I have an application with restricted access to the whole site, except for login and password recovery.
I'm trying to add to the login view open graph meta tags with data based on the referer address. To do that, I use the \Symfony\Component\Security\Http\Util\TargetPathTrait in the login action like this:
<?php
$referer = $this->getTargetPath($request->getSession(), 'main');
Locally, I use Open Graph Preview chrome add-on, and it works perfectly. As an anonymous user, I try to acces to a page, and then redirected to the login page. Here $referer is not null and I can retieve data I need to generate meta tags.
Now on test environment on my production server, with open graph chrome add-on, it still working. Share a link through Telegram, the preview is displayed as expected. But when I share the same link through Facebook messenger, I don't get what I want.
Edit: doesn't work with Discord and WhatsApp either.
I've made some test with the Facebook debugger, it appears that $referer is null and I don't understand why. It looks like Symfony access control have a particular behavior when a Facebook service try to see a page, as no session data seems to be manage by the symfony security components.
The login feature of the application is quite simple as it follows the basics step described in the Symfony documentation.
Is anyone has a clue on what can I do to fix that? Meanwhile, I'm trying to find a workaround with Symfony events.
EDIT 1: I reproduced the issue localy, with a cURL request. In that case it appears no session is handled. \Symfony\Component\Security\Http\Util\TargetPathTrait::getTargetPath method is useless as Symfony store the target path in session.
So now, when an anonymous user try to request a restricted URL, I add the referer as a GET parameter to the redirect login URL.
Cool thing, now the preview works perfectly on Discord, WhatsApp and still works on Telgram.
Sadly, it still doesn't work on Facebook's app (Messenger and Facebook posts).
So, I took a look on the facebook debugger tool. And here come the strange thing, the redirect url request by FB service is different than the one my application normally give.
Expected URL : https://domain.ext/login?referer=https://domain.ext/referer/path
URL requested by FB : https://domain.ext/login?randomCoherentParamName=intValue
The odd thing is that 'randomCoherentParamName' correspond to a route parameter from the referer URL.
Here how I generate the redirect URL:
<?php
// From a class that extends
// Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator
/**
* Override to control what happens when the user hits a secure page
* but isn't logged in yet.
*
* #return RedirectResponse
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$url = $this->urlGenerator->generate('loginRoute', ['referer' => $request->getUri()]);
return new RedirectResponse($url);
}
If anyone has a clue of what's going on, I will appreciate any advice :).
EDIT 2: It seems FB service use a canonical URL to access the login page when redirected. Problem is I never set the canonical address meta tag in any page on my website. So, I'm wondering how is it possible...
Anyway, I think I've got a solution to bypass this problem, I'll share if it works, but I really want to understand how FB service works and identify how it is able to get a canonical URL I've never set... Apach fault? Symfony fault? My Fault? Or is it related to the Facebook crawler ?
Any comment will be appreciate :)
Problem solved !
The Facebook issue was totally my fault, actually, and a bit because of FB service. Let me explain.
When FB service request a shared URL, it parses the response to find open graph meta tags. During response parsing, if the service detect an url open graph meta tag, it request that url and use the parsed data from that response to generate the preview. This behavior seems to be specific to Facebook, as I didn't have any issue with Discord, WhatsApp and Telegram (and Telegram handle session when it retrieve data from an URL).
Now, what did I do wrong ? Actually, my login page has an url open graph meta tag, and, well... I didn't generate the good URL as its value...
Thanks for your attention :)
Related
I wrote my own RSS reader and it is not able to discover feeds on youtube. The reason is that youtube redirects to a separate page for their cookie warning, and the rss discovery url is not on that page. I tested it with curl and the redirect did not happen. I then changed the user agent in my application to be curl/7.8.6.0 and now my app can handle youtube discovery. So the problem is solved, but this feels like a bad workaround. Best practices for a user agent string is
appname/version framework/version (comment)
or something similar, which is what I was using before. Now I am forced to lie to every website I visit about what application I am using, just to make it work for one site. I could write a special bespoke discovery function just for youtube and change the url to youtube-nocookie or change the user agent just for that request, but that is extra work, and extra processing cycles on the user's machine for every discovery attempt.
Is there a standard way to inform a website that the request is coming from a piece of code and not a human? How do webcrawlers deal with this?
I am using Godot Mono as the framework for the application, you can find the full source here, this question relates to the GetHtml() function in the DiscoveryService which is a standard dotnet HttpClient call:
HttpResponseMessage response = await this.http.GetAsync(url);
if (!response.IsSuccessStatusCode) return null;
using HttpContent content = response.Content;
return await content.ReadAsStringAsync();
The HttpClient is instantiated in the constructor and the User agent string is set there too.
If the user agent is set to anything other than curl/someversion youtube does not return the requested page and instead returns a page asking the user whether it is ok for them to save a bunch of cookies.
The issue can be reproduced easily enough with curl, just do
curl <some youtube channel url> | grep rss+xml
and
curl -A "porifera/1.0.0.0" <some youtube channel url> | grep rss+xml
porifera is the name of the application I am developing, you can write pretty much anything there it seems
When I send a one-off document to RightSignature via their API, I'm specifying a callback location in the XML document as specified in RightSignature's schema definition. I then get a signer-link value back from their API for the document. I display the HTML response from the signer-link URL in an iFrame on our website. When our user signs the document in this iFrame, which is rendering the responses from their website, I want their website to post to our callback location.
Can I do this with the RightSignature API and does it make sense?
So far, I'm only getting content in the iFrame that indicates that the signing was successful. The callback location does not seem to be getting called.
I got it solved just now. Basically, i was doing two things wrong first you have to go in RightSignature Account and set it there the CallBack url
Account > Settings > Advanced Settings
But the thing which RS is unable to mention to us that this url can not be of localhost, but it should be of https i mean like Live URL of your site like
https://stagingmysite.azurewebsites.net/User/CallBackFunction
And then in your CallBack just write these two lines and you will receive complete XML which would have the GUID and document status as well.
byte[] data = Request.BinaryRead(Request.TotalBytes);
string callBackXML = System.Text.Encoding.UTF8.GetString(data);
I found the answer with some help from the API team at RightSignature. I was using callback_location but what I really wanted is redirect_location. Their online documentation was difficult to follow and did not clearly point out the difference.
I got this working after a lot of trial and error.
I've created a registration system like this:
User fills in a form at /register
The form is posted to the same page (/register)
If the form is valid, the user will be added to the database with isActive = 0
A token will be generated to activate the user
The user gets an e-mail with a link containing the token
The user clicks the link and goes to /activate/{token}
If the token matches to the database, the user will be activated isActive = 1 and redirected to return $this->redirect($this->generateUrl('login')); with a flashmessage Account activated, you can login now.
Everything is working fine, over 1500 users registered in the past 2 days. But some are experiencing trouble activating their account. After clicking the link they receive a 404-error. However, their accounts are activated as supposed.
I searched the logs and found around 1500 records, more or less around the time users are activating their account: No route found for "GET /favicon.ico"
/favicon.ico doesn't exist, the favicon is located somewhere else and included in shell.html.twig, so every regular page has the favicon. But because the /activate/{token} is just redirecting, no view is loaded.
It possible this has something to do with the error some users are encoutering?
Maybe the error has nothing to do with the favicon, all suggestion are more then welcome. I'm not able to reproduce the error, so it's very hard to debug at the moment.
Also try to use different browsers to test this. You can also test this on your local machine. I have found online that some browsers (IE) automatically request /favicon.ico in some cases, if you include it somewhere or not.
Read through this for a start: How to prevent favicon.ico requests?
I see this is an old thread and you probably solved your issue years ago but here are my two cents - when I try to run a Symfony 2.3 application with one of the later php 5 versions, I get the same error message as you in my log file, it complains about the favicon.
That is however not the real issue. The real issue that caused this redirection and in turn the favicon-issue is that I am using an old version of FOS User Bundle, and there is a conflict between the user unserialization and the new php version. Move to a more recent version of FOS User Bundle and you should be ok.
I am using 'omniauth-linkedin-oauth2'.
When I am login with linkedin then I am getting this error
Invalid redirect_uri. This value must match a URL registered with the API Key.
This is my settings:
Went back to LinkedIn developer site (https://www.linkedin.com/secure/developer ) to check my setting again. Everything matches API Key, Secret Key and OAuth 2.0 Redirect URLs.
Searched web looking for some clues. Couldn’t find a one. Crazy issue:
Then I saw that in the URL Owin was appending some extra string to the redirect_uri “signin-linkedin”. When I decoded the URL I saw this http://localhost:54307/signin-linkedin . I took this URL and placed it in the OAuth 2.0 Redirect URLs field in the LinkedIn developer site.
This link is helpful for me
https://naveengopisetty.wordpress.com/2014/09/15/linkedin-oauth-2-0-issue-invalid-redirect_uri-this-value-must-match-a-url-registered-with-the-api-key/
You can just look in url that you are getting that error message on.
eg. if you are using python's social auth the url would look like this:
https://www.linkedin.com/uas/oauth2/authorization?scope=r_basicprofile+r_emailaddress&state=XXXXXX&redirect_uri=http://example.com.au/sa/complete/linkedin-oauth2/&response_type=code&client_id=YYYYYYY
so you would use this part of the above url for the redirect url
http://example.com/sa/complete/linkedin-oauth2/
please check your redirect_url. for my case I see like this.
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=77k93y0w31zaey&redirect_uri=http%3A%2F%2Flocalhost%3A1729%2Fsignin-linkedin&scope=r_basicprofile%2Cr_emailaddress&state=nhAC-nR-CgEwO3XS2ezANhuPBMz-IUmLPJYgGHlZvZ8B1pCfsGBU0PR0dZ5XxE4zbyeI0RLcKByqPLKkgQdqMm4s6DjFYqMCEehYA2iWT9MfioEHjPXGCt2USxUTF0wKBpflCUjG5URVlJa3qI7U3ydFOErZ4Hhnr9SVmKdf1bithYfbOqBx345o8LQLexbddQ687vP6y0szrIyCM6FHip1tCpOY3Hgg5FJQEFH1mCJ_yLunD5vDUN4VVfkQbcjk
for this I add the url for OAuth 2.0 Authorized Redirect URLs:
http://localhost:1729/signin-linkedin
where http://localhost:1729 =base url and
signin-linkedin = the string which add after base url
One more solution is to just verify the client_id you've been using the whole time..because with every update in the list of redirect_uri, the client_id gets updated.
Worth mentioning when one uses libraries to handle oauth: some libraries fail to care about the protocol that is used (or at least require further parametrization). Eg, I gave Linkedin https://example/callback as oauth2 url, but the library sent the request with http://example/callback as parameter.
I had this when trying to authorise from a zurb Reveal modal popup. In my case, the issue was the URL for the page that was being displayed in the popup was not in my OAuth2 Redirect URLs list on the LinkedIn developer site.
That was easy to miss because the page URL from the page in the modal is not the URL that was currently showing in the browser's address bar. Once I added the URL for the page being shown in the pop up it worked.
After spending hours i finally get to the solution. You got an error no issues just check the url and find redirect_uri. Copy and Paste it's value it in your linkedin dev account oauth2 redirect field.
Make sure to add both with and without trailing '/' as redirect url.
http://localhost:8000/oauth/complete/linkedin-oauth2
http://localhost:8000/oauth/complete/linkedin-oauth2/
I've a registration system which redirects user to specific page lets say success.php
In this page I've custom script that sends out Welcome mail to the user and posts success on facebook since registration is through FB oath.
I would like to redirect success.php to the original page user was reading before asking for registration/login.
How do I do this?
I'm using Wordpress as CMS if its helpful.
Would something like this work in all situations?
$_SERVER['HTTP_REFERER']
There are many ways to redirect users in Wp the simplest one being :
wp_redirect() (HERE) which has 2 parameters :
$location = The absolute URI to which the user will be redirected. No default.
$status = The status code to use. For example, 301, 302, etc. The default is 302.
wp_redirect('http://mywebsite.com/',302);
Note that it is also pluggable.
Then you have
auth_redirect();
which is basically the same but requires login before giving access - no parameters
you also have a login_redirect filter which you can use ,but i am not sure it is for your case as described.