I'm using
Catalyst::Plugin::Authentication
to authenticate users and
Catalyst::Plugin::Session
to track sessions. Is it possible to solve my problem using these plugins?
When a user has been authorized at some place, other sessions (the same user on other platforms, browsers etc.) automatically change to invalid. There can be only one working session from this particular user at the same time.
Related
Facebook provides an OAuth authentication system for third-party apps but they appear to not provide any fine-grained user management capabilities.
This seems like a security problem. I need to be able to:
Disable delete unused accounts
Disable or delete abusive users
White list users for early access to a new app.
But AFAICT FB provides no tool to do this.
I can probably hook of of the OAuth ID and put an entry in my database for the first two requirements, but I can't figure out how to white list Facebook users.
Google is unhelpful because all the results are about let users manage applications their user account is attached to, and nothing about allowing apps to manage what user accounts they are attached to...
Usually is a bad idea to delete or disable unused accounts, because maybe user was inactive for a long time, this doesn't mean the user deleted or disabled his account.
On the other hand, you can't avoid malicious users join your app via facebook authentication. What you can do is to detect suspicious activities with your own implementation (after Facebook accept them to join your app), and suspend, block or disable those accounts on the server (blacklisting them), after the user has joined client-side and sent the required access-token (optionally request the ID) trying to be accepted by the server.
Whitelisting users may depend on the requirements of your application, you can check profiles data and reject those that doesn't provide the requirements that your app needs (remember to ask the user for the fields that your app requires, like public profile, pictures, etc; these must be accepted by the user before signing in).
Here's how you white list users for an app on Facebook:
Keep the app in Development mode
Add users from your friend network in the Testers role
When you are comfortable, open your application to the world.
AFAICT you cannot white list when your app is published, but that's the point of publishing. Also the whitelist is not a request-grant method, it's invite only.
The other requirement to delete or disable users you must handle yourself in your database. You would tie the user's status to the FB's unique ID.
We have an application that allows users to associate multiple Facebook accounts. They use our software to, among other things, post selectively to those accounts.
Of course, the access tokens expire and we need to refresh them. However, since we have multiple tokens for multiple accounts, we need to refresh a very specific account.
If we simply throw the user into the auth flow, they will refresh to whichever Facebook account they are currently authenticated (or happen to log in to), which may not be the one we need to refresh.
Is there anyway to place the user into the auth flow with a hint so that they can log in to the correct Facebook account and refresh the specific token we need refreshed? Presumably, this would override any current session they might have with Facebook as well.
I can understand that this is sort of counter-intuitive to the normal use case (i.e., keeping the auth flow very seamless for the user), but nonetheless, it is our scenario.
If this is unsupported, does anyone have any ideas about alternate approaches?
I would like to process status updates of friends within a server-side application (like a server-side job).
I could create something like a configuration website to connect my application with facebook, let the user login, get the permissions, etc., but this should only be done once by the user. The (session-, access-, auth-, verification-, whatever-) keys or login information could be stored within a database and the server-side application/job could use these information from the database to access the status updates.
The problem is, that the user should only login once, so the user has not to login everyday manually to let the server-side application/job continually working.
Has someone an idea how this could get solved? It is very difficult to find working solutions/ideas for that problem, because Facebook is currently deprecating all these features (REST-API, Facebook-Connect, offline-access-permission, infinite session keys, ...). The Android apps have a similar requirement, but these seem to have the option to solve this problem via the mightly facebook app/integration which has some exceptions... At least all Android apps are working continually with my facebook data and I didn't saw a facebook login page for years. ;-)
In the Facebook javascript api there is a login function in which you specify extended permissions:
http://developers.facebook.com/docs/reference/javascript/FB.login
One of these permissions is offline access. So I can save the facebook user's session key and assume it will not expire for a long time. The question I have is simple - how do I use the session key? I understand that the session key will last longer, but I don't understand how to use it in the Facebook API. For one of my products, a user must restart his/her browser and I would like to recognize them when they restart. The problem is that they are logged out of facebook, so they must login on my site again where I would rather just use offline access. Sample code would be great!
Thanks
Offline access allows you to use the user's access token on the Facebook Graph API indefinitely (unless they revoke your application's access).
It is not intended for logging the user back in. It's intended for you to be able to access their profile (and potentially do stuff to it, if you have permission) at all times, not just when they have a live session on your site.
I want to build a Facebook application that will be available only to those who have been invited to it or to a certain list of people (the list will be used for initialization).
How can I achieve that?
Depends what you mean by available. Anyone can install/authorise your application - all it means is that it'll appear in their applications list, and that your application has more access to their profile.
However, whenever someone uses your application Facebook will send you their unique uid which you can then filter on within your own code. Store a list of uids that you consider "invited", and only allow them access.
Probably the neatest way to do this is at the start of a session; the initial exchange between Facebook and your application involves Facebook sending your app a uid and authentication token, with which your app requests a session key - if you filter at that point and simply refuse to request a session key for any uid that's not on your list, you can programmatically restrict access.
There is so called "application sandbox mode". It is intended for development and testing though. But the meaning of this mode - you directly specify what users have access to your app(testers)