I want to create chrome extension, which interacts with github repository.
1: User click button
2: API creates new file and inserts submitted data
3: API reads all existing files and calculates specific data
4: API sends back calculations to user
(All commands launched automatic from extension)
Can someone explain:
If it's possible to use Personal access tokens from github, but also lock access for outsiders?
I mean.. token can be visible for everyone, but Github-API should work only if used with chrome extension.
At this moment completed only two steps..
Created 'machine user'
Invited him to my repository and gave 'repo' permissions
Next steps unknown..
?? Create Personal access tokens or OAuth apps to get access to API?
?? Somehow give info to github about my extension, and allow all actions only from this extension
Related
Is it easy for people to find "public" google sheets/docs?
Context: Storing some semi-sensitive data (individual user info, of non-sensitive nature) for an app beta-test in google sheets. Planning to migrate to some DB in the future, but for now, just using JavaScript to pull the data directly from the google sheets (since there are visualizations being dynamically updated by the sheets).
Yes, it's easy to get information. Search engines may index and cache the information. Then, there are bots, crawlers and scrapers. Do NOT put (semi)sensitive information in public. Implement google-oauth properly with google-sheets-api to get information. You can also use service-accounts
Yes, it can be easily accessed.
According to the official Google article Share files from Google Drive: when you set your file's General Access setting to public:
Anyone can search on Google and get access to your file, without signing in to their Google account.
What you can do:
In the case of your app beta-test in google sheets data, you may want to reconsider to change your file's General Access setting to one of the following (in descending order of security):
Restricted - Only people that you manually give access to can view or edit your files. When you click the share button, a prompt will show and you may manually add the users who can view or edit your files:
Afterwards, you may select a role for those users and then they can be notified afterwards through email.
On the other hand, you can share the link to others. A prompt will show like the one below if you send the url through Google Chat:
You may opt to select Don't give access which will result in the following view on the other user's end:
This would mean that if unauthorized users get hold of the file URL, they will still need to send an access request. If other users submit the request, an email notification will be sent to your mail inbox. Other users who also own the file will also be notified by mail.
Your Organization - If you use a Google Account through work or school, anyone signed in to an account in your organization can open the file. If you are an administrator in a work or school workspace, you may set how members can share content within the organization. The administrator can prevent the sharing of content with group members outside your organization. If external sharing is prohibited, only group members who are in your organization can access the group's shared content.
Anyone with the link - Anyone who has the link can use your file, without signing in to their Google Account. This option is least recommended because if the URL is leaked to unauthorized users, they can easily access the file.
References:
Share files from Google Drive
Share content with a group
Don’t make it public unless you want the public to see it. Use oauth to access.
I am trying to publish a Google Sheets Add-on. I am working on the Google Workspace Marketplace SDK configuration. The configuration automatically includes the following 2 scopes as defaults:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
The Add-on has no reason to access the user's email or profile. Why are these added? Can I delete them? The only scopes that the script code should need are:
https://www.googleapis.com/auth/script.container.ui
https://www.googleapis.com/auth/spreadsheets.currentonly
When I go to create the OAuth Consent Screen. I am told that I need to create "A Youtube video showing how you plan to use the Google user data that you get from scopes". Am I being asked to do this because of these default scopes that are included?
EDIT: I deleted these 2 scopes and did a SAVE. It confirmed that the edits were saved. But when I refreshed the page, the scopes were back!
The reason why the Trust and Safety team is asking you for the video is because this:
1-Most of the apps that will be public, require certain steps. So the video is one of those.
2-Now, the main reason for the video, is because the scope https://www.googleapis.com/auth/script.container.ui is part of the restricted scopes. And according to the documentation it needs to go through the verification.
So basically the reason for the video is because you have a restricted scope because this scope allows you to display and run third-party web content in prompts and sidebars inside Google applications. Therefore, it is important for the verification process.
Now in regards to your concern of the default scopes, I was able to remove them and create OAuth consent screen without them.
Created a developer account and trying to follow the basic https://github.com/docusign/eg-01-python-jwt example but cannot get it to work. My goal is just to create a basic POC showing the ability to download envelopes using the API as a system integration (the idea would be for this app to download ALL completed envelopes, regardless of the owning account, for local storage).
What I've done:
Created a single developer account and sandbox, downloaded code from git
Under APIs created a new app/integration key, generated RSA key pair, and set the redirect URI to https://www.docusign.com
Copied all values into the config file of the code sample
When I run the code it consistently throws an error CONSENT REQUIRED and provides a link for the user to use to grant conset. The first time this happened I followed the link, logged in, and allowed access. On subsequent runs the link just immediately redirects to www.docusign.com. Also, under my account Connected Apps I can see that the app I granted access to is listed, so obviously something worked...
Thanks for any help.
When you update all the needed configuration for the code example (https://github.com/docusign/eg-01-python-jwt) it's important to remember to set the GUID for the userId in ds_config.ini file. That can be found by going to DocuSign Admin and checking the user in the users list. This is the relevant line:
DS_IMPERSONATED_USER_GUID={IMPERSONATED_GUID}
Updating this with the correct user that corresponds to the login you used when granting consent would resolve this issue.
The docs say (step 4):
In the App Review for Instagram section, click Add to Submission for each permission your App will need from its Users. instagram_basic is required. instagram_manage_comments, instagram_manage_insights, and instagram_content_publish are optional.
Scroll to the bottom of the page, and in the Current Submission sub-section, for each submission, click its View Notes link.
In the View Notes dialogue for each permission submission, provide a description for how you will use the data returned by any endpoints that require the permission, and a screencast showing how your app will use the data.
Once you've completed your notes for all of your permission submissions, click the Submit For Review button at the bottom of the page. Note that this is separate from your App Review, which you will do after testing.
After you've added both Facebook Login and Instagram API products to your app configuration, add Facebook Login to your app and record a screencast showing how you will use data returned by the Instagram API. This is similar to the Facebook Login screencast but with Instagram data, so the same guidelines apply.
Step 5:
Once you've been notified that your Instagram API product submission has been approved, you can use the Graph API Explorer to test your app.
With Facebook Login I can create an app that works in sandbox mode. Which lets me create a screencast. To be able to use Instagram Graph API (on a site) I need (from what I can gather):
Facebook Page linked to Instagram Business Account
an app icon
a privacy policy page
a site with working Facebook Login
description of how each permission is going to be used
screencast of... what exactly? of a site that is basically ready, but instead of fetching data from Instagram, it has them hardcoded in the code?
Or there is a sandbox mode after all?
UPD I've highlighted the important parts in the quotes above. Then:
5. Test Your App
Once you've been notified that your Instagram API product submission has been approved, you can use the Graph API Explorer to test your app.
Go to the Graph API Explorer...
The first call you will make is to the Graph API's /user/accounts edge...
Locate the Page that you connected to the Instagram Business Account and click its ID...
Next, [make /page?fields=instagram_business_account request].
This is where I get empty response in Graph API Explorer (only id field is returned), or:
200:- OAuthException:(#200) Access to this data is temporarily disabled for non-active apps or apps that have not recently accessed this data due to changes we are making to the Facebook Platform. https://developers.facebook.com/status/issues/205942813488872/
GET /...?fields=instagram_business_account HTTP/1.1
on my site. Which requests to Instagram Graph API can I make before passing reviews (Instagram App Review, and Facebook App Review)?
It looks like the documentation that Facebook provides is somewhat misleading. You can actually use Instagram Graph API via Graph API Explorer (or by sending GET requests from your code) in a very limited way accessing only your instagram business account BEFORE you get initial approval described in Step 4.
Steps:
Open Graph API Explorer.
First, you need to add extra permissions in the "Access Token" section. There is a "Add a Permission" drop down on the bottom of that section. Open that drop down and select: instagram_basic, manage_pages, business_management permissions. Depending on what you are trying to do, you may need other permissions as well (e.g. instagram_manage_comments, ads_management, manage_pages).
Once you selected the extra permissions, click on the "Get Access Token" button.
Now, you have access token with correct permissions and you should be able to execute instagram_business_account request. This will return the instagram id of your business account, which you can then use for other requests.
After going through these steps, I'm able to get media for my business account via Instagram Graph API, although I'm still trying to figure out why tags request returns empty list.
Go to your app dashboard from your developer account:
https://developers.facebook.com/apps/APP_ID/dashboad
Go to: Roles -> Test Users.
Edit one of the test users to change its password to what you want in order to know him.
Once done, logout from your personal account and connect with the "test user" account in https://facebook.com
Go to your app and click the facebook login with the scope "instagram_basic".
With the access_token that you get you are able to ask Graph API about the user's instagram business account.
Et voilà.
PS: You will not be able to use the Open Graph API tool from your test user. My advice is to test your app from Incognito mode so it will not interpose with your personal account.
UPDATE
Currently, access the instagram data from this way is disabled but this is the right way to access the data.
FB error message says:
(#200) Access to this data is temporarily disabled for non-active apps or apps that have not recently accessed this data due to changes we are making to the Facebook Platform. https://developers.facebook.com/status/issues/205942813488872/
You can get full functionality of Graph API if you login with the developer account, use that to create a video screencast of app functionality and submit
You will have to create a test application out of your real application, these applications are in sand box mode by default (developer mode) https://developers.facebook.com/docs/apps/test-apps/ You will be able to access any fb permission / feature with it, and develop a product with it. Once you are ready to review, in your submission of your real application link your test app in the process
I've downloaded the starter pack and performed all steps as mentioned in the tutorial. I can create accounts but if I log out and want to sign in again I always get the error invalid username or password. Can anyone share any pointers as debugging this is nearly impossible.
I've created several accounts already just to be sure the password was ok.
I've created the keycontainers
I've created the two applications that are needed in the custom policies (web app and native)
I've updated the extension file with the correct id's
yeah if you dont get your client IDS correct you cant log in and then it constantly reports as invalid credentials.
Double check that you are writing the object ids correctly.