I'm recently trying to lock down security on a parse project and have disabled except for public create.
However after doing so if I try and link an existing user to Facebook as follows:
[PFFacebookUtils linkUser:[PFUser currentUser] permissions:nil block:^(BOOL succeeded, NSError *error) { /* ... */ }];
I see the following error printed on console:
2015-02-04 00:11:19.856 Walker[43201:381190] Error: This user is not allowed to perform the update operation on _User. You can change this setting in the Data Browser. (Code: 119, Version: 1.5.0)
This is despite the current user having read / write permissions to itself:
If I enable public 'Updates' for the User class again this problem goes away?
Is there any way I can enable updates on the current user without enabling public access?
I ended up getting the following answer from Hector Ramos on the Parse Google Group ( https://groups.google.com/d/msg/parse-developers/JFMrXheHgdo/1dw_6dl1EmUJ )
In order to link a user to Facebook, the user object must be modified.
You'll need to turn on Updates for this class. Per-object ACLs cannot
increase the scope of permissions past what the class-level ACLs are
providing, as far as I know.
I took this to mean that I had to enable Updates for the class in order for any update to be made at all.
I still was a little concerns this could some how allow unauthorized updates to my user account (as this answer wasn't 100% clear). To be on the safe side, I also added a CloudCode before save hook which sets the users Access Control List (ACL) to only allow them access to this object (as per my apps requirements).
Parse.Cloud.beforeSave(Parse.User, function(request, response) {
// Set ACL for new User to only that user
request.object.setACL(new Parse.ACL(Parse.User.current()));
response.success();
});
Related
I'm using Sails with Passport for authentication. I'm using passport-google-oauth(OAuth2Strategy) and passport-facebook for enabling Google Sign-in.
I'm not too well-versed with Passport, so pardon me if this is a rookie question. I've set up login via Facebook and it works just fine. With Google, I do receive an authorization code after allowing access to the app, but the I'm eventually not authenticated. I'm guessing the same code should work for both Facebook and Google since the strategies are both based on oauth2.
I'm not even sure what code to share, since I'm using the auto-generated code from sails-generate-auth, but do let me know if there's anything else I can share.
Any ideas on why this might be happening? The app is locally hosted but that's unlikely to be the problem since I am getting to the authorization stage anyway.
I faced the same problem and it was located here in in api/services/passport.js:
// If the profile object contains a list of emails, grab the first one and
// add it to the user.
if (profile.hasOwnProperty('emails')) {
user.email = profile.emails[0].value;
}
// If the profile object contains a username, add it to the user.
if (profile.hasOwnProperty('username')) {
user.username = profile.username;
}
// If neither an email or a username was available in the profile, we don't
// have a way of identifying the user in the future. Throw an error and let
// whoever's next in the line take care of it.
if (!user.username && !user.email) {
return next(new Error('Neither a username nor email was available'));
}
The Google service was not returning a profile.username property.
Because of it, the user is not saved in the database and cannot be authenticated. Then the passport callback receives an empty user, so the function that handles errors is fired and the user is redirected to the login page.
This change allows to use the displayName property as the username:
// If the profile object contains a list of emails, grab the first one and
// add it to the user.
if (profile.hasOwnProperty('emails')) {
user.email = profile.emails[0].value;
}
// If the profile object contains a username, add it to the user.
if (profile.hasOwnProperty('username')) {
user.username = profile.username;
}
/** Content not generated BEGIN */
// If the username property was empty and the profile object
// contains a property "displayName", add it to the user.
if (!user.username && profile.hasOwnProperty('displayName')) {
console.log(profile); // <= Use it to check the content given by Google about the user
user.username = profile.displayName;
}
/** Content not generated END */
// If neither an email or a username was available in the profile, we don't
// have a way of identifying the user in the future. Throw an error and let
// whoever's next in the line take care of it.
if (!user.username && !user.email) {
return next(new Error('Neither a username nor email was available'));
}
You could also use the profile.id property because profile.displayName is not necessarily unique (ie: two Google accounts can have an identical displayName). But it is also true accross different services: a Twitter account could also have the same username than a Facebook account. If both register on your application, you will have a bug. This is a problem from the code generated by sails-generate-auth and you should adapt it with the behavior that you want.
I will propose a PR if this solution works for you too.
Alright, so this ultimately turned out to be a known issue with the API.
TL;DR: Enable the Google+ API and the Contacts API as mentioned here. (The Contacts API isn't required, as #AlexisN-o pointed out in the comments. My setup worked as desired with Contacts API disabled. This obviously depends on what scope you're using.)
I believe it's not a nice way of failing since this was an API error that was prevented from bubbling up. Anyway, I dug into passport.authenticate to figure out what was going wrong. This eventually calls the authenticate method defined in the package corresponding to the strategy (oauth2 in this case). In here (passport-google-oauth/lib/passport-google-oauth/oauth2.js) I found that the accessToken was indeed being fetched from Google, so things should be working. This indicated that there was a problem with the requests being made to the token urls. So I ventured a little further into passport-oauth2/lib/strategy.js and finally managed to log this error:
{ [InternalOAuthError: failed to fetch user profile]
name: 'InternalOAuthError',
message: 'failed to fetch user profile',
oauthError:
{ statusCode: 403,
data: '{
"error": {
"errors": [{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration.",
"extendedHelp": "https://console.developers.google.com"
}],
"code": 403,
"message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration."
}
}'
} }
This was the end of the hunt for me and the first result for the error search led to the correct answer. Weird fix though.
I would like to keep track of the amount of times that a user has logged into the application to either:
Remind them on their first visit to complete their profile
If profile is not complete, every X amount of visits remind user to complete
I'm not sure if the proper way to do this would be adding a key value to the users collection, or tie login to a new collection which counts up one each time a login occurs.
Is there a built in method to keep track of login successes?
Yup. You can even keep track of login failures.
From http://docs.meteor.com/#/full/accounts_onlogin:
Accounts.onLogin(function() {
// track successful login here. You can just use Meteor.user() to find out which user.
});
Accounts.onLoginFailure(function() {
// track failed login here.
});
There is even a "validate login attempt" method where you could potentially screen your users:
Accounts.validateLoginAttempt(func):
Accounts.validateLoginAttempt(function(loginInfo) {
// loginInfo.user returns a valid user object, if logged in successfully. Maybe tie this one to a collection, and do some checks etc.
// you can even use loginInfo.connection to see where the user has connected from (e.g. IP address.. perhaps)
return true; // return false if you want to 'bounce' this user.
});
Note: These can be done server-side only.
I think this is because Facebook just made some changes to their login process.
A few days ago, my air app was working with the FacebookDesktop class from the facebook-actionscript-api. Today I opened the project, and noticed that the Facebook login screens are a little different than when I started building my app. After I type my userID and password in, I grant the app access to my public profile, friend list and photos. Then another screen comes up where I grant the app permission to post to my friends on my behalf.
Then the window closes, and I get 'OAuthException 2500 An active access token must be used to query information about the current user.'
When I sign into Facebook through a browser, I see that my app shows up under "Your Apps" but I can't log in and do anything through my app.
I'm using Adobe Flash with GraphAPI_Desktop_1_8_1.swc on OSX Lion.
Here is my code:
public function MyApp(){
FacebookDesktop.init(APP_ID, onInit);
}
protected function onInit(result:Object, fail:Object):void {
if (result) {
trace("onInit, Logged In\n");
} else {
trace("onInit, Not Logged In\n");
var permissions:Array = ["publish_stream", "user_photos"];
FacebookDesktop.login(onLogin, permissions);
}
}
protected function onLogin(result:Object, fail:Object):void {
if (result) {
trace("Logged In as:");
trace(FacebookDesktop.getSession().user.name);
} else {
trace("Login Failed");
trace('code: '+fail.error.code); //code: 2500
trace('message: '+fail.error.message); //message: An active access token must be used to query information about the current user.
trace('type: '+fail.error.type); //type: OAuthException
}
}
I get the same results when I use the FlashDesktopExample provided in the SDK (modified with my app ID of course).
Any help would be great! Thanks in advance!
I ran into this problem, too: the success URL did not have any parameters.
Cadderly82 is correct; it's a problem with secure navigation. Turning off my Facebook account's "Secure Browsing" option fixed the problem, but I didn't want to have to require users to do that.
I was able to solve this by setting ALL of the FacebookURLDefaults values to use "https://".
Now I get a valid user-access-token in the success URL; and I get valid values regardless of my facebook account's secure-browsing setting.
I have figured out the problem:
The LoginWindow class sets the token based on the uri.
This worked fine until the LOGIN_SUCCESS_URL (http://www.facebook.com/connect/login_success.html) and the LOGIN_SUCCESS_SECUREURL (https://www.facebook.com/connect/login_success.html) pages stopped including the access token in the uri.
Hence, the token is never set. Even though my app shows up under the 'Your Apps' section in Facebook after I login, my app still can't do anything without a token.
I have two solutions:
The easiest is to change the LOGIN_SUCCESS_URL and/or the LOGIN_SUCCESS_SECUREURL properties in com.facebook.graph.core.FacebookURLDefaults like the following.
beginning on line 82:
public static var LOGIN_SUCCESS_URL:String = 'http://www.facebook.com/connect/login_success.html';
public static var LOGIN_SUCCESS_SECUREURL:String = 'https://www.facebook.com/connect/login_success.html';
Change to:
public static var LOGIN_SUCCESS_URL:String = 'http://www.yourwebsite.com/';
public static var LOGIN_SUCCESS_SECUREURL:String = 'https://www.yoursecurewebsite.com/';
of course you would use your own website - not 'http://www.yourwebsite.com/'. I tried it using http://localhost/ and it worked great.
Another solution is:
Change com.facebook.graph.windows.LoginWindow with the following code. I have made some changes to my files, so please forgive me if the line numbers are different than what they are in a fresh copy of the SDK.
around line 143:
change:
vars.redirect_uri = FacebookURLDefaults.LOGIN_SUCCESS_URL;
to:
vars.redirect_uri = 'http://localhost/';
In production code, you probably want to use your own website address instead of localhost, but I used localhost for testing purposes.
Then, in the handleLocationChange function (should be around line 168) add this to the else if statements:
}else if (html.location.indexOf ('http://localhost/') == 0) {
loginCallback(getURLVariables(), null);
userClosedWindow = false;
html.stage.nativeWindow.close();
html.removeEventListener(Event.LOCATION_CHANGE, handleLocationChange);
}
As I said before, change localhost to your website address.
I hope this helps!
I was having the same problem for random users and I don't really know if it is a Facebook problem with secure navigation:
Check user properties in Facebook: Security Settings > Secure Browsing
(www.facebook.com/settings?tab=security)
For users with "disabled" state it works fine.
For users with "migration" state it gives the error.
For users with previously "enabled" state it works fine.
When I tried with users in "migration" state and changed to "disabled", it worked fine.
Then if I turned it "enabled", the "migration" state is gone and marked as "enabled", but the error it's still there.
So I guess this is the problem, but don't know how to fix it.
alot has change in a year this is what i think the answer is now
you need a token to login FacebookDesktop.getSession().accessToken
public function MyApp(){FacebookDesktop.init(APP_ID, onInit, FacebookDesktop.getSession().accessToken); }
Using the Facebook API, you can get back the post ID of a Facebook share, even if the user has not authorized your app.
The post ID is prefixed by your user ID, and separated by an underscore.
FB.ui({
method: 'feed',
name: 'People Argue Just to Win',
link: 'http://www.nytimes.com/2011/...',
}, function( response ){
// Response gives you :
// { post_id: "[fbUserId]_346759642059572" }
});
To me it looks like Facebook is using this programmatically, rather than with the idea of providing us the userId out of the kindness of their hearts. But it's extremely tempting to use.
I'm a little rusty on permissions - if there is a way to get back all the users that have liked/shared a specific URL, and not just a count, then this should be okay.
But the question remains, is it acceptable to use?
EDIT:
Now that I think about it, you can access the user ID by making an anonymous call to https://graph.facebook.com/[postId] but ONLY if the post was made public.
If you get a response from FB, it means that you have already ask the user for the required permissions,
so yes you can use the data returned from Facebook as you like, but you always have to inform the users how you use those data.
You can only cache user data if you have permission or it is necessary for the function of your app. Using the like button you can subscribe to edge.create and cache the response from the like.
refer to: http://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/
II. Storing and Using Data You Receive From Us
You will only request the data you need to operate your application.
You may cache data you receive through use of the Facebook API in
order to improve your application’s user experience, but you should
try to keep the data up to date. This permission does not give you any
rights to such data.
in my app i store the id of every page or user that is viewed to speed up page load times and count page views. Seems with in the scope of Policy as long as i am not sharing the info with 3rd parties or making public what a user has set to non public.
I'm trying to integrate the scoring system in my canvas app with Facebook's, implemented using MVC 3 and the 5.2.1.0 Facebook SDK.
A simplified hello-world variant of my game controller looks like:
public class MyController : Controller
{
[CanvasAuthorize("publish_action" /*And some others*/)]
public ActionResult Index()
{
var fb = new FacebookWebClient();
var scores = fb.Get("/me/scores"); // Works (I think)
fb.Post("/me/scores", new { score = 10 }); // Throws an exception
}
}
The call to get scores looks like it's giving me something sensible; the call to write a score value throws "(OAuthException) (#15) This method must be called with an app access_token."
What've I missed? The application id and secret are correctly set in my web.config - for example, I can successfully post an application apprequest in other parts of the actual application not shown in this stripped down test copy. Rummaging around with the debugger shows me that the FacebookWebClient object contains a non-empty access token field, and that that's included in the URI that fb.Post eventually uses.
The Facebook scores page (that Björn links to) mentions only publish_actions but I've tried including other pertinent sounding permissions, such as offline_access and user_games_activity to no effect.
I am assuming that the CanvasAuthorize attribute does the login correctly - it certainly seems to let me send an application apprequest, so it looks as if it's doing the right thing...
Your app needs the permission to write to the users profile. You can use the Graph API to request the required permissions from the user. If granted, Facebook will give you the required access token that you can then use in your request to Facebook. This practice ensures that you only perform actions, the user allowed you to.
Edit_: After looking at the docs: Are you sure you have the required permissions from the user like described here http://developers.facebook.com/docs/score/ ?
Please see this link. You'll need to get an facebook app. Using the apiId and SecretId, you can then post using the information in the link below. The key is adding &scope=manage_pages,offline_access,publish_stream to the url.
like so:
"https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&grant_type=client_credentials&scope=manage_pages,offline_access,publish_stream";