I'm trying to create a simple script (node) that each day collects information from various APIs, including Facebook's Graph API.
The idea is simple, each day I want to collect the total friend count of my personal account, total page likes of my managed pages, total social interactions of my content (personal and from pages).
Now, if I was doing this in a web app, the normal route would be using facebook login to request the access tokens for my profile and pages, but since this is a script it does not have a public exposed url to return the authentication to.
Does anyone know of a way to manually get the tokens, to use in a scenario like this?
Thanks
Have you tried to use this node package?
If you get an accesstoken via some other Oauth module like everyauth ,
connect-auth or node-oauth you can just set the access token directly.
Most get calls, and pretty much all post calls will require an
access_token
There is also a decent article on Medium which works through this process.
Related
I am currently learning full stack dev, and have made a simple application with React on the front end, and set up a very simple REST api on my express web server that handles certain routes.
For example api/users returns a list of users from my database and returns responses as JSON data. api/blogs can return a list of blogs in JSON with a get request, or post a blog with a post request.
I have learned and been able to implement very basic user tokenization with JWT, and so only logged in users with a valid token can make a post of a blog for example. This is done by adding their token with bearer as a Authentication header in the request, which the server verifies. This makes sense to me, however I am very confused on how the backend works or if I am doing something critically wrong.
If I go to my main page for my application, and type api/blogs it opens up a page displaying JSON data. Anyone can basically view this from my application by going to api/endpoint
I am also assuming anyone from outside can use something like Postman to send a post request to my database assuming they have the token which they got since my token is saved in storage.
This is incredibly weird to me Is this just how these things work? Or am I failing to understand something crucial?
if I wanted to progress forward and learn more about this, where or what do I do?
You have described how users authenticate to your application (with a bearer token), but what steps does your application take before issuing such a token?
Does your application keep a database of users and their passwords?
If yes, can anyone sign up by inventing a user name and password?
Do you verify an email address before admitting a new user?
Or does your application rely on an external OpenID Connect service (for example, login with your Google or Facebook account)?
If yes, can anyone with a Google or Facebook account sign up for your application?
Or must an application admin (that is, you) put the user on an "allow-list"?
To summarize: Unless you take special precautions, anyone from outside can sign up to your application and subsequently use it.
I have a nestJS app that allows a user to interact with my MongoDB, mostly CRUD operations. However, this is hosted on Heroku which means that anyone can send requests and perform operations on my database.
What I would like to achieve is to have only users who have a valid token be able to use the API. The users would have to send their requests with a token v1/search/errors?token=INSERTTOKENHERE
However, all the docs I've read are getting a user to login to a frontend like you would login to Facebook or YouTube. I have a frontend but the users of the API will be applications and not people so I don't want them to have to interact with a frontend. Ideally, I can just generate a token for the application and then only apps with a token can interact.
I have searched far and wide and have not found anything like this but every public API I have used behaves like this. Any links to docs that explain how I can achieve this would be appreciated.
Thanks
Tokens are a way to identify unique and authenticated users. Login attempt is mandatory for creating a token. You need a Guard implemented to verify each user on API request. Login from a front end Application is not mandatory. You can login from postman sending the right body elements.
I'm trying to build an app that gets public information from Facebook. In the past, this type of operation would require an App Token (A token that could be used on behalf of the application to query public data). I had no problem implementing this technique with Twitter and Youtube, but Facebook looks like you can only access their API by letting a user login with Facebook via OAuth, retrieve them a personal token, and give them permission to query their own information.
I see a lot of posts related to this question, but they seem outdated. I know Facebook has been under a lot of privacy pressure lately and I'm wondering if they changed it.
Here are my questions:
Is it possible to generate an App Token used to access Facebook's Graph API?
If so, where can I find the documentation for this? I can only find information on using a user token.
I prefer to use Node.js as my backend, so any direction on where to start there would also be appreciated.
User Profiles: They always require a User Token, there is no way to access User Data without explicit authorization of the User, no matter if data is public or not.
Pages: If you manage the Page, you can use a Page Token of that Page to access data. If you want to access other Pages, you need to apply for Page Public Content Access - after that, you can use an App Token for those Pages.
In other words: App Tokens for public Pages (with PPCA), Page Tokens for Pages you own, User Tokens for User Profiles.
Btw, App Tokens do not need to be "generated", they are just "App-ID|App-Secret" (with a pipe in the middle).
I have a simple use case for the instagram api: I want to display media related to a specific tag. E.g. GET/tags/tbt/media/recent. I do not need users to authenticate with Instagram to do this, I merely wish to use my own account and access_token to make the api requests.
Unfortunately, I've run into two problems:
I cannot test this API in sandbox due to the fact that the public_content scope is only available to approved applications.
My app submission was denied because I did not provide a screencast showcasing my usage of an instagram authentication flow (my use case does not have one, and I explained that I did not need users to authenticate).
Currently, the API seems geared towards larger, richer integrations, and doesn't leave a lot of space for applications like my own.
Is there a way to accomplish what I want given the new access_token only flow?
I'm working on a project to connect Google Apps (Contacts, Gmail, etc.) to our own private software.
I'd like to use Hapi.js in order to achieve this, but since I have no expertise in the matter (OAuth, Google, etc) I found it to be quite challenging.
I wonder if it's posible to use Hapijs and Bell to handle the "ask permission" flow, and once authorized save the credentials to long-term uses.
Also, is it possible to use Bell to handle token refresh and consume api? (like requesting http://www.google.com/m8/feeds/contacts/default/full)
In the documentation for Bell, there's an example for twitter, basically you need to change the provider to Google: https://www.npmjs.com/package/bell
When you request access, you can add the parameter access_type with a value of offline. The server will response also with a refresh token that you can use in further requests to the API's without asking for the user credentials again.
You won't be able to store the actual user's credentials since it wouldn't be secure.
You can use the Google OAuth playground to learn more about the authentication process, here is the link https://developers.google.com/oauthplayground/
Here you can find more information and examples of using node.js and the Google API's