So I know there's plenty of SoundCloud documentation on creating custom players -- as well as streaming private sounds with their own player.
But I can't find a definitive answer to:
Can I stream private tracks through my own custom player using the API -- but WITHOUT requiring any SoundCloud login authentication?
--
Or in bullet form, I want to know if i can:
stream Soundcloud hosted tracks
these tracks must be private and NOT publicly available on SoundCloud
the player must be completely of our own design
no SoundCloud login is required for anyone to listen to these tracks
--
I realize this would just make SoundCloud into a music hosting service, so just wondering if anyone has done this.
in theory, yes, you can do that.
first you'll need to gain access token for the users who has uploaded these private tracks. (this should happen on server side)
after that, you will impersonate every visitor on the site as this default user, and he will have access to the tracks.
but, this is not a good practice.
you need to be worried about is that you need to hide this token pretty good, so the visitors can't abuse it.
my suggestion is to create a server code that will do all the job related to access token (getting tracks, getting tracks streams etc), and in client side just show the final results. this way, you'll keep your access token safe.
Related
I'm creating a service that needs to get all the public posts of a set of facebook users in real-time. The size of the set is variable and might grow a lot, let's say up to 500. All those users know me and are willing to authorize me (somehow) to read their data.
I've done something similar with twitter, it was really easy, I just followed all the users in the set, and used the streaming APIs to listen to updates on my twitter account.
I'm trying to do the same for facebook but the documentation confuses me and I can't understand the best way to do it. I don't think I can do it with just one subscription to the real-time APIs using my facebook account. I think that I might need to obtain a long-term access token for each user in the set, and then make a real-time API subscription for each of them. Is this the way to go? It seems over complicated to me.
To clarify things, I only need to read public posts, but I need to read them all, not just those that facebook think I might be interested in. I do not need to do anything on behalf of the users. The service will be always running and need to receive posts as soon as they are created, polling is not an option.
We're developing a social game on Facebook from which players can share posts on their wall. Now we want to reward them for that with in-game currency.
Of course, this should not provide an opening for hackers to generate infinite funds, but since the posting happens entirely client side, they could so by repeatedly telling our server "I have posted", though they haven't. Unless we add countermeasures.
Can our server check with Facebook whether a post was really made?
Can we attach data to a wallpost, like a cryptographic signature generated by our server?
If not, we need to limit the currency a hacker can acquire with some kind of flood control. Tips there?
We're developing a social game on Facebook from which players can share posts on their wall. Now we want to reward them for that with in-game currency.
I think that’d be a violoation of Facebook Platform Policies:
IV. Application Integration Points
You must not incentivize users to use (or gate content behind the use of) Facebook social channels, or imply that an incentive is directly tied to the use of our channels.
The callback you get after using the Feed Dialog will return to you a post_id. You can store that post_id in your database along with a flag indicating that you have already rewarded the user for that specific post. This way you can "reward" users once per post by testing the existence of that post_id + flag in your database.
I want to create an iPhone app that displays (among other things) a specific Facebook wall. For a good user experience I didn't want an app that required the user to have a Facebook account and I didn't want to force the user to have to log in to Facebook to see the latest "news" in the app. I started out by getting the wall RSS feed and tried parsing it ... I can "see" all the data I need ... but that is getting complicated quickly and has too many variables that are making the final results less than stellar. I have read through the Facebook iOS programming tutorials and it seems to me like the SDK forces the user log in, which I don't like.
My question ... Is there a way to use the Facebook SDK with hard coded profile credentials to access a specific wall without forcing the user to login? If possible, is that a recommended approach? Any other ways to skin this cat?
I have read through the Facebook tutorial and searched through many postings on this site but haven't found an answer to this ... sorry if this a newbie question and has already been answered.
Item I.2. of the Facebook API policy list says
You must not include functionality that proxies, requests or collects
Facebook usernames or passwords.
It sounds to me like that's what you're proposing to do; i.e., the user will be able to see a certain wall, but using hard coded credentials (not their own). In other words, your credentials are proxying for the user.
I do not know if it is technically possible to do this (I imagine it is) but I don't think it's a good idea, and I do think it's a violation of the Facebook API terms of service.
First you need to get the a access_token by parsing your app id and secret.
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET
Then send following request to get the data you want. Note that only public data will be accessible.
https://graph.facebook.com/FACEBOOK_USER_ID/?access_token=ACCESS_TOKEN
I am building a facebook game using ASP.Net MVC3. (More like Mafia Wars and less like Farmville in terms of technology and look and feel).
Almost all of the actions of the game will be triggered by Javascript (which calls a REST api) that we have written.
Now, our game authentication is done using Facebook's JS SDK and we also ask for offline access permission. So we save the auth_token in our DB the first time a user signs up.
I want to know what would be the best way to access the id of the user for operations performed within the application from the point of view of security (and making it hard for people to spoof ids)
I know of the following ways:
Store it in a Global javascript variable and load it on every page load using the JS SDK. (bad idea because this can easily be changed in Firebug)
Read the value from server side using the fbs_[app-id] cookie that is set. (again, I was able to change the value in the cookie which got posted to the server)
Use the C# SDK and do an API fetch (for /me) to get the ID using the auth_code which is supplied in the cookie (by far the safest way - but also the slowest)
Any pointers would be greatly appreciated.
Also please let me know if I am getting excessively paranoid about this.
I am sure there must be a clean, simple, secure method which I have overlooked!
Thanks.
I guess I'll just put down what we are doing - incase someone stumbles upon this later.
I checked out Zynga's Mafia Wars and found my facebook id peppered at almost 6 to 7 places throughout the page in the HTML code.
I guess one could try fooling around and modifying it using Firebug - but the quantity of obfuscated javascript out there, one would need to be decently motivated to do it.
However, what we have ended up doing is follows.
Our game asks for offline access to the user - so the access token that we get in the first login, is saved in our DB.
Then everytime the user performs an action, the facebook cookie associated with the account is returned to us out of which we pull out the access token.
We then do a lookup on our own DB for the user id corresponding to this access token.
If the user id is not found (for a new user, say), we do a GET("me") using the facebook api to get the user id.
It is slightly ineffective - but I guess will do for the time being. Will update this if we end up doing something else. Maybe we just are over analysing things.
I'm working on an API that will aggregate data from several website, including facebook. The API has an engine that harvests data on regular intervals, and then the client app polls the API to get the data from all websites centrally.
The problem is that the API has no way of authenticating on the regular, behind-the-scenes harvests, as Facebook insists that the user has to click on the OAuth Dialog. With the short story being that there is no way to login to graph API silently this almost means that developing such an API is not possible (except for harvesting only public data).
However, I'm not easily satisfied by "it's not possible" answers and my clients - even less so. Accessing private information on demmand is defnitely possible as Facebook apps do that. For example, the official Twitter app posts on my wall whenever I tweet. I guess apps only need a permission once and then can access the user's profile as much as they like.
So this leads me to think that I should do a combination of a Graph API client and an application that talk to each other, and whenever the API needs to harvest - it asks the app to get the data and fetch it to the API. Or maybe it should be a push model (the app sends the data whenever it's generated) rather than pull (the API requests the data at regular intervals).
Am I on the right track? Is any of these the correct design approach?
I did some searching but it's very hard to find any useful discussion on the topic as whatever keywords I try I only find "Can I login silently? No" type of discussions.
You'll want to look into the offline_access permission. This lets you access a user's data when they don't have an active session, or are offline. That's as close to "silent login" as you can get.