I have a mobile front-end that already has facebook authetication working. I have a Sails REST API that stores user data, posts etc.. I want to add security where facebook users can only POST GET DELETE PUT their own data.
I've read a almost every tutorial for facebook authenticating a web-app, but haven't found many for authenticating with a mobile app to protect the user data. I've tried to get Passport-Facebook-Token working but I just don't understand the little documentation available. I'm coming from a objective-C background so in the node learning curve now.
Here's the link to what I'm working with but I'm obviously missing something: https://github.com/drudge/passport-facebook-token
I have:
AuthController.js
module.exports = {
facebook: function(req, res) {
passport.authenticate('facebook-token', function(error, user, info) {
// do stuff with user
res.ok();
})(req, res);
}
};
api/services/protocols/passport.js
(with some other stuff from default passport sails-generate-auth)
var FacebookTokenStrategy = require('passport-facebook-token');
passport.use('facebook-token', new FacebookTokenStrategy({
clientID : "<my_id>",
clientSecret : "<my_secret>"
},
function(accessToken, refreshToken, profile, done) {
// console.log(profile);
var user = {
'email': profile.emails[0].value,
'name' : profile.name.givenName + ' ' + profile.name.familyName,
'id' : profile.id,
'token': accessToken
}
// You can perform any necessary actions with your user at this point,
// e.g. internal verification against a users table,
// creating new user entries, etc.
return done(null, user); // the user object we just made gets passed to the route's controller as `req.user`
}
));
Do I have to do something with config/routes to make sure it only allows users with access_tokens? I just can't find any resources out there. Passport doesn't even list Passport-Facebook-Token strategy as an option on their site.
thank you for the help
Related
I have Javascript App running under Node v8.11.2 which uses the Actions-On-Google library. I'm using the V2 API. I have account linking set up with Auth0 and am using the SignIn helper intent. Auth0 is set up to use Google, Facebook and Twitter.
The scopes I use are OPENID, OFFLINE_ACCESS, PROFILE and EMAIL.
Everything is working fine and when the User is authenticated I get an Access Token returned.
My question is, how do I get the Authentication Provider that was selected by the User so that I can use the Access Token correctly to retrieve profile elements such as the display name, email address etc??
The signin object passed to the Sign In Confirmation intent handler just contains the following regardless of the provider selected: -
{"#type":"type.googleapis.com/google.actions.v2.SignInValue","status":"OK"}
Any help greatly appreciated as I have a deadline and this is driving me a bit crazy now!
Thanks,
Shaun
If your question is about how to get the required information when you have your accessToken available then you could use what is shown in this answer.
In node this looks like that:
let link = "https://www.googleapis.com/oauth2/v1/userinfo?access_token="+accessToken;
return new Promise(resolve => {
request(link,(error, response, body) => {
if (!error && response.statusCode === 200) {
let data = JSON.parse(body);
let name = data.given_name ? data.given_name : '';
conv.ask(new SimpleResponse({
speech: "Hello "+ name + "!",
text: "Hello "+ name + "!"
}));
resolve();
} else {
console.log("Error in request promise: "+error);
resolve();
}
})
})
Everything you need should be in the data object.
Hope it helps.
I am trying to get the reviews for my app from the playstore using the new reviews api from the android publisher service.
The app key is me.jadi (https://play.google.com/store/apps/details?id=me.jadi) as you can see it have reviews posted for it.
Here is the code I'm using:
var google = require('googleapis');
var secrets = require('./secrets.json');
var androidpublisher = google.androidpublisher('v2');
var authClient = new google.auth.JWT(
secrets.client_email, null, secrets.private_key,
['https://www.googleapis.com/auth/androidpublisher'], null);
authClient.authorize(function (err, tokens) {
if (err) {
return console.log(err);
}
androidpublisher.reviews.list({ auth: authClient, packageName: 'me.jadi' }, function (err, resp) {
if (err) {
return console.log(err);
}
});
});
It doesn't contain any errors for the auth nor for the actual service request. But the result is always an empty object.
So I'm trying to identify the problem,
is there something wrong with the code
do I need to opt-in specifically somewhere to use the API
does the API have any limitations, like geographic (the service is allowed only for the US devs)
or maybe the service have some bugs because it is still in beta
I found the answer my self, and I'll post it here for future reference.
The problem with my specific case was that I didn't have reviews posted or modified in the last week.
And the API documentation clearly states that it will keep history of the reviews in the last seven days.
Once I get a new review I tried the code and the review was successfully retrieved.
I use the Accounts-UI and Accounts-[Github/Twitter/Facebook/Google] packages which allows login with external service.
I modified Accounts.ui.config with requestPermissions, example:
Accounts.ui.config({
requestPermissions: {
github: ['user'],
facebook: ['user_photos']
}
});
But when I logged me with Github (for example), I get only my Github's name.
Same thing with others external services.
How to get more information, like the url of the profile picture?
You can use the Accounts.onCreateUser(fn) method to customize what gets stored when the user is created. Here is some sample code:
Accounts.onCreateUser(function (options, user) {
var accessToken = user.services.github.accessToken,
result,
profile;
result = Meteor.http.get("https://api.github.com/user", {
params: {
access_token: accessToken
}
});
if (result.error)
throw result.error;
profile = _.pick(result.data,
"login",
"name",
"avatar_url",
"url",
"company",
"blog",
"location",
"email",
"bio",
"html_url");
user.profile = profile;
return user;
});
You have to make an additional call to the service in the callback function to grab any additional attributes. Currently, there's no way that I know of to plug directly into the method that Meteor uses to get the identity attributes.
I'm using PhoneGap/Cordova with the facebook plugin. Everything seems to work except for getLoginStatus who is not working as defined here and here. When called, it returns some data, but not all: it doesn't return userID nor signedRequest.
Here is the code:
FB.getLoginStatus(function(response) {
if (response.status == 'connected') {
var fb_uid = response.authResponse.userID;
var fb_signedRequest = response.authResponse.signedRequest;
alert('logged in');
} else {
alert('not logged in');
}
});
userID is filled with ellipsis (...), while signedRequest is undefined.
I managed to get userID with a graph call to /me:
FB.api('/me', function(me){
if (me.id) {
var fb_uid = me.id;
}
});
I wasn't able to find any way in the documentation to get a signed_request, which I have to use to authenticate the facebook user to a remote service to whom the user already connected to with facebook (I already made a login call so user is OK).
Basically the problem is that my call to getLoginStatus returns
{
status: 'connected',
authResponse: {
session_key: true,
accessToken: 'a long string...',
expiresIn:'a number',
sig: '...', //exactly this string
userID:'...' //exactly this string
secret:'...' //exactly this string
expirationTime:'a long number'
}
}
instead of what documented
As a background, when authentication happens using the plugin then the JavaScript SDK API calls the iOS/Android SDK to handle the authorization and then pass response auth data back to the JS part. The native (iOS/Android) SDKs do not get signed requests back to be able to pass this on to the JS. This is why it's empty.
If you use the latest plugin you should at least now be seeing the user ID. The one from June likely did not pass this back. Otherwise as a work around, you could perform a call to the /me endpoint when authentication is successful in your JS code to get the user id. See the Hackbook example that does this.
I am new to node.js and want to create a registration and login page for user.also there has to proper authorisation for the user.I want to store the user information inside mongodb database.How can i achieve this.can someone provide me the code to do so, so that i can get started with node.js and mongodb.Please help
You can find a complete sample of what you're trying to do in the Nodepad application by Alex Young. The 2 important file you should take a look at are these 2:
https://github.com/alexyoung/nodepad/blob/master/models.js
https://github.com/alexyoung/nodepad/blob/master/app.js
A part of the model look like this:
User = new Schema({
'email': { type: String, validate: [validatePresenceOf, 'an email is required'], index: { unique: true } },
'hashed_password': String,
'salt': String
});
User.virtual('id')
.get(function() {
return this._id.toHexString();
});
User.virtual('password')
.set(function(password) {
this._password = password;
this.salt = this.makeSalt();
this.hashed_password = this.encryptPassword(password);
})
.get(function() { return this._password; });
User.method('authenticate', function(plainText) {
return this.encryptPassword(plainText) === this.hashed_password;
});
User.method('makeSalt', function() {
return Math.round((new Date().valueOf() * Math.random())) + '';
});
User.method('encryptPassword', function(password) {
return crypto.createHmac('sha1', this.salt).update(password).digest('hex');
});
User.pre('save', function(next) {
if (!validatePresenceOf(this.password)) {
next(new Error('Invalid password'));
} else {
next();
}
});
I think he also explains the code on the dailyjs site.
I wrote a boilerplate project to do exactly this. It supports account creation, password retrieval via email, sessions, local cookies for remembering users when they return and secure password encryption via bcyrpt.
There's also a detailed explanation of the project's architecture on my blog.
For an easy way to get started take a look at ExpressJS + MongooseJS + MongooseAuth.
In particular, that last plug-in provides a standard simple way to do logins using several different authentication methods (Password, Facebook, Twitter, etc.)