I am using facebook on my website to send requests. (like a multi friend selector)
I am using the a basic method in fb documentation as
https://www.facebook.com/dialog/apprequests?app_id=APP_ID&message=Facebook%20Dialogs%20are%20so%20easy!&redirect_uri=http://localhost/mysite/newpage.aspx
It works and sends requests and I get the id'd of the users requests are sent to.
Now, How do I get their email address ?
I would like to store both facebook id and email addresses of all the people requests are sent to.
In fact, it would be of great help if I can get some basic details like email, first and last name, facebook profile picture etc., for all those ids.
I am using asp.net. Please try to answer in that.
That's simply not possible - there's no way the Facebook Graph API would expose Email-addresses of friends! (you can of course access the email-address of the current user when authorizing with the "email"-extended permission).
As for the other basic details - yeah, firstname, lastname & profile picture are publicly available, just query https://graph.facebook.com/USERID?fields=first_name,last_name,picture. You should consider using Batch-Requests if you want to query lots of different persons in one go.
Related
What I want
I have a list of people with all their personal information (name, first name, date of birth, email, etc.). I created an account for each of these people using their email/phone + a password I generated for them.
I want to send to each of these people an email/SMS with a link allowing them, once clicked :
to be directly connected on our website, without having to type a password or using a third party as Google/Facebook/etc.
and I want the link not to expire after the first use. The user must be able to click on it several times and be connected to our website each time.
What I tried
This is what I tried so far, unsuccessfully :
Passwordless Auth with email link: using both backend and frontend. Doesn't fit my needs because the signin link works only once by design.
Create a custom token with Firebase: as I understood, the token will expire 3600 seconds after creation, which is not useful for me.
Implement anonymous auth: it still need the user to type email+password at some point if you want to convert the anonymous account to a permanent account (because I don't want to use Google/Facebook/etc auth). Plus, it will need consequent changes in all my website code to work.
At this point I realized that Firebase doesn't have a solution that fits my needs. I started to fiddled around as best I could.
The idea
It works as the following:
First I create an account for the user in Firebase + a unique document in a collection in Firestore. That document contains 3 fields: magic_token, email, password.
Then, I create a link to our website with a unique token as a parameter in it. I store the token as magic_token in the document I described above. I send the link to the user.
The user clicks on the link, get redirected to my website. In the front, I detect the presence of the token in the parameters of the URL, I retrieve the document in Firestore with the corresponding token.
Using the email and password stored in this document I call: signInWithEmailAndPassword() to login the user.
PROS:
it fits my needs.
it is easy to implement
CONS:
the user password is visible in Firestore.
it's not very secure.
The question
Is there a proper way to implement a Magic Link that fit my needs? If not, how can I improve my own custom token authentication ?
I created a google form as a work request form for my team at work. The request then goes to a google group (where all team members can access and pull from) The issue is when a request from the form comes to the google group it is showing that it was submitted by me and not by who is requesting the work, but when we go to the google spreadsheet to see the request it is showing the correct user who submitted.
How can I get the user (work email) who submitted to show in the google group?
Response to first comment-
Here is what a work request looks like coming into our group inbox (google group)
This is showing as being sent by Shaun, but I (Jessica) as in the second picture shows was the requester who filled out this work request
It appears that Shaun is the owner of the spreadsheet receiving the input from the google form, and/or the author of the script that generates an email from the form input and sends it to the google group. You don't say so explicitly, but I would guess that you're using a "Collaborative inbox" group type.
Since the email to the group comes from Shaun, that is the user profile that is displayed on the message, above the message content.
Possible options that fail:
While you can specify a different "from" address when sending an email via the GMail Google Apps Script service, you are limited to using your own registered aliases - so that isn't going to help you.
Instead of emailing the completed form, have the script generate the whole group entry on behalf of the Requestor (sic). Despite a 7-year-old feature request, there is no API that supports this.
So what will work?
If you're willing to forego the form and spreadsheet, each requester can send their own email, which will ensure that their credentials are used to display a user profile on the groups page. To guide use of standardized fields, you can provide a mailto link with the body of the email pre-formatted for users.
mailto:work-group#googlegroups.com?subject=Work+Request&body=Request+Type:+%0dProgram:+%0dWork+Package+Name:+
Such a mailto link can be embedded on a web page, or kept as a browser shortcut to make it easy on users.
I develop an ASP.NET website. It will contain text articles and some of them will contain pictures from my facebook account above and beyond the text. Note that I'm going to use only the public albums from my account.
So I created a sql table and binded the articles, the albums and the photos (in fact the IDs of all of them). I already used facebook api sdk and it was a great library.
Obviously any visitor of my website (even he doesn't have a facebook account) mignt be able to see the articles and the pictures withount visiting facebook and without authentication via facebook oAuth to access them.
Well here are the questions:
1) How do I get the photos a public album contains by album id and user id without authentication? (I don't know, maybe I should use the other parameters than album id and user id)
2) How do I get the properties (name, id, etc) of a public album?
With out an access token there's very little you can get from the graph api.
Just try yourself by directing your browser to: http://graph.facebook.com/YOU_USER_ID.
You can also check the fields/connections tables in the User object documentation, where it says "No access_token required" in the Permissions column (3rd) you can get with out a token.
If you want to get other data of yourself and serve it publicly on your site you have two options:
Use the server-side authentication flow, get a long lived access token (60 days), save that and use it for the following 60 days to get your data from facebook.
Then, when it gets expired go through the authentication process again.
It will just be you who needs to go through it, not your users, and only once every 60 days.
Log in yourself, authenticate against your app, get all the data and persist it on your db, then just present that to your users.
You'll need to update things every once in a while.
Edit
The server side authentication flow guide has an example written in php.
It's a simple example which does not cover all scenarios but it's a good start.
I have implemented this in python and java but it's not something that can easily be shared since it spans across multiple requests and states, and so I'll just describe the flow I think that you should use:
Inside facebook you go to your canvas app
Facebook will make a POST into an iframe with your canvas url
In the post data you will get a signed request, decode it and check if it has an access token, if so check when it expires. If all is good save that token and the auth process is over, otherwise:
Redirect the user to the oAuth dialog along with your redirect url and permissions that you require.
After you allow your own app you will be redirected to your "recirect_uri" with the code parameter (in the querystring).
Exchange the code for an access token against the facebook servers and save the token.
You can then redirect yourself to the canvas app or just stop there.
That should do it for a long lived access token which you can then use for 60 days.
As for persisting your fb data on your own db, it's a pretty trivial operation to save data on a db, and it all depends on what data you want to save, how you need to encode/use it (json, xml, plain text).
For example, let's say you want the display your own photos, then after you get the token (as described above) just query from your server for your photos by issues an http request to: https://graph.facebook.com/me/photos?access_token=XXXXXX.
You should get a json encoded result, iterate over that and save each picture as a record on your db.
To retrieve list of user's albums you need to issue next GET request to Graph API:
https://graph.facebook.com/me/albums?access_token=...
And to retrieve list of photos:
https://graph.facebook.com/ALBUM_ID?access_token=...
But you cannot read user's albums (and photos) without authentication and requesting user_photos permission.
According to album documentation:
To read an Album you need
Any valid access token if it is public and belongs to a Page
The user_photos permission if it belongs to a User
The friend_photos permission if it belongs to a User's friend
So generally you have only two options to achieve the result you want:
Use Facebook Page to store all the Albums/Photos you want to display on site
Read 'em using Application access_token.
This will allow you to completely bypass authentication flow at all.
Use your personal account to store Albums/Photos
Authorize application (client-side/server-side) and grant user_photos permissions
Extend access_token for your user and store it
Use your personal access_token to access your Albums/Photos
Is there a way to create an RSS feed that only customers who have logins to our customer portal would be able to see the content of the feeds? I know I can secure the RSS feed using standard ASP.Net authentication which would be fine for viewing while on our site... but how would a reader be able to subscribe to the feed then?
I'm pretty sure the answer to this is No... but maybe there's another solution I'm not seeing?
Thanks!
You can secure it with a other auth cookie, with a long time out like in this article
http://www.andreas-kraus.net/blog/increase-aspnet-authentication-membership-cookie-timeout/
but i prefer another approach. If you have a user, than its always good to give the user an uuid column in the database. Then you could give the user a link to your feed with his uuid and can check if he is allowed too consume it without other authentification.
hope that helps
You can not use forms authentication as an RSS client would not know how to handle that. What you could do though is secure it with basic authentication and let the users that are suppose to be able to access the RSS feed include the username and password in the URL. E.g. like:
http://username:password#www.domain.com/feeds/rss
This should be supported by any RSS client as this is a perfectly valid URI. Preferable use https though as the username and password are sent in the clear.
Note: Recent versions of Internet Explorer do not support this anymore as it was subject to spoofing. For example, spam mail could be sent containing links to:
http://www.trustedbanksite.com#somewhere.ru/
This could easily fool users into thinking that they are actually visiting the website of their bank. I don't know how the support is in other browsers.
There are some question on the StackOverflow about facebook & email, but after reading them I still have a problem with retrieving users emails.
Our app implemented on Flex and uses REST API. And previously it used notifications.sendEmail.
App has publish_stream and email permissions (checked with users.hasAppPermission).
I tried users.getInfo for get proxied_email address.
But this function does not return email address of the friend..
Then I performed the following test using Graph API and web browser:
Opened the following link for authorization with extended permissions:
https://graph.facebook.com/oauth/authorize?client_id=[app_id]&scope=publish_stream,offline_access,email&redirect_uri=http://www.facebook.com/connect/login_success.html
It returned code for retrieving access_token
Oppened the following link for retrieving access_token
graph.facebook.com/oauth/access_token?client_id=[app_id]&client_secret=[secret]&code=[code]&redirect_uri=http://www.facebook.com/connect/login_success.html
It returned access_token. And now I can use GraphAPI.
Tested with my account
graph.facebook.com/me?access_token=[token]
Ok. It returned my emal.
Tested with my friend
graph.facebook.com/[friend_id]?access_token=[token]
And here is no email field!
So my questions are
Where did I go wrong?
Is it possible to get friend's email via Facebook API (GraphAPI or REST API)?
Thanks.
Email permission gives access to your email only.
If you look at the extended permissions page it says:
Likewise, to protect the privacy of users who have not explicitly authorized your application, your application will only be able to access the basic profile information about a user's friends, like their names and profile pictures. If your application needs to access other data about a user's friends to enable social functionality, you will need to request some of the special friends permissions listed below.
And if you look at the table below, it says "not available" for email permission for friends.
there ought to be some way else how does JanRain does it?
http://www.janrain.com/products/engage/invite-friends
I think that getting friends' email ids is not permitted by Facebook; at least, that's what my research tells me.
#helloworld: Who told you that janrain gets users' friends' email ids?
Only with the extended permission you can specify via the scope attribute, when obtaining the access token
Example:
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/callback&
scope=email