We have Rest Api created by Laravel 4 Php framework. We are using combination of scope and grant to prevent users accessing some resources. But we are having problem preventing one user accessing another user data.
For Example- in our application a user can log in using email and password and we use password grant type to create access_token.
user can see their access token by using browser debugging tolls. Now, that user can use postman or curl request with that access_token to get other users data. What is the best way to prevent user showing other user data ?
When user login into the system, create access_token with roles and permissions return that access token to the user. When user calls the API with the access_token, then check that users is having the permissions to access the requested data.
If that user not having permissions then return with some error message.
You can create filters for this, In which you can check access_token permissions.
Userful like for Laravel routing- http://laravel.com/docs/4.2/routing
Related
I thought it would be simple to use Graph API to read my own user profile or another signed-in user profile but no luck so far.
I created an Azure app with only the following:
a) Client Secret
b) Delegated API permission of User.Read only
I then used the following simple code to try to read my own profile but it returned (400) Bad Request even though I can see that a token was returned successfully.
I was wondering if I could use the same Azure app to read another user's profile provided that a sign-in prompt could be created to switch account.
Any thoughts?
The me endpoint requires a user context. You're using the client credentials grant type, which is for client apps to use in an app-only context. The app has no awareness of who "me" is, or what "your" profile is because you haven't provided a user.
For the app to read the profiles of other users in the client credentials flow, you need to add one of the MS Graph application-type permissions, and send a request to the https://graph.microsoft.com/v1.0/users enpoint
Get user API endpoint
I try to get ads performance data using this api: https://graph.facebook.com/v2.5/{ad-account-id}/insights. User access token is needed when doing this request. I have several ad accounts. But one user access token is valid just for part of my ads accounts. The error message is "(#10) You do not have sufficient permissions to perform this action". Why? (I can access the dashboard report of all ad accounts.)
Every user access token is related to an app. I have two user access tokens which are generated with different apps. If I change to another access tokens, the ad accounts of which I can get performance data by api are different. So I guess this is related to apps by which user access token is generated.
Access tokens are made of up a user + app. Make sure both the user, and the app have access entity you're trying to access (in this case, ad account).
Also, when generating the token make scope includes the permission for ads_read
Trying to add facebook login to an existing login system on a project I am working on. Built with angular, using the FB JS SDK. This is primarily to allow frictionless login, and not currently that fussed about using the access tokens to make further calls with the FB API.
So as a new user, they hit the FB login, accept permissions etc, and it fires me back an access token etc. The new user is created in my DB, along with the accesstoken, FB userid, etc.
How do I now authenticate the user with the userid and accesstoken now stored in my DB? As far as I can see, the access token changes on virtually every page load / request, so next time the user hits the FB login, or I check the FB login status the only constant thing I have is the userid.
Have done various reading on SO and FB docs eg:
https://developers.facebook.com/docs/facebook-login/web
https://developers.facebook.com/docs/facebook-login/multiple-providers
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
How should a Facebook user access token be consumed on the server-side?
... although that has only served to confuse things further.
I imagine I would take that stored accesstoken then check its validity, however due to the various instances of access tokens expiring and being invalidated, this also seems like an incomplete solution.
So my question: How do I securely authenticate my FB users with their counterpart user in my own DB?
The Facebook login request returns user id + short lived access token (client side).
Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).
You can trust the user_id field returned from the Facebook API to check against your existing user database.
According to Facebook Devlopers: Test Users, I can list the test users of my facebook app by making a request to https://graph.facebook.com/APP_ID/accounts/test-users?access_token=APP_ACCESS_TOKEN. The response includes a valid user access token for each user.
How can I get a valid user access token for a specific test user without downloading the whole list of test users?
Test users should be able to be authenticated with your application in the same way as an other user. So use the Authentication flows while logged in for a specific test user.
Other than that there is no way to call one by one without parsing with code.
In my application I have collected the access token with offline access to facebook from the users.
I would like to open a facebook user session with this access token if the user logs in to my application so that the user does not have to login to facebook.
How can I do this?
I am not sure how your application is built, so it's hard to give a concise answer.
One way would be to store the access token and user id with the user details in the user database. When the user logs in, you can look to see if these value exists.
If they do exist, you can create a call with something like:
http://graph.facebook.com/$userID/friends?access_token=$userAccessToken