URL from Firebase Dynamic Links generates a "Suspicious Link" warning

So, I have a web application where users can register and when they do, a confirmation email is sent to their inbox to confirm their email. This email that is sent contains a link that takes you to the log in page, and we use Firebase to convert that link into a short dynamic link, example: https://xm5z5.app.goo.gl/wiRt.
However, when this link is clicked, the user gets a "suspicious link" warning from Google and I can't seem to understand why this happens. I've read that a few other people with web apps have the same issue with Google flagging one of their links as suspicious. Why could this be and how can this be solved?

Related

Verification required for WordPress site

I have no experience with this and I'm in need of major help. I have a WordPress website that I am trying to connect a Gmail account to. So that the contact form gets sent to a Gmail address. I got it all set up and it is telling me I need verification. This is only being used for my WordPress website. Probably very few users, not a business. Can I get around the verification process or not?
You would need an OAuth Consent Screen for your Project.
You can refer to this blog post on how you can connect a Gmail account on your WordPress site.

Facebook user_link returned from Graph API, but leads to "Content Not Found" page

My app requests the user_link permission like this:
loginButton = findViewById(R.id.login_button);
loginButton.setPermissions("email", "user_link", "user_location");
And in the Graph API callback, the link field does contain a URL. However, for some users, selecting the link leads to the "Content Not Found" page. Why is this happening for some users but not all?
I just noticed that this only happens with test users! When Facebook tested my app, they used a name of a real user, but the email address was for a test user. Faked me out totally. I tested with an unfriended user and was able to see their page without a problem.

How can I fix a "Sorry, you don't have access to this application" error when accessing app from link in email?

I have an App Maker app that sends a notification email to a user when they have to take action on an item. The email includes a link into the app to access the item they need to take action on directly. For whatever reason, when they click on the email in the link, users are getting a "Sorry, you don't have access to this application" error.
The URL generated in the email is correct, and exactly matches the URL you'd be at if you navigated to the same page/record from within the app.
It looks like there's some kind of link resolution going on when you click on the email link -- there's a brief period when the URL in the address bar is of the form https://www.google.com/url?q=https://script.google.com/a/xxxxx/macros/s/<correct script ID>/exec?evalId%3D823%23EditEvaluation&source=gmail&ust=<number>&usg=<string>
For almost all users, the link resolves to a URL in the form of https://script.googleusercontent.com/a/macros/xxxxx/echo?user_content_key=<string>&lib=MxCG-Sk-HF4ilQO-Kv7w6fINeS3Mb45sS#EditEvaluation, which then goes to a page that just has the "Sorry, you don't have access to this application" message.
If I copy and paste the full correct URL (https://www.google.com/url?q=https://script.google.com/a/xxxxx/macros/s/<correct script ID>/exec?evalId%3D823%23EditEvaluation) into a new tab, it goes to the same error.
The only time this error doesn't come up is when I'm logged in as the Admin user -- I can click on an email link or copy and paste the link into a new tab, and it loads just fine.
Here's what I've checked:
In the deployment settings, the app runs under the user's account, and application access is not restricted.
Access to the data models involved, as well as to all associated relations, is set to Everyone.
Security for the page involved is set to Everyone.
There are no permission-related bindings for visible or enabled anywhere on the target page.
Can anyone else see something I'm overlooking?

Telegram Login responds with "NOT_AUTHORIZED"

I am trying to use the Telegram Login Widget.
I have inserted the following script in my login page:
<script async="" src="https://telegram.org/js/telegram-widget.js?4" data-telegram-login="<name of bot>" data-size="large" data-auth-url="http://local.<domain>/tg" data-radius="0" data-request-access="write"></script>
This works insofar as the Login Widget gets displayed.
When I click the "Login with Telegram" button, it correctly asks me to Accept/Decline if I want to login at this website. But then nothing further happens.
By investigating the network requests I found that the telegram servers respond thus:
{"error":"NOT_AUTHORIZED","html":"<button class=\"btn tgme_widget_login_button\" onclick=\"return TWidgetLogin.auth();\"><i class=\"tgme_widget_login_button_icon\"><\/i>Log in with Telegram<\/button>","origin":"http:\/\/local.<domain>"}
Is there anything I am missing that I should have done?
I did have a chat with the #BotFather to set the domain to http://local.<domain>.
When logging in, I also get a message from Telegram in the Client telling me:
You have successfully logged in on local.furry.cafe via #.
The website received your name, username and profile picture.
Things that could be problematic:
local.<domain> is part of my /etc/hosts, but this shouldn't be a problem, right?
I don't use HTTPS on my dev machine? But this is not written as a requirement anywhere.
After several hours of more debugging I've found the reason:
You need to have third-party cookies set as allowed.
Since the request seems to be made from the asking window, it didn't have any authentication cookies attached, which in turn gave the NOT_AUTHORIZED response, while at the same time 'logging' you in, in the telegram client.
Since the server has no idea that the cookies were not set, it could not say anything.
TL;DR: Don't disable third party cookies if you want to use Telegram Login as a User.
I'll have to add a small text explanation so that if a user does have them disabled, it is shown to them.

Firebase dynamic link flagged as suspicious in gmail

Some Background
We have an app which requires user registration
When a user registers, we send a confirmation email
The email contains a Firebase Dynamic Link to a web page and is caught by the app if it's installed
Since the final link contains a unique confirmation token, we generate a dynamic link each time using the Firebase dynamic link REST API
The generated dynamic link is something like this: https://{domain}.app.goo.gl/{randomChars}
The final link points to our domain, which is using HTTPS
The Problem
When I try to open that link in Gmail (both desktop and android), a pop-up appears that says:
Suspicious link
This link has been flagged as suspicious. Are you sure you want to proceed to {domain}.app.goo.gl?
Notes
It's weird that the top-level domain is from Google, and it's flagged as suspicious
The email contains other links, e.g. to the home page, YouTube, Instagram and Facebook, and those open without any issue (all of them are HTTPS)
We're using Rackspace/Mailgun to send emails
Any insights will be really useful.
Edit:
I checked both domains ({domain}.app.goo.gl and ours) in MX Toolbox and no blacklist was found.
Dynamic links now use page.link instead of app.goo.gl. The latter URL has been deprecated.
See https://firebase.google.com/docs/dynamic-links/create-manually
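
An added example, not part of the original posts and not Firebase's own code: a pre-send check that lists the links in an outgoing email body and flags any that sit on the app.goo.gl dynamic-link domain the answer above calls deprecated, or that use plain HTTP. The sample email, the example.* hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEPRECATED_SUFFIX = ".app.goo.gl"  # short-link domain the answer calls deprecated

# Constructed sample email body; every host is a placeholder.
SAMPLE_EMAIL = """
<p>Please confirm your address:
<a href="https://example.app.goo.gl/AbCd">Confirm</a></p>
<p><a href="https://example.page.link/AbCd">Confirm (new domain)</a>
<a href="http://www.example.com/">Home</a>
<a href="https://www.example.com/help">Help</a>
<a href="mailto:support@example.com">Support</a></p>
"""


class HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in the email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify(url):
    """Return the findings for one link (an empty list means nothing flagged)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return []  # mailto:, tel: and similar are out of scope
    findings = []
    if parts.scheme == "http":
        findings.append("not-https")
    # Suffix match including the leading dot, so "notapp.goo.gl" does not match.
    if (parts.hostname or "").endswith(DEPRECATED_SUFFIX):
        findings.append("deprecated-dynamic-link-domain")
    return findings


def audit_email(html):
    """Map each flagged link in the email body to its findings."""
    collector = HrefCollector()
    collector.feed(html)
    flagged = ((u, classify(u)) for u in collector.hrefs)
    return {u: f for u, f in flagged if f}
```

Running `audit_email` over each rendered template before it is handed to the mail provider surfaces old short-link domains that are still embedded in templates.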
