I want to set up a way for my server to grab all of my instagram photos and put them on a website. I'm trying to use this lib https://github.com/mckelvey/instagram-node-lib.
It says I need to auth as the user (myself) to get the photo feed. Can I do this in an automated way from the server? I don't want visitors to my site to have to login...
I just can't figure out how to get my own feed for an anonymous user on my site. I don't want to deal with redirects and urls, I just want to get my own feed server-side.
Thanks!
How to setup instagram-node-lib (for a personal site)
http://instagram.com/developer/ - Fill out the info, both the URLs can just be yourdomain.com
You should get a Client ID / Client Secret!
You’ll also need your user id (which is not your username) and an access_token (basically the idea is that you have to prove you are a particular person in case the user you are trying to get photos for is viewable).
Now, since I’m guessing you get all fuzzy when people start talking about OAuth stuff (me too) here’s a lame way to grab a access_token:
http://instafeedjs.com
Just search the page for a “click here” link, you’ll walk through the OAuth process for this tiny bit of JS and the page will come back with your access_token.
Now, for a small bit of code to prove what we did just worked:
Instagram = require('instagram-node-lib');
Instagram.set('client_id', '*******');
Instagram.set('client_secret', '*******');
Instagram.set('access_token', '*******');
console.log(Instagram.users.recent({ user_id: ******* })); // Notice the distinct lack of quotes around the user_Id
HIGHFIVE!
Related
I've spent the better part of the day trying to figure out how OpenID works. My goal is to set up a simple site where, upon clicking a login button, users are taken to a Steam login-page, where they are prompted for username and password. After successfully logging in, the user is redirected to a page on my domain, where I collect the query string parameters. They look like this:
{
"openid.ns": "http://specs.openid.net/auth/2.0",
"openid.mode": "id_res",
"openid.op_endpoint": "https://steamcommunity.com/openid/login",
"openid.claimed_id": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.identity": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.return_to": "http://127.0.0.1:8000/resolve",
"openid.response_nonce": "2018-12-01T14:49:46Z30hhn2/[someTEXTendingIN=]",
"openid.assoc_handle": "1234567890",
"openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
"openid.sig": "[someTEXTandNUMBERSendingIN=]"
}
What I am unable to solve though, is the actual authentication issue. I'm not sure what to do with this data. I want to have my own database where I store more information about the user, such as friends, messages, currency etc. For this, it is very important that I can verify that someone didn't just take this request body, change their ID for another and in that way access their account.
I'm pretty sure these are the relevant pieces of documentation, but it still isn't clear to me. How am I supposed to authenticate the user with this data?
I've omitted some values in this post that I fear could be bad to share. These placeholders have been outlined with brackets []. Also, that assoc_handle is really 1234567890, which kind of puts me off, since according to the OpenID documentation, it is used for determining the signature.
To be clear: this page where credentials are collected is not run by me, but is the official OpenID sign-in page for Steam. Steam is a gaming platform. https://steamcommunity.com/dev/ for reference.
For Steam authentication in nodejs you can use Passport.
Passport is an authentication library that works best with Express-based web application.
There is a steam-strategy that can handle your steam authentication.
Check passport here
And this is the Repository for Steam strategy. There is an example folder that you can see how to setup your Steam authentication.
lets say for example i have my website like that:
http://whatever.herokuapp.com/
and i don't want anyone to view it until he enter a password on the URL like that.
http://whatever.herokuapp.com/pw=1231fd1ffs
i am using angular for this project and i am connecting to some apis.
how i can do something like this.
this is what i am looking to do.
Do a GET request and give it the parameter as:
http://whatever.herokuapp.com/?pw=1231fd1ffs
Then, on server side you should check if the password is, in fact, correct and if it is just return the new web.
However, this is not really advisable. Anyone could access if they have the full link with the password. Instead of this you should do a form with a POST request asking for the password. Or even better, a users db so everyone would have his own password and third persons will not be allowed to log in.
After POST request just return the full web the same way you would do it with a GET
I'm building a Pyramid application. In "normal" usage, users have to use typical username/password to login and do much of anything. The Pyramid documentation made it pretty easy to cut and paste and get that going.
However, now I want to extend limited (both in authority and time -- permission expires on a given date) editing ability to people that I don't want to experience any account/password UI. I just want to email them a link that I generate, and when they click on the link I want them to land on the associated page and get identified and authorized to make some limited changes.
All the obvious stuff like generating a link, storing it in the database, associating a username and expiration date, is no problem. It's plugging this into the Pyramid ident/auth framework that I don't know how to do. I made it this far without really understanding their code in depth, and am hoping that someone has a code example of what I want to do lying around that could allow me to continue to not dive into that topic.
Or if the answer is stop being lazy and read the documentation, well, it cost me little to ask. :-)
Create a random number and expiration date and store them in database. Generate a link with this number and send it to the user. Check that when the link is clicked its generated random number matches one in the database. Authenticating Pyramid user by hand:
from pyramid.security import remember, forget
def authenticate_user(request, user)
if not user.can_login():
raise AuthenticationFailure('This user account cannot log in at the moment.')
# get_session_token_from_user() is your custom function.
# It usually returns user.id - it's the key how session backend maps sessions
# back to authenticated user.
token = get_session_token_from_user(user)
headers = remember(request, token)
# assert headers, "Authentication backend did not give us any session headers"
if not location:
location = get_config_route(request, 'websauna.login_redirect')
# Send any custom events related to user login your appplication cares of
e = events.Login(request, user)
request.registry.notify(e)
# Redirect user to the post-login form location
return HTTPFound(location=location, headers=headers)
For the specific use case of doing one time email link logins like Slack or Medium please see websauna.magiclogin addon.
I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?
I want the url to be bookmarkable. Should I put another thing instead of the user id?
In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk
What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.
most socialnetwork i've been using, use username as url not id, of course it also affects seo, since u have "pretty url".
Security is really depend on how you write your code, say there is a page to edit-profile, if you put on your code something like:
UPDATE .. SET .. WHERE id = $_GET['id']
no question it's dangerous, you should check every user action, like posting/editing profile, etc. who is login, not what's the id on current url
It is secure if you secure your website against sql injection.
But if breach happens all users are vunerable. Only thing that hacker needs to do is find the user profile get his id. Copy output of sql injection. Go to text editor. Press ctrl - f and search for user id.
I'm in the process of using the facebook javascript sdk to provide user login functionality for a website.
What I'd like to do is simply take the logged in user's unique facebook id and then put/fetch data to/from a mysql database using the id to determine what data is available to said user.
However I don't really feel like this is very secure. Whilst I'm not storing anything sensitive like credit-card details etc, I'd obviously prefer it to be as secure as practically possible.
My fear is that with javascript being what is it, someone could fake the facebook id and just pull whatever they wanted.
I'm aware that the php sdk would provide a solid solution to this problem, but i like the javascript one mainly because it's easy to use and I have the basis of it set up (I admit it, I'm lazy).
So, my questions are:
Would this set up be as insecure as I feel it might be?
Is there anything I can do to improve the security of such a system, other than switching to the php sdk?
Thanks!
Facebook Ids are pretty hard to make up (at most a user will only know their own). Depending on what you store in the database (which will not be anything that the user cannot get on their own, unless you ask for extended permissions)
If you are worried about a user trying to get information from the database, add an access token or signed request to each row and us that and facebook id to get data. That will greatly increase security.
EDIT
There are few occasions where you get a signed request from a user:
* A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
* A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
* A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
Signed requests will contain a user id only if the use has accepted permissions though, and are not passed again if the user enters the application, and accepts permissions (meaning that the signed request would not contain the ID). Because of this saving an access token may be a better idea. Here is more on the signed request
Also the signed request is in the url (param = "signed_request"). I always parse it through c# but I am sure you can at least get one through javascript
It's pretty easy to spoof the origin using curl. I'd imagine Facebook has another mecanism in place to make this possible. If you inspect their code, it appears that they generate an iframe and pass requests through. If I had to guess, they have setup the requests to only be made from the Facebook domain, and ensure that the iframe can only be embedded in a page that has a white listed domain.