I tried to perform Tumblr Authentication inside my Chrome App.
I followed Tumblr doc, so I registered my app using https://my app id.chromiumapp.org/ as URL Default callback.
Tumblr API supports OAuth 1.0a Protocol so I made a POST to https://www.tumblr.com/oauth/request_token to get an oauth_token.
I used a javascript library (OAuth) to perform the post, in order to add all the OAuth parameters needed (oauth_nonce, oauth_version, etc).
var oauth = OAuth({
consumer: {
public: key,
secret: secret
},
signature_method: 'HMAC-SHA1'
});
var request_data = {
url: 'https://www.tumblr.com/oauth/request_token',
method: 'POST',
data: {
oauth_callback: chrome.identity.getRedirectURL()
}
};
$.ajax({
url: request_data.url,
type: request_data.method,
data: oauth.authorize(request_data, {})
}).done(function(data) {
console.log(data); //data contains oauth_token and oauth_token_secret
});
This POST succeed and I get oauth_token and oauth_token_secret in the response.
After that, I try to use chrome identity API to let the user authorize my app.
chrome.identity.launchWebAuthFlow(
{
url: "https://www.tumblr.com/oauth/authorize" + "?oauth_token=" + oauth_token,
interactive: true
},
function (responseURL) {
if (chrome.runtime.lastError){
console.log(chrome.runtime.lastError.message);
}
if (responseURL) {
//everything ok
}
}
);
The call to chrome.identity.launchWebAuthFlow fails and the console shows "Authorization page could not be loaded." as chrome.runtime.lastError.message.
If I type https://www.tumblr.com/oauth/authorize?oauth_token=my oauth_token in the browser, I get the Tumblr authorize page.
Note that in my manifest.json file I have:
...
"permissions":[
"identity",
"https://www.tumblr.com/oauth/*", "https://api.tumblr.com/*"
]
but the authorization page is not loaded anyway.
I implemented the same steps for the Twitter API without errors.
I searched on StackOverflow, Tumblr documentation and Chrome API documentation, but I could not understand what I'm doing wrong.
Related
Short:
I am unable to find any setting in documentation one drive api to get a file url that could not be accessed without access token
Details:
I tried different things with queryParameters: "select=id,name,size,file" but could not change the result
Using javascript API, when files chosen from one it gives an array named values in which each object contains properties like (some fake but sample values)
#microsoft.graph.downloadUrl: "https://public.sn.files.1drv.com/m7ZHglUdfkMkwg-qqnNj8"
#odata.context: "https://graph.microsoft.com/v1.0/$metadata#drives('D2CFA54CB9FFC341')/items/$entity"
id: "FA4454CB9FFC341!172"
name: "sada.pdf"
size: 4344
My code to get above results is
var odOptions = {
clientId: "df45ae45-68bd-4568-a473-4159a1b16fc1",
action: "download",
multiSelect: true,
// openInNewWindow: true,
// advanced: {
// queryParameters: "/drive/root/children?select=id,name,size,file",
// },
success: function (response) {
console.log(555, response);
},
cancel: function (response) { console.log(response); },
error: function (e) { console.log(e); }
};
OneDrive.open(odOptions);
the problen is https://public.sn.files.. public url (any one can access file without login using this url) unlike google drive which gives a secure url
The downloadUrl is a short lived URL that is preauthenticated so that authorization is not required. Access control checks are instead performed on the request that returns the URL. A flow that's closer to what Google Drive utilizes would be to hit the /content endpoint for a specific file - this request requires an OAuth token to be provided and will return the binary content.
I'm trying to implement firebase's email link auth on a web app and I'm having some trouble understanding what the problem here is.
I've followed their instructions on the page to send the email and it's sending, but the problem is the URL being sent is an invalid one.
async sendAuthEmail(email) {
var actionCodeSettings = {
// URL you want to redirect back to. The domain (www.example.com) for this
// URL must be whitelisted in the Firebase Console.
url: "http://localhost:3000",
// This must be true.
handleCodeInApp: true,
iOS: {
bundleId: "com.example.ios"
},
android: {
packageName: "com.example.android",
installApp: true,
minimumVersion: "12"
}
};
return await firebase
.auth()
.sendSignInLinkToEmail(email, actionCodeSettings);
}
And the URL being sent is (I changed my firebaseapp name):
https://?link=https://myfirebasedbname.firebaseapp.com/__/auth/action?apiKey%3DAIzaSyDSio7vAbW7O0TVGCF2UpG7FsQDvHX0M7Q%26mode%3DsignIn%26oobCode%3DXoAsz5CoIJOhdhAcJpC2E3iWI8fmyTwJPIUmMlgLvakAAAFiy0Wm9A%26continueUrl%3Dhttp://localhost:3000&apn=com.example.android&amv=12&ibi=com.example.ios&ifl=https://myfirebasedbname.firebaseapp.com/__/auth/action?apiKey%3DAIzaSyDSio7vAbW7O0TVGCF2UpG7FsQDvHX0M7Q%26mode%3DsignIn%26oobCode%3DXoAsz5CoIJOhdhAcJpC2E3iWI8fmyTwJPIUmMlgLvakAAAFiy0Wm9A%26continueUrl%3Dhttp://localhost:3000
I also tried changing the url parameter but it fails anyway.
Any ideas that can be shared?
Thanks!
Have you configured your Firebase Dynamic Link domain? You need to do that in the dynamic links section of the Firebase Console.
If you are only using this for a web only app, you don' t need to include the android or ios fields in the ActionCodeSettings object. This avoids the need to setup FDL:
var actionCodeSettings = {
url: "http://localhost:3000",
// This must be true.
handleCodeInApp: true
};
I am using AngularJS and trying to work with Google's reCAPTCHA,
I am using the "Explicitly render the reCAPTCHA widget" method for displaying the reCAPTCHA on my web page,
HTML code -
<script type="text/javascript">
var onloadCallback = function()
{
grecaptcha.render('loginCapcha', {
'sitekey' : 'someSiteKey',
'callback' : verifyCallback,
'theme':'dark'
});
};
var auth='';
var verifyCallback = function(response)
{
//storing the Google response in a Global js variable auth, to be used in the controller
auth = response;
var scope = angular.element(document.getElementById('loginCapcha')).scope();
scope.auth();
};
</script>
<div id="loginCapcha"></div>
<script src="https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit" async defer></script>
So far, I am able to achieve the needed functionality of whether the user is a Human or a Bot,
As per my code above, I have a Callback function called 'verifyCallback' in my code,
which is storing the response created by Google, in a global variable called 'auth'.
Now, the final part of reCAPCHA is calling the Google API, with "https://www.google.com/recaptcha/api/siteverify" as the URL and using a POST method,And passing it the Secret Key and the Response created by Google, which I've done in the code below.
My Controller -
_myApp.controller('loginController',['$rootScope','$scope','$http',
function($rootScope,$scope,$http){
var verified = '';
$scope.auth = function()
{
//Secret key provided by Google
secret = "someSecretKey";
/*calling the Google API, passing it the Secretkey and Response,
to the specified URL, using POST method*/
var verificationReq = {
method: 'POST',
url: 'https://www.google.com/recaptcha/api/siteverify',
headers: {
'Access-Control-Allow-Origin':'*'
},
params:{
secret: secret,
response: auth
}
}
$http(verificationReq).then(function(response)
{
if(response.data.success==true)
{
console.log("Not a Bot");
verified = true;
}
else
{
console.log("Bot or some problem");
}
}, function() {
// do on response failure
});
}
So, the Problem I am actually facing is that I am unable to hit the Google's URL, Following is the screenshot of the request I am sending and the error.
Request made -
Error Response -
As far as I understand it is related to CORS and Preflight request.So what am I doing wrong? How do I fix this problem?
As stated in google's docs https://developers.google.com/recaptcha/docs/verify
This page explains how to verify a user's response to a reCAPTCHA challenge from your application's backend.
Verification is initiated from the server, not the client.
This is an extra security step for the server to ensure requests coming from clients are legitimate. Otherwise a client could fake a response and the server would be blindly trusting that the client is a verified human.
If you get a cors error when trying to sign in with recaptcha, it could be that your backend server deployment is down.
I am building a single page app with JavaScript to access a users OneNote notebooks.
Using this git project as a starting point: https://github.com/OfficeDev/O365-Angular-Microsoft-Graph-Connect
I set up the app in Azure AD with full permissions to MS graph.
I can login and get a bearer token, however I can't pull any information from my OneNote notebooks using this endpoint:
graph.microsoft.com/beta/me/notes/notebooks.
Here's my function:
function connectToOneNote(){
var request = {
method: 'GET',
url: 'https://graph.microsoft.com/beta/me/notes/notebooks',
};
// Execute the HTTP request.
$http(request)
.then(function (response) {
$log.debug('HTTP request to Microsoft Graph API returned successfully.', response);
response.status === 202 ? vm.requestSuccess = true : vm.requestSuccess = false;
vm.requestFinished = true;
}, function (error) {
$log.error('HTTP request to Microsoft Graph API failed.');
vm.requestSuccess= false;
vm.requestFinished = true;
});
};
I get this error: "The OneDriveForBusiness for this user account cannot be retrieved."
However when using the endpoint in the graph explorer: https://graph.microsoft.io/en-us/graph-explorer, my notebooks are retrieved without issue.
Any ideas?
Thanks for the responses. The answer for me was pretty simple. I had added the app to a newly created AD, which didn't have an O365 account associated with it. I was logging in as a global admin with an active O365 account on a different AD, but because it was a global admin, it had permissions on all AD instances. SMH.
In the authentication flow documentation here it mentions the CODE which is returned upon oAuth authentication.
Is this required for the Javascript SDK or is this handled automatically in the background in this code?
By "is this required?" I mean, do I have to handle this code to verify the authenticity of the request, or does the JavaScript SDK use the code automatically to gain the access_token.
The documentation explains the client side flow, and how to get the access token using the 'code' so until now. I've been assuming that the SDK manages this automatically in the background, because it produces an access code as response.authResponse.accessToken.
FB.login(function(response) {
if (response.authResponse) {
// User is logged in to Facebook and accepted permissions
// Assign the variables required
var access_token = response.authResponse.accessToken;
var fb_uid = response.authResponse.userID;
alert(dump(response.authResponse));
// Construct data string to pass to create temporary session using PHP
var fbDataString = "uid=" + fb_uid + "&access_token=" + access_token;
// Call doLogin.php to log the user in
$.ajax({
type: "POST",
url: "ajax/doLogin.php",
data: fbDataString,
dataType: "json",
success: function(data) {
// Get JSON response
if (data.result == "failure")
{
alert(data.error_message);
window.location.reload();
return false;
}
else if (data.result == "success")
{
window.location.reload();
return true;
}
},
error: function() {
return false;
}
});
} else {
// user is not logged in and did not accept any permissions
return false;
}
}, {scope:'publish_stream,email'});
I would like to know, because I want to ensure that my code is secure.
From the documentation
With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.
In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint at https://graph.facebook.com/oauth/access_token. The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).
If you plan on using the FB.api function to make calls to their Graph API, then you need the code to get the access token. But if you only need to authenticate the user, then what you have will do that just fine.