I've been making a Chrome Extension and I can authenticate just fine using chrome.identity.launchWebAuthFlow(), it returns a token no problem. The thing is, I can not logout using removeCachedAuthToken().
During some research, I read that you cannot use it with launchWebAuthFlow, only with getAuthToken, but I need to authenticate in a third party website so I have to use launchWebAuthFlow. What are other options other than removeCachedAuthToken? I just need to drop a specific token that I get from chrome.storage.local.get() so the user is presented with the authentication flow again.
Thank you!!
For anyone who might face this problem.. using chrome.identity.clearAllCachedAuthTokens worked for oauth launchWebAuthFlow
chrome.identity.clearAllCachedAuthTokens(() => {
console.log('Logged out!')
});
Related
I've set up the most basic implementation of firebase auth login with email and password.
firebase.auth().signInWithEmailAndPassword(email, password).then(() => {
console.log('Logged in')
window.location.href = "./home.html"
}).catch(function (error) {
console.log(error)
});
For some reason, on iOS, the login process sometimes gets stuck waiting for the promise of signInWithEmailAndPassword() to resolve. I don't get any error message.
The only way to re-enable the login mechanism is to clear the browser cache.
Is this a known problem? I've been experiencing this problem for my last two apps over the last year.
Edit: After further trial and error I found out that the problem usually happens after being logged in, letting the iPhone go to sleep, waking it back up, and then logging out. Then the same problem also happens for the signOut() function.
Turns out the problem had to do with the domain not being whitelisted in my project settings. The reason why I didn't pay attention to the console alert about oAuth was that it did work most of the times, even with it showing. So I thought it didn't have any effect on it.
The answer was suggested in this thread
I was having the same issue, but it was even more consistent when I moved to version 9 of the firebase sdk and my app was running in an Ionic-Capacitor native app on iOS. The solution was to add "localhost" to Firebase > Authentication > Sign-in method > Authorize domains (NOTE: if you use localhost make sure you have sufficient security db rules to prevent someone from adding bad data and you may not want to use this in production).
Then I needed to use intializeAuth() when running in hybrid (native app) mode. My app is also a pwa and getAuth(app) makes assumptions that its loading in a browser environment which causes this problem.
const firebaseApp = initializeApp(FirebaseConfig);
this.firebaseAuth = isPlatform('hybrid') ?
initializeAuth(firebaseApp, {persistence: indexedDBLocalPersistence}) :
this.firebaseAuth = getAuth(firebaseApp);
EDIT : tried the authorized domain and it seems to be what i need, i'll try to go deeper with André's answer :)
Thank you !
Hi,
I'm new to firebase and i just finished a project but i had a question:
Since the doc says i have to put my api keys and else in the javascript, they are visible to anyone even if put into process.env
i've read here : Is it safe to expose Firebase apiKey to the public?
that making the api key public is normal and not a big deal.
I'm using the email/password auth and i'm scared
If someone takes my :
API_KEY_FIREBASE
AUTH_DOMAIN
DB_URL
PROJECT_ID
that are in the source code and use the createAccount function, is he gonna be able to create an account ?
Is yes, is there a way to disable this ?
I want to be able to create account only through the firebase console
I'm not using firebase database for my data, i only use it for auth so i don't have to create a user table in my database, but i use the IDTokens they provide to secure some routes on express.
thank you ! :)
Someone can only create an account when you have that option enabled in your firebase console. So If you have it disabled there is no problem.
You can look here in the "before you begin" section for how to enable/disable Email/password sign-in method.
I'm building a register system where a user can login with Facebook, Google, or locally.
Whenever I post via any login strategy I get uknown strategy error. I think I did connect all files all together.
I did check every solution, on stackoverflow, but can't find anything that could help aht the moment.
My code:
https://github.com/ExadelPraktika/Back-exabook/tree/backend_full
added
require('../passport');
in passport.js
it works
You will also get this error if the strategy is not passed to the use command like so:
passport.use("google", strategy);
this is my first post so please go easy on me!
I am a beginning developer working with javascript and node.js. I am trying to make a basic request from a node js file to facebook's graph API. I have signed up for their developer service using my facebook account, and I have installed the node package for FB found here (https://www.npmjs.com/package/fb). It looks official enough.
Everything seems to be working, except I am getting a response to my GET request with a message saying my appsecret_proof is invalid.
Here is the code I am using (be advised the sensitive info is just keyboard mashing).
let https = require("https");
var FB = require('fb');
FB.options({
version: 'v2.11',
appId: 484592542348233,
appSecret: '389fa3ha3fukzf83a3r8a3f3aa3a3'
});
FB.setAccessToken('f8af89a3f98a3f89a3f87af8afnafmdasfasedfaskjefzev8zv9z390fz39fznabacbkcbalanaa3fla398fa3lfa3flka3flina3fk3anflka3fnalifn3laifnka3fnaelfafi3eifafnaifla3nfia3nfa3ifla');
console.log(FB.options());
FB.api('/me',
'GET',
{
"fields": "id,name"
},
function (res) {
if(!res || res.error) {
console.log(!res ? 'error occurred' : res.error);
return;
}
console.log(res);
console.log(res.id);
console.log(res.name);
}
);
The error I am getting reads:
{ message: 'Invalid appsecret_proof provided in the API argument',
type: 'GraphMethodException',
code: 100,
fbtrace_id: 'H3pDC0OPZdK' }
I have reset my appSecret and accessToken on the developer page and tried them immediately after resetting them. I get the same error, so I don't think that stale credentials are the issue. My
console.log(FB.options())
returns an appropriate looking object that also contains a long hash for appSecretProof as expected. I have also tried this code with a number of version numbers in the options (v2.4, v2.5, v2.11, and without any version key). Facebook's documentation on this strikes me as somewhat unclear. I think I should be using v2.5 of the SDK (which the node package is meant to mimic) and making requests to v2.11 of the graph API, but ??? In any case, that wouldn't seem to explain the issue I'm having. I get a perfectly good response that says my appSecretProof is invalid when I don't specify any version number at all.
The node package for fb should be generating this appSecretProof for me, and it looks like it is doing that. My other info and syntax all seem correct according to the package documentation. What am I missing here? Thank you all so much in advance.
looks like you have required the appsecret_proof for 2 factor authorization in the advance setting in your app.
Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client. An access token can also be stolen by malicious software on a person's computer or a man in the middle attack. Then that access token can be used from an entirely different system that's not the client and not your server, generating spam or stealing data.
You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers. If you're using the official PHP SDK, the appsecret_proof parameter is automatically added.
Please refer the below url to generate the valid appsecret_proof,and add it to each api call
https://developers.facebook.com/docs/graph-api/securing-requests
I had to deal with the same issue while working with passport-facebook-token,
I finally released that the problem had nothing to have with the logic of my codebase or the app configuration.
I had this error just because I was adding intentionally an authorization Header to the request. so if you are using postman or some other http client just make sure that the request does not contain any authorization Header.
I'm using facebook JS SDK version 2.11. For Login I've added following code
FB.login(function(response) {
// Handling Code here
}, { scope: "user_posts" });
But Login Dialog doesn't have permission for user_posts. I also checked using me/permissions and user_posts is not there.
How can I get access_token to get user_posts on FB.Login. App is still in developer mode and facebook review team is also facing the same issue.
Please Help!
I think you need to let Facebook review your app.
From the docs:
Which permissions require review?
Review is not required to ask for the three basic permissions: public_profile, user_friends and email.
Review is required to ask for any other permissions when people log into your app
You can try to get user feed at facebook graph api explorer - this is the best testing environment.
Then try
GET https://graph.facebook.com/v2.12/me/feed?access_token=<ACCESS_TOKEN>
this is request u are in need of use.
Also try
FB.login(function(response) {
// handle the response
console.log(response.grantedScopes); // should work as well
}, {
scope: 'publish_actions,email,user_likes,user_posts',
return_scopes: true
});
By setting the return_scopes option to true in the option object when calling FB.login(), you will receive a list of the granted permissions in the grantedScopes field on the authResponse object.
This will definitely help you with debugging your app. If #BigJ is right, you won't do much without app reviewed. Hope my answer is helpful.