I'm struggling to generate pincode in source code. Actually I can't even guess how to do that.
I'v already read nest doc about how to make pincode.
I understood that just copy url with client id and secret. And paste it to the address bar.
If a user accept that, we can achieve the pincode.
Is it true that user find the pincode at the first prior to develper?
If I have lots of user, how can they(users) confirm pincode one by one? even though user exists only one. I think, they aren't interested in that code. Pincode is necessary for only develper.
Could you explain how to make pincode in source code?
Thank you for reading this.
PIN codes are indeed one per user, you are asking your user for access to their Nest account.
Flow is generally:
User logs into your app/account
User click your pair with Nest button and you load the Auth URL in a WebView
User logs into their Nest account and grants permissions
Either a PIN code, or a redirect with access code is returned (configurable by you)
Your app sends access code, secret, and client ID to Nest to get an access token, which you store like a password and use to access the Nest API on behalf of the user.
The Android Sample code from Nest includes the authorization flow, and is likely what you want: https://github.com/nestlabs/android-NestDK/blob/master/NestLib/src/main/java/com/nestapi/lib/UserAuthActivity.java
Related
I'm trying to implement a GET method with Express in my nodeJs application.
I'd like to do something like this in order to display user data :
router.get("/user/:idUser", (req, res) => {
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
How could I proceed ? I thought about using some encryption process to have something like :
/user/PdfgdfJFDGTfrfgdsf
Your question isn't really making sense. You don't want authentication, but you only want a user to be able to view their own data so nobody else can view it.
The ONLY way to solve that is by using some form of authentication. The user has to prove to the server that they are allowed to view that data before the user renders the page for them.
Yes, you could obscure the URL (make it some mostly unguessable string of characters), but it's not clear what problem that is solving. The user themselves won't be able to remember it or type it so it would probably have to be a link in a web page and if it's a link in an unauthenticated web page, then anyone can get to it - thus defeating the purpose.
There are cases where temporary links (often done for privileged downloads) such as what you mention /user/PdfgdfJFDGTfrfgdsf are sent via an authenticated channel (either an authenticated webpage or sent to an email address known to belong to an authenticated user) and these links contain some unique and hard to guess code. The user can then click on that link (in authenticated webpage or in email) and access that resource without further authentication. In that case, the knowledge of the code in the URL is serving as a form of proof of authentication. Because URLs may be logged in service providers or corporate infrastructure and thus not remain entirely private, this technique has its limitations and is typically only used for short term (download this resource in the next 10 minutes) type of uses, not a long term substitute for authentication and not used for things that demand real security. You don't explain enough of your use case to know whether this is practical for your situation or not.
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
That's an inconsistent statement. You say "user doesn't need to be authenticated in order to execute this code" and then you say "I don't want that anybody can execute this request with a user id of someone else.". You can't have both. The user is either required to prove authorization or they aren't. Pick one. It can't be both.
you can use jwt for this and a auth middleware for this
upon decoding jwt token, you can implement logic to check if the decodedToken.user_id (given that you add user_id when encode token payload) is equal to the :idUser in route (or any kind of logic you want) there.
I have an API method where the authentication server allows an automatic registration when the user does not exist yet on first login.
The auth server would make a call to:
PUT https://some-api/api/v1/auth/users
The handler of this method will check if the user already exists, and create it when the user does not based on email.
My question is whether there is something inherently wrong with not specifying the id in url upfront. The problem being that in fact, there is no userId yet when the user does not exist.
I know that the usual format would be:
PUT https://some-api/api/v1/auth/users/:userId
Obviously the client can check whether the user exists based on email upfront, create a POST request to create the user, or GET if the user already exists.
This introduces more network requests so I'd prefer to avoid this.
I noticed that there is some common solution to use 'email' as resource identifier.
This works for me. One remark is that I do not particularly like to use an email address in the url, but in my case it is okay as this url will only be visible within the cluster, and is not exposed to the outside network.
I'm very new to python scripting and anything online in general, but I wanted to start somewhere interesting so I came up with a goal to write a simple desktop .py file that everytime I run just simply posts 'Hello World' to my facebook wall under my name.
In the end, I managed by just hardcoding (to my knowledge) a User Access Token and using the facebook graph under that token
facebookGraph = facebook.GraphAPI(access_token="qwertyuiop")
fb_response = facebookGraph.put_object("me", "feed", message="Hello World")
now the docs say that the User Token's lifetime is quite short and I don't really like the idea of having to manually going in and copying it into my program (even if its at every 2 hours or 2 months) so I made a second attempt by instead fetching an App Token to which I enabled every permission to access my account
def FetchAppAccessToken(app_id, app_secret):
headers = {'grant_type': 'client_credentials', 'client_id': app_id, 'client_secret': app_secret}
response = requests.post('https://graph.facebook.com/oauth/access_token?', params = headers)
logging.debug(response.text)
return response
#then.. get the right substring within response and use the graph as before
but I'm always met with
facebook.GraphAPIError: An active access token must be used to query information about the current user.
I thought that maybe using the User Token was the way to go, but after several hours of trial and error including trying to get the User Token by supplying an email and password, I read that it was not possible at all without user interaction. So going back to App Tokens and more reading. I came across using PHP within Python or creating a Login Flow with OAuth/OAuth2 (which I have neither experience with) to retrieve a token that I can use, but I'm starting to feel like I'm getting off track on what I'm supposed to be using.
Is there a simpler way like providing email and password to a file that as long as its in my desktop would accomplish that task?
Also, I'd like to avoid opening any browser and click simulations to do it (if its even possible that way).
Not sure if this is the most efficient answer, but I managed by using App credentials to authenticate my login, but instead of passing it through requests, I had it go through a WebWidget to emulate a browser in which the URL would include the code or token, close the window after retrieving the value and use it to create the facebook graph and run it like normal.
facebookGraph = facebook.GraphAPI(access_token=accessToken["access_token"], version=2.7)
facebookGraph.put_object(parent_object='me', connection_name='feed', message='Hello, world')
Unfortunately it does have to go through a pseudo browser.
I haven't tried this yet but,
On the other hand, if theres a user already logged in, you could check cookies if a user is already logged in and exchange the code for an access token and just do a browser login if theres none. This way the webwidget doesnt need to popup every time the program is run.
I have a webpage which has a form which allows users to add comments to the page to give feedback.
https://express-chat-comment-ap.herokuapp.com/feedback
You'll notice a user can delete comments, not only their own comments, but all of them.
So my question is, how would you limit those privileges to only that current user?
There is a major piece to all of this which is the web page is being integrated to a website which has a user login/user account already.
Also do I have to do any research regarding what back end their using now? Or can I keep this all encapsulated with Express/Node?
What packages should I use?
Where do I start?
Thanks in advance for your help!
You're putting the horse before the cart. This isn't really a "Node/Express" question; you're not going to solve it at the Javascript level.
Instead, your main question is actually "How do I do 'security'?"
More specifically: "How do I 'authenticate' users?" "How do I grant access?" "How do I prevent access?" And so on...
SUGGESTIONS:
User Authentication with the MEAN Stack
MySQL Authentication using Passport
OAuth 2 Single Sign on Authentication with Passport
Node.js: Token based authentication
Heroku: Managing Organization Users and Application Access
You must have an authenticated and logged in userID for each user that your server authenticates and understands. Each comment must be saved with the userID of the creator and you must be able to retrieve that from your data store.
Then, your server can check who the user is that is attempting an operation (probably from a logged in cookie that accompanies the request), what the operation that is being attempted and decide if that operation is allowed by that user. For example, if the user logged in is "Bob" and they try to delete a comment from "Alice", then the server will refuse to carry out that operation.
And, your UI in the web page can not offer operations that are not allowed (though the server must always check anyway). So, if you have a delete button in the comment, you would only show that button on comments that belong to the current user.
I'm in the process of using the facebook javascript sdk to provide user login functionality for a website.
What I'd like to do is simply take the logged in user's unique facebook id and then put/fetch data to/from a mysql database using the id to determine what data is available to said user.
However I don't really feel like this is very secure. Whilst I'm not storing anything sensitive like credit-card details etc, I'd obviously prefer it to be as secure as practically possible.
My fear is that with javascript being what is it, someone could fake the facebook id and just pull whatever they wanted.
I'm aware that the php sdk would provide a solid solution to this problem, but i like the javascript one mainly because it's easy to use and I have the basis of it set up (I admit it, I'm lazy).
So, my questions are:
Would this set up be as insecure as I feel it might be?
Is there anything I can do to improve the security of such a system, other than switching to the php sdk?
Thanks!
Facebook Ids are pretty hard to make up (at most a user will only know their own). Depending on what you store in the database (which will not be anything that the user cannot get on their own, unless you ask for extended permissions)
If you are worried about a user trying to get information from the database, add an access token or signed request to each row and us that and facebook id to get data. That will greatly increase security.
EDIT
There are few occasions where you get a signed request from a user:
* A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
* A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
* A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
Signed requests will contain a user id only if the use has accepted permissions though, and are not passed again if the user enters the application, and accepts permissions (meaning that the signed request would not contain the ID). Because of this saving an access token may be a better idea. Here is more on the signed request
Also the signed request is in the url (param = "signed_request"). I always parse it through c# but I am sure you can at least get one through javascript
It's pretty easy to spoof the origin using curl. I'd imagine Facebook has another mecanism in place to make this possible. If you inspect their code, it appears that they generate an iframe and pass requests through. If I had to guess, they have setup the requests to only be made from the Facebook domain, and ensure that the iframe can only be embedded in a page that has a white listed domain.