Is it possible to make a Facebook wall post using the FB.ui but without showing the pop up dialog box to the user ?
No, not with FB.ui. To post directly to the users wall without a dialogue you would have to use FB.api. To do this the user will have to be logged in and have granted your app the publish_stream permission. The code example from the documentation:
var body = 'Reading JS SDK documentation';
FB.api('/me/feed', 'post', { message: body }, function(response) {
if (!response || response.error) {
alert('Error occured');
} else {
alert('Post ID: ' + response.id);
}
});
Be aware though that Facebook dislikes direct wall posting, and unless the content you are posting is a direct result of the user's interaction with the flow of your app, you run the risk of being flagged as spam and having your app suspended. From the platform policy (section IV):
.2. You must not pre-fill any of the fields associated with the following products, unless the user manually generated the content earlier in the workflow: Stream stories (user_message parameter for Facebook.streamPublish and FB.Connect.streamPublish, and message parameter for stream.publish), Photos (caption), Videos (description), Notes (title and content), Links (comment), and Jabber/XMPP.
.3. If a user grants you a publishing permission, you must still obtain consent from the user before taking any action on the user's behalf, such as publishing content or creating an event.
From personal experience, Facebook will insist on your app notifying the user in some way before taking any publish action. This won't stop you putting an app live that contravenes their policies, but if their app monitoring team pick up on it they can and will suspend the app until you make the required changes.
Try the graph api? Here's the relevant section:
You can publish to the Facebook graph by issuing HTTP POST requests to the appropriate connection URLs, using an access token. For example, you can post a new wall post on Arjun's wall by issuing a POST request to https://graph.facebook.com/arjun/feed:
curl -F 'access_token=...' \
-F 'message=Hello, Arjun. I like this new API.' \
https://graph.facebook.com/arjun/feed
Obviously, this isn't the JavaScript API, but it does the trick. I don't think it can be done without the popup directly through the JavaScript API.
Related
I have endpoints coded in Nodejs... I use the following codes to keep them safe...
const corsOption = {
origin: ['https://www.mywebsite.com'],
};
app.use(cors(corsOption));
if (host !== "myendpoint.com") {
return res.status(403).json({ message: "forbidden access" });
}
will these keep my endpoints safe... or do I have to do anything more for my endpoints to keep them safe... I don't want bots or anyone else to use it... I know that they are public but I want to restrict access... pls, any help or suggestion ???
thank you
To be sure you can control who can access your endpoint, you can setup a token authentication.
When you send a request to your endpoint, the header should include:
Authorization: Token {your token}
And in your endpoint, you can check if the token is authorized or not (by storing authorized token in a database). If the token is not recognized, you can send back a 403 error.
If your website accesses your endpoints, this means that any browser that can display your website must also be able to access your endpoints. Requests are not made by your website, they are made by browsers visiting your website.
You must first ask how much you want to restrict access:
Restrict to individual known users to whom you send a password via mail, which they must then type into your website ("log on") before they can make any requests to your endpoints.
Restrict to users who have self-registered. Can anyone in the world then self-register, or do you demand confirmation via an email address?
Restrict to users who can log on with their Google (or Facebook, or ...) account.
Zain_Ul_Din's answer shows details of a possible implementation for the "self-registration" case. See also What's the best way to add social login (Sign in with Google) to existing email/password app and database?
you can implement user authentication and authorization in your Node js app to restrict access.
for this you can use the jsonwebtoken npm package.
Look up John Smilga's node and express projects on google for a 10hr video including 4 projects. One of the projects introduces JSON web tokens and how to use them.I highly recommend that.
You can also use the express-rate-limit package. With this you should be able to 'limit' how many requests a user can make to your API endpoints within a set amount of time. If the requests exceed that limit then this middleware steps in and stops further access (Haven't tested it in production myself but looks good)
All right?
I am in need of help with Azure AD B2C implementation. I need an API that manages the login for my application and that makes a connection with AAD B2C. However, I only find login options through the B2C login page. I would like to know if there is any way to implement in Node a form of login in my application without having to use the MS login screen. User entering with password and email and validating in AD. I saw that there is ROPC, but at the same time saying that it is an insecure method.
I am currently implementing it with ms graph, azure-graph, ms-rest-azure, but I think this way is wrong.
User enter the email prefix and password via post.
server.post('/login', (request, response) => {
const {email, password} = request.body
msRestAzure.loginWithUsernamePassword(`${email}#<tenant-name>.onmicrosoft.com`, `${password}`, { tokenAudience: 'graph', domain: tenantId }, function (err, credentials, subscriptions) {
if (err) console.log(err);
console.log(credentials.tokenCache)
Update: few days ago, they announced the preview feature for iframe compatibility (i.e. embedded login):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/embedded-login?pivots=b2c-custom-policy
of course, it's better if you don't use it in production yet, but it might be the solution you were looking for. :)
Old answer:
The only way to achieve that is by using ROPC, as you mentioned. ROPC is insecure basically because for some time you have to manage the credentials of the user (unlike when the user directly inserts them in B2C), but in your case, this is a requirement.
You cannot achieve this with Graph API, because you'll be only able to register the user, update his/her data (incl. password), but you won't be able to get an access token.
I have a web app and I will like to integrate mailchimp such that when a user clicks the signup button on the page, the user's email is added to a mailchimp subscription list but I'm having difficulty in doing so. The problem is, the button on the page is created in a javascript file using extjs. I do not have that much experience in developing web applications . I already downloaded the api for integrating with php. I saw this: " AJAX Mailchimp signup form integration " but it seems to have security issues.
Can anyone help explain how to go about this?
Have the ajax call directed to your server, with the user's email.
From there, use the API (you downloaded) to add the email, and return the outcome of their response to your client.
When you do it behind the scenes (your server to theirs), there is no security risk, as you are not exposing your API key.
Client side code:
Ext.Ajax.request({
url: 'add_mail_to_chimp.php',
params: {
email: theUser_sEmail
},
success: function(response){
var text = response.responseText;
alert ('yay' + text);
}
});
I've followed this tutorial: https://developers.facebook.com/docs/opengraph/tutorial/ multiple times and always get the same result.
I always get this error: (#15) This method must be called with an app access_token. I tried adding the app access_token and I got another error that was saying something like that I can only query for information and not make posts. (I checked in the privacy settings and the app is allowed to post to timeline.) I did make the objects and found nothing wrong when using the facebook debug tool.
I also read this part:
Why am I getting "This method must be called with an app access_token"
error when publishing an action?
Uncheck the "Require app access token to write" checkbox on the
configuration page (hidden under the Advanced section) for your Open
Graph action type in the Developer App.
I couldn't find this in app config and I have a feeling that this is old. The code I'm using to make the post is exactly the same as the tutorial:
function postCook()
{
FB.api(
'/me/[YOUR_APP_NAMESPACE]:cook?recipe=http://fbwerks.com:8000/zhen/cookie.html',
'post',
function(response) {
if (!response || response.error) {
alert('Error occured');
} else {
alert('Cook was successful! Action ID: ' + response.id);
}
});
}
[I did make the appropriate changes of course :)] Any help would be greatly appreciated.
I think the me here assumes that you are already authenticated. If you are not, you will have to substitute the me with the the fb id of whoever user's timeline you are posting to. That user has to be authenticated in your app. and you have to use the app's access token. So the curl url would look like:
curl -d "access_token=<app_access_token>" -d "badge=<object_url.(this has to be publicly accessible)>" https://graph.facebook.com/<authenticated_user_fb_id>/<app_namespace>:<action>
I have just used the javascript sdk to publish to the wall when the user is online.
I am starting to like it. Now I want to post to wall when user is offline. I already have extended permissions from the user.
How can I post to user's wall when user is offline using javascript sdk.
here is my code:
function Publish(body){
FB.api('/me/feed', 'post', { message: body }, function(response) {
if (!response || response.error) {
alert('Error occured');
} else {
alert('Post ID: ' + response.id);
}
});
}
I appreciate any help.
Thanks.
That's only possible when user permits you. In other words, you need offline_access extended permission from user and only after that you can do that.
I'm not 100% sure of this, but I don't believe you can accomplish this with only the JavaScript API.
Just getting the user to accept the permissions isn't enough - that doesn't make all your API calls "automagically" work. As mentioned in item #3 here, you are given an access_token that is to be used in future API calls on behalf of the user.
And so enters the problem with the offline_access permission. If using JavaScript only - where are you going to store the access token that grants offline access so that you may use it when the user is not at their computer?
If even you figured out how to store it and retrieve it for later use, I'm not sure if you can even use the JavaScript SDK to make API calls for a non-session user.
From my understanding, you only need 'publish_stream' permission - please check Do I need “offline_access” permission if I request publish_stream?