I have a GWT project, using Activities and Places. My problem is with history token.
Pattern of my token :
#/{key 1}/{value 1}/{key 2}/{value 2}
Value 1 must be Number
Value 2 must be Number
the valid token is :
#/view/1/date/123123123123
I decided to validate the token and then the problem appears.
In example, if the user change manually the token :
#/view/qqweqweqwedate/date/123123123123
In this case Value 1 is not a Number. I catch this exception and fix the token with the default value. The problem is that the invalid token is in the history and when I click "Back" button on the browser it appears again .
Could someone tell me how to remove the invalid token from the history or don't allow it to be written in the history ?
Once you set a new hash (new token in GWT), it is stored in the browser history stack.
You cannot remove tokens from the browser history, so the most you can do is to handle this event with code. I mean, when the user clicks back, the malformed token will be visited, and you can be notified doing whatever you want: to fix the token again and bring the user to the correct token, or to call History.back() so as the user is sent to the previous token.
The problem I see is whether to know when the user comes from the already fixed token screen to send it back.
In theory, you could use event.oldURL and event.newURL using javascript, but those attributes are not exposed in GWT, so you should implement them by hand using jsni.
Related
I am trying to connect to Paypal to get a users consent to access their paypal payment history. The end goal would be to download payments received at the end of the day and take the info and dump it into a local database.
https://developer.paypal.com/webapps/developer/docs/api/#obtain-users-consent
<Cfset returnlink="http://www.xxxxxx.com/paypal/paypalreturn.cfm">
<cfset paypalLink="https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize">
<Cfset paypallink="#paypallink#?client_id=#settingsLive.clientid#">
<Cfset paypallink="#paypallink#&redirect_uri=#urlencodedformat(returnlink)#">
<Cfset paypallink="#paypallink#&response_type=code">
<Cfset paypallink="#paypallink#&scope=profile+email+address+phone+https%3A%2F%2Furi.paypal.com%2Fservices%2Fpaypalattributes">
<cfset paypalLink="#paypallink#&nonce=#createUUID()#">
<cfset paypalLink="#paypallink#&state=create">
Login with paypal
Clicking on the link below returns:
Relying Party Validation error: redirect_uri provided in the request
does not match with the registered redirect_uri. Please check the
request.
I have logged into the Rest API, modified my app and made sure the redirect uri's for the test and live return link match that listed above. I have also made sure that the accept logins options are checked.
I have also tried the same code against their sandbox URL:
https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize
and instead of receiving the validation error, I get a page cannot be displayed.
I've tried every combination of things that I could think of
1) removing 1 cfset statement at a time to isolate a bad variable
2) making sure the return uri was a https vs http
3) switching to sandbox mode url and back
I've connected to other oauth2 api's in the past, but can't figure this one out.
This has changed a bit, and will presumably change again soon... but here's how you do this now.
Log into developer.paypal.com
Click on Dashboard (https://developer.paypal.com/developer/applications)
Click your app name under "Rest API Apps"
Scroll to the box at the bottom of the screen labeled "Sandbox (or Live) App Settings
Set the Return URL (Where users will be redirected after test transactions)
Click save
NOTE
This Return URL must exactly match the redirect_uri that you pass in via querystring (so it's confusing as to why you'd need to pass it in in the first place)
GOTCHA
At this point in time, the Return URL can seemingly never be updated. In my recent experience, if you don't type it correctly the first time you save it, you will have to create a new app.
The only time I have seen this error is when your redirect_uri does not match the one set in your applications profile.
You need to set this value inside of your app on the developer website.
Log into developer.paypal.com
Click Applications
Under My Rest Apps click your App name
Click Edit next to App redirect URLs
Set the return URLs for live or test
Save
I am also unable to get sandbox to work for my Log In with PayPal tests so it is not just you.
As of now (October 2015), the Dashboard Return URL should correspond to the redirect_uri. You can obtain the redirect_uri parameter in Firefox, by downloading the HTTPFox browser plugin. Then you start HTTPFox, point your browser to the OmniAuth login link, and view the scParams in the query string in the bottom-most link in the HTTPFox history to obtain the redirect_uri.
You have to literally make sure the Return URL is the exact same sequence of characters as the input redirect_uri. For example, if one points to "localhost" and the other to "127.0.0.1", it won't recognize the redirect_uri value as the same. It also won't recognize redirect_uri if only one of the redirect_uri values has a final slash.
Yes, the return URL was able to be updated in my experience.
I've created a page on Facebook without creating an account. This means that a default account is created with the page_id the same as the account_id.
When I try and perform a graph call to the tabs on the page:
/<page_id>/tabs?auth_token=<auth token>
I get an empty "data" representation:
{
"data": [
]
}
Even though there are application tabs installed.
Add the tab_id makes no difference, I get the same response.
I'm guessing the page is getting confused as the account but I cannot find any way to distinguish the difference between the account and the page.
Does anyone know if it is possible to retrieve the page information another way?
Double-check that the access token you're using is the Page Access Token - this is the most likely reason this will fail to return an answer
I am authotizing my app in the following way:
// authorize app!
$('#authApp').click(function(){
var oauth_url = 'https://www.facebook.com/dialog/oauth/';
oauth_url += '?client_id=#{app.id}';
oauth_url += '&redirect_uri=' + encodeURIComponent('https://www.facebook.com/pages/null/#{fbPageId()}/?sk=app_#{app.id}');
oauth_url += '&scope=user_likes,user_photos';
oauth_url += '&app_data=7B%27game%27%3A+%27key%27%7D';
oauth_url += '&state=sbSbsbSb';
As you can see I am setting the 'state' param as part of the query string.
Now when the user authorizes the app he is redirected to the redirect url.
However the data passed in the state parameter is not posted to my app nor is it part of my app's iframe query string. I was expecting to find it as part of the signed request, but no. This is the deserialized signed request posted back after authorisation
{ algorithm: 'HMAC-SHA256',
expires: 1348927200,
issued_at: 1348921162,
oauth_token: 'AAA...',
page: { id: '490...', liked: true, admin: false },
user: { country: 'ec', locale: 'en_US', age: { min: 21 } },
user_id: '1...' }
I do see that the state is included of the parent page's query string. I need to access that parameter from my app (running inside an iframe). I believe that I cannot just access the parent page's window location because of same origin policy restrictions.
I have read through the documentation and searched online. Persisting data across an app authotization needs to be done using the state parameter. However it is nowhere stated how to retrieve that state param once redirected back to your app.
This is from the facebook doc's regarding the state param:
A unique string used to maintain application state between the request
and callback. When Facebook redirects the user back to your
redirect_uri, this parameter's value will be included in the response.
You should use this to protect against Cross-Site Request Forgery.
Am I supposed to get the state data back from the parent's page query string?
Or am I doing something wrong?
* EDIT *
I am storing the user to user request Id in the state parameter. For example A invites B to participate in the app via a facebook request. Once B authorises the app A needs to be rewarded. So I need to know that B came to the app following A's invitation. Therefore I store the requestId in the state param, so once B has authorised the app I can take appropriate action.
* EDIT 2 (SOLUTION) **
If your redirect_uri is pointing to the Page Tab URL then facebook will NOT send back the state parameter! It will only be sent back if you redirect to the Canvas URL !!!!!
The Facebook documentation you referenced is a bit confusing. The only thing you should be doing with the state parameter is making sure you are not a victim of CSRF. Facebook's server side authentication flow gives an example of this in PHP. In short, you should be storing the state value in the session and then verifying that the session value is the same as what Facebook passes back to you in the request. The key line in their PHP example is:
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
// Continue with application logic here because state matches.
// Otherwise, exit immediately because you're a victim of CSRF!
So back to your problem. From your redirect URL and the response you are getting, it's obvious your app is on a Facebook Page Tab. See the authentication flow for page tabs for how you should be doing this. Note they are not using the state parameter in step 2 and that the state parameter is never mentioned in page tab authentication flow. So even if you wanted to use the state parameter for something other than its intended use, you are out of luck.
Based on your edits, I suggest you check out the documentation on requests. Note that the user clicking on the request will be redirected to your canvas app, not the page tab. "The canvas URL will also contain an additional GET parameter request_ids, which is a comma delimited list delimited list of Request IDs that a user is trying to act upon." So there is no need for you to be trying to do this yourself.
Am I supposed to get the state data back from the parent's page query string?
No, not when authenticating within a canvas/page tab app. The only query string parameter that gets passed to your app in this scenario is the content of the app_data parameter.
But you don’t need the state parameter in this scenario – verifying the signed_request is absolutely sufficient, because it’s signed with your app secret, that only you and Facebook know. So that is enough protection against “manipulated” requests right there already.
See https://developers.facebook.com/docs/authentication/canvas/ resp. https://developers.facebook.com/docs/authentication/pagetab/ for more details. (And see how they do not mention the state parameter at all.)
Edit:
I am storing the user to user request Id in the state parameter. For example A invites B to participate in the app via a facebook request. Once B authorises the app A needs to be rewarded. So I need to know that B came to the app following A's invitation. Therefore I store the requestId in the state param, so once B has authorised the app I can take appropriate action.
That’s a misuse of the state parameter … it’s supposed to achieve something completely different (CSRF protection, as the docs say).
While this might work in your scenario – why are you not using the app_data parameter to transmit this piece of information? That’s the designated way of transferring info to canvas/page tab apps.
I am using the PHP SDK getLoginUrl() function which works perfectly to log the user in. Once the user is redirected back to my page, the URL can come in two forms, see in the following link subsection 3: http://developers.facebook.com/docs/authentication/server-side/
Part of the return URL is a ?state= value. This value is supposed to be used to prevent Cross Site Request Forgery: http://developers.facebook.com/docs/reference/dialogs/oauth/
Though, using the getLoginUrl() method I can never set a state value as it is not one of the parameters: http://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/
So how can I utilize the state-value to log a user into facebook and prevent CSRF?
So how can I utilize the state-value to log a user into facebook and prevent CSRF?
This is being automatically handled by the Facebook PHP SDK. If you were about to write your own API calls to Facebook, you would need to submit the state manually (if desired) as per Facebook's OAuth documentation.
When you create a login url with BaseFacebook::getLoginUrl(), the first thing the function does is to establish CSRF token state1, which creates a hash using PHP's core mt_rand(), uniqid() and md5() functions and also stores the value as a session variable.
When the user gets redirected back to your page the, FBSDK checks if the submitted state matches the state value in the session. If the values indeed match, the state is cleared from the Facebook object and from the session, so all subsequent getLoginUrl() requests would get a new state variable.2
Theoretically you could use your own state value with FBSDK by writing it to fb_<your_app_id>_state session variable before constructing the Facebook-object, as the BaseFacebook's constructor and establishCSRFTokenState() both check if the state already exists in the session.
But that would probably introduce more complexity than is necessary.
see BaseFacebook::establishCSRFTokenState()
see BaseFacebook::getCode()
So I have a page, and am trying to create an app that determines whether or not a user is an admin of that page. The documentation states to use page_id/admins/user_id, which I am. However, it keeps throwing the error "Subject is not a page," which is obviously is, and even when I get just the page, it's type is set to "page." Why am I getting this error, and how would I fix it?
You should use the Page access token when making this call - see https://developers.facebook.com/docs/reference/api/page/#page_access_tokens
The "subject" in this case is the page so you should use that access token.