him to other screens cuz I make a request based on his Token,
So he wants me to navigate user after register to the login screen then Login endpoint will response the Token
But I think it's not a nice way and not improve UX.
So what you think we do?
generate Token in the register or log in?

The way I see this:
Solution 1:
You have him change the register API so that returns a token for you and you keep doing whatever you do with it.
Solution 2:
By registering, I'm assuming they type in a username/email, some personal details and a password!? So you have all the data to log the user in after registration. Upon successful registration, use the same username/email and password from memory (do not store them in browser storage) and call the login api to get the token (you only redirect after you've gotten the token) - so UX doesn't suffer here.
P.S. Instead of "fighting" one another over who's solution is better, try to work together in a solution. This is clearly an "I told you so" attempt - hence why I gave you two solution where both sides can do the work. Both of you can implement a solution without affecting UX, it's a matter of who's more stubborn :P

Related

Google oauth session lost after page reload (javascript)

I recently moved from the deprecated gapi.auth2 to the new Google Identity Services, using the javascript client library, and noticed a big difference: if someone signs in, and then reloads the page, the session is lost, and has to sign in again, every time the page is loaded. This was not the case with the deprecated library.
The problem can be easily reproduced with the Calendar API example.
Is there any configuration option to keep the session persistent? Or do I need to store the access tokens somehow? I could not find anything relevant in the official docs.
UPDATE:
The migration guide states the following:
Previously, Google Sign-In helped you to manage user signed-in status using:
Callback handlers for Monitoring the user's session state.
Listeners for events and changes to signed-in status for a user's Google Account.
You are responsible for managing sign-in state and user sessions to your web app.
However there's absolutely no information on what needs to be done.
UPDATE 2
To be more specific, the actual issue is not making the session persistent. Managing the sign in state and user session is something I can solve.
The real problem is the access token used to call the Google APIs.
As mentioned in the comments, the access tokens are 1) short lived 2) are not stored anywhere, so even if not expired, they do not persist between page reloads.
Google provides the requestAccessToken method for this, however even if I specify prompt: '', it opens the sign-in popup. If I also specify the hint option with the signed in user's email address, than the popup opens, displays a loading animation briefly, and closes without user interaction. I could live with this, however this only works if triggered by a user interaction, otherwise the browser blocks the popup window, meaning that I cannot renew the token without user interaction, e.g. on page load. Any tips to solve this?
I faced all the same issues you described in your question.
In order to help:
Google 3P Authorization JavaScript Library: in this link we can check all the methods the new library has (it does not refresh token, etc..)
This doc says the library won't control the cookies to keep the state anymore.
Solution
Firstly I need to thanks #Sam O'Riil answer.
As Sam described: "you can somehow save access token and use it to speed-up things after page reload."
Given the the Google's exampe, we should call initTokenClient in order to configure the Google Auth and the requestAccessToken to popup the auth:
tokenClient = google.accounts.oauth2.initTokenClient({
client_id: 'YOUR_CLIENT_ID',
scope: 'https://www.googleapis.com/auth/calendar.readonly',
prompt: 'consent',
callback: tokenCallback
});
tokenClient.requestAccessToken({prompt: ''})
In your tokenCallback you can save the credentials you get somehow, e.g.:
const tokenCallback(credentials) => {
// save here the credentials using localStorage or cookies or whatever you want to.
}
Finally, when you restart/reload your application and you initialize the gapi.server again, you only need to get the credentials again and set token to gapi, like:
gapi.load('client', function() {
gapi.client.init({}).then(function() {
let credentials = // get your credentials from where you saved it
credentials = JSON.parse(credentials); // parse it if you got it as string
gapi.client.setToken(credentials);
... continue you app ...
}).catch(function(err) {
// do catch...
});
});
Doing it, your application will work after the reload. I know it could not be the best solution, but seeing what you have and the library offers, I think that's you can do.
p.s.: the token expires after 1 hour and there is no refresh token (using the implicit flow) so, you will have to ask the user to sign-in again.

Is it possible to post to chat.postMessage as any user in a Slack team?

I'm building a Slack integration that is intended to modify some text and then post it to a Slack channel as though the user who triggered the command had said it.
e.g. /makeFace disapproval
#Ben 3:45pm
ಠ_ಠ
I ask for the client permission scope, which adds the chat:write:user permission. But when I hit the chat.postMessage endpoint, it only seems to allow you to post as the user who added the integration because the token it returns seems to be individuated for that user.
I know that giphy, for instance, sends its gif messages as though you are the originator, but I can't find out how they manage it. Is there any documentation for sending messages as other members of the team?
There are 2 ways to achieve this:
A. Overwriting username and icon
When you send a message with chat.postMessage it is possible to set a user name with the property username. The message will then appear as being send by that user (same for icon with icon_url).
However, this is not meant to impersonate real users, so even if you use the same username and icon as the real user the message will have the app tag, so that they can be distinguished from a real user.
Here is an example how it looks like (from a gamer Slack about flying and killing space ships):
But depending on what your requirements are that might work for you.
If you want to use it make sure to also set the as_user property to false (yes, really) and it will not work with a bot token, only with a user token.
See here for more details on how it works.
This also works for the legacy version of Incoming Webhooks, not with the current version of incoming webhooks though. (You can still get the legacy version, see this answer)
B. Having the user's token
Another approach is to always use the token from the respective user for sending the message. In combination with as_user = true messages sent by your app will look exactly as if they would come from the respective user (no APP tag).
To make that happen your app would need to collect tokens from all users on your workspace and store them for later use. This can be done by asking every user to install your app (called adding a "configuration") through the Oauth process (same you use to install your app to a workspace), which allows your app to collect and store those tokens for later use.
Update: This doesn't work. It impersonates the user who installed the app, so it merely seems to work... until another user tries to use it (and they end up impersonating you).
Go to your App's management page. Select "OAuth & Permissions".
Add the chat.write OAuth Scope to your app as a User Token Scope, not a Bot Token scope.
Take note of your User OAuth Token at the top of this page (not your But User OAuth Token).
Call chat.postMessage with
username = user id of the user you'd like to post on behalf of
token = the token from step 3. above
The resulting post will be 100% impersonated. Not just the name and icon as mentioned in other answers, but it'll 100% function as if it came from the user.
I hope this will help those who are still facing this issue.
First give the chat:write and chat:write.customize scope to your bot. The scope chat:write.customize Send messages as #your_slack_app with a customized username and avatar
From "OAuth & Permissions" settings get the bot OAuth token or even bot access token (both will work).
Then set the arguments like the following.
username to specify the username for the published message.
icon_url to specify a URL to an image to use as the profile photo alongside the message.
icon_emoji to specify an emoji (using colon shortcodes, eg. :white_check_mark:) to use as the profile photo alongside the message.
You can visit the docs from here

AWS Cognito force refresh session

I'm running into some problems when I attempt to refresh my session tokens, (Access, Id, Refresh). I have already read this question and the answer has helped me understand what is going on some. But I feel what I am trying to do isn't quite what getSession is for.
I am attempting to implement a session expiration message (done) that allows the user to extend their session (refreshes the tokens). From what I gather about getSession(), it returns either the old tokens, if they are still valid, or new tokens if they are not valid. Please correct me if I am wrong there.
I am attempting to give the user new/refreshed tokens every time they click on extend session. For dev purposes, I have a button which then displays the message with the extend session button. The tokens I receive when I call getSession() are the old ones, but I want them to be new ones.
So basically, nullifying the old session and giving them a new one.
My questions are:
Am I missing some understanding about getSession(), as previously mentioned?
Can I give the user new session tokens (Access, Id, Refresh)?
Can I do #2 without having the user sign in again?
Thank you.
EDIT 1:
It may help to know that I am not using any Federated Identities.
You can call cognitoUser.refreshSession. I've found a reasonable example for you over here:
Sample code: how to refresh session of Cognito User Pools with Node.js and Express
Look for the method called checkTokenExpiration, it explains perfectly well what you have to do to refresh the session.

How to implement remember me in angularjs, using authToken?

I am finding difficulty in implementing the functionality for "remember me" in angularjs. I have gone through couple of blogs on stackoverflow but didn't get the solution.
Let us say I have 3 username and password stored in database.
[{username:1, password:1}, {username:2, password:2}, {username:3, password:3}]
Now every time when the user logs in, the server side is returning a token. Based on this token I want to implement my remember me functionality.
Below is the code I wrote for storing the username and password in cookies in my service.
if (rememberLogin) {
$cookieStore.put("userName", login);
$cookieStore.put("password", password);
}
And here is the code I am initializing on login page load
function init() {
if ($cookieStore.get("userName")!==undefined && $cookieStore.get("password")!==undefined){
self.emailAddress=$cookieStore.get("userName");
self.password=$cookieStore.get("password");
}
}
With this approach I am just able to remember only one user, but not others, and also I know that storing passwords in cookies is not safe .
Kindly help me or suggest me some good quality of code to implement this.
Any help is appreciated.
Thanks
As $cookieStore is deprecated, try to move to $cookies:
$cookies.putObject('key', value);
$cookies.getObject('key');
$cookies.remove('key');
And of course - storing a password in the cookie is a thing you have to avoid even in your school or private projects. Learn how to use Sessions and PHPSESSID cookie
As far as remember me functionality is concerned you can login from one user at a time at one login attempt,there is no chance any second user is logged in while first user is already in the session(browser session).You can store as much information of users as you want in your cookie unless you are not deleting the previous user's cookie.A simple scenario would be first user logged in and these details you save in browser cookie, another user cannot log in from that browser until the first logged out. Also every website does that,2 different users cannot log from one browser.It is quite unclear what you want to achieve.
As I understand your problem is you are not clearing the previous cookie after 1st user logged out or you restart your server.Try
$cookies.remove("userInfo")

How to use my long (60day) access token to get user data from facebook (offline)

I cannot find any example on facebook dev. or here on stackoverflow so I need to make this post which i didn't thought i had to.
I have a website which uses the facebook JavaScript SDK to login users into it.
When I log in users I uses the
FB.login(), scope:{'email, offline_access'}
When the login in done i get the short lived access token and passes it to:
https://graph.facebook.com/oauth/access_token?
grant_type=fb_exchange_token&
client_id=APP_ID&
client_secret=APP_SECRET&
fb_exchange_token=SHORT_LIVED_ACCESS_TOKEN
So i get the long lived, 60day, token in response. This is done server-side and i save the new long lasting token in my database along with facebook id etc.
Now to my problem. Every day at a certain time I want to update the users data in my database using the access token, which i have read that could. But how do i do that?
I'm used to do like this after the FB.login() but now when the user do not login I don't know how to do the call to FB.api using my persisted token?
FB.api(/me....)
Regards,
Kristoffer
As you have to synchronize/update information when user is not logged in you will have to use server side interaction.
You may use your saved Extended Access Token and set it into Facebook PHP SDK using setAccessToken() method.
$facebook->setAccessToken($extended_access_token);
After this you may call $facebook->api(...) method to perform the task that you intend to.

Categories

Resources