I am trying to get all the friends of the user currently signed in. I tried /me/friends but that didn't work as it returns only the users using my app already. I then tried https://graph.facebook.com/me/taggable_friends?access_token=somecodehere
In the browser it says
"To use taggable_friends on behalf of people who are not admins,
developers and testers of your app, your use of this endpoint must be
reviewed and approved by Facebook. To submit this feature for review
please read our documentation on reviewable features:
https://developers.facebook.com/docs/apps/review"
But when I do a GET (using Angular.js) on this URL with a valid access token using my application, it returns me a list of my friends, with their id, name, picture. Why is this happening? How can my app get the data if my browser cannot?
Also, the picture currently returned is too small. How can I get the email and larger picture of all my friends in this response?
Any help is highly appreciated.
PS: I am building a cordova app and getting access_token via CordovaOAuth.
taggable_friends works for you because it works without review for everyone with a role in the App (Admin/Developer/Tester). You only need to go through the review process if you want to go public with your App.
That beind said, taggable_friends is for tagging only, a larger picture is not neccessary for that and you definitely can´t get their email. What would you do with the email of friends who did not even authorized your App? You would not be allowed to use those emails anyway. You can ONLY get the email of a Facebook user by authorizing that user with the email permission.
More information about getting access to friends: Facebook Graph Api v2.0+ - /me/friends returns empty, or only friends who also use my app
Related
Currently, Firebase offers the option to send an email to a users email who wishes to change their password. Unfortunately, Firebase does not allow you to edit their password requirements which I believe is locked at requiring only 6 characters.
For many people this is inadequate and insecure.
I recently made an application that allows users to create quizzes either for themselves or for others. In this application, I stores personal information of my users and I wanted to make sure that their accounts were secure so I required more from my passwords. Unfortunately, when a user wishes to change their email, the default Firebase function does not keep my security which leads to confusion as a user can change their passwords according to Firebase's lax constraints but then they still couldn't log in because they used an invalid password. (I blocked invalid passwords from the text box before even checking with Firebase).
After I encountered this error, I came to StackOverflow for help to see if anyone else had this issue and came up with a solution. Unfortunately, I was met with harsh criticism and harassment by users who claim to be Firebase officials and Administrators who did not care about my question.
Then, I after a week of research and testing, I found the solution using React and 3rd party libraries to handle this.
Please, see my answer below and if you have a more creative solution, I would be interested in seeing that as well.
To solve this problem, the only answer is to create your own mailer service with your own basic mailer service, host website, and API.
What you need:
An application which uses Firebase.
A hosted API which uses Firebase and a 3rd party Mailer such as Node with NodeMailer - hosted on Heroku
A React app which can communicate with the API
What I did:
First, I created my API which accepts calls from my specified IP addresses. This API can receive requests to reset a password when the password is known or unknown. When the password is known, I send an email to the user using NodeMailer and I send a special HTML file so the email looks official. It is quite easy to copy the layout of Firebase's emails if you wish.
More Info can be found here: https://nodemailer.com/message/
Then, I created a React App that is hosted on Heroku. When the user clicks a link in the email, it will send them to this website with the required information in the query. This app, much like when the Firebase link is clicked is just a simple text box and submit button. However, now you can customize it to require password confirmation with a second text box. You can also add a company logo and custom colors so it isn't so HTML 1 looking like the link you see from Firebase. Most importantly, you can now control the password that the user enters to add your unique requirements.
On submit, the app will send the new password, username and old password if available to the API.
If you do not know how to create a React App or a Node API, you can see a detailed tutorial here: https://www.techandstartup.com/tutorials/build-api-with-node-express-and-mongodb
Finally, the API can log into the users account if a password is present and then change the password. Detailed steps can be seen from: https://www.codegrepper.com/code-examples/javascript/firebase+user+change+password
If a current password is not present, then the API can delete the user and recreate it with the desired password. Deleting a user can be seen: https://www.codegrepper.com/code-examples/javascript/firebase+delete+user Then you simply recreate a user. Example code: https://www.codegrepper.com/search.php?q=firebase%20createUserWithEmailAndPassword
With these steps, you can now send a password reset email to a user. The email will be completely unique as you will be designing it yourself. The password will be to your exact specifications as your React App will control the data on submit. And the page itself will look much more user friendly as it's not the default Firebase page.
Hopefully this helps you or your company with working around the Firebase reset password with email function. I am still holding out hope that another user may have a more elegant or basic solution than this as creating an API and hosting a website just for 1 function is not appealing in many cases.
I am making a hybrid mobile application, using Ionic and Cordova, for which I would like to give the user the possibility to sign up/log in with Facebook, G+, Linkedin and Instagram, and email account. I would indentify everyone by their email (to check if it's the same person, it is not a pk in the database but just an index).
I have been looking around for information about OAuth2 and looking into the documentation for the services APIs. I have understood what I have to do in the front, but I have some questions on the whole process:
[BACK] How do I check the tokens provided by the services APIs? Let's say when a user logs in with Facebook, I get a token which is stored in the user's phone. Then, on every HTTP request, I have to attach the JWT to verify the user indentity. How do I verify it? Against what do I have to test it?
I want to be able to get information from the user's G+ account but also the user's Linkedin account (example). How do I manage this properly?
Do I just store both (or more) tokens (in local storage) and use them to authenticate? I want to do this as my app will have "friends lists", so the user will be able to log into external services and the app will get the user's friends/contact list from those apps.
As of now, I think about including an auth_method field in my database to store available authentication methods (a JSON string or something like that), and just add four fields (one for each service) default null where I would store the token created for the user.
I can show you my code but it do not think it would help as these are more of theory and not specific to a language.
Thank you for all the help!
I am creating an application and using angular as my js framework.i wanted to import the contacts of facebook user(who will provide his email and password) to his account on my application. How i can do that using angular..i have done an extensive RnD and found almost nothing about about it.Any help will be appreciated.Thanks in advance for help.
You can use this endpoint to get friends: https://developers.facebook.com/docs/graph-api/reference/v2.4/user/friends
Keep in mind that you can only get friends who authorized your App too, and you can´t get the email of friends either. All friend permissions are gone as you can read in the changelog: https://developers.facebook.com/docs/apps/changelog#v2_0
Meaning, you can only get data of users who authorized your App.
Edit: About inviting friends, please read this: https://developers.facebook.com/docs/apps/faq#friend_invite
Inviting friends (to become friends) is not possible at all, btw.
This sounds like a popular scenario, but I can't find direct answer nowhere...
I want to plot Analytics data in my app's admin area.
This area is used by multiple users of the company, and they have to authenticate to access this area. I plan to use GA service account, but 'browser-key/domain' option seems only available for public api.
Can I use server auth (through node API), get the token, and pass it to user while logging in? Will the token be valid? Can I have multiple valid tokens simultaneously for all the users?
Or maybe there is some other way to do it?
Okay, I've tested it myself and the answer is:
YES, you get universal (max 60min) token with every request - so you can have many of them, and dispose to you client-side apps as needed.
I have now embedApi widget in my Angular.js dashboard for every user, without login.
I would like to use Oauth 2 for an application in Google App Engine with Java, but I dont find any good example of that use, I would be very thankful if somebody could help me please, it is something frustrating dont find good examples, thnak you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
Its from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Otlu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/