I am looking to integrate the buildfire auth for onLogin method.
I created a custom plugin and in the settings tab i checked the 'Require Login' checkbox. That way, now when i open this plugin in app it navigates me to the login page.
I now need to get the information right after user log in into the app. For this, in the wiget index.html file i added below script, which should do a callback as stated in the documentation.
Here is my code, which calls my external url and create a log there.
buildfire.auth.onLogin(function(err, profile){
$.ajax({
url: MY_URL_HERE,
data: {'user': profile},
dataType: "json",
success: function(response){
//response
}
});
});
This code is not seem to be working. However other methods in the Auth are working for me. Can someone please let me know what i am missing here?
Also, is there any method similar to this for registration as well? like OnRegister or something. Please let me know other possibilities.
Thank you.
Related
I want to send a request to this Amazon Alexa API.
That page contains the last 50 activities I made with my Amazon Echo. The page returns JSON. Before you can request that page, you need to authorize your account, so the proper cookies are set in your browser.
If I do something simple as:
const rp = require("request-promise");
const options = {
method: "GET",
uri: "https://alexa.amazon.com/api/activities?startTime=&size=50&offset=-1",
json: true
};
rp(options).then(function(data) {
console.log(data);
}).catch(function(err) {
console.log(err);
});
I can send a GET request to that URL. This works fine, except Amazon has no idea it's me who's sending the request, because I haven't authorized my NodeJS application.
I've successfully copied ~10 cookies from my regular browser into an incognito tab and authorized that way, so I know copying the cookies will work. After adding them all using tough-cookie, it didn't work, unfortunately. I still got redirected to the signin page (according to the error response).
How do I authorize for this API, so I can send my requests?
I have been looking for a solution for this too. The best idea I have is to use account linking, but I haven't try it yet. Looks like ASK-CLI has interface for this also, but I can't figure it out how to use it (what is that URL?). For linking account to 3rd party server is not easy, but link it back to Amazon for the json API should not be that complicated.
there is a website that works with virtual items for an online game. I made a chrome extension that automates some actions on that website. Since I'd like to make this run on my raspberryPi (and chromium with the extension seems to be too slow and unefficient) I am trying to move this into node.js.
The login for the website works with Steam OpenID. It allows you to select items from a list, click a few buttons, then it sends you a tradeoffer on steam.
My extension works with the website while I was logged in there. It receives their database with jQuery getJSON, loops through the array, pushes some values into an array and then sends a post request telling the website which items I want and which items I am offering.
Here is how I am sending the request from chrome:
function withdrawXHR(botId, playerItems, botItems) {
$.ajax({
url: websiteURL,
type: 'post',
data: {
"steamid": botId,
"peopleItems": playerItems,
"botItems": botItems
},
success: function (data) {
console.error('>> Done: ' + data)
console.log("")
},
error: function(XMLHttpRequest, textStatus, errorThrown) {
console.error('>> Error: ' + errorThrown)
console.log("")
}
});
}
I can do everything in node so far like receiving their database, working through it, filter out the values I need, but I can't manage to send a working request. The problem is probably the login / how the website knows who I am.
I used wrapAPI (a chrome extension) to catch the request that is being sent when manually working with the website. Here is what it looks like:
So these are the things I am wondering about:
How would I send this request from node?
How does the website know who I am? They obviously know, because they are sending me an offer, but I can't see any "personal" data in that request.
Would I need to log into Steam OpenId from Node in some way? Is that possible?
What is a CF-RAY? (See the end of the captured request).
I am quite new to JS and requests in general and even "newer" to Node.js. I don't fully understand how the background of sending requests works. I would just need some tips, ideas on how to achieve my goal here.
Any help is greatly appreciated! Thank you! :)
You cannot use XMLHttpRequest for resources across domains. ( incidentally, unless you are using an extension)
I would look into grabbing express.js, and something called CORS. CORS permits cross-domain requests.
Here: http://enable-cors.org/server_expressjs.html
And here is some information on XHR requests in browser extensions: https://developer.chrome.com/extensions
I'm using chrome.identity to log into a 3rd party oauth provider in an chrome extension. It works fine for logging in- when I use launchWebAuthFlow I am presented with the third party login screen and redirected back to my application after the signin flow.
However, I can't find a way to enable log out functionality in my extension. There doesn't seem to be a function to clear the cached logged in identity. The next time that launchWebAuthFlow is called, it will automatically log me in as the first user, and not prompt me to log in again.
Is there any way to clear the logged in state of the chrome.identity plugin?
I am not aware about the specific third party provider. But I faced the similar problem when using Google Oauth with chrome.identity.launchWebAuthFlow(). I could sign in the user, but not sign out using removeCachedAuthToken()
In this case, to logout the user, I used chrome.identity.launchWebAuthFlow() with Google's logout URL rather than it's oauth URL
chrome.identity.launchWebAuthFlow(
{ 'url': 'https://accounts.google.com/logout' },
function(tokenUrl) {
responseCallback();
}
);
This worked pretty well.
I've found that calling these two in the sequence is working:
var url = 'https://accounts.google.com/o/oauth2/revoke?token=' + token;
window.fetch(url);
chrome.identity.removeCachedAuthToken({token: token}, function (){
alert('removed');
});
You should add prompt=select_account to your auth URL. Your problem will be solved.
https://accounts.google.com/o/oauth2/auth?client_id={clientId}&response_type=token&scope={scopes}&redirect_uri={redirectURL}&prompt=select_account
For me, https://accounts.google.com/logout does not work. But https://accounts.google.com/o/oauth2/revoke?token=TOKEN work well, using simple window.fetch(url), not with hrome.identity.launchWebAuthFlow.
You can clear the identity cache using the chrome.identity.removeCachedAuthToken(object details, function callback) method.
https://developer.chrome.com/apps/identity#method-removeCachedAuthToken
I happened to hit the same problem recently, and I finally solved it by adding login_hint=<new_user> and prompt=consent in the login URL.
I could achieve result only with this implementation
chrome.identity.getAuthToken({ 'interactive': false }, currentToken => {
if (!chrome.runtime.lastError) {
// Remove the local cached token
chrome.identity.removeCachedAuthToken({ token: currentToken }, () => {})
// Make a request to revoke token in the server
const xhr = new XMLHttpRequest()
xhr.open('GET', `${googleRevokeApi}${currentToken}`)
xhr.send()
// Update the user interface accordingly
// TODO: your callback
}
})
If you try launchWebAuthFlow to logout but get User interaction required error, then you need to add one more flag along with the url:
chrome.identity.launchWebAuthFlow (
{'url': 'https://some-logout-url/',
'interactive': true },
function(result) {
console.log(result);
}
);
I'm using the Hapi framework (nodejs) with the Bell module, working with the Twitter provider.
It was pretty simple to get a working code with the example given in the github page. I access the /login route and I get redirected to Twitter, where I authorize the app and then I'm redirected back to /login?oauth_token=xxxxxxx&oauth_verifier=xxxxxxx where I can have access to the user profile in the request.auth.credentials.
The problem came when I tried to reject the app. Instead of clicking the "Sign In" button on Twitter, I clicked the "Cancel" button and then the "Return to site name" button. This last button redirects me to /login?denied=xxxxxx and then I'm redirected (again) to Twitter to approve the app.
I tried to handle this scenario using another example in the same page https://github.com/hapijs/bell#handling-errors but can't get it to work.
server.route({
method: ['GET', 'POST'],
path: '/login',
config: {
auth: {
strategy: 'twitter',
mode: 'try'
},
handler: function (request, reply) {
if (!request.auth.isAuthenticated) {
return reply('Authentication failed due to: ' + request.auth.error.message);
}
return reply.redirect('/home');
}
}
});
It seems that before checking the request.auth it interprets the /login route and redirects to Twitter. I still don't understand very well the Bell module but it might be that the Twitter strategy is expecting the oauth_token and oauth_verifier in the request.params, but the denied param is not interpreted by the strategy and that's why the redirect happens.
Has somebody managed to handle this scenario?
I found a workaround. It's not an optimal solution but at least allows me to handle the rejection from Twitter.
I had to modify a file inside the bell module. In bell/lib/oauth.js, before the verification of oauth_token
exports.v1 = function (settings) {
var client = new internals.Client(settings);
return function (request, reply) {
var cookie = settings.cookie;
var name = settings.name;
// Sign-in Initialization
// Verify if app (Twitter) was rejected
if (name=='twitter' && request.query.denied) {
return reply(Boom.internal('App was rejected'));
}
if (!request.query.oauth_token) {
// Obtain temporary OAuth credentials
var oauth_callback = request.server.location(request.path, request);
With that change I can catch and show the auth error in the handler, without the automatic redirect.
At least this is the way I managed to make it work. The cons of this modification is that if the bell module is updated then the modification is lost and the bug arise again, unless the updated module comes already with a fix for this. So, you have to keep an eye on that.
Here's the link off the Github issue I created on the Bell repository regarding this bug.
I'm beginning to build out an API using .NET Web API. I'm coming across scenarios where I need to think about how to prevent abuse of my API. Take this example:
On my account creation form, I have a client-side check to see if the username is taken. This check is something like this:
var exists = false;
$.ajax({
url: '/api/people?username=' + name,
method: 'GET',
async: false,
success: function (response) {
exists = response;
},
error: function (XMLHttpRequest, textStatus, errorThrown) {
//alert('error');
}
});
return exists;
My ultimate question is: how do best secure my API so that someone can't build something that just pings https://example.com/api/people?username=blah looking for info? I've read about adding Basic Auth, but how is that design best implemented in this scenario?
You could consider using Access Control rules and only allow calls from www.example.com, so if someone calls from www.othersite.com, it will reject the request.
Access Control
Same-Origin Policy
But if you're trying to allow outside sites to access your API, you will definitely need authentication. Hope this helps!!