rails beta request signup with social media sharing reward - facebook

I would like to build a simple beta request signup page where the user is rewarded with an earlier reward when he is sharing the link to the application as much as possible.
A solution like this is seeable on
trenvy.com
User enters email
User gets unique link with his unique code
User shares this link on every signup its a +1 count on him
An admin method throws out the users emails which have shared the link and brought the most people in. I want to use this email list to use in CampaignMonitor.
Anyone knows what could be a good way to achieve this? Or someone wrote such a thing or knows a git repo that has this feature implemented as is to take a look at and learn?
I have already coded a unique code generator for the app that makes unique codes of 10 chars.
Now only this social media sharing is a bit unclear to me on how to approach this in rails, any ideas on that? thx!

Something like this can be achieved pretty easily in any framework, so I think I'll provide a general answer first, and if any specific gems occur to me, I'll mention them:
1) The unique code part is easy, it's just a parameter in a controller that checks the validity of the code — this would be a unique code that's added to the user model for ease of verification and created when the user first enters his email address.
2) Every time the link is visited, it's parsed by the controller and saves an event (don't just increment a field if you want maximum data out of the interaction, you could save IP for country of origin, time of the page hit, etc), just count the click events for that user for his +1s
3) Just write a quick admin site (i used twitter bootstrap for this recently) that lets you see the user's who've interacted with the system and sort by shares, and you can use the createsend gem to add them to whatever list you like.
There are no specific gems I can think of that'll speed this process up, Devise is overkill, you don't really need an activity monitor gem since you're not storing much info, definitely twitter_bootstrap for speeding up building the admin interface. Heroku lets you add an Sendgrid as a plugin, so you're covered there for mail sending.
Am i missing anything in your requirements? Seriously though this should be a 2-4 day dev effort, nothing fancy here.

Related

Facebook Developer Account always disabled after couple of days of using Messenger API

This is not exactly a programming related question but it is closely related to developing so I think it is pertinent.
I´ve been charged in my work with developing an app with access to Facebook Messenger. I needed a Facebook Account and I didn´t want to use a personal one (and I don´t use Facebook anyway) so I created a new gmail account to use it to sign up in Facebook, as user and as a developer.
After a couple of days of work, having created the page, my webhook, done some tests, etc., and investing a good deal of work hours, my account appeared as disabled.
I have to admit a didn´t use much of real info on this account (I´m kind of allergic to disclosing personal information unless mandatory), and the account was new so I thought that maybe that was the reason (they don´t give you any).
So I tried again a second time with an account I had been using for years (just for logging in some sites, not much of real information there neither, as I say I don´t really use Facebook), and after a couple of days, same results, locked account.
I can´t stress enough I don´t use the API extensively, I just send some messages to another user I have added as one of the application developers so I can test (that other account is never blocked, by the way). It´s not like I am sending hundreds of messages or anything like it. And by the way, I have never been blocked while I was doing something (so I could indentify my wrongdoing). It just happened that at some point when I was going back to work (first hour in the morning, or after lunch for example) I tried to log in again and then I got the warning.
So I have tried a third time, this time I have given all my real information, reluctantly uploaded a personal picture, given all my data to Facebook (yikes!).
And after a couple of days: damn, same result. Blocked account. Work lost. They prompt you to upload a picture to check your Id, but to no avail (no answer yet, not even a notice of any kind) and they don´t give you absolutely any reason why the have blocked you.
And if I go to https://facebook.com/help/contact/260749603972907 to fill the form where they ask you to upload an ID then it says that the email doesn´t belong to a disabled account!
What is the unusual activity they have detected? What have I done wrong? Has someone experienced the same problem? Has someone got any clue of what it is that I could be doing wrong?
Because I don´t want to go through the whole process once again only to get blocked in a couple of days.
Thanks.
EDIT 1:
Ok, after checking again now it recognizes the account as a disabled one. I have gone to https://facebook.com/help/contact/260749603972907 to fill the form and I have uploaded my ID (even though I completely disagree with disclosing that kind of information).
Honestly, I don´t know what it means by "shortly". It´s been two days now and I have not received any kind of notification yet.
By the way, I haven´t received any kind of notification (mail, sms, anything) during any step of the process EVER. No one. Nothing. Not even an automatic email response. Plain absolute silence.
Honestly, if Facebook uses a security system like this, that lets hackers in while blocks legitimate users, creating false positives and making us lose many hours of work, without any reason or notification or explanation, then Facebook security is plain wrecked.
And I cannot do anything less than to strongly discourage any developer to use it if they can avoid it (what unfortunately I can´t).
EDIT 2:
After some days I regained access to my account again. Without any notification, I just tried again and now it worked (really good communication policy, Facebook, congratulations).
My App had disappeared, so I had to go through the whole process again. And after sending ONE message to the API, this again:
And once again the asked me to upload a picture of myself (I think they already have enough pictures of me to make an album).
This is just plain crazy.

How websites like Facebook are protected against bot without any captcha

How websites like Facebook and Twitter are protected against bot during registration? I mean, there's no captcha at all on the signup form?
I want to create a signup form for a project, and I don't want bot during registration and Captchas are often ugly..
edit:
My question is really during the registration because I know Facebook uses Captchas once registred for the first time.
Facebook uses some sort of hidden spam protection, if you view source of sign-up form you will see things like:
class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users.
so capture becomes visible when javascript will think that you are a bot.
Where is few methods of making it harder for bots to complete registration without capture, things
like timing to fill out form, originators of mouse clicks events ect.
also random session based values in form (to privent direct submissions without downloading of the form first)
also some people use hidden form elements with common names like 'email' that is styled invisible in css but common simple bots will try to fill out all form fields and so you can block them if this hidden element have any value
twitter and fb spend lot of time on developing tecniques to block spammers i don't think they will made it public as it will be counter productive for them to fight the spammers.
But all the client side javascripts you can download from fb or twitter and study them if you want, because most of the protection will happen inside client not on server.
server could only issue some random session variable, check for valid headers in request, overall time etc. its really limited.
some sites are also use ajax exchanges between server and client during the time when user is filling out the form , mostly just to make it harder for bot developer to do simular fake exchanges of data.
Anyway, unfortunatelly where is no easy solution to do decent protection , espesially without captcha or some kind of question
also,
for submit button you can use image map instead of button,
you can dynamically create big image with a submit botton image drawn on it at random position using things like GDI in PHP and using css to display only portion of that image with the actuall button, and on server side check X and Y position of where mouse was clicked, this will be hard for bots to break.
Unless they use real browsers and just emulate keyboard and mouse. Anyway , as i said unfortunatelly where is no easy solution.
One way would be to send a verification to the user's email address or cell phone and obtain verification (so in that case, you would have to allow only one email address or cell phone per account)
Another option is to use "Negative CAPTCHA" or "Honeypot Captcha"
I don't know how Facebook and Twitter do it, but if you want to create something simple and that doesn't interfere with your site aesthetics, I know that some websites just ask the user to enter an answer to a simple math problem like "what is 2 + 3?". This is not the most secure way to do it, but it's just a thought.
Well you can always deploy hardware solutions as well to create Layer 4-7 firewall rules. You can create specific rules to look for the well known agents of bots crawling the web. However to stop newly created bots you need to know what agent they are using for the bot.
Since you don't want CAPTCHA, you can use Keypic - keypic.com - which is an invisible protection, no CAPTCHA needed. It's an efficient antispam method for any web form. Site users don't pass any tests which is good for the site as it improves the quality of the user experience and thus raises user engagement. The solution is a kind of an expert system which analyses the behaviour of the users and checks the databases, then makes a conclusion if the request comes from a legitimate user or a robot.
BTW, Twitter and Facebook still use CAPTCHA for password verification which is a very disputable method in terms of efficiency of such protection.
I had a problem with tons of bots signing up for my Nintendo site so I put a single image of Mario on the sign-up page (making sure nothing in the image data said "Mario") with the text "Who is this? Answer in one word." Haven't had a single bot sign-up since. Not sure if this is actually a good solution though, not sure how smart bots are. I'm kind of surprised that it worked.
In theory it might be keeping out a few legitimate users, but it is hard to imagine many legitimate users of a Nintendo site not knowing who Mario is...

Is it possible to save a custom variable for each user on their account?

I just got starte with programming a Facebook app. I already wrote an app for the VZ-Network, and there they have something called 'Persistant Storage'. Basically its an environment where you can save custom data on each user account. With your app you can read this data from the current user as well as from the users friends. Now I want to port my app to Facebook and my problem is that I didn't find such functionality here yet.
For now I would like to finish and launch this as soon as possible, so it would be nice if I could c&p as much of the code as possible.
Since the data is contains information about participation, at some point I would like to use the Facebook event object. But I was wondering if that could cause problems since it would require to create those events publically in order to use them in my app. Couldn't that lead to legal problems when I create such events with those who actually host the events in the real world? Would I have to ask the hosts to create those events, could I automate this process, or in case they don't have a Facebook account ask them to approve that the app creates the event for them?
I also need to know in what events the users friends participate, so I can't simply save the information on my server, since I don't have the friend info there.
In any case, it seems much easier to me to simply use a list of EventIDs on each user account to check whether or not the user participates in an event.

Facebook Connect vs Twitter Anywhere vs OpenID for third-party login/registration system?

We want to streamline the user registration and login process. The goal is to reduce the time and effort for users to register and login to our site.
At the same time, we don't want to overwhelm users with choices. We don't like how some web sites present registration/login options via multiple channels (e.g., Facebook, Twitter).
What are the pros/cons of each of these systems? Which do you use, and what are your main gripes?
Offer all of them, don't take the time to ask "why?".
It's always worth it to get users on board.
The biggest (IMO) pro is that you are no longer storing passwords in your db. Leveraging one of those other site's authentication service relieves you of this. It doesn't relieve you of having a secure design. I'm also not sure that your average end user really cares. If your service is highly aligned with one of those services, maybe. However, if you are not targetting those end-users, then probably not.
Rob Conery did a recent write up of his experience with OpenId. This might be a good read:
http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened
Hope this helps.
Bob
Well, yes, it does all depend on your user audience.
In any case, I would say that Facebook Connect is probably your best bet due to the sheer number of people using Facebook. Still, as far as I've noticed, it's not really "professional" websites that use Facebook Connect, mostly forums and unofficial (but popular) news blogs.
Many "professional" websites (catering to... well, professionals) will use a normal Register/Login rather than Twitter, Facebook, or OpenID. Still, a professional website would likely need a more professional solution, so I would suggest OpenID, which also supports websites such as Yahoo! Mail and developer communities (such as Stack Overflow!). You can see the full list of sites here.
In all honesty, I don't really think that using a Twitter login would be very efficient. Think of it this way: for one, I've noticed (but I could be wrong) that Twitter is mainly used by the small hobbyist or the people who use it to give updates on things they're doing or making (and sometimes just the people who want to be in on the times). So unless your website is aimed at these type of people, it wouldn't really be useful. On top of that, I don't know of many people who particularly like it, partially because of its over-popularity. Still, it could be the same way with Facebook, but this is all subjective, so if you really want to pick Twitter, go for it.
Anyway, that's my take on things. I don't personally use these systems on websites I've built, but I know how they work.
For one, when you log in using any of these for the first time, they take the user to a new page or open a popup window asking them to confirm if they want to connect their [Whatever] account to your [Website Name]. After that, it's a bit easier to use just because they don't have to keep repeating the process unless they disallow your website on their service.
With OpenID, you have to log in to your OpenID-enabled webpage using http://myusername.myopenid.com/ or myusername.myopenid.com. If they don't choose to remember their password, this can become a bit tedious to type in every time.
With Facebook Connect, it usually automatically connects all of their information to the website, including full name and profile picture (meaning that if they have a profile picture of that snazzy tattoo on their inner thigh, other users will be able to see that).
Finally, as far as I can see, Twitter doesn't do much other than connect whatever name you had on your profile page (if it's "John Doe" or "Weiner Schnitzel", it'll show on your website) and your profile picture, just like Facebook.
To finish up, those are pretty much all the pros and cons that I can tell about the services. Good luck!
What is your target group?
If you want that many normal people uses your application than use Facebook.
If there are many coder / blogger / internet junkies than use Twitter.
If you have a lot of open source guys than OpenID will do the job.
If i'm is not wrong, previously there is a website providing kinda service about providing login platform to allow user connect to your site. Of course it is not free and i was abandon it because of high annual fees and mind change after research being done.
While you using their service to growing your business or website, you can save their time it's true. but honestly, will they really care on how long time taken to connect their facebook with your website either register as a new member in your website. While you can give confidence to you client, they do. they willing to spent few minute to fill up simple information to make an account for them self if they felt they worth to spent the minute to get service from your website.
Totally agreed to what rcravens said, if they connect through third party website, means you are gonna giving you user information to that website. For example, to archive FACEBOOK CONNECT you will need to create an application for them to trust them you only can get authority to access. while they accept and login to your site, it is good for FREE advertise because while they connect, can use their account as medium to post your information to public. BUT mostly site will sell their information gather or share them in any way to some organization who need them for decision.
My point is, how many people using your site and mostly who is using, what characteristic of your site user and so on... everything is no more under your control !!!
Perhaps, you may use it but what if their service shut down few hour for maintainance...
I'd recommend using something like RPXNow (https://rpxnow.com/) or Gigya (http://www.gigya.com/) as an intermediary to the various authentication providers. Facebook and Twitter are notorious for always changing their APIs. It is a pain to keep up with them. These services give you a simple abstraction layer, so that you don't need to change anything on your end when the providers change their APIs.
i like facebook but..
facebook is block in some country.
open id is not famous.
twitter is famous and simple.
so use twitter is the best :)
Use OpenID as it is a standard that is also integrated into many Mail Accounts, like Google or Yahoo. You never know how long Facebook will stay around and therefore it's better to have something people just don't throw away (there Mail address). If you make a nice selection screen (e.g. stackoverflow), the people don't even know that they're using OpenID. If you just want to get authorized Comments, picture uploads for twitter or fb, a game connected with social features don't use it.
Facebook Connect is very usable for one time comments or stuff like this. If you want to store your own data about the user (e.g. blog service, saas), not dependend on "social networks" don't use it.
Twitter Login makes only sense if you connect your service with Twitter, otherwise forget about it.
I would use a hidden OpenID approach.
Facebook is great for keeping tabs on family and friends. Beyond that I, personally, wouldn't use it in support of any other app. It's just not bullet-proof enough from a security/malware standpoint. There is too great a chance someone could have issues of that sort with Facebook and attribute it to your site, whether reasonably so or not.
I like OpenID. Not thrilled with the notion of hitching my wagon to any of the social networking sites/services at all.
Is this a technical or commercial question?
The answer to my mind is it depends what you want to do with the data.
If you just want to provide a service to a broad list of people then the answer has to be to gun for openness, not proprietary - particularly since the open standard is supported elsewhere, Gmail, Yahoo et al.
However, if you want to demographically profile that database at some point to offer targeted services, then you need to understand the questions you're likely to require answered and whether a third party method is going to enable that or not.

CMS for anonymous interaction

I need a CMS that allow me to interact with people anonymousely... The site will present some video, some picture... but i need to :
Let ANYBODY without registering send video, post and picture. those media will fall into a queue for approval by real persont that manage the site, and send that to the right category !
So if you know plugin or extension for joomla, drupal or wordpress that do that or another cms that will allow the flexibility to do that...
Dont tell me it's dangerous to let anybody upload photo, i can get porn, but it will be filter by human, and registering under false name do the same thing
Sure, that's easily enough done in Drupal.
Set up standard drupal. Get CCK, and the video modules necessary for how you want to handle video - filefield/imagefield is probably pretty close to what you need.
Set up the content types you want the users to be able to create. Give the anonymous user role the create permissions for the types you want anonymous users to use. Unset the published check box in the content type forms, so that new nodes will not be published.
I would then snag a copy of the workflow module, which will allow you to define states for the nodes to be in (such as 'waiting for review', 'approved', or 'rejected') and set up roles for your moderator(s) to review the content and approve. Workflow's a pretty easy module to get working.
And there you go - anyone can create a new node, but the node won't be seen by visitors to the site until after it's been approved by a moderator.
A final thought - including a module like spam or mollom might work with preventing new nodes that are only spam from bothering your moderators. Captcha might be helpful too, although that does get bypassed at times.