I'm making a Twitter client in Java, and I've came to a problem I don't know how to solve it.
How the hell I store open auth for twitter? I mean it doesn't make very sense for a person to allow an application every time he wants to use the client. I've been look at the Twitter documentation, but I must say, it's really poor in terms of Java.
So do you guy have some idea to solve this?
Thanks in advance!
After your application successfully authenticates to Twitter, you will receive two strings: OAuthToken and OAuthTokenSecret. You store these tokens in a cookie, a user settings file, or wherever makes sense for your application.
Then, whenever you are making a call to the Twitter API, you retrieve these strings from the cookie or the user settings file, or wherever, and include them in the API call.
Or is there something about your question that I don't understand?
Yes, unless the user revokes the permission of your application.
Most of the time you need to store the twitter username and two tokens (public and secret). You get this tokens after you submit the password to the authorization twitter page.
So finally you would only need those three things to post and retrieve Twitter data.
Hope it helps.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I have to send an email from IntentService. My data is mostly the backup from a phone. I am using smtp.google.com + javamail.I can use a gmail account and send data through it.(http://www.oracle.com/technetwork/java/javamail/faq/index.html#gmail):
From my point of view the problem with this approach is that my app uses the gmail account and sends data via my account. All personal data would go through one my account. Question#1 - Is it a good approach to do it?
The gmail api uses OAuth 2.0. And I have to store my client ID in some place of my program. I read that it is impossible to restore login/password from it. This token has validity. Question#2 Is it possible to use this token for reading or deleting something from gmail account until it is valid?
For all examples of my app would be the same gmail account. This think bothers me sometimes, because if something happens with gmail account I will not be able to do anything.
Question#3 Is it worth to use services like https://www.mailgun.com/ or maybe to create at least another gmail account and to use them both?
Only if you're the only one using your app.
Yes.
Email is probably not the right solution to your problem. But without knowing more about the problem you're trying to solve and what your requirements are, it's hard to know what to suggest instead.
Hi everybody,
well, here it is my problem.
I have a corporation gmail user, lets say developer-user#mycompany.com, and I would like to list all the gsheets I have in my gdriver trhough the google API for Java applications, so I generated the credentials I supposed to need:
the email, which was auto-created by google with a different domain,
in this case something like 1234567890#developer.gserviceaccount.com
then I created the p12 key file.
After that I tried the connection and everything ran fine, but It did not list the spread sheets I had, and I figured out that I can not list all the gsheets I had 'till I shared them with the 1234567890#developer.gserviceaccount.com mail/user, but the problem is that I can NOT share anything outside of the #mycompany.com domain, even though the email (1234567890#developer.gserviceaccount.com) created for the authentication is linked to my developer-user#mycompany.com account.
I am not sure if I was clear enough, but what I need is a solution for that. did someone figur out something? may you help me?
Anyway, thank you guys and I appreciate your time.
You'll have to ask your Google Apps Admin to enable sharing outside your domain on Google docs, that's the only way Drive will allow the service account to reach existing docs.
The only alternative is to recreate the docs using the service account (programatically) and share them with your account.
Your admin can delegate domain wide access to your app which will then be able to impersonate you.
Alternatively, don't use service accounts and simply generate a refresh token for your own account (which is by far the easiest solution).
I'm trying to get the Twitter data from the Twitter page URL.
I.e. I have this URL http://twitter.com/eBay.
How can I to get followers number, etc... from every URL?
I'd like to use the Twitter API, but I've not an app to register. So it's not possible for me to authenticate, because I'm creating an University Thesis project.
Cheers.
I highly recommend using Twitter4J. It's a useful library for Java to parse all of this information. You can find it here.
As for not having an app to register, Twitter is pretty loose about obtaining credentials, so just create credentials on your personal twitter account and you should be good to go. You don't need a specific app to do it.
It's also important to know Twitter has rate limits on their API calls. You can find that information here.
Hope this helps!
I'm have implemented a module for Java web application that users will need to request for them to access the secured data. It works like this: when users that does not yet have access clicks on a certain link, a request is made and is received on the server side. It now generates an email and sends to people who are "approvers". The email contain links on approving or denying the access of that user.
Approved Link:http://hostname/App_name?action=actionClass&approved=true
Denied Link:http://hostname/App_name?action=actionClass&approved=false
Now the question is, is there a better way to do this which also takes into consideration the security?
I did try to look for other posts that are related to this but the results don't seem to be touching on this regard. If there are any that I have missed, I would appreciate if you can also point them so I can revise the question.
Thanks in advance
I'll assume that you are authenticating the users when they click on the given link, because otherwise it's just bad mojo.
You can have some privileges assigned to that user and check that to see if you are going to allow the approve or not.
That depends on how you are sending out the email. Assuming you are doing it client-side, then a user could intercept their own approval link, which clearly you don't want.
A better way (assuming you aren't doing this already) would be to send the user information (via HTTPS of course) to your server and then have the server generate and send the email. This way no one has access to the approval link except those emailed by the server and those in control of the server (you hopefully).