I'm developing an application that the only way to access the protected pages is through the Facebook's authentication. In this cenario, I need to login with a Facebook's test user and made my tests.
I'm using the PHP-SDK, so I need to figure out a way to login with an user test only with PHP (without javascript) and without a browser and cookies (because my tests runs only on command line, emulating a browser, without selenium for example).
Ideas about how I can test my protected pages that the only way to access is using a Facebook's user?
I am not familiar with the PHP-SDK but on a more general level I would stub out Facebook.
Your tests don't need to depend on a third party service: the build might fail because Facebook is down and running your test will be slow as it needs to wait for Facebook to report back each time.
Can't you stub the Facebook endpoint and send your own response back (one that looks like the Facebook one)? You could do this with an HTTP faker. For Ruby I would use something like FakeWeb but there are probably some similar tools out there for PHP.
Facebook now has test users, which can use most of Facebook except for interacting with real users. You can create them in your developer control panel or via the Graph API. There's even an API call that allows you to automatically create friendships between your test users. https://developers.facebook.com/docs/test_users/
Related
I'm building a Rails API with a proper front-end to go along with it (probably React). I'm currently implementing the API and haven't written a single line of front-end. I'm trying to implement OAuth with Facebook as explained in #a14m's answer for this post.
However the problem is that my API would require an authentication code so that it can exchange it for an access token with Facebook. As far as I understand, the code is obtained via a login dialog on the front-end. Now I want to test whether or not my API is getting a valid access token from Facebook in exchange for the code. But to get the code I have to open a dialog on the "front-end" which I have not implemented yet.
Any way I could open the dialog for Facebook login and get the code without writing the front-end? I probably think Postman would help but I don't know how. Also if there is a way to obtain the token without triggering the dialog would also get my job done. So I just want a way to access the code without a front-end.
You can definitely use Postman for this. I write Rails APIs often and I always use Postman to hit the endpoints without having a front-end. All you have to do is find out what you need to send to the Facebook API and set it up as a form body on Postman.
I am working on API Integration Tests. In particular, I am trying to test the user's ability to login to our application with Facebook. Prior to signing in with our API, the user must sign in with Facebook on the front end of the application via the steps listed here. Since the tests going to be backend integration tests, I would like to handle the entire login in flow solely by leveraging Facebook's API. I can't seem to find any docs that illustrate a methodology to do what the these docs allow the front end to do. Does anyone have en experience with Facebook's API, and know how to simulate the login flow without actually using the login dialogue window?
Sign In Steps
Log in to Facebook
Log in to our API with Facebook returned authentication credentials and redirect uri
Their test user capability should help: https://developers.facebook.com/docs/apps/test-users
It'll allow you to create & sign into a test account, then destroy it afterwards. It won't be limited to normal login & visibility restrictions either.
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
I am building a "authenticate with facebook" or "login with facebook" function for a website on my development server.
The development-server is a VM running on my computer.
I have set up my own DNS-server so that i can access the website with: anydomainname.de - which of course only works for me (not any external server).
Will i be able to test/develop the "authenticate with facebook" in this environment?
Will i be able to test/develop the "authenticate with facebook" in this environment?
Yes, that should be no problem. (Done it lots of times myself already.)
Most of the login flow happens inside your browser anyway. And when it comes to the part of exchanging the code parameter you receive from Facebook for a token, that requires your server to make a request to Facebook, and not the other way around.
Only features that require Facebook servers to make a request to your server you won’t be to test that way, f.e. any kind of Open Graph implementation, where you host the OG objects yourself – that requires the FB scraper tool to read the meta data from the object URL, and therefor public access to it.
(Regarding login there is only one feature, called “De-authorize callback URL”, that you won’t be able to test. If you set that up, Facebook will notify you when users de-authorize your app [remove it from their settings completely] – and that is done by Facebook sending a request to your server. But that is kind of an “advanced” feature and not that broadly used anyway. Should you later on decide it would be nice to implement that as well, you will need to test it on a publicly available system.)
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.