Possible to fetch Facebook application API secret? - facebook

I'm using FB.Connect.createApplication (http://developers.facebook.com/docs/?u=facebook.jslib.FB.Connect.createApplication) to create applications on the fly. The problem is that the method doesn't return the API secret (only the app ID and api key). This is a big problem. Does anyone know if it's possible to fetch this data provided you have the application ID and API key?
Thanks

I dont think so. I know that some other APIs try to make secret keys nearly impossible to get through scripted methods for security. Not sure about facebook but from the forums it seems like the createApplication() method was rolled out before it was completely finished. The consensus on the dev forums is that it will get rolled out ... eventually.

Found out that what I'm trying to do is impossible. The next best solution is to create a child application, and make calls on its behalf (from the parent application).

Related

How to secure REST API PUT/POST calls being called manually through postman

Actually I have an API called update user data, it is called when the user moves from one page to another page. If the user copy the API from console and post in postman, user should not able to update the user data. How to provide security or implement feature to not to update data through post man.
You really can't.
You can slightly make it harder using some CSRF protection, but that's just it - it will only make it a bit harder, but not stop anyone determined.
If your API is public, you should be ready for your users to have custom client apps.
I am a bit confused by your question. Because PostMan or other applications like Fiddler are created to make the job easier for developers during development. anyhow if you are concern about who makes call to your webpage, you can make your API private and just give access to the user that have the right credentials. You can also read about CSRF or XSS.

Is OAuth suitable for this scenario?

I'm new to OAuth and I would really appreciate if someone could give me a hand with my problem. I need to create a simple web application for track expenses, with some basic actions (user must be able to create an account and log in, list expenses, edit them, etc) with a REST API for each one, and the trick is that I need to be able to pass credentials to both the webpage and the API. So, after some research I've found some examples using Digest Authentication and HMAC Authentication but lot of posts also mentioned OAuth as an alternative approach, so my question is, given this scenario, would be proper to use OAuth? I mean, as far as I understand OAuth is suitable when you want to share resources with other application, which I'm not doing for this project; besides that, when you try to access the shared resource it appears a page requesting permission for the foreign application, would that page appear at some point in my application? (maybe after the login?)
Thanks in advance guys
In your current scenario it does not make sense to use OAuth. It's not what OAuth is designed for.
If your application ecosystem is going to have multiple webapps running on a single SSO (like google) then it is very helpful to have OAuth.
Suggestion: Decide based on your business/operation plan and implement accordingly.
Note: If you plan to have 10 apps in the span of the next 5 years but only have one app now it does not make sense to spend time to implement complex protocols like OAuth right now. Scale as you grow.

ESPN Api Integration issue

I am implementing espn api, but having some issue, most api gives me this response.
{"timestamp" :"2013-02-25T11:19:02Z","message" :"This action is forbidden for the requested resource at your permission level. Please review the documentation for account level access.","status" :"error","code" :403}
I am using this api Espn MLB Standing
I want to know that where to review the documentation, i is there any need to purchase some api or anything else?
[EDIT]
One more thing there is ?apikey=:yourkey , so this key is same for all user or we have to get this according to user login.
I think you are using the wrong apikey or there is some issue in your URL query.
Your app will have a unique apikey. This key is same for all users who are using the app.
You should get a apikey by registering to their site and use it for development purpose.
My rep doesn't allowing commenting, but I thought I'd add the following here:
A small amount of ESPN API data is free, but much requires payment.
You probably don't want to publicly share your personal API key for security reasons.
Go to http://developer.espn.com/io-docs and plug in your API key and use the GUI to generate an API call/response. It's a good way to see a valid, working syntax that you can then drop into your app and edit as necessary.

Looking for API call to Block Application ID

I've been looking all over to find the correct API call to block applications via application ID, however I've yet to find it. I'm actually becoming quite certain that it's not possible (for obvious reasons, Facebook revenue being one of them), however I was wondering if anyone knew of a way, even via URL call ('https://www.facebook.com/apps/block.php?id=' + APPID + '&action=block' no longer works correctly, if it ever did.)
Basically I've been making a ruby script to be deployed to help users block spammy and generally unwanted applications via application ID's, the script is almost complete, however I need a method to be able to actually block the applications! If anyone could give me some help, I'd very much appreciate it.
Refer to https://developers.facebook.com/docs/reference/api/application/#banned
Create/Ban
You can ban a user for an app by issuing an HTTP POST request to
APP_ID/banned?uid=USER_ID1,USER_ID2 with an application access token
(i.e. a token created using the app secret, not an application Page
access token as described above). You can specify the following
parameters.
This is not (and probably/hopefully will not ever) possible via API. There are too many reasons to leave it that way. You don't want applications block each other...
This may sounds like a show-stopper for you, but it's not! Generate report arguing the reason why some applications better be blocked/removed/reported and show it to users instructing 'em how to do this.

Authorizing REST Requests

I'm working on a REST service that has a few requirements:
It has to be secure.
Users should not be able to forge requests.
My current proposed solution is to have a custom Authorization header that look like this (this is the same way that the amazon web services work):
Authorization: MYAPI username:signature
My question is how to form the signature. When the user logs into the service they are given a secret key which they should be able to use to sign requests. This will stop other users submitting requests on their behalf, but will not stop them forging requests.
The application that will be using this service is an iPhone application, so I was thinking we could have a public key embedded in the application which we can do an additional signature with, but does this mean we'll have to have two signatures, one for the user key and one for the app key?
Any advice would be greatly appreciated, I'd quite like to get this right the first time.
The answer is simple: It cannot be done. As soon as you ship any solution to the end user, he or she can allways attack the server it is communicating with. The most common version of this problem is cheating with hi-score lists in Flash games. You can make it harder by embedding some sort of encryption in the client and obfuscating the code... But all compiled and obfuscated code can allways be decompiled and unobfuscated. It is just a matter of how much time and money you are willing to spend and likewise for the potential attacker.
So your concern is not how to try to prevent the user from sending faulty data to your system. It is how to prevent the user from damaging your system. You have to design your interfaces so that all damage done by faulty data only affects the user sending it.
What's wrong with HTTP Digest Authentication?
I think the simplest way to do this right would be to use HTTPS client authentication. Apple's site has a thread on this very subject.
Edit: to handle authorization, I would create a separate resource (URI) on the server for each user, and only permit that (authenticated) user to manipulate this resource.
Edit (2014): Apple changed their forum software in the past six years; the thread is now at https://discussions.apple.com/thread/1643618
There is a better discussion of this here:
Best Practices for securing a REST API / web service