I'm trying to create a Javascript application that has a filterable listing of certain kinds of public Facebook events. The thing is, the FB Graph API requires that you provide a User Access token in order to use the search for public events. I really don't want to make people log in to facebook in order to use the website, especially because ANY facebook user's credentials are sufficient to query the events I want to query (ie the search is independent of any user credentials, I just need them because the fb api requires me to have a user access token.)
Do y'all have any suggestions for a work around? I'm thinking about providing my own credentials securely, and just using them to make the actual queries. The thing is I would potentially need to be doing A LOT of queries per minute, so this might not be terribly realistic. Any suggestions would be helpful.
Simply do this server-side not client-side.
You just need an app token (no user token) to do this search, but using this client-side is a bad idea since it would expose your app token publicly.
Related
I am building an app using HTML, CSS, and Javascript, and am trying to configure OAuth to use it to access data from the Goodreads API. I basically want to get a list of books that a Goodreads member has read in the current year and display statistics about the metadata of these books. I'm pretty new to Javascript and using API's and don't have a super good grasp on OAuth and API authentication in general so I would really appreciate it if it could be explained as simply as possible.
From what I understand I need to create a login button on my page that contains a link that looks something like this:
http://www.goodreads.com/oauth/authorize?oauth_token=SCDMymQWcIE8GnxmSA
When the user clicks this button they'll visit goodreads.com where they'll login to their account. After accepting the permissions, the user will be redirected to back to your site along with an access token that would contain the user's ID. At this point I would use the user ID to pull data about the books on their shelves.
I'm not really sure how to go about writing this in my Javascript file though. How do I go about authorizing via OAuth and storing the user's ID? From the Goodreads Developers group it seems like the Goodreads API uses OAuth 1.0 which I believe is relevant to how I will need to approach this.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
I'm trying to use Trello API to create cards on our boards. But i cannot really bypass authentication programmatically, because a user prompt always appears asking for authentication in trello.
The idea is i create a system user on trello, add it to the boards, then use its API key to create the cards. I'm following this approach because I used Zapier to generate cards from Freshdesk, and wondering how Zapier bypass OAuth to do this.
You simply cannot bypass the authentication of the API, however what you can do is to generate the valid oAuth tokens for your "System User" and use them for authentication.
I'm not aware of the complete Auth process of trello, but most oAuth providers give you the possiblity to create tokens which last quite long (refresh tokens). You could use these in your code to call the api without any additional auth process.
You could also store the normal auth tokens and re-validate them from time to time using the prompt.
Best solution depends on what you are trying to achieve...
I'm building a payment plugin for a website, where users can buy some website intern currency with real money. the backend i use, which handles the payment process, is this.
It provides (beside others) a JavaScript library to communicate with their API, so you don't have to let your system touch sensitive payment data like credit card numbers etc.
The problem is:
For now the api-key, secret hash and other vulnerable data are hardcoded just into my script which initiates the communication with the server. so in theory every half-descent user could just copy them out of the browser and could do nasty sh*t with it, especially if they have access to the api documentation.
So, this isn't secure and it definitely cannot go live this way.
im working with cakephp and i thought of collecting those sensitive keys with some ajax calls to my controllers/models, after pressing on the submit button.
There's the problem, that this connection isn't secured and can easily be 'man-in-the-middled'.
Are there other, better ways to secure my API Keys in javascript?
Use token based auth, https and csrf tokens and never, ever, but a secret on the client.
Use oauth so users don't even need to send you a password. Use someone else's authentication system.
I'm developing a new web site that will be a single paged app with some dialog/modal windows. I want to use backbone for frontend. This will call backend using ajax/websockets
and render the resulting json using templates.
As a backend I'll use nodejs express app, that will return the json needed for client, it'll be some kind of api. This will not use server side views.
Client will use facebook, twitter, etc. for authentication and maybe custom registration form.
Client static resources, such as css, js, and html files will be handled by nginx (CDN later).
Questions that I have now:
How can I determine that a given user has the right to do some action in api(i.e. delete a building, create new building)? This is authorization question, I thought of giving user a role when they login and based on it determine their rights. Will this work?
Similar to the above question, will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
Is this architecture acceptable or I'm over engineering and complicating it?
Passport is an option for the authentication piece of the puzzle. I'm the developer, so feel free to ask me any questions if you use it.
I thought of giving user a role when they login and based on it determine their rights. Will this work?
Yes this will work. You can check for a certain role on the user after it's been fetched from the server. You can then display different UI elements depending on this role.
Will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
It wont be enough. Anyone could hop into the console and set something like user.admin = true. In your API you'll need to validate a user token from the request, making sure that the related user has the appropriate permissions.
Is this architecture acceptable or I'm over engineering and complicating it?
At the least you should have an API validation layer. That would make a decent enough start, and wouldn't be over-engineering.
For the authentication part of your question i would use everyauth which is an authentication middleware for connect/express. It supports almost every oauth-social-network-thingie.
For role management you could give node-roles a try. I didn't use it myself but it should help you out, because it checks the role on the server side. Of course that is only useful if your API is implemented in node.js. If that's not the case, you have to "proxy" the API calls over your node.js app.
I hope I could help you! :)