Simple Python script to post in facebook wall - python-3.x

I'm very new to python scripting and anything online in general, but I wanted to start somewhere interesting so I came up with a goal to write a simple desktop .py file that everytime I run just simply posts 'Hello World' to my facebook wall under my name.
In the end, I managed by just hardcoding (to my knowledge) a User Access Token and using the facebook graph under that token
facebookGraph = facebook.GraphAPI(access_token="qwertyuiop")
fb_response = facebookGraph.put_object("me", "feed", message="Hello World")
now the docs say that the User Token's lifetime is quite short and I don't really like the idea of having to manually going in and copying it into my program (even if its at every 2 hours or 2 months) so I made a second attempt by instead fetching an App Token to which I enabled every permission to access my account
def FetchAppAccessToken(app_id, app_secret):
headers = {'grant_type': 'client_credentials', 'client_id': app_id, 'client_secret': app_secret}
response = requests.post('https://graph.facebook.com/oauth/access_token?', params = headers)
logging.debug(response.text)
return response
#then.. get the right substring within response and use the graph as before
but I'm always met with
facebook.GraphAPIError: An active access token must be used to query information about the current user.
I thought that maybe using the User Token was the way to go, but after several hours of trial and error including trying to get the User Token by supplying an email and password, I read that it was not possible at all without user interaction. So going back to App Tokens and more reading. I came across using PHP within Python or creating a Login Flow with OAuth/OAuth2 (which I have neither experience with) to retrieve a token that I can use, but I'm starting to feel like I'm getting off track on what I'm supposed to be using.
Is there a simpler way like providing email and password to a file that as long as its in my desktop would accomplish that task?
Also, I'd like to avoid opening any browser and click simulations to do it (if its even possible that way).

Not sure if this is the most efficient answer, but I managed by using App credentials to authenticate my login, but instead of passing it through requests, I had it go through a WebWidget to emulate a browser in which the URL would include the code or token, close the window after retrieving the value and use it to create the facebook graph and run it like normal.
facebookGraph = facebook.GraphAPI(access_token=accessToken["access_token"], version=2.7)
facebookGraph.put_object(parent_object='me', connection_name='feed', message='Hello, world')
Unfortunately it does have to go through a pseudo browser.
I haven't tried this yet but,
On the other hand, if theres a user already logged in, you could check cookies if a user is already logged in and exchange the code for an access token and just do a browser login if theres none. This way the webwidget doesnt need to popup every time the program is run.

Related

How can I protect a express route without authentication?

I'm trying to implement a GET method with Express in my nodeJs application.
I'd like to do something like this in order to display user data :
router.get("/user/:idUser", (req, res) => {
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
How could I proceed ? I thought about using some encryption process to have something like :
/user/PdfgdfJFDGTfrfgdsf
Your question isn't really making sense. You don't want authentication, but you only want a user to be able to view their own data so nobody else can view it.
The ONLY way to solve that is by using some form of authentication. The user has to prove to the server that they are allowed to view that data before the user renders the page for them.
Yes, you could obscure the URL (make it some mostly unguessable string of characters), but it's not clear what problem that is solving. The user themselves won't be able to remember it or type it so it would probably have to be a link in a web page and if it's a link in an unauthenticated web page, then anyone can get to it - thus defeating the purpose.
There are cases where temporary links (often done for privileged downloads) such as what you mention /user/PdfgdfJFDGTfrfgdsf are sent via an authenticated channel (either an authenticated webpage or sent to an email address known to belong to an authenticated user) and these links contain some unique and hard to guess code. The user can then click on that link (in authenticated webpage or in email) and access that resource without further authentication. In that case, the knowledge of the code in the URL is serving as a form of proof of authentication. Because URLs may be logged in service providers or corporate infrastructure and thus not remain entirely private, this technique has its limitations and is typically only used for short term (download this resource in the next 10 minutes) type of uses, not a long term substitute for authentication and not used for things that demand real security. You don't explain enough of your use case to know whether this is practical for your situation or not.
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
That's an inconsistent statement. You say "user doesn't need to be authenticated in order to execute this code" and then you say "I don't want that anybody can execute this request with a user id of someone else.". You can't have both. The user is either required to prove authorization or they aren't. Pick one. It can't be both.
you can use jwt for this and a auth middleware for this
upon decoding jwt token, you can implement logic to check if the decodedToken.user_id (given that you add user_id when encode token payload) is equal to the :idUser in route (or any kind of logic you want) there.

OpenID authentication through Steam

I've spent the better part of the day trying to figure out how OpenID works. My goal is to set up a simple site where, upon clicking a login button, users are taken to a Steam login-page, where they are prompted for username and password. After successfully logging in, the user is redirected to a page on my domain, where I collect the query string parameters. They look like this:
{
"openid.ns": "http://specs.openid.net/auth/2.0",
"openid.mode": "id_res",
"openid.op_endpoint": "https://steamcommunity.com/openid/login",
"openid.claimed_id": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.identity": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.return_to": "http://127.0.0.1:8000/resolve",
"openid.response_nonce": "2018-12-01T14:49:46Z30hhn2/[someTEXTendingIN=]",
"openid.assoc_handle": "1234567890",
"openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
"openid.sig": "[someTEXTandNUMBERSendingIN=]"
}
What I am unable to solve though, is the actual authentication issue. I'm not sure what to do with this data. I want to have my own database where I store more information about the user, such as friends, messages, currency etc. For this, it is very important that I can verify that someone didn't just take this request body, change their ID for another and in that way access their account.
I'm pretty sure these are the relevant pieces of documentation, but it still isn't clear to me. How am I supposed to authenticate the user with this data?
I've omitted some values in this post that I fear could be bad to share. These placeholders have been outlined with brackets []. Also, that assoc_handle is really 1234567890, which kind of puts me off, since according to the OpenID documentation, it is used for determining the signature.
To be clear: this page where credentials are collected is not run by me, but is the official OpenID sign-in page for Steam. Steam is a gaming platform. https://steamcommunity.com/dev/ for reference.
For Steam authentication in nodejs you can use Passport.
Passport is an authentication library that works best with Express-based web application.
There is a steam-strategy that can handle your steam authentication.
Check passport here
And this is the Repository for Steam strategy. There is an example folder that you can see how to setup your Steam authentication.

Node.js Two-Factor Authentication

I am working on a personal program using node.js that uses authentication for Steam app specifically. The login reads the username and password from an external .txt file and it works using array positioning, split by a ‘:’ (colon). Now this is where I need help. With some accounts Steam uses a two factor code that is randomly generated by time on a mobile app or by email. At this time, I have my program so it checks to see if the account has the authentication code enabled and if it does I have it prompt to manually put in the appropriate two factor code. I know that there is a way to incorporate my program to pull this authentication code and put it in without having the user to do so manually but I don’t know where to start.
Problem: I want the program to pull a randomly generated code and automatically set it in without having to do anything manual.
Code is as follows:
else if (eresult === Steam.EResult.AccountLoginDeniedNeedTwoFactor)
{
login.two_factor_code = readline.question(`[${param[0]}] Mobile auth code: `);
client.disconnect();
client.connect();
}
else if (eresult === Steam.EResult.AccountLogonDenied)
{
login.auth_code = readline.question(`[${param[0]}] Steam Guard code: `);
client.disconnect();
client.connect();
}
Thank you.
Two factor authentication (2FA) is a principle where you're authorized to a resource by two separate factors. 1. something you know (login/pass) 2. something you have (a phone with a 2FA app installed, like Google Authenticator, Authy, also I think there's an app for this made by Steam).
If I understood you correctly - you want to store passwords and 2FA details in your app. Probably there's a technical way to do it, but I would not use such an app. This is a big security no-no. Better to ask users of your app to provide login/password each time, and if Steam API asks for second factor - ask the users for it.
As I seen most APIs - you could probably get a special token so the user don't have to login and provide the code each time without storing the password etc. Dig in the docs - you'll find it. (Unless you don't use any official Steam API, but it looks form the code that you probably do)

Ident/auth with temporary URLs in Pyramid

I'm building a Pyramid application. In "normal" usage, users have to use typical username/password to login and do much of anything. The Pyramid documentation made it pretty easy to cut and paste and get that going.
However, now I want to extend limited (both in authority and time -- permission expires on a given date) editing ability to people that I don't want to experience any account/password UI. I just want to email them a link that I generate, and when they click on the link I want them to land on the associated page and get identified and authorized to make some limited changes.
All the obvious stuff like generating a link, storing it in the database, associating a username and expiration date, is no problem. It's plugging this into the Pyramid ident/auth framework that I don't know how to do. I made it this far without really understanding their code in depth, and am hoping that someone has a code example of what I want to do lying around that could allow me to continue to not dive into that topic.
Or if the answer is stop being lazy and read the documentation, well, it cost me little to ask. :-)
Create a random number and expiration date and store them in database. Generate a link with this number and send it to the user. Check that when the link is clicked its generated random number matches one in the database. Authenticating Pyramid user by hand:
from pyramid.security import remember, forget
def authenticate_user(request, user)
if not user.can_login():
raise AuthenticationFailure('This user account cannot log in at the moment.')
# get_session_token_from_user() is your custom function.
# It usually returns user.id - it's the key how session backend maps sessions
# back to authenticated user.
token = get_session_token_from_user(user)
headers = remember(request, token)
# assert headers, "Authentication backend did not give us any session headers"
if not location:
location = get_config_route(request, 'websauna.login_redirect')
# Send any custom events related to user login your appplication cares of
e = events.Login(request, user)
request.registry.notify(e)
# Redirect user to the post-login form location
return HTTPFound(location=location, headers=headers)
For the specific use case of doing one time email link logins like Slack or Medium please see websauna.magiclogin addon.

Facebook Javascript SDK security

I'm in the process of using the facebook javascript sdk to provide user login functionality for a website.
What I'd like to do is simply take the logged in user's unique facebook id and then put/fetch data to/from a mysql database using the id to determine what data is available to said user.
However I don't really feel like this is very secure. Whilst I'm not storing anything sensitive like credit-card details etc, I'd obviously prefer it to be as secure as practically possible.
My fear is that with javascript being what is it, someone could fake the facebook id and just pull whatever they wanted.
I'm aware that the php sdk would provide a solid solution to this problem, but i like the javascript one mainly because it's easy to use and I have the basis of it set up (I admit it, I'm lazy).
So, my questions are:
Would this set up be as insecure as I feel it might be?
Is there anything I can do to improve the security of such a system, other than switching to the php sdk?
Thanks!
Facebook Ids are pretty hard to make up (at most a user will only know their own). Depending on what you store in the database (which will not be anything that the user cannot get on their own, unless you ask for extended permissions)
If you are worried about a user trying to get information from the database, add an access token or signed request to each row and us that and facebook id to get data. That will greatly increase security.
EDIT
There are few occasions where you get a signed request from a user:
* A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
* A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
* A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
Signed requests will contain a user id only if the use has accepted permissions though, and are not passed again if the user enters the application, and accepts permissions (meaning that the signed request would not contain the ID). Because of this saving an access token may be a better idea. Here is more on the signed request
Also the signed request is in the url (param = "signed_request"). I always parse it through c# but I am sure you can at least get one through javascript
It's pretty easy to spoof the origin using curl. I'd imagine Facebook has another mecanism in place to make this possible. If you inspect their code, it appears that they generate an iframe and pass requests through. If I had to guess, they have setup the requests to only be made from the Facebook domain, and ensure that the iframe can only be embedded in a page that has a white listed domain.

Resources