I am working a mobile application based on facebook. The application creates local user by facebook login. The steps of application are below.
Login With Facebook
Backend Service Create Local User
Find Friends Who use The App By Facebook SDK
Vote Your Friends
Notes:
I don't want to keep user friends on my database system
I use JWT
Problem:
I have to verify that authenticated user and voted user are friends on facebook. The user must be voted by its friends.
I found a couple solution but they have vulnerability too.
For instance;
I authenticated and i fetched all my friends by facebook sdk. The request is to vote a user like this:
/vote/user_id/vote_id
The backend service checks and verifys jwt token and vote user whose id is user_id as vote_id by authenticated user.
table structure
from_user_id,vote_id,to_user_id
So the problem is that when a user authenticate, it can vote a user from application outside taking jwt token whether it is its friend or not. This is a realy big problem for us. So I wonder how can verify two user are friends without send request to facebook for it. Or how can design the archtecture to avoid this situtation.
This can simply be done making a request to
/me/friends/{id_of_friend}
using the current app user’s access token. If they are friends, you will get back a data structure that contains the friend’s id and name – if they aren’t friends, data will be an empty array.
This of course requires that both users have granted user_friends permission to your app.
Related
I have been working on a project where I have to develop an android web application of a website that's made with Shopify. I used java for the purpose and in my app, I used firebase authentication because the client wants to store data in firebase. Now the problem is when the user logs in through my app, he gets to see the website view but needs to log in again since the website is on Shopify. Is there any way by which Shopify authenticates the user data from firebase data so the user doesn't have to provide details again?
I searched a lot about it and its something to do with OAuth and access tokens, but I have no clue how to integrate it. Someone, please help me with a solution.
If you are on the Shopify Plus plan, you can auth user on your app backend using Multipass
Documentation starts with the description of the very similar problem to yours:
You're the owner of a successful website forum. All of your users must log in to the forum to contribute. Members of your forum can then purchase a forum t-shirt through your Shopify store. Unfortunately, your users have to log in to the forum first and then log in to your Shopify store before they can purchase a t-shirt.
Multipass login is for store owners who have a separate website and a Shopify store. It redirects users from the website to the Shopify store and seamlessly logs them in with the same email address they used to sign up for the original website. If no account with that email address exists yet, one is created. There is no need to synchronize any customer databases.
By the way, storing e-commerce data outside Shopify is not the cheapest thing to do so I would reconsider the requirements.
I want to know is it possible to disable the user signing up in the application after he makes a request to delete his/her account from the app.
I don't want to let the user to use same login credentials to signup again that are deleted earlier.
I observed when we delete the account of a user from the firebase console or a user deletes the account with his own consent he/she can use the same credentials to signup again into the application. If this happens then the user can create a bunch of junk data for me by deleting and creating multiple user-id.
I know about the disabled account but this can account disabling can't be done from client-side SDK and only delete is available so, how can I ban the user to use the same credentials to sign-up again.
When you delete the user account from Firebase Authentication, all information about that account is gone. To instead prevent a user from signing in with an account, you'll want to instead disable their account in the Firebase console (or through the Admin SDK).
If you want prevent new users from creating other resources, you'll want to create some approval process in your sign-up flow. Firebase Authentication does not handle this for you.
If you want to prevent the same person to create resources under a newly created account, you'll want to use some other basis to identify that user (their email address being the most common) in your backend (code or security rules) and grant/deny resource creation permission based on that.
You could store a users credentials (e.g. a hash of email and / or password) in a cloud firestore table when the user gets deleted and validate a new user against this table to see if it was deleted before.
I have created Facebook app to get the feeds and i am using java with restfb to get the access token. I have specify scope for user post 'user_posts'.
The problem is when i login with my account i am able to get feeds but when i login from my friend account and accept the app permission i am not getting feeds.
I debug them in in facebook debuge tool the user post_scope is not listed in my friend account token and its totally different from mine.
See following screen shots.
Access Token From My Account:
Access Token From My Friend Account
Can anyone tell me whats going wrong?
You can only request extended permissions for other users than admins/developers/testers of your app if the app passed the Login Review process. It's all in the docs:
https://developers.facebook.com/docs/facebook-login/review/what-is-login-review
https://developers.facebook.com/docs/facebook-login/best-practices#loginreview
We have developed an application which is integrated with quickbooks.
I have two admin users on my quickbooks account and i m trying to login with both the admins but after the first admin is being logged in then it doesnot let me logged in with another admin.
In the developer account in my app.i have disconnected all the connected connections.but it always makes only one connection and shows : "You are using 1 out of your 10 connections".After having that one connection when i try to login with another admin it gives me the below error message.
Error Code: invalid_database
Message: The application has already been subscribed to by another user for this company
Can anybody please help me how to subscribe two admin user to my app OR i can only login with a single admin user ?
In practice you can only have one connection or perhaps more accurately one set of valid OAuth tokens per company. Get and store the OAuth tokens for a particular company. Use those OAuth tokens for all users within a company.
You can only have one user signed up for a connection at a time. If you need to have more than one person access the company file, you need to handle the user authentication and data access in your app for that company.
I have been trying to work through the instagram API but I am caught up on getting the access token. In the instagram API, it states:
At this point, we present the user with a login screen and then a
confirmation screen where they approve your app’s access to his/her
Instagram data.
Now I was wondering what if you don't want the user to have to login? For instance, say I have a site and I only want to display my latest images. The user should not have to login to be able see these. However, all the endpoints(http://instagram.com/developer/endpoints/) to get a users media require the access_token provided by the user login. How can I just get my latest images without a user login?
Which endpoint are you using?
The GET/users/{user-id}/media/recent endpoint requires authentication. So there is no way to get a specific users' media without an access token.
At the time of writing, this seems to work without needing authentication:
https://api.instagram.com/v1/users/USER_ID/media/recent/?client_id=CLIENT_ID
You could generate an access token with your instagram account here: http://instagram.pixelunion.net/,
then use this url: https://api.instagram.com/v1/users/self/media/recent/?access_token=ACCESS-TOKEN to retrieve all the info about your latest 20 posts including images urls.