MS BotFramework Temporary token issue in WebChat URL - node.js

I have developed a chatbot using Microsoft BotFramework and node.js and deployed it in webchat. As per this documentation, it is written that the bot's secret 's' can be replaced with a temporary token 't' which is valid for one conversation only.
But the problem is the life span of this token is 30 minutes and within this time window, if some intruder accesses the entire URL: "https://webchat.botframework.com/embed/YOUR_BOT_ID?t=YOUR_TOKEN_HERE&userid=some_user_id" then it is just a child’s play for him to get all of the user’s data because it mimics the chat of the actual user in the other machine.
Is there anything in the BotFramework (apart from DirectLine) that can be done that restricts the URL with the same token to be opened in another machine?

There is an issue on GH which is facing the same event with you, and with the comments, we can found that this situation will not be changed currently.
However, we can get some hints from the comment:
Ultimately, you can't hide the secret/token from clients.
If you want to remove it from the URL, you can host the JS control on your own.
If you want to remove it from page source, you can pass the value in a cookie >and read it in JS in your webpage.
However, in all cases, the value will be available in memory.
I think you can build another simple web site yourself as the bridge from the iframe and yout bot application. You can restrict your user whether is unique in this website's session. And also you can verify your user before instantiate the Bot WebChat.

Related

Saving and loading facebook instant game multiplayer data of the game

1) Is setting up webhook necessary to save json data of a context shared between players of context?
2) How to validate callback url for webhook on facebook developer console? My game is already live on facebook for single player. (No local testing)
3) Can I use my own personal https url to setup webhook?
No, you do not need to use the webhook to save context data. You can use XMLHttpRequest, fetch or a JavaScript SDK for a service like Playfab or Firebase to store data. In fact, we wouldn't even recommend you use a webhook for saving data because if the player turns off messages from your bot you will not receive any webhook callbacks.
You can validate a callback URL using the developer dashboard, including the "Show Recent Errors" button, which is really useful for spotting any issues. You can also get more information from the Webhooks item on the left nav.
You may need to clarify what you mean by "your own personal https url". As long as Facebook can hit your webhook URL, everything will work. You cannot, for example use a localhost URL.

An issue when authorizing Facebook pages in Bot Framework

The issue originates from the bot framework itself, when I add a new Facebook channel for the first time everything works as expected, what I am trying to do is connecting multiple FB pages to the same bot, I read somewhere that you can do this by re-entering the page info and clicking "resubmit", the problem is when the "resubmit" button is clicked without first clicking "Deauthorize" first causes a problem, when I analyzed the request with the browser's inspector it seems that EnableChannelForBot method throws an error.
Also we are developing a service where users can register and link their FB pages to the bot just like ChatFuel or any other famous bot platform, the main problem is that bot framework is asking for a specific page id and access token per FB bot and you must do it manually through the bot framework dashboard, can we have an easy way to register the bot to multiple FB pages and without having to do so manually through an API or something Similar? Please work with us to provide a solution for this as soon as you can, Bot Framework is vital to our work and migrating to another SDK is going to be very costly and time-consuming.
I don't think that connecting multiple Facebook pages to the same bot is supported. Where did you read that?
Also, there is no API currently you can leverage on to register your bot/enable Facebook channel.

How to track last login date for IBM Domino web user?

Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.

Instagram API throwing OAuthAccessTokenException 400 error using client id

I was using the following api to get the latest 3 posts from public accounts to show on the website:
https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id={client-id}&count=3
I had created an app to get the client-id.
However from today, this API has started throwing the following exception:
{
meta: {
error_type: "OAuthAccessTokenException",
code: 400,
error_message: "The access_token provided is invalid."
}
}
Could you please let me know as how to resolve this?
Based on the date, you probably have an older app that got hit by the API migration today, like mine. In short, Instagram decided to make developing for their platform WAY more annoying by requiring all API requests to be authenticated per user, even for data that users shares publicly. So you (like me) will likely be redesigning you app entirely.
To tell, log in to instagram.com/developer and click manage clients; then hit edit next to the set of keys your're trying to use. Up near the top, it will have a section called 'Client Status' -- if yours reads 'Sandbox Mode', fun times ahead! Hopefully you interact with less than 10 users and can stay in sandbox mode, otherwise you'll have to write an essay, film a video, and basically plead to get your permissions back (probably in a few months, when some Instagram intern finally digs his way down to you in the pile of applications). If it reads something eles, you've got another problem altogether and should thank your lucky stars.
In the meantime, I guess I'll get back to sending out dozens of emails to the maintainers of our many, many affiliated Instagram accounts to explain the issue and try to get permissions, so provided we get approved by then, all our social media displays aren't broken during a huge event Saturday. Another option might be to use the OAuth-less json response available here, but that might break terms of service.
I have a solution to this. If you are using the same code I am, which appears likely. I was pulling the last two images using this.
https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id={client-id}&count=3
What I did to get this working is the following.
Login to your Instragram account you are using as the application.
Go to the developer (API) area. https://www.instagram.com/developer/clients/manage/
Manage clients. Make sure your website URL is the same as your valid redirect URL.
Add new Sandbox User. Put in the account of the IG photos you want to reach.
Hit this URL: https://api.instagram.com/oauth/authorize/?client_id=CLIENTID&redirect_uri=REDIRECT_URI&response_type=token where the client ID is the same one you used in your previous app above.
You should get back and access token URL. Copy your access token.
Login as your account that you want the IG photos of. The account you added as a sandbox user and go to developer and approve the Sandbox Invites.
Change your original URL above from https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id={client-id}&count=3 to https://api.instagram.com/v1/users/self/media/recent/?access_token=ACCESS_TOKEN with your access token.
This is the IG API Media endpoint documentation: https://www.instagram.com/developer/endpoints/users/
After that, it all worked for me and while you are in the sandbox, you should be able to pull the last 3 photos or at this point, figure out how to read the JSON to do so.
Has your app been approved after the June 1st Instagram platform changes?
http://developers.instagram.com/post/145262544121/instagram-platform-update-effective-june-1-2016
If you want to retrieve the user media file then try this, It's working for me
https://graph.instagram.com/me/media?fields=id,caption,media_url,media_type&access_token=ACCESS_TOKEN
For some reason the token is no more valid. Request it again.
Possible reasons why a token is no more valid:
changed password
verified the account
logged-in from a different country

Share via FBSDKShareDialog ignores applink defined on target page

This has been driving me nuts all day:
I have an iOS app with a custom URL scheme defined, and am trying to share a link on FB which points to a page that has this scheme in its applink meta tags, so that tapping it should fire up my app.
Every little piece of it is working just fine. I can enter my URL scheme in safari on the phone and the browser launches my app. I have tested my webpage with the FB debug tool and there are no errors or warnings - it correctly identifies all the meta tags.
If I share the link using FB on the phone or on my laptop, all works fine.
HOWEVER, if I share the exact same link using FBSDKShareDialog, it does not work. It just opens the web page with the meta tags as if it was any regular web page.
Anyone has any idea why these two ways of sharing would be different? They look exactly the same otherwise.
If anyone else runs into this problem, here's the reply from FB:
When you share with mode automatic, the app does a fast app switch over to the FB app to show the native share dialog
The post is cached locally on the device, and it does not know about app links (since only Facebook server side knows about it)
When the user opens the FB, the user sees their cached story (with no app links behavior),
This doesn't manifest with the Web mode since the Facebook app needs
to pull from the server to get the post, in which case it has all the
app links info.
This is unlikely something that we'll fix. However, after a while, the
cache will expire, and Facebook app will re-pull the posts from the
servers, in which case the app link data will be available.
In order to test this, you can share the post on one device, and then
try clicking on the post from another device. The app links should
work at that point.
Which is kind of a lame response IMO - they parse the target page to build the preview, how hard would it be to remember the applink and use it?
There could be two possible issues:
Either the one told by #NJ, i.e. you are just trying to open the link in Facebook app, using the same device from which you posted the link.'
Solution - either open link in other device or cose and re-open your facebook app and do multiple refresh
Or You have some error in your meta tags. There is one important thing though, that Facebook never mentions, i.e. they cache the URL you provide.
So any one used the web link with meta tags the first time in Facebook, Whole meta tags will be cached, and you updated meta tags won't be parsed by facebook.
Solution
To get over with the issue, use below link
Facebook debug tool
Input your meta data included web page URL and
-click on show existing scrape information to find any error
Click on Fetch new scrape information for refreshing your URL on facebook. it will clear the cache for that URL in facebook server.

Resources