First, thank you to those of you who have put in a tremendous amount of work into building and developing Drupal-iOS-SDK. It is an amazing piece of work and I am impressed by its power daily.
Second, as a bit of background, I am writing an iOS app that allows users to login to my Drupal site with their iPhone/iPad and access their inputted data currently stored/displayed in Views.
Now, to my question/problem. So far, I have been able to successfully login to my Drupal site with the iOS app with OAuth and Session Authentication switched to off. However, as soon as I enable Session Authentication, I get a 406 error. I have tried looking online for a solution but, unfortunately, I have been unable to do so. What could be causing this problem and how would you recommend that I go about trying to resolve it?
On a similar note, my hypothesis is that disabling Session Authentication is what is causing me to get a 401 error when trying to get the app to display the views I've created. Could that be the case? Will resolving my issue above so that I can enable Session Authentication then allow me to access the views?
Thank you in advance for your help and have a great day!
Okay--I think I'm making some progress.
For the time being, I've disabled Session Authentication and don't have to deal with the 406 error. Additionally, I adjusted my Drupal views settings and now am no longer getting a 401 error when using DIOSView's viewGet. However, the responseObject for viewGet is a blank set that contains no view information. As a test, I implemented nodeGet that retrieves the node my view is linked to. I then ran the app and observed that the information returned in nodeGet's responseObject doesn't match the information for the user that successfully logged in. This makes me think that the session and/or user information is not getting passed from the app's first view (login view) to the app's second view (view that implements viewGet).
Can anybody help? I know the Drupal community, and Drupal-iOS-SDK community, is quite large and active. As such, I'm hopeful that someone can provide me with some insights and point me in the right direction.
Thanks in advance!
Check the 'sessions' table in the database. Remove any rows that have the 'uid' of the user you are logging in as and/or the 'hostname' (ip address) of the iDevice you are using to log in with. I had the same issue, getting 406 when enabling session authentication in services using drupal-ios-sdk, and this is what resolved the problem for me.
The 401 "Unauthorized" status code is because the request requires authentication. Once you get the session authentication working, check your roles and permissions. Once you are authenticated, the user should be able to access the view if they have the correct roles/permissions.
I found this problem too.
Try following this method here. It works for me
https://github.com/workhabitinc/drupal-ios-sdk/issues/30
Related
I have successfully implemented the LDAP authentication in APEX 4.2. I am now trying to extend the functionality by using the policy that users are locked after trying to login x times.
This is correctly used in my LDAP server, a user can not login after trying (atm) 3 times. The problem is that APEX displays this as a failed login instead of a message that the user is locked, so the user has no way of knowing why he can't login.
How can this be displayed accordingly?
I am using PL/SQL, for which the package DBMS_LDAP.simple_bind_s doesn't indicate the reason why the login failed. So I checked out the DBMS_LDAP_UTIL package because this gives more return values. Is this the way to go by adding a procedure checking if the user is locked out, or is there another way?
I can't get the DBMS_LDAP_UTIL.authenticate to work though. I copied the existe_user function mentioned here: http://fdegrelle.over-blog.com/article-1311889.html
Running this says my Authentication failed, although I do use the correct user and password.
Any ideas to help me out? Thanks in advance!
If you want everything the password policy extension provides, you have to use the password policy extended operations and controls. In this case you need to use the password policy request control on the bind operation. Then you will get a password policy response control with the response, that will give you the information you need.
I want to build a custom asp.net control to put on a webpage that will allow people to see a piece of information from my facebook account that requires auth. For the sake of simplicity let's just say I'd like it to display the last thing that I liked. I don't want the visitor to my site to have to be logged into facebook (nor would they have to be my friend on fb). I want my site to somehow store a token that I have authorized and then it will use this token for the access. I know this can be done initially, but I'm confused what happens when the token expires. Or for that matter if I log out from facebook. Is there some type of token or secret or something that I can request that can be auto-renewed again and again by my website independent of any login state that I have as an fb user? Does this require me creating an fb app and associating the token to it?
I don't have any code at this point, I'm looking for a higher level of guidance on the protocol that should be used here, from there I can hopefully figure out the code from existing samples, docs, etc. This is my first code interaction with facebook so don't assume that I know very much at this point :-)
EDIT: I've been reading everything I can about this topic and I can't seem to find a solution. In the past there was an RSS feed but that appears to be gone now. Then there was also the offline_access permission which is no longer available. This seems like such a simple task but I'm just not able to connect the dots. I have been able to get the initial user token with perms for reading "likes", that's easy. Now I can store that in my website's db and use it to make requests for that data anytime someone loads my page. But eventually the token will expire and I'm not seeing any automatic way to renew it that wouldn't potentially involve user "Larry", who happens to be browsing my website, being asked to supply MY facebook credentials. Basically it seems as though I could never log out from facebook or I'd be risking a broken feed on my website. Is the fb auth model just not set up to allow for thist? To summarize again - a user Bob wants to give his permission to acme.com to always be able to display Bob's most recent like regardless of whether Bob is logged in to fb or not. He would only want to have this stop working if he revoked authorization to the WhatDoesBobLike app which runs on acme.com. Possible?
-JT
You would need an extended access token. It will only last up to 60 days and from then you would need to re-extend.
If it were a page you could extend the user access token then grab the page access token which would never expire.
Read more at
http://developers.facebook.com/roadmap/offline-access-removal/
I am currently working on the linqtotwitter library.
I am using cookies to store the token and key. My problem isnt with the api as much. It is more with ASP net and page life cycle.
The problem i have with my webform app is the same with the aspnet webform defaultasp sample same at linqtotwitter site.
This is how the api works
You pass the Credentials to Authorize object to Twitter context in a nut shell.
In the sample you authorize and etc. Once the page load the auth.screenname label is changed to your twitter handle because you authenicated and it passed the auth.credentials to the twittercontext.
This is where my problem is. If I hit refresh the label is cleared out but I am still authenicated with twitter so I can post except i can not get values from the auth objects.
How would I keep the state on a refresh so I keep something like the auth.screenname or something else in memory.
I think i would need to preload the twitter authorized context but I have no idea about doing that.
I do not think using a hidden form element is proper because your masking the underlying problem.
If you want to see what linqtotwitter is, it is at http://linqtotwitter.codeplex.com/
You could throw the tokens into Session if you have it enabled, that might solve your issue.
I am attempting to create a Facebook IFrame Application using the Facebook Developer's Toolkit (language I'm using is VB). No matter what I do, I cannot get past this error message from Facebook.
App may not request permissions that
do not apply to all profiles in the
selector
I have tried dropping a CanvasIFrameLoginControl with requirelogin=true
i have also tried inheriting Facebook.Web.CanvasIFrameMasterPage then adding Me.RequireLogin = True to the Page_Init event. Both of these do require login. As soon as I add Required permissions, however, I get the API Error Code 100 - an app may not request permissions that do not apply to all profiles in the selector error from facebook. Does anyone have any idea how I can get past this issue?
You have to get extended permission to access the user's information like email,birthday etc..
Check This
I'm thinking of creating a diagnostics page for an ASP.NET app, which would be mostly intended for admin use to get more information about the application for diagnosing problems.
Examples of the info the page might have :
System.Environment.MachineName (might be useful in web farm scenarios)
System.Environment.Version
Environment.UserName
database name
current user's session ID
Some of the info on this page might be sensitive from a security perspective.
If you've done this sort of page before, what sort of security did you put on access to this page ? .
EDIT :
I should add - occasionally it might be useful to see this page whilst logged in as a specific (i.e. real) end user. e.g. say a problem can only be reproduced when logged in as a particular user. Being able to see the diagnostics page for that user might be useful. e.g. knowing the current session ID might be helpful for debugging.
EDIT 2 :
I'm starting to think that this diagnostics page should in fact be two different pages. One to display stuff which is the same for all users (e.g. database name, CLR version), and another for stuff which can vary by session (e.g. browser info, session ID).
Then you could lock down security more for the first page.
Yes, I've added this sort of page before (and found it useful). The security was pretty simple: the page contained a password form. The server-side code checked this password against a configured value and, if correct, displayed the real content and set a value in the user's session to say that they've been authenticated as a developer, so that they're not prompted again next time.
I suppose there was also a little security by obscurity, since the URL of the page wasn't published anywhere.
I was also careful not to reveal anything really sensitive on the page. For example, it allowed viewing our application config values, but masked out anything with "password" in it - hey, if we really want to see the password we can open a remote desktop session to the server.
There's also a couple of other ways you could do this:
If your web application has user authentication, restrict access to this page by checking that the user is flagged as an administrator or belongs to some kind of admin role.
Use a simple if (Request.IsLocal) ... type check, though the downside of this is that you still have to connect to the server and browse the website locally - which might not always be possible. However, this does still have the benefit of being able to easily view key system settings.
Personally, I've used a combination of both methods where a local request always allows access, and non-local requests require an admin user - eg. if (!Request.IsLocal && !IsAdminUser()) throw new SecurityException().
Also, I'm in agreement with Evgeny - be careful not to reveal anything really sensitive on this page (such as application connection strings or passwords).
use forms authentication and setup a user or two with access to that page. that way you can change passwords and revoke access once the site is deployed.
It sounds like you want a robust solution for your error page. I would take a look at open source projects like Elmah (http://code.google.com/p/elmah/) for a good example of a robust error page which includes configurable security. To give you an idea, here is a post on configuring Elmah which takes you through setting up the security. The security I have tested allows me to use my domain credentials to login.