My account seems to be blocked for certain scope - uber-api

I'm trying a simple request to sandbox:
https://sandbox-api.uber.com/v1.2/requests/current
with token generated with my account: tristan.tran89#gmail.com and get a 403: forbidden error.
Same request with a different account does not return a forbidden. Can someone please verify why it's being blocked on my account?

That is typically what the 403 error indicates. Strictly it is saying that the token you sent does not have access to the resource. This could mean it's been corrupted, it expired, or the user revoked access.
If the current application is the one that booked the trip then requests/current should be able to be accessed.
In your case, you are calling GET v1.2/requests/current with an access token that has the request scope but not the all_trips scope. That means that the endpoint will respond with the current trip only if it was booked by your application. In the case that the user is on a current trip but it was booked by another application or the Uber app, you will get a 403. In the more common case that the user is not on a trip at all, you will get a 404.
If you wanted to be able to give status updates for any trip that a user takes, you would want to get the all_trips scope during OAuth.

Related

Kuzzle : Insufficient permissions to execute this action

i am using js sdk of kuzzle,
sometimes (after few days of running) all request fails and i get:
"Insufficient permissions to execute this action"
what's the best method to avoid it ?
Should i check the jwt token is still valid before request ?
or how to get notified of token expiration (i set it to 1 year) ?
This error message indicate that your current user does not have the permissions to execute this API action.
The error message is different when the anonymous user (default user when you are not authenticated) try to execute an API action that's need to be authenticated.
See the differences between error 401 and 403 here
About your authentication token, it's considered as a bad practice to have an authentication token that last a long period of time. (Even if Kuzzle authentication token can be revoked).
You should rather use the auth:refreshToken method to regularly refresh your authentication token)
Actually Kuzzle send a notification indicating that the current token is expired only when a subscription has been made to the realtime engine.
This will certainly be extended to any persistent connection made to Kuzzle in a next release.
Concerning your usecase, you may want to use an API key to authenticate your SDK instance. There are revocable and can have infinite duration.

What error to handle first on a rest resource?

I'm developing a REST API and when developing the user resource I ended up having a doubt. I want the users in my application to view other user profiles without being authenticated. But, obviously, a user needs to be authenticated to edit or delete his profile.
My doubt comes when I access, for example, to this url without been authenticated: PUT /api/user/1. Imagine that the user doesn't exists. Which error is checked first, the 404 because the resource does not exist or the 401 because the user is not authenticated? Thanks.
There's no point in querying for that particular user, if the request is a PUT and the current user isn't even authenticated. You'd be better off filtering these requests as soon as they hit your endpoint, and return a 401.

Get forbidden when try query request receipt

I have a app on uber with request_receipt scope avaiable
But when i trying to get a request receipt with a token created in my app i got Forbidden error.
Others endpoints (map, product, history...) are ok.
My authentication request is fine too and return:
{
"expires_in"=>2592000,
"token_type"=>"Bearer",
"refresh_token"=>"[...]",
"last_authenticated"=>0,
"scope"=>"history profile history_lite places ride_widgets all_trips request_receipt",
"user_id"=>"[...]"
}
I made this requests on app and get same error.
You can only access trips that were initiated through your own Uber integration. For instance, if you book a ride through the Uber app and take that request id, you won't be able to access the details of that ride. Here's what the docs state:
The receipt endpoint will only provide receipts for ride requests originating from your application. It is not currently possibly to receive receipt data for all trips.

REST API - Does the Token need to be returned in every response?

So this is a random question that I can't seem to see an answer to.
I'm using Token based auth in my application. When the login credentials are first sent to the system, a token is returned. That token is then required with each and every request afterwards. When the token expires, a refresh token is used to determine if a new one should be issued. All pretty basic stuff.
What I've noticed is that the token isn't returned to the client with each web call. As in, client sends a message to the server with the token, server sends a response, but doesn't include the token unless it has been refreshed. Now, obviously thanks to client-side storage the token is still available.
My question is whether or not it is a best practice to return the token with each and every response, even if it is unchanged. Or if this really isn't a big deal and I can just stop worrying about it.
Thanks in advance.
Generally no, the response should not contain the token as it's unnecessary at that point - the user has already been authenticated for that specific request and appropriate actions have been taken (either a 200 with data or 401 or whatever).
It is the responsibility of the client to know the token when making a request.

How do I check when a fb-token will expire

is there a possibility to check when a fb-token will expire?
I've read Authenticating as an app and Handling invalid and expired access tokens and searched the interwebs for an answer but I couldn't find any.
Regards, Senad
The good news is, there's an endpoint for it now.
You can retrieve the information related to a particular Access Token by issuing a GET request to the debug_token connection. Something like:
GET /debug_token?
input_token={input-token}&
access_token={access-token}
You can get more information about it in the Getting Info about Tokens and Debugging reference.
Unfortunately there's no specific endpoint that will tell you if an access_token is still valid or not, but you can use the token to fetch anything and see if it return an error or not.
However if you are using the server side flow for authentication, they will send you an expire parameters that will hold the time in seconds that the token will remain valid (the sdk may hide this fact from you).
But as the Handling invalid access tokens page explains, there's a number of reasons why an access_token can go invalid so the expire field alone won't be able to tell you if the token is valid at the moment or not, so the only way to find out is to try using it and see if its returns an error, as the Handling expired... page states, you will have to be prepared for any graph request return errors.
You can manually check it here for a given access token:
https://developers.facebook.com/tools/debug