I'm trying to initiate Gmail Watch on behalf of my site's users and also get the messages according to what historyId I get on the corresponding PubSub Topic.
I have GCP + Firebase on the backend and Angular 7 in the frontend.
I face two problems here:
Doing this on the frontend seems the right way, with grantOfflineAccess, since it asks nicely on the consent screen for the required Modify scope. However, what I get back is an auth code, and I can't find out how to get access and refresh tokens from it, and use it in the backend Cloud Functions python part.
If I try this on the backend (which works), I have to initiate the flow from python, send the redirect to Angular and pop-up the consent url there. This already seems bad, since the consent screen does not say anything about what you're granting. Then I need a redirect url, which can't be a Cloud Functions url, because I can't whitelist it (can verify the domain), so it is now handled on the Angular side and sent back. Ie. the my oauth redirect is handled in the frontend, which also doesn't seem the right way.
Could you please advise on how to do this properly?
Thanks!
Related
I started working on server side for my current porject and one of the biggest issues that i facing is with Google O-Auth. Since i am not experienced with the server i decided to use firebase throughout my project.
3rd party cookies are need to be enabled for Google OAuth. I am trying to find my way around it(means: even if the 3rd party cookies are disabled a user can login through google).
First Qestion: Is it even possible?..
i guess it is because i have tried few popular websites like bitbukcet where even if you switch off 3rd party cookies, the O auth works perfectly.
If yes then Second Question: How do i implement it? i was reading some Google Developer docs and found this "another workaround is to implement server-side OAuth 2.0 flows". I really do not understand this.
What i have tried:
I have tried two things, first the typical and easier way of going with firebase auth and google login with popup. Second, Login through GAPI AUTH.
I am looking forward to any answer.
You can look at this link for an overview on how to implement server side based Oauth2 flow for Google. Please ignore the bits which are youtube specific but the instructions should apply to any google auth flow.
Basically you do not need to include any client side JS files on your webpage etc since they don't work with 3p cookies blocked. The server side flow is free from that restriction.
Edit: Adding a more general link for server side Oauth2 flow
I am trying to connect the FitbitAPI to my flutter-firebase application. However, whenever I authenticate my account it doesn't redirect back to my application. I used the Implicit Grant Flow since I am not working with a server to power my backend. However, I do not have a way to get the token written in the browser url. An example of this is :
https://MYFIREBASEPROJECT.firebaseapp.com/__/auth/handler#access_token=eyJhbGciOiJIUzI1NiJ9.egfhwerqwjehqwkjehkashdaadadsadybG9jIHJ3ZW123123123sdsadsaasdasdagcnBybyByc2xlIiwiZXhwIjoxNTczMjk5ODQ2LCJpYXQiOjE1NzI2OTUwNDZ9.axlEiYsVicy6l-aEbphcqZlr3bHXUxq6hV2ky5o_3qw&user_id=7SFL86&scope=social+location+weight+nutrition+activity+sleep+settings+heartrate+profile&token_type=Bearer&expires_in=604800
I would like a way for me to get the last url from an in-app web browser. The in-app-browser package I use is web_browser
With that package , no.
You could use https://pub.dev/packages/flutter_webview_plugin wich allows you to launch a webview inside your app , and have full control of it.
Or you could use your package or https://pub.dev/packages/url_launcher to launch an external browser wich you don't control, but redirect to a deeplink that opens your app and handle it with https://pub.dev/packages/uni_links
So both methods are possible
EDIT:
A brief explanation of how a deeplink works.
Most of the urls start with "http://", that tells the browser to open a webpage with the domain of the url. However, if you use other start of the url , the browser does different things. In android per example if you type whatsapp://app in your browser url and launch it, it will launch the whatsapp app. The same can be done for your app oauth. The only thing you will need to implement it is configure your android app. The brief concept can be found here , but to communicate the android app deeplink with flutter you need uni_links , they also provide a tutorial in their package page. You can find a tutorial for flutter HERE
I am creating a project to be able to share a Calendar among some users.
The strange thing is that when one of the users wants to connect, the following error appears telling him "This app isn't verified"
https://prnt.sc/p87wvm
I am not a programmer so it is difficult for me but I think I am doing everything right.
The only api that I am using is that of Google Calendar.
The email with which I am creating the Api is a #gmail.com
https://prnt.sc/p88o0g
I am not using any special scope that requires some type of verification.
I did not exceed any quota limit or anything like that.
And the send to verification button is disabled and tells me that my changes do not require verification
I want any user with a Gmail email to connect to the calendar
What i need to do??
For the doubts I have verified the domain thinking that it was that but it did not solve the problem either
I want to call Facebook's Graph API from the client to READ public posts on a page using a permanent Page Access Token. I'm curious if this is safe (or how to make it safe). From everything I've read and tried, an access token is required to perform this operation and none of Facebook's other functionality will suit my needs (see background below).
https://developers.facebook.com/docs/javascript/reference/FB.api/ suggests that it is safe to expose Page Access Tokens to the client, but I'm suspicious they're lying to me.
Background:
I'm working with a group that wants to display some posts from their Facebook feed on their WordPress website. They don't want to display all posts, but rather filter them based on a hashtag. I don't know a ton about WordPress, but I'm guessing I can't implement custom back-end API calls on a WordPress site. Please suggest any alternative solutions that you might have!
Access Token are like house keys, you NEVER leave them in front of the door. Which means, you should NEVER hardcode any Access Token. No matter if it is an App, Page or User Token. The docs do not state anywhere that it is ok to expose tokens, they just state how you can use a Page Token on that page in your question - but you cannot just hardcode it on the client.
Vulnerabilities: Without extra permissions, this would be more like a privacy issue, because you can get a lot more info with a Page Token (as the Page owner) than with a simple App Token.
Of course it is possible to do that kind of backend-calls with wordpress. And it would be the far better way, i think.
First you can use the WP-Cron to time your Facebook-Calls. You could create a Cron-Job every hour or so.
WP Developer Scheduling WP Cron Events
Wordpress Codex wp_cron Function Reference
Kinsta Knowledgebase Wordpress Cron Job Tutorial
If you work first time with the WP-Cron have one thing in mind: WP-Cron depends on Site-Activity to be run. So if there is no Traffic on the Wordpress-Site, no Cron-Jobs are run. Here is a link how to add WP-Cron to your systems cron, so your API-Call will be called every time you intend to:
WP Developer Hooking WPCron into System Task Scheduler
The Cron-Job than can use the Wordpress HTTP API to do the call. You should check the Docs on the HTTP API and the wp_remote_request function in special.
Wordpress Codex HTTP API
WP Developer wp_remote_request Reference
Or you could install the Facebook SDK with your Theme/Plugin.
I'm not sure about the security impacts when using a Page Access Token on the Client, but it seems to me, that it would be a better way to do that kind of job.
I'm using Google Calendar API in my application.
The problem that I faced is that Google doesn't send me Push-Notifications.
I setup my app here https://console.developers.google.com/
Verified domain: https://console.developers.google.com/apis/credentials/domainverification
Watched calendar: https://developers.google.com/calendar/v3/reference/calendarList/watch and got successful response.
However, having done all of this, no push-notifications are received by my web-hook. It seems that Google just doesn't send them. Maybe I missed some step? I use https URL.
The problem was that the URL that I used for PUSH-NOTIFICATIONS wasn't whitelisted and if it was requested from other network(e.g. Google), then the request couldn't be processed.
Therefore, if there is such a problem, consider checking your URL availability outside your network. It should be accessible from anywhere and by anyone.