Privacy Policy URL - What if I use it for the owner's website only? - instagram

So, apparently I need to provide a Privacy Policy URL for my Instagram application.
The only reason I'm using this application, is for a website I built for a client of mine. The client wanted an automatic integration for her Instagram, so I went through the whole Instagram API hassle.
Now, the website is ready for production, so I wanted to get my app out of sandbox mode, but it looks like I need this Privacy Policy URL.
What's the best way to go about this?

Put a Privacy Policy page up on their website (really any website you can link to) and use that link. It can be a static HTML page, as long as you can link to it.
Instagram won't let you take an application like this out of Sandbox, btw. Your use case is not an approved use case. From Instagram's Developer Documentation under Invalid Use Cases:
One-off Projects. If you are an agency building websites or other integrations, note that we don't grant permissions to clients created for one-off projects. If you are interested in building a product, platform, or widget that will be used as a service across multiple projects, then you may submit a single client_id that you can use across multiple projects.
You can (probably) still achieve the outcome you're looking for but you will need to go back to the drawing board and rethink your application's use case before getting out of the Sandbox. I know some developers who really just don't understand (or care to understand) the policies and never make it out of Sandbox. It's a shame because they can read the technical portions of the documentation so easily but just can't/don't read/understand the more critical parts (like the Invalid Use Cases section).

Related

Microfrontend or how to share smart UI components?

I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar like Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning if we change how this "Application Switcher" looks we don't want all applications which use this Switcher to create a new deployment and be newly deployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was just to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The Script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script from a CDN like server and the script tag in the index.html just references this URL. This way we could change this script however we want, and all the applications will always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting a script tag and fetching from a CDN was too simplistic. Now I'm thinking if it would be better to implement a rest endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and instead can handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?

Node.JS webapp: Authentication, Create Account, Forgot Password and Change Password

I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and saves the developer the trouble)? Or does each developer have to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secure enough that applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is open source (on GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example:
What happens if a user tries to create an account that already exists?
What happens if a user tries to create an account that already exists but is inactive?
What about the password policy (too long/too short/how many capitals, etc.)?
What about sending the email with the activation link to the user? How do you create this link? Should you encrypt it?
What about the controller that will receive the click on the link and activate the account?
And more...
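The activation-link questions raised in the answer above (how the link is created, whether to encrypt it, what the receiving controller checks) can be shown in a short added example. It is not code from authentication-flows-js or from the original post; the function names, the 24-hour lifetime and the `/activate` route are assumptions, and it signs the token with an HMAC instead of encrypting it, since the payload only needs to be tamper-proof, not secret.

```javascript
const crypto = require('crypto');

// Assumption: in production the key is loaded from a secret store and stays stable
// across restarts; a random per-process key is used here so the example runs stand-alone.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 24 * 60 * 60 * 1000; // assumed policy: link valid for 24 hours

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) => crypto.createHmac('sha256', SECRET).update(payload).digest();

// Token format (hypothetical): base64url(JSON claims) + "." + base64url(HMAC-SHA256)
function createActivationToken(userId, now = Date.now()) {
  const claims = { uid: userId, exp: now + TTL_MS, purpose: 'activate' };
  const payload = b64url(JSON.stringify(claims));
  return `${payload}.${b64url(sign(payload))}`;
}

// Returns the user id if the token is authentic, unexpired and issued for
// activation; returns null for anything else.
function verifyActivationToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  const expected = sign(payload);
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // The purpose claim stops a token minted for another flow (e.g. password
  // reset) from being replayed against the activation endpoint.
  if (claims.purpose !== 'activate') return null;
  if (typeof claims.exp !== 'number' || now > claims.exp) return null;
  return claims.uid;
}

// Link placed in the activation e-mail; baseUrl is the application's own origin.
function activationLink(baseUrl, userId, now = Date.now()) {
  const token = createActivationToken(userId, now);
  return `${baseUrl}/activate?token=${encodeURIComponent(token)}`;
}
```

The controller behind `/activate` would call `verifyActivationToken` on the query parameter and should treat an already-active account as a no-op, so a replayed link changes nothing.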

DocuSign Console within iFrame

I'm currently trying to place the DocuSign console onto my website. My current method is using an iFrame but I'm wondering if that is secure and the optimal way of doing it. I was also wondering if the DocuSign API has a solution to that implemented already because I couldn't find one after playing around on the website with various code sources.
Preferably, users would be able to go to some part of the website, view the contract or document they need to sign on the website without having to leave the website. This includes viewing the document on the website as well, such as using an iFrame allows.
Using iframes to host DocuSign embedded signing is not a good idea for a few reasons.
Typically to have a good experience it is recommended to use a large window.
Security Concerns. The users of your app wouldn't be able to see the DocuSign URL as well as the green check to know they're using a secure website which should make them feel more confident about using your integration.

How to implement and hide admin zone on the website without login/registration system?

I'm new to web development, and I'm currently making a presentation website (home, services, news, vacancies) for a small company. I'm using Node.js, Express and MongoDB.
The client wants to manage certain content on the website, therefore there needs to be a dashboard, where only admins could login/register. But website design does not provide any login/registration system for users.
The question is, where do I put a dashboard and how should I hide it from ordinary users? Should I just use a URL, like mysite.com/admin, which should be typed by the admin whenever he wants to get to the admin login/dashboard zone (it seems quite unsafe, since everybody on the internet could type that and get to the login form)? Or maybe I should make a separate desktop app for managing website content?
How should I approach this problem, what are the best practices?
Thanks!
You don't need to reinvent the wheel, as I think you can first explore CMS systems and check if the tools cover your requirements, since CMS tools bring in a lot of website admin capabilities as out-of-the-box features.
Following links will get you started.
https://en.wikipedia.org/wiki/Content_management_system
https://en.wikipedia.org/wiki/Web_content_management_system

Instagram API Permissions Rejected for iOS App to Pull Public Content Data

My iOS app needs to use Instagram API to load some images, user feedback based on geo location. I requested public_content permissions from Instagram team but got rejected with explanations below even though I filled out as much info as possible. Note I have my app in development only and website looks very minimal but some designs and lots of description was submitted for review.
How to resolve this issue of getting these basic permissions? I googled and I notice this is a common problem.
General issues: Invalid Use Case: The use case described in your submission notes, screencast and website is not a valid use case that we allow on our Platform. Please see our Permissions Review and valid use cases description (https://www.instagram.com/developer/review/) for more information.
public_content: This permission (public_content) does not support the use case you described in your submission notes, screencast and website. Please review Login Permissions (http://instagram.com/developer/authorization/) for a comprehensive list of permissions and valid use cases.
Perhaps this helps. I have tried two times but our app was declined. I will write the submission text one more time. I also want to go more into detail as the new FAQ says that Instagram expects a very detailed submission.
Cheers, Christian
FAQ
My submission was rejected but it was a valid use case. What should I do?
A common reason for rejecting a submission is that we do not have enough information to make an assessment of your app. This can happen if your submission was too short, if it missed important information, if you did not provide a good screencast, your website is not working, etc. Before you submit for review again, make sure to provide a long and clear explanation of what your app does and how you use every permission. Make sure also to provide a video screencast and to follow all our Platform Policies.
What should I write in the submission?
The submission should be long enough for us to understand exactly what your app does and why you need the permissions you are asking for. If your submission is too short or does not explain all parts of your integration, then we may not be able to understand and approve your app. For example, your submission should explain what does your app or company do, which of the approved use cases your integration falls into, who will be using your app, how do your user authenticate with your app, how you use the API to power your integration, how does your product use the data acquired from Instagram, etc.
What should I show in the video screencast?
The video screencast is a very important part of a submission and cannot be omitted. Please make sure that the video clearly shows how your application works, including any Instagram login experience and the usage of every permission you are requesting. Since your app may still be in sandbox mode, you can use data from sandbox users to showcase the integration.
My company is working with multiple clients, should I submit one app per project?
No, we do not approve apps that are created for one-off projects (e.g. a hashtag campaign, an event, a website). You should use a single client_id across all your integrations.
Can I revoke a submission if I made a mistake?
You can't cancel a submission that is in progress. You will need to wait until the submission has been reviewed before you can start a new one.
