to access users info when they are offline,
the user grants offline_access and I store them by this :
$session=$facebook->getSession();
if($session)
{
$access_token=$session['access_token'];
}
$qq=sprintf("insert into `tokens`(`uid`,`access_token`) values ('%s','%s')",$myid,$access_token);
$res1=mysql_query($qq);
but when I try to use graph.facebook.com to collect information from them , it sometimes work and some times doesn't and gives me this error :
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons
i use graph.facebook.com/[function]?access_token=[the access token saved in DB]
what's my fault?
First, the access token with the offline_access permission can become invalid if :
the user de-authorizes your app in his privacy settings
the user changes his password
You can read a blog post from Facebook about how to handle expired tokens.
Then, you should not :
make API urls directly with URLs, like you do when you call graph.facebook.com/[function]..., but use the Facebook PHP SDK functions to make API calls.
use the version of the PHP SDK you are using ($facebook->getSession() is from v2.x) is deprecated, that might be the causes of your problems.
Here is an answer on Stackoverflow about how to handle offline_access access tokens with the Facebook PHP SDK v3.x.
Hope that helps !
Related
I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz
My user has granted all permissions for authentication scopes to google calendar, but the API is returning a 403 error. However, this only happens for some users. Most user do not have any problem.
I reviewed this live with the user as they granted access and can confirm that they did grant access to all the scopes but the issue still persists.
When you are accessing an api endpoint that requests privet user data you must be authorized to access that data. You haven't posted your code or stated which method you are trying to use but as an example lets look at
Events.list in order to use this method the documentation tells us that you need to authorize the user with one of the following scopes
If you authorize your application with a difference scope and not one of these you will get the error message you are seeing Insufficient authentication scopes.
The key to fixing this will be to fix your code to ensure that you are sending the proper scopes, then to revoke the users access and force the system to prompt the user for consent again. The user must see the consent screen again showing the new scope required. Once the user has authorized with the new scope it will work.
It is probably running on an old access token and refresh token without prompting the user for authorize again.
The insufficient scopes means that the user has authorized your application bu
Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like .
Username
Profile pic path
They set it to a bad word and bad pic.
So then i Also Checked the Firebase rules and redefined them..
Like
Only Authenticated users can read/write.
But problem is.
The hacker is still updated the Value on firebase db.
and i want to know what i am missing.
Is it possible to update a Firebase db without the whole secure key and things..
using a browser may be?
User data of a single user ...
email : "https://m.me.developer.scg"
lastseen : "1617987743"
pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)"
privacy : "PU"
state : "offline"
status : "Lets watch some movies"
type : "FREE USER"
username : "FU*KED BY DreamPLAY"
Here the hacker updated the 3 fields.
email :
pic:
username:
You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.
I will answer as parts :
Reason of Problem :
The Hacker found your API then created project and added your API to it then he
created authenticated user then he updated the fields , So this the reason of
problem
Solution :
First : is to create unique Fields (e.g Email to 1234567890Email as
Example but more secure)
Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)
Third : Is to create more secure rules as to denied access to Entire Database but just
give access to some collections or even documents So it will be more
secure
I just covered the most famous actions (You can see more but by google your problem)
& Wish I helped you :)
I just thought of a way to secure Firebase credentials so thought of a way to use a custom cloud functions authentication function (URL based function) to accept user credentials like username and password via URL encoded parameters. This method will only use database(firestore would be preferable). The function will only have to create custom tokens and send it to the user while keeping the user's temporary data like IP addresses etc. So request to write or read to the database will only be granted to this function.
You CAN prevent all those non authencated activities right from your firebase console.
GO to your firebase console, Open your project's android app.
Add SHA fingerprints of your app's SHA signing certificate fingerprints.
Getting likes from facebook using following command
x <- getLikes(XXX, token=token)
XXX is the user ID of facebook account of person and token is created by Graph API Explorer.
Using this command, I find like activity of user and user's friend account. Out of 10 friends, I got the following Error for some users
likes <- getLikes(XXX, token=token)
Error in getLikes(XXX, token = token) :
User not found, or token is not authorized.
I create new token also but still I get same Error.
Please tell me what should I do to resolve this.
While authorizing a user are you enabling extended permissions as true?
If not, then you have to enable extended permissions as follows
fbOAuth(app_id="Your_app_id",app_secret="your_app_secret",extended_permissions=TRUE)
Once you do this the getLikes function should work properly for all users
It isn't working for you because facebook has stopped the service. Unless the user that you are requesting details from authorizes your application, you wont be getting the data
After authenticating the user, I save the authorization token insidea database. Than I save his Id inside a cookie. Each time he accesses a page I check to see if the cookie is there. If it s not there, I try to get another authorization cookie and replace the old in the database, and create that cookie.
I have a deep feeling I am wrong:0 Can you tell me how should I handle this?
You should not deal directly with cookies but use a SDK that do it for you. For C#, you can use the Facebook C# SDK. Check out the API Quickstart guide if you want to have a good overview.
You should store the token in you database only if you ask the offline_access permission when you get the access token because token expires after a few hours.
If you do ask for the offline_access permission when you get the token, then you can store it in your database and make API calls with that token anytime you want (without having to check the user session or cookie).
Hope that helps !