Which access token to use for open graph action - javascript

I've created a custom open graph action that uses the publish_actions permission.
Once the user has granted this permission, which access token do I need to use to post the open graph action? Can I just use my app token or do I need to use an active user token?
I've tested this and it looks like as long as the user has granted the app the permissions, using just the app token works. I'm worried though that this might be a quirk in the api or that it might change since its not in the api docs.
Let me know how others have implemented something similar, and if it helps this open graph action has not been submitted for approval yet.

Both will work, and in some cases the app access token is needed (this is an option you can specify on specific action types), but in general you should probably use the user access token, as you'll need this to read back the data and make any other api calls on the user's behalf

Related

Only allow requests with a valid token that's found in firestore

I'm building a small app in react where a developer will use my service in their website/app with firebase.
This is how I want it to work
The developer who wants to use my service will sign up and retrieve a token on my site.
The developer should use this token within their app to request my app (technically the request is comming from an end user which I don't know of, and shouldn't).
The security rule will look for this token in the users collection at firestore and only allow the request if an account is found in the collection users.
The developer should then only be able to see the posts made used by that token.
How can I achieve this?
Kindly point me in the right direction.
With Firestore, it's not possible to send extra data along with a query for the purpose of authorization with security rules. That's not really secure at all - it would be the same as requiring a plaintext password.
What you will need to do is write some backend code to put the token in the user's Firebase Auth custom claims. You can use the contents of custom claims in security rules to securely check if the user should have access to some resources.
For Firestore security rules, you will need to check the contents of request.auth.token in the rule to get the data you put there.
I guess you're looking for Custom Claims. Those are custom values attributes you can attach to the firebase auth user model which then can be loaded inside the firestore rules engine. Get more information: https://firebase.google.com/docs/auth/admin/custom-claims

Spotify API automated initial authorization

I'm making a personal smart mirror and i'm looking to integrate the spotify API to display my 'currently playing' track. However, I've noticed that in the authorization process, you need to physically click log in and authorize the app in order to get the credentials required to move forward in obtaining your data. Could this be automated/require no user interaction?
I am referring to step 1 of the api authorization guide.
Many thanks.
If you are using this for a personal smart mirror you shouldn't have a problem. You only need to authorize by clicking a button in a browser one time and will be able to make all API calls afterward without needing to click anything.
Specifically, after you do in step 3 of the authorization flow you will be given a refresh token. After the authorization token expires you can use the refresh token to refresh the authorization automatically without clicking anything.
From their documentation:
Accessing your data without showing a login form
I want to interact with the web API and show some data on my website. I see that the endpoints I need authorization, but I don’t need/want a login window to pop-up, because I want to grant my own app access to my own playlists once. Is there any way of doing this?
You basically need an access token and a refresh token issued for your
user account. For obtaining a pair of access token / refresh token you
need to follow the Authorization Code Flow (if you need a certain
scope to be approved) or Client Credentials (if you just need to sign
your request, like when fetching a certain playlist). Once you obtain
them, you can use your access token and refresh it when it expires
without having to show any login form.
If its not for you personally you could jump through hoops and write code that fakes being a web browser, perhaps using something like curl or selenium but odds are it is against their terms of service and are if you get caught they'll ban you.

Implementing Facebook's Graph API without user authentication

I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)

Login without using the FB.login()

I wondered if there was a way to login to Facebook via the oAuth (get-request) instead of using the FB.login().
The reason I would complicate the login is because of the FB.logout() problem. It is too cocky to logout someone from Facebook, just because they want to logout from my site. On the other hand, deleting the user from my application*, will prompt them to accept my terms everytime, which also doesn't seem to be very pro.
What I was imaging was:
I get the information needed from the GET-call
I store the session-cookies
I delete them if the user wants to logout
Once I retrieve the userid + access_token, I can get all the other information by simply making the JSON calls (no?).
It also bugs me in general that facebook stores so many cookies (what are they doing?)..
I tried to search this, but no luck this far.
*as proposed in this topic by DMCS: Can't Logout of my Facebook OAuth Session without logging User Out of Facebook
You can use the server side flows which, but you will have to adhere to the same policy.
Either way, it sounds like you are using FB's session data to control the auth state, something which is a very bad idea - you should only use the data provided by Facebook as an initial claim, which you then convert into a local claim with corresponding auth tokens/session cookies etc.

Chrome extension / web app session control

I am creating a chrome extension, rather a chrome webapp. This application just contains the html, js, image and css files. The application connects to a server to fetch data. I chose to do this as it would reduce the amount of files downloaded by the user. Using Backbone.js I have an MVC architecture in my application. Thus the application just sends json.
Now having said this, I need a session management. I plan to use Google authentication as the organization has Google Apps. I need a method that once the user has logged in using google auth the server get the user name every time the application makes a request.
Is it a good idea to add the user name in request header, if possible. Or should I use cookies? Can any one tell me how I could go about using cookies in this case?
This might be a late response but I want to present a more elegant solution to you given that the user has cookies enabled in their browser.
First read my answer on another question.
Now that you can send cross origin xhr from your content scripts all you need to do is store all your authentication and session management at server only. That is right, you just need to display whether the user is logged in or not and a logout button at client based on server response.
Just follow these steps.
At client Whenever user accesses your chrome web app, blindly make XmlHttpRequests to your server without worrying about authentication, just keep a tab on response from server which I describe below.
At server whenever you receive a request check for valid sessions or session cookie. If session is valid send proper response, if not send error, 401 or any other response to communicate to your client that session is not valid. It is better if you send an error code like 401 since then you can put a generic script at client to inform them that they are not logged in.
At Client If response from server is proper, display it, else display login link to your website.
IMPORTANT: Display logout button if user is logged in.
Check out my implementation of this in my extension
For help using Google authentication in your app take a look at Google's OAuth tutorial which comes with all you need (took me no time to set it up using this).
As for session management. The implementation of OAuth used by Google stores the tokens in localStorage. Also, as briefly mentioned in the extensions overview we are expected to use localStorage to store data. Thus, I suggest you store the users name here as it will be accessible throughout the app's lifetime (until it is uninstalled). However, you may need to manage the name stored here and consider what should happen when users log in and out. That said; I'm not sure if sessionStorage would be a better option as I've never used it before, let alone in an extension.
Note
localStorage and its counterparts only store strings so I suggest using a wrapper which uses JSON to parse and stringify to get and set your values respectively.

Categories

Resources