They say that we must check our privacy policy with curl. I tested this with Google's privacy policy to see what the fuss is about with http vs https. I believe the issue is that they are not following the redirects with -L. What should I do?
curl http://policies.google.com/privacy returns nothing
curl https://policies.google.com/privacy returns the full privacy policy
curl -L http://policies.google.com/privacy returns the full privacy policy
We sent a note to Facebook and they fixed it. There really wasn't anything for us to do once the helpful people here pointed out the site was flagged.
I'm trying to add Jenkins build status using the Embeddable Build Status plugin to a GitHub README.md file. I have SSO for GitHub and Jenkins, and I assumed it would have the login info in the browser cookies or wherever it stores that info, but it looks like it doesn't work that way (the same URL works, picks up the SSO info and doesn't prompt me when I open it from a browser; it just doesn't like GitHub pulling that info).
I see a 302 redirect on the Jenkins status badge link: it is being redirected to the SSO page, which expects JS to be enabled for it to work, which isn't possible on a GitHub README.md page (even if that were possible, I would not see a login prompt).
The console has a warning for this redirected URL request: Cross-Origin Read Blocking (CORB) blocked cross-origin response <the-URL> with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
I also set the Jenkins config to ViewStatus for anonymous users based on JENKINS-17798, and I'm using the unprotected link, but it still needs SSO.
Is there a way I can fix this?
Read this first: Cors-Filter Plugin for Jenkins.
Before you go debugging, first make sure that CORS is enabled for the Jenkins instance. You can go to Configure System in Jenkins and then to CORS Filter:
A very short summary:
Access-Control-Allow-Origins - List of domains that may access the Jenkins URL.
Access-Control-Allow-Headers - Headers that can be used to make the actual request.
Access-Control-Expose-Headers - List of headers browsers are allowed to access.
Whenever one tries to authenticate from one domain to another, Jenkins usually redirects if the CORS Filter is not active. So try this first.
Using the Stitch Facebook authentication provider with the Web/JS SDK, the auth flow seems to work fine up until the redirect is done back to the Stitch servers.
loginFB() {
    const credentialFB = new FacebookRedirectCredential();
    this.$stitch.auth.loginWithRedirect(credentialFB);
}
It then returns this error from the Stitch service:
https://eu-west-1.aws.stitch.mongodb.com/api/client/v2.0/auth/callback?code=AQClGc41QMShUyLT0FOIyGM4ZEi8FPEj4qSHF022F6gGqdIYrgBmop7QVWVuKQYH-CNCtGNSpOWJSVu9_nZwrHauMVrKt6CeswVIgRs5iQpt84YPFkg35BXZHf_PGcpvTsTBt2HC4B_yyYCcYCc4Ccn_wlCkG9bu-LwfKOePDtTYOJahys-xflBC8IyveMZIAK9lc00orXqC7zooETDgrE8KdoDw6uE8Q8zT_XMD7fGmCB7_-kcnmE9wScgC2Vsb38_AG4dkazNG_IenKpbo0s7vfDDfRLPawXpeWpSue_PRYLGSoKUB1UyWSNiujuq3ClE&state=nBspwBNKIdbEUxcyFdrHDudGKbuJhfjVTcHpzyMjSi-uImn5LQG3XtsgqRUGsB_UIEVnAIi6dswt5FwV90kphQ%3D%3D#=
error: "error exchanging access code with OAuth2 provider"
error_code: "AuthError"
link: "https://stitch.mongodb.com/groups/5ded6422f2a30b6096c347b8/apps/5dfdd120fab085de276dacb2/logs?co_id=5e176295f9d51cd518d60dc6"
Following the link in the error message, we arrive at the Stitch logs, which say the same thing.
I have followed the official docs (Google Auth works wonders, no worries there) for setting it up and tested the following:
Modified Redirect URIs, tested on hosted (https / http) and localhost.
Configured a Test App in Facebook dev.
Tested the various settings for the auth in the Facebook console.
Enabled forced re-auth in Facebook; I must then provide a password, and once that completes, same error.
Trying to find information on this error in the official docs or here on Stack Overflow has yielded no results, unfortunately. Could someone help explain how to get around this error?
Docs:
https://docs.mongodb.com/stitch/authentication/facebook/
https://docs.mongodb.com/stitch/tutorials/guides/todo-guide-facebook/
The error shown was due to a faulty app secret in the Auth provider section in Stitch. Once that was mended to the correct secret from the Facebook App, the login worked as intended. This error should be mentioned somewhere in the Stitch docs, but it does not appear to be documented there at the time of writing this.
I have a problem like the one here: Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app's Client OAuth Settings."
I have checked various answers - can't make it work, and they don't give much new - they just practically say to add the URL to that field.
One of them said to "Make sure your App IDs and Secret Keys are correct."
I found out they were not set, but now the admin said he added those, so it should be OK.
What else to do? How to debug?
"URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app's Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs."
It also tells me to turn Client and Web OAuth on, but I have them off to increase security, because of something I read or watched somewhere in the Facebook documentation. And since login works locally with them turned off, they should not be needed. I tested by trying to turn them on, but as I expected, they don't fix the problem.
Update:
The redirect URI parameter is redirect_uri=https%3A%2F%2Falpha.vop.veracityinsurance.com%2Fconnect%2Ffacebook%2Fcheck
Made a video: https://www.loom.com/share/88e607aece6b45489214d95ee01bbb0b
I have made a debug function and pushed it to the server; it prints the provider:
$provider = (array)$this->clientRegistry->getClient('facebook_main')->getOAuth2Provider();
print_r($provider);
And from that class I see the app ID is correct on the server.
config.yml
knpu_oauth2_client:
    clients:
        # the key "facebook_main" can be anything, it
        # will create a service: "knpu.oauth2.client.facebook_main"
        facebook_main:
            # this will be one of the supported types
            type: facebook
            client_id: '%env(CONFIG__OAUTH__FACEBOOK__ID)%'
            client_secret: '%env(CONFIG__OAUTH__FACEBOOK__SECRET)%'
            # the route that you're redirected to after
            redirect_route: connect_facebook_check
            redirect_params: {}
            graph_api_version: v5.0
Btw, I am using the Symfony bundle for integration: https://github.com/knpuniversity/oauth2-client-bundle
Made it work as 04FS said, by turning on the settings. It was enough to turn on only one of them - Web OAuth Login.
Background
We are writing some documentation for our support team.
We want to include links to files that are stored in private GitHub repositories.
We do not want the documentation to become stale if somebody refactors the code in the private GitHub repositories, so instead I am setting up a CI job that parses the documentation (with jsoup, if you are interested) and finds all the links.
Once we have all the links, we start checking them.
NOTE: we have written a custom link checker because one of the critical sets of links we have is for our monitoring solution, and sadly (also understandably) the SaaS we are using returns 404s for any unauthenticated requests on the URLs of the alerts.
The SaaS itself uses 2FA to access the Web UI, so what we have ended up doing is parsing the URLs and then constructing an equivalent call to the SaaS API to validate the link.
For the monitoring system we use, this is easy: all the URLs are the same format.
Question
Can we validate a random GitHub URL as valid (ideally using only curl - I can translate to my chosen HTTP client from there, and curl gives a more generic answer) using a Personal Access Token? And if so, how?
The URLs could be:
simple direct to repo URLs: https://github.com/<org>/<repo>
direct to branch URLs: https://github.com/<org>/<repo>/tree/<branch>
file URLs: https://github.com/<org>/<repo>/blob/<path/to/file>
diff URLs: https://github.com/<org>/<repo>/compare/[<branch>...]<branch>
other URLs that are based on the presence of the repo and do not vary in child path, e.g. https://github.com/<org>/<repo>/pulls, https://github.com/<org>/<repo>/settings/collaboration, etc
plus who knows what other URLs people will add within the docs...
Things I have tried that didn't work
HTTP Basic authentication with the Personal Access Token as the password, e.g.
curl -I -u stephenc:2....token.redacted....b https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
HTTP Bearer authentication, e.g.
curl -I -H "Authorization: bearer 2....token.redacted....b" https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
It looks like it works for some URLs (no idea which ones).
I can access curl -u agentgonzo:$TOKEN https://raw.githubusercontent.com/agentgonzo/repo/path/to/file using the API Token as my username, but the same doesn't work on https://github.com URLs. Not sure if this will help you or not.
I got an answer from GitHub Support: No.
Since a personal access token won't work for GitHub web UI URLs, no, there isn't a way to verify all possible GitHub private repo URLs without making API calls in some cases.
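As an added illustration of the approach the answer points to (this is example code, not from the question or the answers above): map each documented GitHub web UI URL shape to the REST API endpoint a Personal Access Token can query, and validate that instead of the web URL. It assumes the public GitHub REST endpoints /repos/{owner}/{repo}, /branches/{branch}, /contents/{path}?ref= and /compare/{base}...{head}; the function names to_api_url and check_url are hypothetical, and a blob URL is assumed to carry its ref as the first segment after /blob/.

```python
# Added example (not from the question or answers): map GitHub web UI URLs to
# REST API endpoints that a Personal Access Token can validate.
# Assumed endpoints: /repos/{owner}/{repo}, /branches/{branch},
# /contents/{path}?ref=, /compare/{base}...{head}. Hypothetical names:
# to_api_url, check_url.
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import quote, urlparse

API = "https://api.github.com"


def to_api_url(url: str) -> Optional[str]:
    """Return the API URL that proves `url` exists, or None if not github.com."""
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    if p.netloc != "github.com" or len(parts) < 2:
        return None
    base = f"{API}/repos/{parts[0]}/{parts[1]}"
    rest = parts[2:]
    if len(rest) >= 2 and rest[0] == "tree":
        # branch names may contain '/', so percent-encode the joined remainder
        return f"{base}/branches/{quote('/'.join(rest[1:]), safe='')}"
    if len(rest) >= 3 and rest[0] == "blob":
        # assumption: first segment after /blob/ is the ref, the rest is the path
        return f"{base}/contents/{quote('/'.join(rest[2:]))}?ref={quote(rest[1])}"
    if len(rest) == 2 and rest[0] == "compare" and "..." in rest[1]:
        return f"{base}/compare/{quote(rest[1])}"
    # /pulls, /settings/..., a compare without an explicit base, and any other
    # child path exist whenever the repo does: validate the repo itself.
    return base


def check_url(url: str, token: str, opener=urllib.request.urlopen) -> bool:
    """True when the API endpoint for `url` answers 2xx with this token."""
    api = to_api_url(url)
    if api is None:
        return False
    req = urllib.request.Request(api, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "doc-link-checker",  # the GitHub API rejects requests without one
    })
    try:
        with opener(req) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False
```

A 404 from the API with a valid token means either the repo does not exist or the token lacks access to it, which is the same signal the web UI gives a logged-in user.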
I am using the Facebook SDK. I am getting the following error:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
After studying, I came to know that I have to set 'Enforce HTTPS' to NO under 'Facebook Login > Settings'. But I cannot set Enforce HTTPS to NO. Is this problem mine, or does Facebook restrict me to using https instead of http?
Enable Client OAuth Login and write "localhost:3000" in Valid OAuth Redirect URIs.
Save changes. It will automatically change to https://localhost:3000, but it doesn't matter...
And set Status: In Development (THIS IS IMPORTANT!)
Then it will work on your http localhost.
But I cannot set Enforce HTTPS to NO. Is this problem mine?
https://developers.facebook.com/docs/facebook-login/security:
Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019.
Sounds to me like they don't want you to be able to even start without HTTPS when you are creating a new app now.
Plus, Chrome has recently announced that it will mark all HTTP sites as insecure soon, from version 68 on, which will be released in July 2018. So you're going to have to go HTTPS sooner rather than later anyway.
The “big players” of the industry are currently pushing for this big time, whether we want it or not.
If you just enable Client OAuth Login and write just localhost:{port} to Valid OAuth Redirect URIs, it will work.
If you're developing locally with create-react-app, a quick solution is to add
HTTPS=true
to your .env file and just comment it out when you're not testing Facebook login.
It seems that Business apps do not have app modes and instead rely exclusively on access levels. Because of this, you can't set the app to "Development mode".
All newly created apps start out in Development mode and you should avoid changing it until you have completed all development and testing.
https://developers.facebook.com/docs/development/build-and-test/
https://developers.facebook.com/docs/development/build-and-test/app-modes
However, if you want to try out your app on localhost, you need to create a test app, as you can check out in this thread:
How to fix 'Facebook has detected MyApp isn't using a secure connection to transfer information.' error in Laravel