I have successfully set up the feedly developer access token using the javascript library Axios on a NuxtJS site. I am having trouble, though, figuring out how to set up the refresh token.
This is the process I have used for the developer token
export default function({ $axios }) {
$axios.onRequest((config) => {
config.headers.common['Authorization'] = [FEEDLY_ACCESS_TOKEN]
})
}
This code gets run whenever I make the relevant axios request.
What I am wondering, now, is what I need to do for the refresh token. I have taken a look at the instructions on these two pages:
https://developer.feedly.com/v3/developer/#what-happens-once-the-developer-access-token-expires
https://developer.feedly.com/v3/auth/#refreshing-an-access-token
However, I'm still not 100% clear as to what I am supposed to do. In particular, I have two questions:
Do I also run the refresh token each time I make an axios call -- or should I create a function that runs every thirty days and runs the code.
How exactly do I make the axios call for the refresh token. My initial guess is something like this:
$axios.$post('https://cloud.feedly.com/v3/auth/token/?refresh_token=FEEDLY_REFRESH_TOKEN&client_id=feedlydev&client_secret=feedlydev&grant_type=refresh_token')
Is that correct? If not, what do I need to change.
Thanks.
Different developers will use different strategie regarding refreshing an access token. While some will return a new token on every request, other will do it over a term of days or longer.
The idea is to reduce the window of risk in which an access token can be abused but it is sort of a subjective topic imo. Obviously there is a performance penalty when you generate a new access token on every request. Sometimes this may be acceptable, but I really don't think it's necessary in many cases. Measure the tradeoff between the penalty and the sensitivity of the token in your case.
The docs explain it well:
Endpoint:
POST /v3/auth/token
It does say that using url parameters is not recommended, so why not just do it the way they recommend it? Either:
using a x-www-form-urlencoded POST request (standard)
as a JSON object (make sure you set the Content-Type header to “application/json”)
You have more questions around this?
Related
I've read quite a lot of documentation about Webpush, and so far I've understood that push subscription should have a read-only propery expirationTime. Also, I understand how should I react if the browser decides that subscription is outdated (handle event in service worker, etc.). But is it possible to somehow set expiration date manually, without implementing complex client side logic? I guess that this is an ordinary problem for apps that have authentification.
My problem is that if user gets logged out automatically, webpush endpoint stays valid. I know multiple ways this can be solved with workarounds, but I guess that's not the optimal way for a relatively basic problem.
It's been a long time ago that I've fixed this, but I guess sharing my solution can be helpful.
The solution was to make a HTTP request from service worker to the app using fetch('/path') , because all cookies from the app are also attached to requests made from SW.
So, if user is not logged in, you are redirected to login page.
My code:
fetch('/path', {method: 'GET', redirect:'error'}).then(function(result) {
... //some code specific for my app
}).catch(function(e) {
registration.unregister(); //error on redirect to login
});
I needed to submit an approved-account access to Unsplash API, so as to access certain links for access approval. Given that the replies from the support team has taken more than a few days, I would just like to seek out additional help to resolve in retrieving the access_token for new requests-submissions via GET / POST methods.
The original website was working perfectly, till when I had wanted to get ready for submission for production stage and had wanted to prepare potential increases in requests to the Unsplash API.
However, the approval process entailed certain setup criterial, which I totally missed during my development phase and sought to iron out as soon as possible. One of the key component is to resolve your UTM links, which you may find here as the ideal reference: https://help.unsplash.com/en/articles/2511315-guideline-attribution.
My challenge then was that I had attempted to use the official javascript API, Unsplash-Javascript-API (https://github.com/unsplash/unsplash-js#authorization), in an effort to make the authentication / request processes simpler for my webapp to call.
Though most GET requests do work, given that a specific URL of links via "download_location" (https://help.unsplash.com/en/articles/2511258-guideline-triggering-a-download), has to be used instead, it will then require an authenticated request per new submission request by the webapp.
The final challenge then is that apparently it is not clear how the official Unsplash-Javascript-API actually pulls the "authenticated" request, as I was unable to find it on the website, so that I may retrieve the current-access_token for requests' usage.
The basic codes I am using via the API is the following, however I am confused what is the actual maximum request I may pull per page, I am hoping to get 100 returned images' details, but only gotten a maximum of 30 per time. Anyone can also help to confirm is there a workaround to increase this 30 to 100?
Retrieving a Collection of Photos
unsplash.collections.getCollectionPhotos(urlAPI, 1, 100, "Popular")
.then(toJson)
.then(jsonData => {
console.log("jsonData", jsonData);
});
So, currently my website is unable to launch for nearly 1 week plus, as I am just awaiting the final confirmation or additional help from the customer support end of the official Unsplash Team.
Hopeful that someone may help to assist me in clarifying the codes so that at least I can get one step closer to sorting this "official authenticated" process out, and take away one lesser step to getting my approval access for production ready.
Thank you in advance!
Given multiple tries. I wasn't able to retrieve the Access_Token reply, given that there is a pre-authorization step that I wasn't able to find any working solution to.
The current and clear limitations to the API are:
Maximum of 30 images request per GET request.
The official javascript API, Unsplash-Javascript-API (https://github.com/unsplash/unsplash-js#authorization) works but there is not clear or easy way to retrieve the "Access_Token" for a session usage.
Multiple async AXIOS / FETCH requests may not be "compiled successfully" when using ReactJS ContextProvider function prior to the first render. Therefore, an empty array will be shown instead on the final initial render.
Ultimately, my chosen solution is current to break down the images list to the most priority, with the limitation of only 30 images on retrieval, and still store into the original collection and retrieve it.
The other alternative is to actually download and load the images to your own server to load it, which may also be a faster route.
Sadly enough, the Unsplash API team doesn't response as frequently to assistance and my last contact was roughly 1 month ago, though I have attempted to update to their requirements but there were no feedback thereafter.
Thus, it will tentatively be better for you to just build an alternative solution than to rely on the team for a feedback, unless you are a paying client.
Good luck to the others on this! Cheers!
I'm using npm package 'request' to make API calls. Upon initial login, I should receive a cookie back, I need to store that cookie indefinitely to make subsequent calls.
I'm doing this in Python with requests like so:
#set up the session
s = requests.session()
#logs in and stores the cookie in session to be used in future calls
request = s.post(url, data)
How do I accomplish this in node? I'm not tied to anything right now, the request package seems easy to work with, except I'm having issues getting known username and passwords to work, that said, I'm sure that's mostly my inexperience with JS/node.js.
This is all backend code, no browsers involved.
I need to essentially run a logon function, store the returned encrypted cookie and use for all subsequent calls against that API. These calls can have any number of parameters so I'm not sure a callback in the logon function would be a good answer, but am toying with that, although that would defeat the purpose of 'logon once, get encrypted cookie, make calls'.
Any advice, direction appreciated on this, but really in need of a way to get the cookie data retrieved/stored for future use.
The request package can retain cookies by setting jar: true -
let request = request.defaults({jar: true})
request('http://www.google.com', function () {
request('http://images.google.com')
})
The above is copied near-verbatim from the request documentation: https://github.com/request/request/blob/master/README.md#requestoptions-callback
I am currently having trouble with the ADAL.js (v1.0.7) library. When I load my app after a decent period of time I get a login error stating "Nonce is not same as undefined." After looking over the code, I am wondering if I am missing a best practice. To my knowledge, I have followed the suggestions of #vibronet here. Should I be refreshing the user profile, or logging out, or something else?
My configuration looks like:
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: 'blahblahblah.onmicrosoft.com',
clientId: 'GUID',
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage'
};
this.authContext = new window.AuthenticationContext(window.config);
var isCallback = this.authContext.isCallback(window.location.hash);
this.authContext.handleWindowCallback();
if (isCallback && !this.authContext.getLoginError()) {
window.location = this.authContext._getItem(this.authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
}
If there has been an extended period of inactivity, the error occurs after calling this.authContext.login(). In order to get the error I call this.authContext.getLoginError().
I get why the nonce is different, but I want to "reset" it or cause a brand new login to happen.
Please let me know what other relevant information I can provide.
Update:
Seems like solution has been provided in blog post you provide. below is the quote.
The trick is to go back to the authority asking for a token, like we’d
do in the roundtrip apps scenario, but doing so in a hidden iframe. If
there is still an existing session with the authority (which might be
represented by a cookie – but it is a cookie in the domain of the
authority, NOT the app’s) we will be able to get a new token without
any UX. There is even a specific parameter, prompt=none, which lets
Azure AD know that we want to get the token without a UX, and if it
can’t be done we want to get an error back. Here there’s the request.
Previous answer:
i am not fully follow what your code does. but as from blog post, seems like underneath you are using OAuth 2.0
when you said error happen when there is period of inactivity, my guess is token has been invalid, and you will need to refresh the token. Not sure if there is a way for you to refresh it. But normally on server side once you authenticated, OAuth 2.0 provider will hand over you a token and a refresh token, if token is expired, you can use refresh token to get a new one.
I need to retrieve a facebook page's list of posts (feed) using their javascript SDK, just like they explain in their docs: https://developers.facebook.com/docs/graph-api/reference/v2.4/page/feed
/* make the API call */
FB.api(
"/{page-id}/posts",
function (response) {
if (response && !response.error) {
/* handle the result */
}
}
);
I need it to be my website's "news section", so users should see it even if they are not connected to facebook.
The problem
Cool, but there is a problem... It returns: An access token is required to request this resource.
Holy cow... I'd like to get some access token for you #facebook, but my app doesn't make use of your authentication tools/plugins.
ANYWAY, I tried with FB.getLoginStatus(); but doesn't work, because the only way it can return an access_token is if the user is actually connected to the application. My users may not even be logged to facebook!
So, ¿How can I get an access_token to be stored into a variable, and later be used to get /{my-page}/posts?
I've already payed a look to this SO question, but it doesn't solves my problem, simply because there are no such "generic tokens".
I've also read https://developers.facebook.com/docs/facebook-login/access-tokens/ and that also relies on tokens generated through facebook login methods... So, can't I display a list of fb page's posts in my website, without being connected into facebook, hence an application?
ADD: My app is build with angularJS, I'm not dealing with server-side code. I shall rely purely on javascript methods.
You could either use an page or an app access token, but as you'd be using them on the client-side, neither of them are an option.
See
https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens
https://developers.facebook.com/docs/facebook-login/access-tokens#pagetokens
Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.
I'd strongly recommend to build a simple server-side script (PHP for example) to proxy the request to the Graph API. You could then call this via AJAX for example and load the posts asynchronously (and alse get rid of the FB JS SDK!). There is NO way to handle this in a secure manner if you don't want to use FB Login for all of your users (which also doesn't make much sense IMHO).
I think it's straightforward :)
Since pages' posts are always public, it only needs a valid access token to retrieve page posts.
Quoting what you've written:
So, ¿How can I get an access_token to be stored into a variable, and later be used to get /{my-page}/posts?
You only require an access token.
My suggestion would be;
- Generate an access token for yourself (no extra permission needed)
- request page-id/posts
This way you don't require other users to be connected to facebook, you can simply requests page-id/posts to retrieve posts with access token you generated for yourself.
I hope it solves your problem :D
TIP: As long as posts are public, you only require a valid access token, it doesn't need to be user or page specific.