I have a web app where people can log in through Twitter and by doing so authenticate the app to tweet on their behalf, I want to do this.
But the problem is that I cannot find any endpoints in the twitter API that would facilitate this,
I'm able to tweet from my own app using the Twitter npm package but I can't find a parameter to pass something like a user ID to tweet from a different twitter account using my App.
Do you maybe need the OAUTH token and secret to do this?
The solution is to have people sign in on your web page and get their tokenSecret and token from the login, put those in the place where the access_token_key and access_token_secret usually go when tweeting and send a regular statuses/update/ POST request.
Related
A user can create an account in my App only with his work email.
Example: john#xyzcompany.com
After he creates an account, he can link multiple social media accounts to his profile.
Example: john#gmail.com, john2#gmail.com
I'm using MEAN stack to develop the App.
When a user logs in to my app, I'm creating a JWT token to authorize all his future requests to the server.
When it comes to Social Media accounts Integrations, After successful authentication I'm able to receive the accessTokens from these Social Media to the backend callback URL. I need to link the tokens to the right user. Is there anyway I can pass my JWT token along with the callback URL to identify which user has made the request, because I cannot identify the user based on the email in his Social Media Account?
I was able to solve this using socket.io. But I feel it is unnecessary to use sockets for simple authentication.
Is there any other approach to solve it? I have researched online, few of them suggested using passport. I don't fully understand how passport works, I just feel it is just a middleware to authenticate API requests from users, which I'm doing anyway using a custom function.
Could someone explain whether it is possible to pass JWT in callback URLs using passport strategies?
What is the right approach to handle such authentications in a MEAN stack app? I'm stuck with this issue since the past week, really looking forward for a good solution.
I have encountered this type of situation in one of the large scale applications I have been working for and the approach we used to handle it was to store the jwtToken in redis and then retrieve it back with the help of user cookies. Let me explain it in more detail -
Send a new Cookie for the user when the user opens the login page. The cookie should contain some unique id or code against which we will save the JWT token,. Eg: res.cookie('jwtIdentifier', newid())
Now, when the user logs in, generate the JWT token and save it to your redis against the cookie jwtIdentifier's value. Eg: redisHelper.set(req.cookies.jwtIdentifier, JWTTOKEN)
At last, when the login is successful and the user is redirected back to your app, you can retrieve your JWT token again for the corresponding user using the cookie. Eg: redisHelper.get(req.cookies.jwtIdentifier) This will give you back the JWT token that you can then use across your application for that specific user.
Hope it's clear, let me know if you have any questions with this implementation ;)
You might try using client side facebook authentication as described here
https://theinfogrid.com/tech/developers/angular/facebook-login-angular-rest-api/
in this case in angular app you have facebook token alongside your app token and you can send them to your backend to identify the current user.
on backend part you eill call facebook to get profile data from accessToken and then store user profile id and depending on your business you might need also to store the access token
I'm currently developping a REST API with NodeJS and Express for a mobile application written with the Ionic framework.
I have a mysql database in which are stored my users.
I want my API to be safe concerning the authentication of my users and their right to access certain routes and ressources of the API.
My user can either login/register with their own credentials or use Facebook to do it.
So, this is what i'm doing right now :
A user register using one of my API's routes
When he wants to access a protected route, i use passport-http's Basic Strategy for Basic Auth.
I use it like this:
router.route('/protected/route')
.put(auth.isAuthenticated, controller.someMethod);
The auth.isAuthenticated looks like this :
passport.use(new BasicStrategy(
function(username, password, callback) {
Account.findByEmailAndPassword(username, password, function(err, user) {
if (err) { callback(err) };
if (!user) { return callback(null, false); }
return callback(null, user);
});
}
));
exports.isAuthenticated = passport.authenticate('basic', { session : false });
Then, in controller.someMethod(), i get my user object in req.user. I have a field in my DB that is type, i can check what's the type of the user and continue my request or not.
Now, using Facebook:
The client uses Facebook's Login button, authorize my app to access it's data, and then gets an access_token. It is send to my API via an HTTP request.
The API gets the token, and then start calling the Facebook Graph API to ask information about the user such as his id, email, firstName and lastName.
I send theses informations back to the client. He's able to modify his firstName and lastName if he wants. Then send it back to the API.
The API register the User.
They both works like a charm, but i'm facing some problems:
When registering with facebook, if the user id is already in the database, i consider that the user has already subscribed to my service. But how can i identify him using basic auth afterwards ?
The first question brought me to the others. I've read everywhere that Basic Auth isn't secure enough. So i was thinking about, first of all, buy a SSL certificate, then change my authentification system to OAuth 2.0.
I was thinking that if i do that, i would be able to send a token back to my user that logged in with Facebook, which would answer my first question.
But is OAuth2.0 the solution here ?
Am i doing things right with my Facebook registration ?
How does that callback stuff works when i want to login using my own users on my Ionic app ?
There's so many things that seems unclear about OAuth2.0 that i don't want to start implementing it and then figure out than it wasn't the right solution for my problem. I've always thought that OAuth2.0 was the right system to choose if you want other services to use your service. I am wrong?
Okay. So first thing first. HTTP Basic is perfectly secure if you are doing it over SSL.
OAuth 2.0 is an authorisation method.
OAuth is used when you want to make API calls on behalf of a user registered on other service. The other service has to provide the OAuth functionality for it to be usable by you. Let's say, you don't want to have a Registration function in your app but want to register users via Facebook, etc, you'll give an option to sign in using Facebook. So what happens is you are asking the user to give you access to access some of their Facebook account's info (more or less). You can read about it here: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
On the other hand, you can be the provider so that other services can use your service.
Many services let you create a local account and also give you an option to signup with other services like Facebook, Google etc..... The handle the cases on their backend side.
Let's say you want to give option of Sign in with Facebook, you'll have to take care of a couple of cases:
Associating Facebook Login with an already logged-in account - This is the case where someone uses an app's custom login system to create an account. Later, while they are still logged in they want to associate their Facebook account with it. For example, people can sign up to Spotify with an email address and a password, but they can later choose to associate that account with their Facebook account using Facebook Login, such as when they want to publish their listening activity to their timeline.
For this, you want to add a Facebook log in flow, like Spotify does.
One thing you have to take care is the merging of your local account and the Facebook flow account info. It is advised that you create separate tables for this as this will ease the process when you want to add more providers like Google, etc.
Merging separately created accounts with Facebook Login - In this situation, a person logged in to your app with their own credentials such as an email and password for example. Later, when the person logs out they choose to sign in to your app using Facebook Login. Your app will now have two accounts for the same person, one created via the app login system, the other created via the Facebook Login flow. In order to provide the best experience for that person, your app should attempt to merge these accounts into one.
For this you have to request for email (assuming your app requires email for registration) from Facebook. If it's the same as the email registered in your app, you can merge these accounts. If it's not the same, then you should give an option to connect existing email/account.
You should go through the following for more info: https://developers.facebook.com/docs/facebook-login/multiple-providers
I just wanted to use webapi to play with the metadata like playlist, artists on my own account. Is it possible to do that by REST API without using /callback to web application which receives authorization code then can get the oauth token ?
I have researched here:
https://developer.spotify.com/web-api/authorization-guide/
Then I found:
https://developer.spotify.com/web-api/authorization-guide/#client-credentials-flow
That's it! You just need to get oauth token by giving your regular login and password credentials.
I'd like to be able to sign into my node app using LinkedIn, an email and password, Facebook, and possibly others. I don't want to use sessions/cookies. Instead, I want to use a header with a token for authorization -- jwt or something else. I'm open to anything here.
My question is the same as the one asked here: https://groups.google.com/forum/#!topic/passportjs/DJZZGKXDLsk -- I want the users to go through the following steps:
User comes to my site
User logs in through LinkedIn
User is redirected to post-login on my site
User can continue to interact with my site using header tokens (not session cookies)
Passport for LinkedIn OAuth2 more or less works for what I need it for, but the only problem is that it looks like this is entirely geared towards using sessions with cookies. After the callback url is hit on my server, I don't see a way to get tokens back to the client securely.
It also seems like I can use the LinkedIn frontend JS SDK to have users authenticate and post-authentication they can make a POST request to my server and at that point I would be able to confirm authentication with LinkedIn and respond with the tokens I create for authentication in the POST body. I'm not sure if this is recommended or secure and I don't love the idea of having the LinkedIn API key in the frontend JavaScript either.
How can I use LinkedIn OAuth2 to authenticate to my site and keep the authentication without cookies/sessions?
Logging people in with their Facebook accounts is quite easy with the Spotify API's auth methods. However, I couldn't find any procedure on the API docs for logging people out of Facebook.
Do I have to do this manually, utilizing the Facebook API, or does Spotify provide a way of doing this?
There is no method to log the user out in the Spotify Apps API. In order to do achieve it, you need to make a request to https://www.facebook.com/logout.php?access_token=<access_token>&next=<next>
where:
access_token is the same token you use to log a user in
next is a URL that belongs to the same domain as the registered one on Facebook for your app