I want to get the email address of the logged in user, not the email address of the profile. I am using chrome.identity.getProfileUserInfo in my extension popup. It works fine when I a user is logged in, I get the email address. But it also gives me the email address when i am not logged in. I guess the profile is not dependent on the login status?
I am concerned with getting the wrong email address on a shared machine. How can I be sure that I am only getting the email address of the person sitting at the keyboard?
Related
I am using this python3 Linkedin API:
https://github.com/DEKHTIARJonathan/python3-linkedin#production-authentication
I have 4 permissions on my profile:
r_basicprofile
r_emailaddress
rw_company_admin
rw_share
Even though this API seems to have nearly everything, I can't figure out how to get a member's email address.
For example when I query my own profile, (through the .get_profile() function), I don't get my email address. I looked through the API code and there doesn't seem to be a way to get a profile's email address.
For people who've used this API, how do you get a profile's email address? Because I can't produce even my own profile's email address
GET http://api.linkedin.com/v1/people/~:(email-address)
this api-call will give you a users email.
I am trying to implement the email verification system on Parse-Server (/Heroku), when a user account is created; so that the user can confirm his/her account creation.
Things are working well for those matters:
I can create a working account.
The user receives the verification email that is expected.
The problem is this:
When the user clicks on the link inside the verification email. This is what appears in the browser:
{"error":"unauthorized"}
Has anyone seen a similar issue and knows how to solve it?
I just setup the basic JHipster application and set in the FB client ID and secret. However, when I try to login by not sharing the email - I see that it gets redirected to my app with a success. I can handle the no email exception on application.
Instead , I wanted FB to make sure that my email was a mandatory field. How do I do that?
You can't force Facebook to return an email address for a user. It may also be null on their end (if the user signed up with a phone number). You will have to handle it in your application. This is the same case with Twitter - they simply don't provide the user's email.
Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.
https://developers.facebook.com/docs/facebook-login/permissions/
Like you mentioned, you need to handle it in your application. You could catch the fact the email is null and prompt the user to enter an email.
I have a registration form in my website. I don't want to give away information about the existence of an e-mail address for security reasons. How should we, security wise, handle the "e-mail already exist" scenario without giving this information away?
Theoretically, its impossible, think about the email as the user name, you will inform the user that the user name is already reserved or taken, the same applies for the email address.
You can let the user enter his email twice by typing to ensure that he didn't enter other email by mistake, how ever, if the user entered his email wrongly twice, then, its his problem!
On the other hand, you won't send the confirmation email for already confirmed users, also for emails that are not stored at your side, you need to put this message in your confirmation emails:
If you are not {First Name + Last Name} then please ignore this email or something similar.
I hope this will help.
You could make it so the user can create an account / sign in with openid/google/facebook/yahoo. That way those sites hand the auth and if they can log in successfully through those you can collect any additional information you need.
You could alternatively have them create an account by first only providing an email. You would email the user with a link where they could continue the registration process if they don't already have an account. If an account is already created you can send an email saying something like: a request was made to create an account using this email address, but an account already exists. If this wasn't you then....
I have a question about security flow of confirmation link.
I have a website on which you have to fill your email address and password after filing these information my app sends an email with a secure link to user email address. After clicking on confirmation email user automatically gets logged inside the application.
Now question :
Is there a security risk to auto login user on clicking of confirmation link ?
Is there and security risk to auto login user on clicking of confirmation link? Yes and no. It depends on what is in the link. What I would do is I would have two field in database activate_code, that is randomly generated and is_activated which is defaulted to 0. Then I will send a link to activation code and another email with activation link. Once at activation link, user will fill code and account will be activated. redirect him to login page.
Do not send user emails or any other information. just send random codes or something similar
That is my cent!
Yes there is a security concern, as Gumbo points out.
Since the user has provided an email & password, why not require he be logged in to access his confirmation page?