I have a web app that uses firebase for auth. Once a user signs up/logs in there is always a certain cookie present.
I would like to, based on the presence of that cookie, redirect the user from the root path to a sub path i.e. site.com=>site.com/app whenever they visit the site.
I'm using Netlify to host my site and I've read through their documentation
but I can't figure out anyway to do this. It appears as though the only "conditions" that can be used for a redirect are langauge & role, but nothing about cookies.
Maybe this is possible using JWT Roles?
It's not possible today, but you can keep an eye on this thread: https://community.netlify.com/t/expanding-functionality-of-redirects/988/36?u=goleary
Related
I'm trying to build a "RSVP to this event" action using the Facebook JS SDK.
All of our sites run on multiple subdomains (event1.example.com, event2.example.com) and I'm trying to setup a single Facebook app that will allow people to RSVP.
Ideally I'd like to be able to specify wildcard subdomains in the Valid OAuth redirect URIs settings, but Facebook doesn't seem to allow that.
Previous StackOverflow answers said that either just putting in the top-level domain or leaving that field blank would work (for example), but I always get the This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings error.
Frustratingly, we shouldn't need any sort of redirect callback to the server. I just want a short-lived token to post the event RSVP which should be possible client-side only.
Is there any way to accomplish this?
The options I can think of...
One app per subdomain We have 100s of subdomains, so creating Facebook apps for each isn't going to work (plus that's a manual process)
List all subdomains as redirect URIs it appears Facebook has a limit on the number of redirect URIs, plus this is also a manual process - there's no API endpoint for adding these
Set the redirect URI via JS to our root domain and then just ignore the callback - this seemed promising, but calling FB.login with a redirect_uri param gave an error: When using FB.ui, you should not specify a redirect_uri. Is there a way to do this without FB.login?
Somehow let Facebook know we don't care about those redirects at all -- is there some other way to request permissions and make a JS API call without needing the oauth redirect?
Thanks in advance for any insights...
I don't think so that there is a way you can login through Facebook on multiple domains, but there is a proper work-around to implement sign-in on multiple domains it's called Single Sign On:
See:
https://www.sitepoint.com/single-sign-on-explained/
https://github.com/cubiclesoft/sso-server
We could use one specific sub domain/main domain itself to handle the facebook authentication
Every time pass the state which includes subdomain redirect uri so that need not to adding sub domains to redirect uri list
Initial setup:
My app uses facebook oauth system and has 3 different environments: production, testing and development. I've already listed all 3 valid redirect urls in facebook app's advanced settings (like people do here and here):
Valid OAuth redirect URIs:
http://myapp-pro.herokuapp.com,
http://myapp-tst.herokuapp.com,
http://myapp-dev.herokuapp.com
Additionally, on basic settings the app has:
App domains: myapp-pro.herokuapp.com
Site URL: http://myapp-pro.herokuapp.com
What happens so far:
When using production environment, everything's ok.
When on testing or development (both are not located in App domains or Site URL):
a. When the user logs in to my site and he's already logged in to facebook, everything goes fine.
b. When the user logs in to my site, but he isn't already logged in to facebook, facebook complains that:
Given URL is not allowed by the Application configuration
One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
More details about the latter case:
Current URL in browser at that moment is (not exactly, I've decoded next and cancel_url parts for clarity):
https://www.facebook.com/login.php?
skip_api_login=1&
api_key=...&
signed_next=1&
next=https://www.facebook.com/v2.0/dialog/oauth?
redirect_uri=http://myapp-dev.herokuapp.com?
scope=public_profile&
email&
user_birthday&
response_type=code&
client_id=...&
ret=login&
cancel_url=http://myapp-dev.herokuapp.com?
error=access_denied&
error_code=200&
error_description=Permissions+error&
error_reason=user_denied#_=_&
display=page
As you may have noticed the redirect_uri and cancel_url domains are totally equal and this value (http://myapp-dev.herokuapp.com) exists in the list of Valid OAuth redirect URIs.
If I manually change here cancel_url to production domain, facebook's error will disappear.
If I manually remove cancel_url parameter completely, the error will vanish also.
If I just ignore the message, enter my credentials and press login button, I will be redirected to https://www.facebook.com/login.php?login_attempt=1 and nothing else happens.
Thoughts:
It seems like facebook simply doesn't check cancel_url to exist in the list of Valid OAuth redirect URIs.
Already mentioned manual hacks are obviously not acceptable for a regular user, so I call for another ideas.
Using different facebook apps corresponding to different environments is also not a good idea ideologically, imho.
Workarounds:
As #CBRoe mentioned in comments: tried to use an own top level domain instead of herokuapp.com (used it as App domains and Site URL value) and it worked. This does not solve the initial question, but is a good workaround.
It appears that facebook app domains can be on a subdomain - facebook doesn't check it exists, it just looks for the top level domain, this allows us to setup a fake sub domain. And allow us to host our local dev environment on the fake sub domain.
This won't work if you or your client doesn't have a live top level domain though.
Edit your hosts file /etc/hosts on mac and /windows/system32/drivers/etc/hosts on windows
192.168.10.10 dev.theclientsdomain.com
Then put dev.theclientsdomain.com into the app domain.
hope that helps.
Our website runs in public computers and the browser is restricted to our own site. Facebook needs a redirection for security reasons. Can this be avoided somehow?
If not, which are the urls I'd have to allow/unlock?
Have a look at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
You need to use the following structure:
https://www.facebook.com/dialog/oauth?client_id={app-id}&response_type=token&redirect_uri=https://www.facebook.com/connect/login_success.html
Have a look at the hints in the blue box at the bottom of the docs paragraph:
When using a desktop app and logging in, Facebook redirects people to the redirect_uri mentioned above and places an access token along with some other metadata (such as token expiry time) in the URI fragment:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Your app needs to detect this redirect and then read the access token out of the URI using the mechanisms provided by the OS and development framework you are using. You can then skip straight to the Inspecting access tokens step.
I am building a facebook canvas app and i am using the signed request parameter provided by facebook to check if the user has already authenticated the app. (by checking the presence of user_id field). If the user_id is not set then I redirect the user to a uthorization page (using top.location in javascript).
The problem is that, in my application I need to make internal redirects and then i can´t get signed request anymore.
Possible solutions:
1). Change the way i check if the user has installed the app . Get the current user (not sure if I need signed request anyway). Then use the graph api to check the permissions).
2). allways use client side redirects. (then I can allways get the signed request and it is also provides better navigation to the user because the top url change.) Not sure about the performance compared with iframe redirects.
What is the best option, in your opintion.
PS: I am using PHP SDK / symfony framework and the javascript sdk.
The most common way to handle this is to set a cookie to carry forward either signed_request or whatever subset of data from it you need, so it is available on all pages. You can do this directly or by using PHP sessions to store the data.
However I am personally of the opinion that cookies are a bad idea within iframe apps. For an alternate approach that may do what you need, have a look at http://www.braintilt.com/fbcookies.php .
I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.