When you verify signed JSON which comes when a user has completed transaction there is obvious need to verify that this particular purchase was made by a particular user. It especially important to prevent the possibility of changing the userId when you send for example userId and signed JSON to your server for verification purposes. But there are no such fields in signed JSON.
So is it OK to place some userId in developerPayload field ?
{ "nonce" : 1836535032137741465,
"orders" :
[{ "notificationId" : "android.test.purchased",
"orderId" : "transactionId.android.test.purchased",
"packageName" : "com.example.dungeons",
"productId" : "android.test.purchased",
"developerPayload" : "bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ",
"purchaseTime" : 1290114783411,
"purchaseState" : 0,
"purchaseToken" : "rojeslcdyyiapnqcynkjyyjh" }]
}
Yes. It is OK to place some user identity in the developer payload. When you receive that back in the PURCHASE_STATE_CHANGED broadcast you can then send this on to your own server.
This is especially relevant to unmanaged items where you need to maintain purchase and use of those items per user on your own server.
The real question is what user identity are you going to send and where are you going to get it from. It can't be device specific because a user may have multiple devices. It really needs to be an identity provided by Google Play. But I don't know how to find that.
Related
I work on chat app one to one chat and my database structure is
"rules": {
"Messages" :{
"$chatId" : {
".read": "root.child('Chat_members').child(chatId).child(auth.uid).exists()",
".write": "root.child('Chat_members').child(chatId).child(auth.uid).exists()"
}
I want to implement delete message so if user1 delete message i will hide it and display it only for user2 ,i can do this from client side but it is very inefficient way to request all data where there is for example just one message that will display for user1 how to do this from firebase rules? can I find any help?
As the documentation says security rules don't filter data. Instead you need to ensure that the client only reads the data you want to show.
I don't seen an easy way to do that to your structure without adding more data. In fact, the simplest way I can think of is to simply replicate the chat for each user and then actually delete the message from their data structure when needed.
I am trying to create a customer feedback management program in which a link to a page is sent to customer. The link sent to each customer is different(but each customer should land on the same page as it clicks the link) so that no non customer can use the link and each link expires as soon as the customer uses that link( same case as when you try to change Oracle Corporation password).The url(link) should be so that each customer's social security number e.g "35202-6641939-8" and customer's tracking id e.g "10901540381" are combined and then encrypted and then appended to the url(link) which is e-mailed to the customer. But even though the url of each customer is different , even then each customer should land on the same page. My priority is that a Java component(servlet) which handles the above mentioned scenario be created. But don't know how to implement the above mentioned scenario.
Regards!.
Here's an idea:
When you create the link, generate some UUID (see UUID.randomUUID()) and put the uuid, the SSN and the tracking ID in some DB (a file could do the job if you really can't use a DB). => The link for the customer http://www.foo.com/somepath/<UUID> (the servlet is mapped to /somepath/* in this example)
Now the customer click the link, you get the DB record using the UUID, and you then have the SSN and tracking ID. Do something then purge the DB record (side note, you probably want some "batch" to purge old, non used links)
No encryption required.
I'm trying to send messages to customers who want to know the current state of their order. Now I know that you can only send messages to someone who sent you a message because you need to have the specific recipient ID. The problem with this is that if I want to get the recipient ID I need to read my mailbox and therefore need the permission: read_mailbox. But read_mailbox is deprecated as of Facebook API v2.4 and newer. I don't think that it is impossible to do it though. Question beeing, how to do it with v2.4 or newer?
Edit: Thanks CBroe for the answer
Last problem now is that when I get a specific message it only gives me the created_time and the id back. Same thing when I try it with the GraphAPI Explorer
This:
JsonObject message = getFacebookClient().fetchObject("m_mid.1467893842385:ae7475981839704062", JsonObject.class);
Gives this:
{
"created_time": "2016-07-07T12:17:22+0000",
"id": "m_mid.1467893842385:ae7475981839704062"
}
What am I doing wrong? Am I missing a parameter or a permission?
No, this doesn’t need read_mailbox permission.
https://developers.facebook.com/docs/graph-api/reference/page/conversations#read:
A page access token with read_page_mailboxes permission is required.
So you have to ask for that permission, plus manage_pages of course (because you need the latter to get a page access token.)
I have two projects Project-A and Project-B.
On Project-A I have a service account loader#project-a.iam.gserviceaccount.com which I want to use to read messages from Project-B PubSub topic.
I've created a topic subscription on Project-B projects/project-b/subscriptions/data. Then added loader#project-a.iam.gserviceaccount.com in Permissions tab as a Subscriber. I believe it should give me access.
But if I try:
TestIamPermissionsRequest iamreq = new TestIamPermissionsRequest();
iamreq.setPermissions(Arrays.asList(
"pubsub.subscriptions.consume",
"pubsub.subscriptions.get"
));
pubsub.projects().subscriptions()
.testIamPermissions(topicSubscription, iamreq).execute();
It returns empty list of permissions.
And for actual pull request:
PullRequest pull = new PullRequest();
pull.setMaxMessages(1);
pull.setReturnImmediately(true);
pubsub.projects().subscriptions().pull(topicSubsription, pull).execute();
It fails with:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "User not authorized to perform this action.",
"reason" : "forbidden"
} ],
"message" : "User not authorized to perform this action.",
"status" : "PERMISSION_DENIED"
}
I've double checked that service account is in Subscribers list, also tried to remove/add it again, etc. Tried with different project. It doesn't change anything.
If I have PubSub Topic Subscription and Service Account under same Cloud Project, then it works fine, for both testIamPermissions and pull requests. Does it mean that IAM Service Account cannot be used to get access to PubSub from another project?
Please note that it works fine for Storage access from other project. Which means that problem is specific only to PubSub. That's why I think I've missed something on PubSub configuration side. But what exactly?
To consume from Topic Subscription role "Subscriber" should be given to the Subscription. Unfortunately it's not possible with Cloud Console right now.
The problem was that Cloud Console is misleading, by selecting a Topic I expect to setup permissions to Topic Subscriptions also (because there're no separate UI for Topic Subscriptions after all). But it's doesn't work like this, Permissions form applies changes only to selected Topic, ignoring all existing Topic subscriptions. Basically you cannot view or edit Subscriber permissions, there're no such UI currently.
PS There're a way to do that via API, though. But it doesn't work for my situation
So I've recently been working on a server-side application which collects message lists from users, based on history id. I am doing full syncs.
Normally, I get responses like this:
{
"messages": [
{
"id": "14d9c91dbba84646",
"threadId": "14d9a7f9b36c65ae"
},
],
"nextPageToken": "14788016228466612591",
"resultSizeEstimate": 832
}
which is precisely what I get in 99% of cases. However, for some users, I get only this:
{"resultSizeEstimate":0}
with no other information. Note that this is on a full sync. I find this odd, because even on brand new email accounts, I receive the oldest information. One of the emails providing this result is an #yahoo.com email. Which in itself is not so odd, since non-gmail accounts can have OAuth credentials. However, normally when a user has no gmail inbox I instead get a 400 error with failedPrecondition. Can anybody provide some insight on this behaviour?