Facebook Pages Access Token (multiple) to a single Webhook - facebook-apps

I am trying to add about 10 different Page Access Tokens to ".env" in order to send the "verify token" to a single webhook, because all pages will use the same Facebook App.
I am using a Heroku "Node.JS" app and my goal is to replicate what I managed to deploy for a single page, with a single Page Access Token, recalled from an .env file.
Is there any module to do that?
Any guidance will be super appreciated.
Thanks in Advance guys!
When I do it using a Page Access Token recalled from one .env, I do it like this:
const MY_VERIFY_TOKEN = process.env.MY_VERIFY_TOKEN;
Then I recall it like this:
let getWebHook = (req, res) => {
  // Your verify token. Should be a random string.
  let VERIFY_TOKEN = MY_VERIFY_TOKEN;
  // ... the rest of the handler (comparing the token Facebook sends against VERIFY_TOKEN) was cut off in the post
};

Related

Google OAuth2 fails to redirect back to site, instead takes me to Google's My Account Page

I am using Google's PHP API client within a Laravel application to authorize a user via OAuth2 for the Analytics read-only API. I've used similar code on a previous project without issues, but this time it takes me to either Google's My Account page, or YouTube's account page, depending on the account I try to authorize with.
I have verified it is receiving the correct redirect_uri.
Here's some relevant code:
// Inside a Laravel controller action that receives the current Request as $request.
$google = new \Google_Client();
$google->setAuthConfig(resource_path('../client_secrets.json'));
$google->setRedirectUri(url()->to('/google/authorize'));
$google->addScope(\Google_Service_Analytics::ANALYTICS_READONLY);
$google->setAccessType("offline");
$google->setApprovalPrompt('force');
// No code? Then we need to authorize with Google.
if (! $request->has('code')) {
    $authUrl = $google->createAuthUrl();
    return redirect()->to($authUrl);
}
FIXED.
Turns out Google was redirecting properly, but for some reason the code wasn't recognizing that it had the code query value attached. Split the redirect into a different method and got it working that way.

best practices for authentication in react native

I'm a beginner in react native and I'm creating an app. I've done some research about how to make a secured react native app, but I didn't find much information. I've come up with a "solution" myself, but I want to make sure this is the right way to do this. So I need the help of some react native/javascript/security experts if possible, to quickly check if my approach is OK or not.
I have included 3 questions in this text, but obviously they're related. I've put them in bold. Feel free to answer one or more questions, I appreciate every answer!
I'm creating an app in react native. For a user to be able to use the app, the user should create an account and sign in. I'm using a JSON web token as an access token to authorize the requests made from the app to the server, and to identify the user (I store the user ID in the JSON web token).
At my server, I first check if the access token is valid. If so, I get the user ID out of the access token and use this user ID to identify the user.
For extra security, I'm also using refresh tokens, because an access token is only valid for 10 minutes. When a user sends a request with an expired access token, the server responds with a 401 not authorized status.
To make my code more "manageable", I've created a wrapper function in react native. I wrap every "request function" (every function where I do a GET/POST/PUT/DELETE request to the server) with this wrapper function. This wrapper function checks the response of the request. If the response status is 200, the response is returned to the code. If the response status is 401, the refresh token is sent to a specific endpoint to obtain a new access token. When the access token arrives at the app, the previous request is made again with the new access token. The wrapper function also stores the new access token in (temporary) redux (keychain or shared preferences). 1. Is a wrapper function a good idea? For me, it's more manageable because now I'm reusing the code.
Every time the user opens the app, a new access token is requested, and when a user closes the app, the current access token is deleted, even if it is not expired yet. That way, I want to make sure that every app "session" starts with a new access token. 2. Is this okay? Or should I prevent unnecessary requests to the server when I still have a (possibly) valid access token?
In my react native app, this wrapper function is located in a context component. This "authentication" context is wrapped around my other components in App.js like this:
<AuthenticationProvider>
  <AppNavigator />
</AuthenticationProvider>
This way, my wrapper function is accessible to all my other components. My authentication context looks like this:
import React, { createContext } from 'react'
import { useSelector } from 'react-redux'

const AuthenticationContext = createContext({
  accessToken: null,
  wrapperFunction: () => {}
})

const AuthenticationProvider = (props) => {
  let accessToken = null
  // refresh token comes from the redux store
  const refreshToken = useSelector(state => state.auth.refreshToken)
  const wrapperFunction = () => {
    // wrapper function
    // set the access token
    // await fetch('server endpoint')...
  }
  return (
    <AuthenticationContext.Provider value={{ accessToken, wrapperFunction }}>
      {props.children}
    </AuthenticationContext.Provider>
  )
}
3. Is using a context a good practice to do stuff like this?
Server-side, I store every refresh token in a database. When a user requests a new access token, I check if the sent request token still exists in the database. If not, I have revoked access for this user and the user should be logged out. This way, I want to make sure I can "manage" users.
Yes, it makes sense. Actually I can't think of a better way to manage the scenario you mentioned. When you wanna tamper with the request before it's sent, you will need a single function to do so. You could also use some hooks e.g. onBeforeSend and onAfterReceive, but in your case I don't see any extra value for this.
I do not agree with the deletion of a valid token. You can still send a request to the server on every app start to get the user's last data (might have changed on another device). I don't understand the logic of starting the app with a new session (maybe more information?).
I don't think you need to pass the wrapperFunction/token using context. It would be best if you could send user data by context. Your wrapper function can access the token directly from asyncStorage. And each component can call the function directly by importing it.
I believe you are taking the approach of using a wrapper function since the relevant API requests are made directly in components. The best practice is to move such requests outside (E.g. Redux actions with a middleware like redux-thunk) the components.
It's better to check if the access token is expired (by decoding the token) before sending the API request and retrieve the new access token. This will reduce the amount of requests to the server. You can implement a common request method which handles this check as well.
I think since your access token expires every 10 mins this is unnecessary. Is there a specific reason to start each session with a new access token?
You can pass in user access details using the context. I think it's a matter of preference. Passing in the wrapper function is not needed if you're handling the requests through a common request method.
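The wrapper function from the question combined with the advice from the answers (decode the token's exp claim before sending, keep the refresh and single retry in one common request method), as an added example that is not the poster's or the answerers' code. The refresh endpoint, its { accessToken } response shape, the injectable fetch and the token store are assumptions; Buffer is used for base64 decoding because this runs under Node, a React Native app would use a base64 library instead.

```javascript
// Decode exp without verifying the signature: the client uses it only to skip a
// doomed request; the server still validates every token it receives.
function isExpired(jwt, nowSeconds = Date.now() / 1000, skewSeconds = 30) {
  try {
    const payload = JSON.parse(Buffer.from(jwt.split('.')[1], 'base64').toString('utf8'));
    return typeof payload.exp !== 'number' || payload.exp - skewSeconds <= nowSeconds;
  } catch (e) {
    return true; // malformed token: treat as expired and refresh
  }
}
// Assumed interface: fetchFn(url, options) like fetch; store holds the tokens
// (keychain-backed in the app); refreshUrl returns { accessToken } on POST.
function createAuthClient({ fetchFn, store, refreshUrl }) {
  async function refresh() {
    const body = JSON.stringify({ refreshToken: store.refreshToken });
    const res = await fetchFn(refreshUrl, { method: 'POST', body });
    if (res.status !== 200) throw new Error('refresh rejected: log the user out');
    store.accessToken = (await res.json()).accessToken;
  }
  // Every GET/POST/PUT/DELETE goes through this wrapper.
  return async function authFetch(url, options = {}) {
    if (!store.accessToken || isExpired(store.accessToken)) await refresh();
    const send = () => fetchFn(url, { ...options,
      headers: { ...(options.headers || {}), Authorization: 'Bearer ' + store.accessToken } });
    let res = await send();
    if (res.status === 401) { await refresh(); res = await send(); } // retry once, never loop
    return res;
  };
}

// Constructed unsigned token for the demo; only the exp claim matters here.
function makeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64');
  return b64({ alg: 'none' }) + '.' + b64(payload) + '.sig';
}

// Constructed stand-in for the server: one valid access token, handed out on refresh.
function fakeServer(refreshUrl) {
  const valid = makeJwt({ sub: 'user1', exp: Math.floor(Date.now() / 1000) + 600 });
  const calls = [];
  const fetchFn = async (url, opts = {}) => {
    calls.push(url);
    if (url === refreshUrl) return { status: 200, json: async () => ({ accessToken: valid }) };
    const ok = (opts.headers || {}).Authorization === 'Bearer ' + valid;
    return { status: ok ? 200 : 401, json: async () => ({ ok }) };
  };
  return { fetchFn, calls, valid };
}
```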

Bigcommerce - Get Product Custom Field

I wanted to use the Bigcommerce API from here, and fetch all custom product fields, so I used this get path:
GET /stores/{store_hash}/v2/products/{product_id}/custom_fields/{id}.
Because I needed {store_hash} I visited this site, and created a "Legacy API Account" in the admin panel, which generated an API path and an API token.
I thought that the store_hash was the same as the API token, but it wasn't.
What do I do now? What does the full path look like when using this clause:
for "OAuth" :
GET /stores/{store_hash}/v2/products/{product_id}/custom_fields/{id}.
or for "Basic Auth" :
GET /api/v2/products/{product_id}/custom_fields/{id}
In this way, I would like to do:
$.getJSON("/stores/{store_hash}/v2/products/{product_id}/custom_fields/{id}", function (data) {
  // custom code with data
});
Thank you in advance for any help
Paul
If you're just using the legacy API, you can request directly from the store's API path.
$.getJSON("https://store-XXXXX.mybigcommerce.com/api/v2/products/{product_id}/custom_fields/{id}", function (data) {
  // custom code with data
});
If the store has its own private SSL installed, that API address will be their domain instead of the .mybigcommerce address.
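A server-side way to call the legacy API path from the answer, added here and not the poster's or the answerer's code: running this in the Node backend keeps the API token out of browser $.getJSON calls (anything the page ships is readable by every visitor), and both ids are validated before they become path segments. The env variable names, the legacy API username and the injectable fetch are assumptions.

```javascript
// Added example (not from the question or answer). Assumed env variables:
//   BC_API_PATH=https://store-XXXXX.mybigcommerce.com/api/v2   (the store's API path)
//   BC_API_USER / BC_API_TOKEN                                (legacy API credentials)
function customFieldsUrl(apiBase, productId, fieldId) {
  // Both ids are path segments; accept only digits so a crafted value such as
  // "1/../orders" cannot change which resource the request reaches.
  for (const v of [productId, fieldId]) {
    if (!/^\d+$/.test(String(v))) throw new Error('invalid id: ' + v);
  }
  const base = apiBase.replace(/\/+$/, '');
  return `${base}/products/${productId}/custom_fields/${fieldId}`;
}

// Basic Auth header for the legacy API account (username:token, base64).
function basicAuthHeader(username, token) {
  return 'Basic ' + Buffer.from(`${username}:${token}`).toString('base64');
}

// Server-side fetch; fetchFn is injectable so the call can be tested offline
// (Node 18+ provides a global fetch for the real thing).
async function getCustomField(env, productId, fieldId, fetchFn = globalThis.fetch) {
  const url = customFieldsUrl(env.BC_API_PATH, productId, fieldId);
  const headers = { Authorization: basicAuthHeader(env.BC_API_USER, env.BC_API_TOKEN), Accept: 'application/json' };
  const res = await fetchFn(url, { headers });
  if (!res.ok) throw new Error(`Bigcommerce API returned ${res.status}`);
  return res.json();
}
```

The browser then calls your own endpoint (which invokes getCustomField) instead of the store API, so the credentials never leave the server.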

MVC 5 Web API Login without Bearer Token

Long story short: I have a login form in the header on every single page. When I log in successfully it works fine, but when the user is incorrect, for example, it redirects to the default login page (a view that was originally created with the MVC project) with the model errors. I don't want to do that, I want to show errors next to the login form without redirecting. So I decided to implement a login via WEB API, i.e. it does a $.ajax jQuery request to the Login API Controller, tries to log the user in and returns errors if needed so I can output them where I want.
All examples I've seen say to use a Bearer Access Token. I don't understand why I would need to go this path: save the token somewhere and pass it along with every single request in the headers? That's what I did in my Login API Controller:
// Inside the Login API controller's action; model holds the posted credentials.
var user = await UserManager.FindAsync(model.UserName, model.Password);
if (user != null)
{
    Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);
}
else
{
    error = "Invalid username or password.";
}
This is the same functionality that is available out of the box when you create an MVC5 project. I just moved it from a regular controller to an API controller. And it works without needing to take care of bearer access tokens. What's the point of it if you could just do it like I did? I think it just makes requests more complicated when you use a bearer token. Am I missing anything?
As I understand this, the bearer token would make more sense when you need to have a separately available backend authenticated with the same login as the front end web site, in a pass-through so the back end can "see" the request as coming from the same user.
You can verify that after logging in this way both the front end web site and the backend API are sending the same session cookie, and if so you are golden. If on different domains, you may have problems with that, but otherwise not. If so, then a bearer token to pass that user to the backend may come back into play.

Facebook Javascript SDK - Chrome issue of access token

I am facing one serious issue on Chrome with the Facebook access token. Following is the code from where I get the user id and access token. This access token is later used for accessing various Facebook functions.
FB.getLoginStatus(function(response) {
  if (response.status === 'connected') {
    uid = response.authResponse.userID;
    accessToken = response.authResponse.accessToken;
  } else if (response.status === 'not_authorized') {
    // ... the rest of the handler was cut off in the post
  }
});
In Chrome, when I load the page the first time, it comes fine with the access token, but when I refresh it a few times, sometimes it gives me the access token as 0. Due to this nothing works. Can anyone please help me out with this?
David
You may want to try forcing a roundtrip to Facebook's server on page load so that you can always get the most up to date status of the user. The JavaScript SDK automatically caches the login status the first time the user views the page, but you can override it like this:
FB.getLoginStatus(function(response) {
  // this will be called when the roundtrip to Facebook has completed
}, true);
Just make sure that the forced roundtrip doesn't add too much unnecessary latency! You can read more on the page for FB.getLoginStatus(). The section about the forced roundtrip is about halfway down the page.
Happy coding!
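The forced roundtrip from the answer wrapped in a promise that also refuses a 0 or empty access token instead of handing it to later API calls; this is an added example, not the answerer's code. The fakeSdk object is a constructed stand-in for FB that mimics the cached-status behaviour described in the question.

```javascript
// Added example (not from the question or answer). fb is any object exposing
// getLoginStatus(callback, force) the way the Facebook JavaScript SDK does.
function getFreshLoginStatus(fb) {
  return new Promise((resolve) => {
    fb.getLoginStatus((response) => {
      const auth = response && response.authResponse;
      const token = auth && auth.accessToken;
      // A cached or half-initialised SDK can hand back 0 / "" here; never use that.
      const connected = !!response && response.status === 'connected'
        && typeof token === 'string' && token.length > 0 && token !== '0';
      resolve(connected ? { uid: String(auth.userID), accessToken: token } : null);
    }, true); // true = skip the SDK's cache and ask Facebook's servers
  });
}

// Constructed stand-in for the SDK: answers from its cache unless a forced
// roundtrip is requested, mirroring the behaviour reported in the question.
function fakeSdk(cached, fresh) {
  let roundTrips = 0;
  return {
    roundTrips: () => roundTrips,
    getLoginStatus(cb, force) {
      if (force) roundTrips++;
      setTimeout(() => cb(force ? fresh : cached), 0);
    },
  };
}
```

Whatever the client receives, the server still has to validate the token with Facebook before trusting the user id that came with it.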