Scribe - multiple callback simultaneously - java

I am making a module for a server software that is allowing support for facebook.
The problem is with the callback URL. If one client start the authorization proccess, then another client starts the proccess at the same time, or before the first user finish. How could I check what user finished first?
I need a way to check what client's callback I'm getting. One solution would be to lock other from register until the first one has finished, but I don't want to do that. Is there another way? I have thought about including ?client=clientid at the end of the callback, but I heard facebook only allows the exact url specified in the app on facebook.
UPDATE
It didn't work to add client="clientid" to the callback. Any other ideas?

After some more searchig I figured facebook will allow a parameter: state. (thanks to #jacob https://stackoverflow.com/a/6470835/1104307)
So I just did ?state=clientId.
For anyone using scribe the code is this:
service.getAuthorizationUrl(null) + "&state=" + clientId;

I think there is no problem on adding and GET parameter like client=clientID. Facebook will redirect you to the URL you have specified and using the REQUEST parameters you can check who completed the request. The problem exist if you have specified URL as http://yoursite.com and pass redirect to http://some-sub-domain.yoursite.com or entirely different location.

if you are using the server-side flow then the oauth 2 flow will be:
redirect user to facebook
facebook then rediects the user to your specified callback
your server uses something like curl to get the access token
your server does some more curl to get maybe more user data or update the user's data
my recommendation would be to set a session cookie in step 1 and simultaneously store this session id on your server. then the session cookie will automatically be sent to the callback url in step 2 and you can identify the session in the database this way.
this will work for all service providers (google, twitter, linkedin, etc) and is the preferred way of maintaining session continuity.

Related

Paypal subscription integration full cycle missing in documentation?

I already have an implemented CMS system where the user creates the subscription plans.
I want to integrate my CMS server with Paypal so when the user creates a plan it will be created on Paypal servers.
I can see how to do that in https://developer.paypal.com/docs/subscriptions/integrate/
But the problem is there is no documentation for the front-end side for the subscription step ! How should i redirect the customer to Paypal to login, and how will i receive the data to send it to my server ?
Note : Since i want my user to create plans only on my CMS, there is no easier way to integrate with paypal than this : https://developer.paypal.com/docs/subscriptions/integrate/ .. right?
i don't want to use Smart Buttons so the only option i have is to integrate with APIs.. if there is any easier way please tell me.
This is a bit hidden.
When you create a subscription, its status will be set to APPROVAL_PENDING. Look for the "rel": "approve" link in the response (in links). The URL will look something like this:
https://www.paypal.com/webapps/billing/subscriptions?ba_token=xyz
This is the URL you need to redirect the customer's browser to. Once they click on "Subscribe" to approve it, PayPal will redirect their browser to the return_url value you set when you created the subscription.
PayPal adds 3 extra parameters to that return URL: subscription_id (self-explanatory), ba_token (the approval token), and token (???). At that point, you can get the subscription details from PayPal, and its status should now be "ACTIVE".
Now I just need to figure out why next_billing_time is set in the past, and why I'm not receiving the PAYMENT_SALE webhooks :)
Hope this answers your question.

Spring browser back button handling

Using Spring 4.2.9
Web-Flow: My web-flow has three pages page-1, page-2 and error-Page
Scenario: User clicks on a link in the email, my back-end code consumes the link and user lands on a page-1(the link in the address bar now is different than what the user clicked on), the user does the required stuff on page-1 and clicks continue button and lands on page-2.
What I need when the user is on page-2:
User presses browser back button they should go to error-Page.
The user had copied the link when they were on page-1 and open a new tab and paste the page-1 link, they should land on error-page.
It's a quite common problem. A simple google search gave some possible solutions. Did you tried them? If yes, then update the question with more specifics on the issue. If not, here are a couple of links:
How to Detect Browser Back Button event - Cross Browser
Solution to browser back button click event handling
You can achieve this by configuring a Spring MVC filter (or interceptor). There you can check if the request is GET and it contains the url that you want to block. If true, you can redirect that request to the error or access denied page.
To prevent the user from resetting values when going back with the browser back button you can put a variable in the conversationScope, variables in this scope are not reverted to their previous state when you use the back button. You can this way set a variable when they reach part 2 and check for it when you load part 1, but for this to work part 1 and part 2 need to be in the same flow.
To prevent the users from using a link again, if they are authenticated users you can save a flag in the database that say they have finished the flow and simply look at the database when loading part 1 and throw an exception if the user shouldn't have access. If they are unauthenticated users (like when doing surveys), give each users a token in the url (the token should be random enough that it cannot be brute forced easily) and store it in your database, when part 1 load check that the token is in the database and when your flow is done remove the token from the database.
If you can't do any of this, you can use cookies, just send a cookie to the user when they arrive on part 2, their browser will automatically send it on any new request so if you see it on part 1 you can throw an exception. But users will be able to delete their cookies to circumvent the protection.
Changing page-2 to end-state solved the problem. The solution was mentioned in "The Definitive Guide to Spring Web Flow".
Thank you all for your help.

Send multiple tweets(mentions) with multiple accounts Twitter4j

I am designing an application using which the users would be able to send multiple tweets(mentions) from multiple accounts and am using Twitter4j for the same. Regarding this, I have a few questions:
Authentication: The application has an authentication part.I am able to authenticate using the PIN based authentication(oob).But I want to know if it is possible to persist the access token such that the user only needs to authenticate once at the time of installing the app and never thereafter.
Exception Handling: The application would be sending multiple tweets.So I wish to know that what would be the way to check for exceptions, particularly the suspension of user account.
Limit: What would be a safe rate(I mean minimum interval between two tweets) to send the tweets hourly or per minute. Does twitter also check for the IP of the machine for suspending the accounts? I mean suppose I need to send 60 tweets.If I am using 4 accounts to do the same with 15 tweets per account and run 4 threads for the same, will that allow me to send more tweets form my app?
EDIT
Kindly note that I am making a desktop app, not a web app.So a PIN based authentication is necessary. Also I am not sure about the validity lifetime of an access token.Will the access token once generated by using OOB authentication be valid forever so that I can save it in a database and hence enable user to authenticate only once?
Some points to note:
Authentication : It is possible to get the access token without using pin based authentication, for that when you create an application you have to specify a callback url, and so you dont have to copy and paste the pin, instead a parameter oauth_verifier is appended with the callback url which you can fetch from the url itself. With this oauth_verifier , you can get access_token and token_secret as mentioned here
Exception Handling : Nothing other than simple try catch can be more helpful here.
Limit: There are two initial buckets available for GET requests: 15 calls every 15 minutes, and 180 calls every 15 minutes. Refer here for more details.
Edit: For desktop app there is no other alternative, so you have to do a pin based authentication and since twitter works on Oauth1, so as of now, the validity of the access_token and token_secret is lifetime. So authentication is required only once and the api calls can be made using same tokens.

spring 3 + hibernate 4 + user authentication and authorization privileges

Status: Waiting for comprehensive answers with code examples concerning dao, service, controller, view.
With spring 3 + hibernate 4, in a service, dao, controller, view (mvc scenario), like http://www.cavalr.com/blog/Spring_3_and_Annotation_Based_Hibernate_4_Example ,
where is the good place to have authentications before doing something. e.g
Occasions:
Is user logged in? (first check by session , then by data base username password match)
session made? getting previous session on every transaction and authenticating if no session has made.
More authentications for every transaction e.g:
get some value or boolean from database, check if its true (e.g can this user add more users), then proceed.
Does user have permissions? and if authentication fails, how to respond to user?
Ways to respond:
a. Redirect to error page (dont like that though)
b. redirect to the same page with an error message (ok)
c. Do all with ajax, (most preferred) dont reload or redirect page, just authentication by
session and or
database
send error message on the same page by ajax.
proceed if authentication succeeds.
Where to put the logic? in dao, service, controller?
What options do I have?
Can some one give a sample code? I have googled but found irrelevent examples.
I know one solution is spring security, but what do you think? and is there a sample code for it that covers all my questions?
Example scenario:
my scenarios is like this. a user comes and a db query tels/lists the borads he has access to. when he enters a board. the boxes privileges are lists and only readable boxes are shown to him. then same with tasks. each of them has create/read/update/delete permision and that is known/fetched at the time when the user acts for one. e.g tries to create/read/update/delete a board/box/task.
now there are millions of boxes / tasks. loading permissions for each might be insane?
I do not understand how to and where to do the authentication and authorization. daos, services,controllers, and then sending the problems to views as error messages. One dao may call another, one service may call another dao(s) and / or service. all or most may give authorization failures. how to pass the failure strings to view placing them accordingly?
Thanks!

HttpClient - confirm password, redirect

Phase 1: I succesfully confirm the user password in a web form using HttpClient and HttpPost.
In this case, the code I receive from the server is 200OK.
Phase 2: Now, let's say the user will attempt to confirm his password again. But he can't do that,
because the initial URL won't exist anymore, so he will be redirected to the login page.
Here's a bit of a difficulty: in this case, server responds again with 200OK, not a redirect code.
How can I differentiate between the first phase and the second?
I tried
serverResponse.getStatusLine().getStatusCode();
and
serverResponse.getLastHeader("Location").getValue();
without luck, as there's no real redirect happening from the server point of view.
I thought about getting the response content and parsing it as html, but I believe that's not a good solution.
I also thought about storing in a boolean SharedPreference the confirmation action, but then there's the case when the user has multiple devices.
Another possible solution is to hide the confirm password fragment, once the user confirms his password.
What do you think it would be a good way to differentiate between phases or to prevent phase 2?
I appreciate any idea.
Thank you.

Categories