I am working with a research group that needs to collect Facebook post data for a group of participants over the course of a few months. The goal is let the participants authorize us to collect this information via facebook, and when they post to Facebook, send that information to a secured server.
After reading the Facebook documentation, I'm mostly just confused about how to provide a mechanism for the user to agree to the terms of collecting his/her data. I'm planning on using webhooks to collect the data, which is independent of the client platform, but do I really need to build separate apps for web, iOS and Android just for the approval process?
I'm planning on using webhooks to collect the data, which is independent of the client platform, but do I really need to build separate apps for web, iOS and Android just for the approval process?
You most likely won't get this approved in review anyway.
Permissions must, for the most part, be used to provide a direct benefit to the in-app user experience; collecting data for analytical measures only is explicitly mentioned as a not allowed use case. Whether the users would agree is not relevant here.
For example, user_posts permission, has "non-visible use of this data such as sentiment analysis or guarding against spam bots" marked with a red "X" for nope.
So the only way of getting your app to request the necessary permission(s) from users, would be to add them as testers to the app via app dashboard/API. Anyone with a role in the app which can be asked for any permission, reviewed or not. Those users would however have to have their accounts verified (mobile/text, credit card) and sign up as a "developer" on the FB platform, before your app could send them requests to become testers.
You'd be flying under the radar with that, so to speak. Facebook offers this "loophole" mainly for the purpose of letting developers test and develop their apps properly, before review. It is also explicitly mentioned in the app development FAQ as a way around the need for review, for specific use cases such as wanting to get your blog posts published to your own FB page automatically. It would not cover what you are trying to do so, but it will likely "work" as long as none of your test users specifically raises a complaint with Facebook ...
Not sure if there is any published limit on the number of test users that can be added to an app, people have asked about that in the past, but AFAIK none is documented or otherwise published by Facebook. If there is one, and it is not completely stopping this approach dead in it's tracks (say, a few hundred per app rather than, five), you could use multiple app ids, if you don't need to relate data between user accounts too much - because the app-scoped user ids will be different per app id, so that could making connections between friends that are in different "app-id test groups" etc. difficult. Or you might have to refer to other, less reliable measures of uniquely identifying them, such as email or profile name.
Related
Does anyone have any thoughts on how to build a user profile system on a site that is so secure that there's absolutely no way to figure out that person's identity; while also allowing them to reset their password?
Don't want their email
Don't want a phone number for SMS
Don't want to use the social media platforms to authenticate
Cannot use secret questions because they forget their own answers
Cannot use a TOTP app on a cell phone because people lose/break their phones (and some still don't have a cellphone)
Cannot use a cookie on their device because it isn't universal across phone/laptop/tablet, and they break their devices
Cannot fingerprint their browser agent, ip, etc, because the users access the site from multiple systems, from multiple different IP's. There are also multiple users logging in from the same home computer.
Cannot issue them a physical token because cost, and, they'd lose them
Has anyone figured out an identity broker system that isn't associated with big social media? The user could register their identity stuff with the 3rd-party broker, and the broker just gives me a key to identify them? That is free for everyone to use? Kind of like the GPG key ecosystem...
Looking for ideas. How can I register an account for you, but no matter how hard I try, I never have any data that I could use to Google you?
I need to find a way to remove a user from my slack team without having a paid version of slack.
I found this API method: users.admin.setInactive
But it requires me to have a paid version. Are there any workarounds to make this possible on a free tier Slack?
No. Unfortunately, deactivating a user by API is only possible with a paid version of Slack.
But I can offer a few organizational workarounds from my experience with managing large Slack teams on free tier that makes work easier for admins:
Automatic removing from private channels
You can still programmatically remove users from private channels. So one workaround is to structure your Slack in a way, that all important channels are private. Then you have a batch running that automatically removes users from those channels when they fail to meet a defined criteria.
Automatic notification of users to be disabled
Have a batch running that is automatically notifying you / the admins about any user that fails to meet your defined criteria and need to be disabled. Then you still need to disable them manually of course, but you can be sure to be informed timely and that you don't miss anyone.
I am playing around with the idea of creating a website for cryptocurrencies, where a user can sign up on my website, enter his API details for one of the exchange markets that I will support, which allows him to trade on that exchange, but using my “more user friendly” web interface.
My main goal is to create a more user friendly interface than what most exchange websites offer. I am not hooking directly into any cryptocurrencies or wallets, all I do is use the API of existing exchange markets, relay the information to my website, where I have a more user friendly interface.
Since this is a very sensitive subject in regards to security, I am trying to figure out, what the best way would be to store the API details of the users.
In general I don’t like the idea of storing the API details on my database server, nor on my server in general. The thought of having my website hacked and all the API details being exposed is terrifying. Of course each exchange website that supports APIs has their own security built in, such as API sessions with 2FA, IP restrictions, weekly generations of new API secret keys, daily trading limits via API, and not allowing withdrawals of wallets via API. But damage can still be done if those API details get stolen.
I would prefer if there would be a way where I would not need to store the API details on my server at all, but rather have the user save them locally on his PC. That way he is in charge of keeping the API details secure.
This thought brought me then to the idea of creating a desktop app using electron (https://electron.atom.io/). That way I can still create the website the way I want, but it’s wrapped into electron, so it always run locally. Before I pursue this idea, I would like to keep investigating my previous idea of a regular website, as I prefer to have my website cloud based, SaaS, to prevent piracy.
So I wonder, storing API details of a user, without saving them on the server, what other options would I have?
Cookies? Probably not secure.
What about localStorage? https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
Are there other options or am I too paranoid about this? Is it generally accepted to store sensitive API details on a database server along with the rest of the users details?
I think saving data in to users computers is wrong way, because when you will save user's personal data in to your server, you will be able to control security of your server, when it will be saved on user compputer the security of your server will be depended from users. Today we know many methods how to deceve users and I think, that the programmers must take care of his users. when you will save data in server db you can switch many methods, like email verification or verification by phone you can send message with some verification code, switch ssl service, also you can avoid on sql injection using a modern framework like Laravel or Yii 2, in any case if you will save user data in you server the security of your application will be depended of you.
if you will save user data in local computer, today hackers uses many methods to steal users cookies or methods to get a controll on pc, for example you can read this post
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
today hackers using this method, creates an exe file which extension on first look is docx or other some extension for example pdf and so on ...
but in real it is an exe file and it is runnable, user can download it, and run... I think you understood what can do hacker with users computers by this way, today so many viruses which even very professional users cant recognize.
I am making a personal (resume type) website. I was hoping to retrieve all of the data from my facebook page and display it on the about page using the Graph API.
The issue is, it seems like a user always has to give credentials to get an authorization token. I don't want to require people to log into facebook just to view my page. I also don't want to login everyone using my credentials (which would mean they would be stored in JavaScript). Does anyone see a way around this?
I looked into the creating a "page" and using the "page access token" instead. Then I could get the page access token using my userid stored in JavaScript (in my opinion much better than username and password). Is there a problem doing it this way?
I would prefer to retrieve this data directly from my account and not have to make a separate "page." Any and all information is appreciated. Thanks for your time.
This appears to be banned in Facebook's Terms of Service:
Safety
We do our best to keep Facebook safe, but we cannot guarantee it. We need your help to keep Facebook safe, which includes the following commitments by you:
You will not post unauthorized commercial communications (such as spam) on Facebook.
You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.
You will not engage in unlawful multi-level marketing, such as a pyramid scheme, on Facebook.
You will not upload viruses or other malicious code.
You will not solicit login information or access an account belonging to someone else.
You will not bully, intimidate, or harass any user.
You will not post content that: is hate speech, threatening, or pornographic; incites 9. violence; or contains nudity or graphic or gratuitous violence.
You will not develop or operate a third-party application containing alcohol-related, dating or other mature content (including advertisements) without appropriate age-based restrictions.
You will follow our Promotions Guidelines and all applicable laws if you publicize or offer any contest, giveaway, or sweepstakes (“promotion”) on Facebook.
You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
You will not do anything that could disable, overburden, or impair the proper working or appearance of Facebook, such as a denial of service attack or interference with page rendering or other Facebook functionality.
You will not facilitate or encourage any violations of this Statement or our policies.
Sorry to be a downer, but I don't think that page scraping is the best way to go.
I have a donation form which users fill out and I would like to then send the user to the charities own website with their information already filled in. Is this possible?
thanks
This is a big part of what my company does....but we have to rely on the client as well. It could be a great exercise for both you and them.
Here's the basic idea. We take a web form entry from a site. We have a script that processes the information and decides where to route the info (we do this for quite a few different clients) Then the system goes through logic for each individual site (functions in a class) that tells it how to pass the information over. In some cases, it's simply an email to a person. In other cases, we CURL a string over that the recipient site has been setup to accept. One site allows us to directly post to a "hidden" page on their site....this doesn't seem the most secure option to me, though. The key is to negotiate with the partner how they'd like to receive the information. If you're helping them get donors, I suspect they'll be willing to do anything they can to help.
Be aware, there could be some security issues with trying to forward donation information across sites....you'll want to remain as secure as humanly possible....and personally, I don't think I'd ever transmit something like a credit card number except to a processor via SSL.
I was a non-profit webmaster for quite a few years, and still have several non-profit sites I consult with. There's systems out there just for this purpose (one that comes to mind is network for good) Also, I've seen groups build non-profits specifically to accept donations on behalf of other non-profits. Point being, there's many different ways to approach this task, not all of them even code related.