Laravel6
lighthouse-php 5
pusher
I'm creating admin and user chat app and use graphql subscription.
User authentication and admin authentication are used different guard.
I want to use different guard in subscription, is it possible? Or I have to change my authentication system using #can directive?
ex.
subscription's guard guard_user(a)
mutation's guard guard_admin(b)
User chat(a) wants to get admin push the message(b). But (b)'s subscription after mutation try to throw the unauthenticated exception message and it's over the limit pusher, then User chat doesn't accept any message.
[13:55:41] LOG.error: The data content of this event exceeds the allowed maximum (10240 bytes). See ...
Related
I am first time creating an app on slack which responds to command in channel / group / dm. My questions are
should i use slack bot token or user token , how to decide on it ?
If i use user token do i need any additional scope access , just to read list of users in group / personal / channel only where i am part of
I want to know what are best practices on that
should i use slack bot token or user token , how to decide on it ?
When architecting your app, it's best to require the least number of scopes as required for your app to function. On the same thread, you should only use the User Token if you have a method that only the user token can access or you want to do something on behalf of the user, otherwise it's best to stick with the bot token only.
If i use user token do i need any additional scope access , just to read list of users in group / personal / channel only where i am part of
The method to retrieve a list of users is the conversations.members method. You'll need the specific *:read scope for the type of conversation that you want to pull the users from: im, mpim, private channel or public channel.
I need to get list of attendees of a MSTeams meeting call, and their times by an Azure Application.
For now, i've tried 3 different approaches without success:
Registering a Bot
Retrieve the attendee report of an event
callRecord subscription
In more detail:
Registering a Bot
MembersAdded event works as described in the documentation for v4.7 of the Bots SDK, ie. when a new user is added to a chat or a team, webhook is called, which does not work for online meetings. However for v3 of the Bots SDK there is a mention:
The conversationUpdate event with the membersAdded object in the
payload is sent when a user is added to a private scheduled meeting.
The event details will be sent even when anonymous users join the
meeting.
I've not tried this version of SDK, but i think it has the same behaviour as v4.7 because i don't see any request comming to my bot's webhook when an user joins a meeting.
Moreover, when i request Members of a meeting on message event to a bot by invoking:
var members = await TeamsInfo.GetMembersAsync(turnContext);
i get a list of team/chat members where a meeting is created but not the list of attendees of a meeting for the current time.
Retrieve the attendee report of an event
By this request, I can get the list of attenees, but only for live events.
However Teams clients (in preview mode now) can get this report for ordinary meeting with the full history of who/when entered/leaved a meeting with even guest names(!).
Anyway, this method has the following disadvantages:
As mentioned in the Get onlineMeeting and according to the Allow applications to access online meetings on behalf of a user, a Tenant administrator have to invoke PS command Grant-CsApplicationAccessPolicy for each meeting organiser, to grand my app permision to download this report
Administrators must create an application access policy and grant it to a user, authorizing the
app configured in the policy to retrieve an
online meeting on behalf of that user (user ID specified in the
request path).
Uses Beta version of the GraphAPI, so it can't be used in production
callRecord subscription
According to the Create subscription, i can subscribe to create and update events of a callRecord, and everything works well - when a meeting call is finished, my notification URL is called in 5-20 minutes, so i can find original meeting by callRecord.joinWebUrl and Get onlineMeeting:Example 3. Seems it's most suitable method for me, but has the following disadvantages:
Guests cannot be identified, their names as them passed in MSTeams clients are not reported to callRecord ie. callRecord.Participants[].AddtionalData["guest"].displayName == "Guest user" for any guest (seems like a bug), however entered/leaved information can be found by searching callRecord.Participants[].AddtionalData["guest"].id in callRecord.Sessions[].Segments[].Caller.Identity.AddtionalData["guest"].id
External users cannot be also indentified, callRecord.Participants[].User.DisplayName == "External user" for any external user, however i can retrive tenantId and userId, but still cannot get user's profile because my app has to have Directory.Read.All permision in that tenant, and it's not possible for every tenant.
PS. I can setup MSTeams to do not allow guests or external users, then it works partially well, because each user has to have Teams license assigned, and there is NO login page appears during joining a meeting, just an error page saying that meeting does not allow guest or external users, so the user should find a link to login to a tenant, which is not obvious in MSTeams Web Client, but possible.
PSS. In the Microsoft Teams admin center, i've checked the calling history of an organiser for a meeting with 1 guest, 1 tenant and 1 external and here it is:
Seems for guests, displayName is not stored at all, however for an external user there AAD email is stored (this is AAD guest user ie has '#EXT#' in his principal name, and has the same email as on the picture), however i'm not sure from where it resolved from by Azure - either from external tenant AAD or my tenant AAD for external user, because Azure has access to both.
So, maybe you know a method to get attendees and their times in a meeting call ?
Thank you for your suggestion/advice/reply !
Thanks for reaching us!
Teams by default generate attendees report and meeting report after completion of meeting call. We can able to see the list of attendees and the report. But at present we don't have any API to fetch list of attendees and their timings.
As this feature is not available at present, could you please raise an UserVoice if this needs to be consider as a future request.
I would like to create a webservice capable of automatically sending messages in Microsoft Teams. I tried authenticating as an application, but currently Microsoft does not support granting application permissions to send messages in Teams, so the only choice here is to authenticate using a service account with real credentials (Unless there is another way?). This method only specifies using user interaction to log in as a user.
I would like to use a service account teamchatbot#domain.com to authenticate with Microsoft Graph in order to send messages on Microsoft Teams. (similar to this but since I'm not accessing a resource it is a little different.) Is there a way I can silently obtain an access token on behalf of the service account in order to send messages?
It seems that you have a misunderstanding.
Your scene is actually the same as this post.
You should use Resource Owner Password Credentials to call Microsoft Graph API to send messages.
Based on permissions, you need the Group.ReadWrite.All delegated permission. So you need to add this permission into your Azure AD app firstly.
Don't forget to click on "Grant admin consent for {your tenant}" after you add this permission.
Then you can get an access token like this:
You can see that https://graph.microsoft.com/Group.ReadWrite.All has been included in the response.
Now you could use this access token to call POST /teams/{id}/channels/{id}/messages.
There are a few other ways I can think of.
1) One is that you can create a Bot using the Microsoft Bot Framework, and once that bot is installed to the particular team, it can send "pro-active" messages (i.e. not a message in response to a user's message, but rather whenever you need).
Essentially, when you bot is added to the team, you get access to a specific event in your bot (OnMembersAdded for a general bot, and there's now a new event just for Teams). See more on this in my answer on Detect bot application open event. In this event, you get the information you need for later, which you can store in a database or wherever, and then create the message as if it's your bot posting to the channel. You can see more on that at Programmatically sending a message to a bot in Microsoft Teams.
This option above is a lot of work, but useful if there's other functionality you want from a bot (e.g. the ability to receive messages from the users)
2) Another, and even more simple way, is to create an incoming webhook directly to the channel. Here's a post on doing this using PowerShell, so you can do that for simple testing and extrapolate from there for Node.
Of course, things like Flow (Power Automate) are an option too, but you're already writing code so one of the above is probably easier.
Hope that helps
I'm setting up OneSignal on my website.
As far as I can see, there are 2 ways I can associate a push subscription with my user ID:
I can call OneSignal.getUserId(), which returns a UUID, and make an authenticated call to my web server to associate this UUID with my logged in user on my server
I can call setExternalUserId() to send the logged in user ID and associate it with the subscription on OneSignal servers
The first option is perfectly secure, as one could only hijack my client-side code to send an invalid subscription ID (or another valid subscription ID they have created), which is not a big deal.
The second option though, feels totally unsecure: anyone could hijack the client-side code to send any valid user ID and associate it with its subscription, and therefore receive notifications on behalf of another user.
Is there a way to securely use setExternalUserId() while preventing a user from associating their subscription with another user?
The only secure scenario I can think of is if my users had UUIDs as well, instead of sequential IDs, and these UUIDs were kept secret (i.e. never exposed publicly on the website).
Any other scenario I can think of sounds plain insecure.
Did I miss something?
I want to send web push notifications to registered users, are there any best practices on how to implement the cases when multiple users have access to the same device and one should not see the message of another user.
Thanks in advance.
A web push notification subscription is tied to the browser, not the device.
What you need to do is, map this id with your registered user when he logs in from a particular browser. Also, you need to remove the subscription id mapping with any other users in the system.
In the case of multiple users using the same browser, the above logic will make sure that at a time, a particular browser subscription id is linked only to a single user.
And when you want to send a notification to a registered user, you can retrieve all push subscription IDs linked to this user in your database, and trigger notifications to those subscription IDs.
And don't forget to unmap a subscription id when the user logs out from a browser. Otherwise, he will continue to receive all notifications even if he has logged out.