I am using this method to login with google plus, It's working properly, I need email of user in callback but this method in return did not give email address. what should I do for email, is their any other method which return email or we can get user email using access token?
You need to add an additional scope to the request. Email-providing scopes have recently changed, with older ones being deprecated. The full list is at https://developers.google.com/+/api/oauth#email-scopes, but you can probably safely just use the email scope in addition to the https://www.googleapis.com/auth/plus.login scope. Scopes are specified by listing them with a space between each one, so your button configuration might look something like this:
<span id="signinButton">
<span
class="g-signin"
data-callback="signinCallback"
data-clientid="CLIENT_ID"
data-cookiepolicy="single_host_origin"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/plus.login email">
</span>
</span>
You would use the people.get API to access the full profile of the user, which would include the emails array. Each element of the array contains the type of the address (home, work, etc) and the address itself. The email scope just lists the address directly associated with the account, while other scopes provide other publicly available addresses, so they may not provide further information.
Note that the older userinfo.* scopes are deprecated and may stop working in September 2014. See https://developers.google.com/+/api/auth-migration#timetable for details.
Update: To be clear - the sign-in button does not give you the email itself. It requests permission to get the email address and user profile information. What it gives you is an access token that you can use for further requests.
As both #DalmTo and I have pointed out, in order to actually get the information, you need to call the API endpoint of people.get. Go to this page and go to the Examples section and select JavaScript from the pull down for an example. You will also need to load the javascript client library: see https://developers.google.com/api-client-library/javascript/samples/samples for some examples, but in particular you will need a line like
<script src="https://apis.google.com/js/client.js?onload=onLoad"></script>
which loads the client library (and calls the onLoad() function when it has been loaded) and then something like
<script>
function onLoad(){
gapi.client.load('plus', 'v1', onClientLoad);
}
</script>
The onClientLoad() callback will be called when the client is loaded, and should set a marker to indicate things are set to make the call. Then, as part of the signinCallback() function, you would make sure this marker is set (indicating the client library is ready) and use the gapi.client.plus.people.get() method to make the request. Possibly something like this as part of the signed in block:
gapi.client.plus.people.get({
'userId': 'me'
}).execute(function(response){
console.log(response);
});
This does a call to people.get, requesting the profile of a particular user. The special userid of "me" indicates it should be for the user that is signed in. Calling execute() with a callback function executes the request, returning a response object. In this example, we're just printing it, but it will be a JSON object containing the user's profile.
You need to add another scope https://www.googleapis.com/auth/userinfo.email it should let you request the email address then using plus.people.get
<span id="signinButton">
<span
class="g-signin"
data-callback="signinCallback"
data-clientid="CLIENT_ID"
data-cookiepolicy="single_host_origin"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/plus.login,https://www.googleapis.com/auth/userinfo.email">
</span>
</span>
you can test the API here: plus.people.get
Note: a user can have more then one email you probably want the one with type account
Related
I'm using Yousign on my onboarding process to make my users sign a contract before accessing my application.
To achieve that:
On the YouSign UI, I manually create a new procedure from a template and copy the signature link (I get a URL like https://staging-app.yousign.com/procedure/sign?members=/members/a8xxxxxx)
I copy that link on my user account
When the user logs in, I open a modal and display the signature procedure in an iframe
When the users has signed on the iframe, I redirect him to a webpage where I trigger an event that closes the modal
At that stage, when the modal closes I'd like to check through a backend API call to YouSign API if the procedure has been fully signed.
But I can't find anything to do that in the API.
It seems I could use the GET /procedures/xxx method, but the Signature link does not contain any procedureID, only members IDs.
And there is no GET /members/xxx method, so I can't retrieve any procedure from there.
The use case of checking if a document has been signed seems pretty common for a e-signature API so I'm probably missing an obvious solution.
I'm trying to implement facebook login/autoregister for a website. There is a problem with the requested scopes.
First I have tried to use the "default" scope. According to the official documentation, it provides access to a subset of the UserData structure. It is documented here:
https://developers.facebook.com/docs/facebook-login/permissions/#reference-default
However, if I try to do this, then I get an error:
Invalid scope: default
I have also tried to use something basic first. For example, scope="id". Then I get this error:
Invalid scope: id
If I try scope="email first_name last_name middle_name name picture" then:
Invalid scope: first_name
The only that worked so far is scope="email", but that is not enough for auto registration.
Moreover, the documentations cleary says that "All permissions, except the Default Public Profile fields, require Facebook Login and Client OAuth Login enabled for your app to allow Users or Pages to grant your app these permissions." (you can read this on the top of https://developers.facebook.com/docs/facebook-login/permissions/ ). So it seems that the scopes are not invalid because I don't have Facebook Login enabled for my app. They are invalid for some other reason - maybe because the don't exist?
I wonder why are these scopes documented if they are invalid? And where can I find the valid ones?
Side note: it seems that Facebook does not follow RFC 6749. When there is an error, the Oauth2 server (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 more specifically 4.1.2.1 error response ). But Facebook does not do this. It displays a popup window on facebook.com instead, and if I press "OK" on that window, it enters an infinite loop and keeps displaying the same message again and again: "You are no logged in". (Why would I?)
UPDATE: Even though I used scope=email only, the /me api returned all fields, including first_name, last_name, email, and profile picture. So maybe those things are not scopes, but field names. But it is still unclear what scopes are available? The documentation still seems bad. It should clearly tell which terms are scopes, which are field names from data structures. And a complete list of scopes is still missing from the docs (or maybe there is a list, just I couldn't find it?)
The docs are indeed a bit misleading, but "default" is not a permission/scope, it just tells you want data you can get WITHOUT an additional permission. You can find the available permissions in the link of your question, if you just scroll to the top. Only that list is important, for the default fields there is a link "Default Public Profile Fields", but - again - no scope/permission is needed.
And yes, there is a big difference between scope and fields. For example, the email field can be used after authorizing with the email scope, but the birthday field requires authorization with the user_birthday permission. Fields can be found here, for example: https://developers.facebook.com/docs/graph-api/reference/v3.1/user
In golang, is there a way to pipe a variable to part of a web form?
For example, sending "123 Random St." to the Street address part of https://www.dominos.com/en/pages/order/#/locations/search/ and so on? I found pizza_party*, but the GUI used is no longer available, I have also found pizzadash**, but this uses a credit card where I want to use cash. I even found a list of golang ones, but the links that they use doesn't work anymore.***
Therefore, my goal is so: order a pizza in golang through the dominos website API!
NOTE: Please suggest a package or function with example!
NOTE: I do not want to make a web scraper/data getter.
NOTE: Your answer must work on at least one box of my linked website.
NOTE: I want to fill out links similar to the provided link from the linux command line.
*https://github.com/coryarcangel/Pizza-Party-0.1.b
**https://github.com/bhberson/pizzadash
***https://golanglibs.com/top?q=pizza
This is how you post any form values onto an online form. Provided you know the POST endpoint of the service.
func main():
resp, err := http.PostForm(targetPostUrlHere,
url.Values{"Service_Type": {"Delivery"},
"Address_Type_Select": {"House"},
"Street": {"123 E 24th St"},
"Address_Line_2": {"4D"},
"City": {"New York"},
"Region": {"NY"},
"Postal_Code": {"10027"}})
}
**Note: The field keys and values are guesstimates. You must inspect the actual key names expected in the form.
In your case, https://www.dominos.com/en/pages/order/ is an endpoint for the form page. Once the form is filled and submitted, the information is submitted using POST method akin to the code afore-mentioned to a dedicated CREATE endpoint (C in the CRUD), which normally can be found in the <form> html tag.
<form action="posttargetendpoint" method="POST">...</form>
Once the POST operation is successful, usually a web service would redirect you to another page. In your case, it is https://www.dominos.com/en/pages/order/#/section/Food/category/AllEntrees/
However, any good web service wouldn't expose the POST endpoint in the clear since it is the vulnerable point of attack. You're welcome to find out by inspect he Domino's page source and adjust the field values in the Go code accordingly.
Now to make a command line prompt to wrap around the PostForm code, I suggest you look into https://github.com/codegangsta/cli which is a very nice package for creating quick command line app.
I assume you mean pipe information originating from your backend to another site on behalf of a user?
The standard way of passing information between domains is via HTTP params, usually via a GET request, but this capability would need to be supported by established protocols the remote site. You can also use an iframe to embed the page of another site onto your page, however, you wouldn't be able to remotely interact, call JS code, or even query the page at all. Cross-domain security safeguards justifiably prohibit such capability, and generally speaking, interacting on behalf of the user via their browser is also restricted for security reasons.
However, if you're looking to emulate user behavior such as with a bot or web scraper from your own host or browser then that's a different story. There are tons of frameworks provide rich capability for interacting with a page. I'd recommend checking out Selenium, which acts as a virtual browser. There are also tons of libraries in Python for processing data from HTML and structured data. You might want to check out Beatiful Soup and Scrapy.
Hope this helps.
I am reading over Creating an efficient REST API and I understand and agree with a lot of what the document has to say.
I'm currently implementing a Twitter clone and each tweet object in the database has a list of readers (user IDs).
According to the document, it seems like the request for this would be something like:
PATCH /tweet
{read: true}
However read is not an actual property of the tweet. Instead this would actually update the list of readers on the tweet with the currently authenticated user. Is this correct?
This also means that the user could potentially perform other operations on the tweet using this same API route, but users cannot actually update/PATCH tweets in any way other than to mark them as read or not.
Additionally, only an authenticated user should be able to do this and it should only update the list of readers for them. The document says that you should not handle state in your API which means no sessions -- however authentication is obviously necessary. It seems to say that you should send the authentication/authorization token each time, but I don't understand how this is substantially different from a session cookie in some cases. Is the implication that the request should actually be:
PATCH /tweet
<Authentication-Header>
{userId: userId, read: true}
i.e. should the API itself not try to use information from the session and force requests to provide logged-in user information? Is there a better way to structure this?
Depends on what level of authentication is necessary.
Keep it simple. No need to complicate things.
Do you really need a "state"? You have a database where you have to check the user authentication. Why not use the database record?
If the API will be used by the client on their web server, then you just have to check the IP address of the request.
The IP address cannot be spoofed and therefore is a very good authentication factor. Add username and you have multi-factor authentication
Instruction for client using PHP
$user = 'joe';
$param = 1;
file_get_contents("http://apisite.com/api/function/?id=$user¶m=$param");
An HTML form, maybe you'd have to restrict access but if they name name the page something not easy to guess, then you have it.:
<form action="http://apisite.com/api/function/">
<input type="textarea" name="tweet"/>
<input type="hidden" name="user" value="joe" />
<input type="hidden" name="param" value="1" />
</form>
If the API were to be done in PHP:
PHP
<?php
header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: max-age=0');
$ip = $_SERVER['REMOTE_ADDR'];
$results = mysqli_query("SELECT COUNT(*),`user`,`state` FROM `Profile` WHERE `ip` LIKE '$ip' ");
$row = mysql_fetch_array($results, MYSQL_NUM);
if ($row[0] == 1 && $row[1]==$_GET['user']) && $row[2]==1){
$tweet = trim($_GET['tweet']);
$param = $_GET['param'];
include('tweet.php');
echo "Sent\n";
}
else{
echo "Not Sent\n";
}
?>
The problem with using cookies is that you are moving state outside of the URI and into the cookie.
RESTful APIs should have all the state necessary in the URI. Believe it or not but this does make things a lot easier as you don't have to mess around with handling cookies if you are creating a new client library.
Not using cookies also makes for really nice integration with other devices. Say I am viewing a RESTful webpage on my browser, and then I want to show someone something on my account. I can email them the URI /some-uri?authToken=1234 and they will be able to view my account without me giving them my password!!
Once the token expires, they will no longer be able to access the account.
EDIT
If you put the token in the POST body, a user won't be able to visit a page by typing in the address bar. They will keep being told they are not authorised. So yes, you need it in the URI. You can use a cookie if you really want, but except that it is a workaround.
You'd get the login token by exposing a login resource. To login you would send your username and password to:
POST /login
This would create a /login/{token} resource. You can use this token (or even the full URI if you want) to authenticate with the server.
When you want to log out, you call
`DELETE /login/{token}`
If you try to use the token now, the API should return with 'not authenticated' as the token no longer exists.
I'm developing a basic recruitment-type website.
I have an "Apply" CustomForm attached with a contenttype("Job"), but I can't get access fields outside of the CustomForm widget. I'm trying to add the reference number or the url to the email within the workflow. Orchard shows {Content.Fields.Input-Reference} token, but it returns no value when used.
Should I overwrite the handler when the form is created or how can I access fields of other zones?
As far as I understand the question, you don't actually need to add a custom token to your module. Custom Forms module takes care of that for you and adds the tokens for fields itself. You just need to use them in the email module.
Just look for a tokens named like this:
Content.Fields.[FormContentTypeName].[FieldName]
Not that the tasks of adding custom tokens to the system and accessing them inside the workflow are particularly hard, mind you.