Is there any safe way to detect, on a web page, client side (JS), whether user has an Google/Yahoo/Live/? account?
I know about some suspicious ways to do this by styling visited links and then sneaking on computed style attribute, but it's more of a hack, Mozilla and maybe other are planning to crack down on this, as it might be abused.
But I need this to allow users more integration with their identity providers, like:
Have a Google account? ~> load contacts for sharing from Google Contacts API
Have an Yahoo account? ~> load contacts for sharing from Yahoo Contacts API
none of the above? show no link
I don't want to provide all these options to all visitors, would be nice if I can detect the account, and provide integration only in that case.
Yes, you ask them. Despite your misgivings, people will be far happier with you if you bother them, asking for the information, than they will be if you 'steal' such information.
You only have to re-read your question with phrases like "sneaking", "more of a hack", "planning to crack down", and "might be abused" to realise what a bad idea this is - maybe you could scan their hard disk looking for bank account information while you're at it :-)
The only valid way to do that is by using Google and Yahoo API's which are easy to implement. User will have to either provide his login details on your site or to use token methods which redirect login to Google/Yahoo and then back to your site. Once you connect to API, you can do anything with user account.
Related
I've run into a bit of a security issue with a project, and I want to force the user to automatically be logged out at the start of a session or prompt them to sign in with their credentials at the start of a session. For reasons I don't want to disclose, simply logging the active user's e-mail is not sufficient.
I'm having trouble finding a way to do this and was hoping someone on here knows how
Google Docs is a SaaS product so you can't handle this process
The security of your Google Doc is fully managed by Google. As a best effort you can take a look into Security best practices for administrator accounts in case you own a Workspace admin account.
The only thing you can do with it is trigger your doc by using simple or installable triggers as mentioned here.
My website allow users to signup by their Google or Facebook account. But some users use clone account to signup for spamming, so I want to detect and allow only Facebook or Google account which was created at least 1 year ago to signup.
I know that Facebook and Google API do not allow to see that information, do you have any opinions about this, please help me.
Thank you vẻry much.
I have few thoughts over this. In my view I do not think that information can be available via API. Both Facebook and Google have strong layer of security with some abstractions in terms of data they shared about a perticular entity. IMHO (in my humble opinion), it appears too much internal to me regardless of the fact that you have fair enough information being shared by their rich set of API.
Here is an overview of what Facebook has mentioned regarding permissions:
When a person logs into your app via Facebook Login you can access a
subset of that person's data stored on Facebook. Permissions are how
you ask someone if you can access that data. A person's privacy
settings combined with what you ask for will determine what you can
access.
However you can check what permission you have been grant access to in your app by Facebook.
For Google API, i did not see/find such information. Check obtaining user profile section.
So is there anything we do to check spammers?
Well, not in kind of way we anticipated, but one thing that could be helpful is the email verification. Most of the spam users do not like to provide valid/verified email addresses while sign up.
Calling the Facebook Graph API like https://graph.facebook.com/version/me/?access_token=token&fields=verified (where verified can be true or false). I saw some users report that it brings in whether the account has been verified, not the email.
In Google API, we can get the profile by calling the people.getOpenIdConnect endpoint. This method has email_verified property which returns true only if the email address is valid.
These may or may not be helpful but something is better than nothing until some better option get available in future versions of API.
Conclusion
Besides it is certainly not in scope of a developer using the API to control fake/spam users from signing up on either of these social networking giants. I believe that apart from checking the authentication, it is not easy to detect/filter out the such users out of million users even at their end.
We are providing Chat support for the online visitors and tracking their sales (tracking the sales happened through our support only) for our clients, who are having their online stores.
We have to add a javascript code in their store. But the clients are not willing to provide their FTP credentials.
So is there any alternate way to make this work?
Most of the clients are asking for a single click installation at once they register in our website. Is there any way to automate this?
Even if we assume, most of their stores are in,
Shopify
Bigcommerce
Magento
Virtue Mart
Is there any way for creating a module in the above mentioned platforms?
Just let me know all of your ideas and suggestions.
Thanks in advance.
I think it is not a good idea for someone to give you their FTP credentials. I suggest you provide them with a JavaScript code(with an App Key) that they can put in their website by them selves.
Do as Google analytics, Facebook etc do. They give you a script that links to their statistics tool.
I'm trying to create a webpage that can incorporate LinkedIn info's (profile,people,company, etc...).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following
*Name, Company, Email
*List of LinkedIn messages that are waiting for reply
The same process goes on everytime the user adds a profile, I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieved this? Opinions and Suggestions are highly appreciated tnx
This is far to broad a question for me to invest the necessary time in to figure the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the linkedin API not all the data you wish to access is available (do double check this though, I used the API quite awhile back and stuff might have changed in the meantime). As this data is not available through the API the only alternative would be to somehow bypass the cross domain policy, which in conclusion would require the user to install a chrome extension/firefox plugin which will function as a proxy for your application or even 'better', make you entire application a browser plugin based web app. Not that I am a fan of those whatsoever but if you application is meant in any way whatsoever as a linkedin (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long winded and requires a large amount of development time. Alot of the data is not accessible directly or indirectly too. You cannot get email address's out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for oAuth2 connections with the linkedin API service. People will log onto your website, click to join their linkedin account with your website and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The linkedin API documentation (http://developer.linkedin.com/) isn't greatly indepth but it gives you a good understand and points you where you need to go. There are also a couple of pre-done php API's around such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many API's from twitters, facebooks and LinkedIn's and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.
I have a 'little' problem.
I am working on a project for school in Ruby on Rails: a platform where people can share things with eachother. I recently started working on widgets which people can place on their website.
In the widget you see this 'thing' and how much it is shared. But now when someone loads the widget I want to check if he is logged in on my website and then show him which friends of him/her also shared that thing. I've Been thinking and trying a few hours now but haven't figured something out yet.
I have tried to use the Facebook SDK but could not get it to work because this is domain limited. Altough Facebook would not have been the best option I think because then it is only available for people who have their Facebook account linked to their account on my website.
Probably I have to create something by my own. But I have no clue how to do it right now. I hope someone can point me in the right direction.
If A and b are on the same domain as a subdomains you can use cookies to store authentication token and in that case that will work.
If not, you can use OAuth for example http://en.wikipedia.org/wiki/OAuth.
Ruby has a bunch of gems to support that. Devise has OAuth integration as well as authlogic.
Twitter uses that widely.
Also there are CAS and WebAUTH those do quite the same.
You can list both domains (A and B) on application settings under Basic section in App Domain field. This will allow you to use Facebook JS-SDK on both sites with same application id.
You should understand that this will allow both sites to access personal info of your users and this should be done only if you have control on those sites since you are responsible for application who uses JS-SDK