Getstream.io throws exception when using the "to" field - hashtag

I have two flat Feed Groups, main, the primary news feed, and main_topics.
I can make a post to either one successfully.
But when I try to 'cc' the other using the to field, like, to: ["main_topics:donuts"] I get:
code: 17
detail: "You do not have permission to do this, you got this error because there are no policies allowing this request on this application. Please consult the documentation https://getstream.io/docs/"
duration: "0.16ms"
exception: "NotAllowedException"
status_code: 403
Log:
The request didn't have the right permissions or autorization. Please check our docs about how to sign requests.
We're generating user tokens server-side, and the token works to read and write to both groups without to.
// on server
stream_client.user(user.user_id).create({
name: user.name,
username: user.username,
});
Post body:
actor: "SU:5f40650ad9b60a00370686d7"
attachments: {images: [], files: []}
foreign_id: "post:1598391531232"
object: "Newsfeed"
text: "Yum #donuts"
time: "2020-08-25T14:38:51.232"
to: ["main_topics:donuts", "main_topics:all"]
verb: "post"
The docs show an example with to: ['team:barcelona', 'match:1'], and say you need to create the feed groups in the panel, but mention nothing about setting up specific permissions to use this feature.
Any idea why this would happen? Note that I'm trying to create the new topics (donuts, all) which don't exist when this post is made. However, the docs don't specify that feeds need to be explicitly created first - maybe that's the missing piece?

If you haven’t already tried creating the feed first, then try that. Besides that, the default permissions restrict a user from posting on another’s feed. I think it’s acceptable to do this if it’s a notification feed but not user or timeline.
You can email the getstream support to change the default permissions because these are not manageable from the dashboard.
Or you can do this call server side as an admin permissions.

Related

intermittent error from rally 'Not authorized to perform action: Invalid key' for POST request in chrome extension

I developed a chrome extension using Rally's WSAPI v2.0, and it basically does the following things:
get user and project, and store them
get current iteration everytime
send a post request to create a workitem
For the THIRD step, I sometimes get error ["Not authorized to perform action: Invalid key"] since end of last month.
[updated]Error can be reproduced everytime if I log in Rally website via SSO before using the extension to send requests via apikey.
What's the best practice to send subsequent requests via apikey in my extension since I can't control end users' habits?
I did see some similar posts but none of them is helpful... and in case it helps:
I'm adding ZSESSIONID:apikey in my request header, instead of user /
password to authenticate, so I believe no security token is needed
(https://comm.support.ca.com/kb/api-key-and-oauth-client-faq/kb000011568)
url starts with https://rally1.rallydev.com/slm/webservice/v2.0/
issue is fixed after clearing cookies for
https://rally1.rallydev.com/, but somehow it appears again some time
later
I checked the cookie when the issue was reproduced, and found one with name of ZSESSIONID and its value became something else rather than the apikey. Not sure if that matters though...
code for request:
function initXHR(method, url, apikey, cbFunc) {
let httpRequest = new XMLHttpRequest();
...
httpRequest.open(method, url);
httpRequest.setRequestHeader('Content-Type', ' application\/json');
httpRequest.setRequestHeader('Accept', ' application\/json');
httpRequest.setRequestHeader('ZSESSIONID', apikey);
httpRequest.onreadystatechange = function() {
...
};
return httpRequest;
}
...
usReq = initXHR ('POST', baseURL+'hierarchicalrequirement/create', apikey, function(){...});
Anyone has any idea / suggestion? Thanks a million!
I've seen this error when the API key had both read-only and full-access grants configured. I would start by making sure your key only has the full-access grant.

slashDB accessing a database via POST request and using APIkey yields 403 error

Question about security for POST method of HTTP:
I made a user called "MyAPP":
{
"userdef": [
"view",
"create"
],
"api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
"user_id": "MyAPP",
"name": "MyAPP",
"creator": "admin",
"edit": [],
"dbdef": [
"view",
"create"
],
"querydef": [
"view",
"create"
],
"databases": {
"Gaming": {
"dbuser": "mydbuser_here",
"dbpass": "mypass_here"
}
},
"password":
"$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
"email": "",
"view": []
}
Then I wanted to issue a POST in order to execute a SQL Pass-thru
such as this:
http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05
Where I built a query and named it "InsertBestScore":
insert into Gaming.Leaderboard
(ScreenName, Score)
values
(:ScreenName, :Score);
If I run this via POSTMAN using the POST method:
... then I get an access, 403 :
<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
<http_code>403</http_code>
<description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
<url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>
Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within a AWS Lambda Function.
Now, I came across this in the documentation:
Two parameters API key
SlashDB also allows a two parameters credentials in this authentication method - app id and api key. This may come handy when integrating with API management systems like 3Scale. By default header and query string argument would be:
• appid - identifies certain application
• apikey - secret for the application
Request with API key in header - Access granted
... however in the example above, I don't see where the appid comes into play.
Can you tell me how one would call the SlashDB endpoint and pass a APIkey and assure that the userid is known as MyAPP.
So, to sum up, the Documentation mentions:
• Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.
So I want to actually, do just what is in that bullet: Identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that was assigned to access that "Gaming" database.
Idea?
Make sure you've given user MyAPP permission to execute the query.
To do so:
login as admin,
go to Configure -> Queries,
open your query definition,
update field Execute. It accepts comma separated user ids.
OK, there are really two questions here:
Why was access denied?
What is the appid and how to use it.
Ad. 1: There are two authorization barriers that the request has to clear.
The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.
The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges to the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.
Ad. 2. To enable the appid the user api key must be composed out of two parts separated by colon ":". The first part will be interpreted as the appid and the second will be the apikey.
To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type in your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.
The reasoning behind this feature is to facilitate API Management platforms, which can help with key management, especially when API will be exposed to third party developers.

Receiving "Invalid policy document or request headers!"

I am attempting to upload a file to S3 following the examples provided in your documentation and source files. Unfortunately, I'm receiving the following errors when attempting an upload:
[Fine Uploader 5.3.2] Invalid policy document or request headers!
[Fine Uploader 5.3.2] Policy signing failed. Invalid policy document
or request headers!
I found a few posts on here with similar errors, but those solutions didn't help me.
Here is my jQuery:
<script>
$('#fine-uploader').fineUploaderS3({
request: {
endpoint: "http://mybucket.s3.amazonaws.com",
accessKey: "changeme"
},
signature: {
endpoint: "endpoint.php"
},
uploadSuccess: {
endpoint: "success.html"
},
template: 'qq-template'
});
</script>
(Please note that I changed the keys/bucket names for security sake.)
I used your endpoint-cors.php as a model and have included the portions that I modified here:
require 'assets/aws/aws-autoloader.php';
use Aws\S3\S3Client;
// These assume you have the associated AWS keys stored in
// the associated system environment variables
$clientPrivateKey = $_ENV['changeme'];
// These two keys are only needed if the delete file feature is enabled
// or if you are, for example, confirming the file size in a successEndpoint
// handler via S3's SDK, as we are doing in this example.
$serverPublicKey = $_ENV['AWS_SERVER_PUBLIC_KEY'];
$serverPrivateKey = $_ENV['AWS_SERVER_PRIVATE_KEY'];
// The following variables are used when validating the policy document
// sent by the uploader.
$expectedBucketName = $_ENV['mybucket'];
// $expectedMaxSize is the value you set the sizeLimit property of the
// validation option. We assume it is `null` here. If you are performing
// validation, then change this to match the integer value you specified
// otherwise your policy document will be invalid.
// http://docs.fineuploader.com/branch/develop/api/options.html#validation-option
$expectedMaxSize = (isset($_ENV['S3_MAX_FILE_SIZE']) ? $_ENV['S3_MAX_FILE_SIZE'] : null);
I also changed this:
// Only needed in cross-origin setups
function handleCorsRequest() {
// If you are relying on CORS, you will need to adjust the allowed domain here.
header('Access-Control-Allow-Origin: http://test.mydomain.com');
}
The POST seems to work:
POST http://test.mydomain.com/somepath/endpoint.php 200 OK
318ms
...but that's where the success ends.
I think part of the problem is that I'm not sure what to enter for "clientPrivateKey". Is that my "Secret Access Key" I set up with IAM?
And I'm definitely unclear on where I get the serverPublicKey and serverPrivateKey. Where am I generating a key-pair on the S3? I've combed through the docs, and perhaps I missed it.
Thank you in advance for your assistance!
First off, you are using endpoint-cors.php in a non-CORS environment. Communication between the browser and your endpoint appears to be same-origin, based on the URL of your signature endpoint. Switch to the endpoint.php example.
Regarding your questions about the keys, you should have create two distinct IAM users: one for client-side operations (heavily restricted) and one for server-side operations (an admin user). For each user, you'll have an access key (public) and a secret key (private). You always supply Fine Uploader with your client-side public key, and use your client-side private key to sign requests server-side. To perform other, more restricted operations (such as deleting files), you should use your server user keys.

Unable to get loginForm after addSiteAccount to update credentials

I am using the rest api. After retrieving the login form for a site, I input incorrect login information. I need to now go back and correct the mistake. At first I tried calling GetSiteLoginForm, which isn't allowed since the user is already associated to the site. I then tried to SiteTraversal/getSiteInfo with valid cobSessionToken and &siteFilter.reqSpecfier=16&siteFilter.siteId=643.
The response I get is:
{"popularity":0,"siteId":643,"orgId":520,"defaultDisplayName":"Chase (US)","defaultOrgDisplayName":"Chase Manhattan Bank","contentServiceInfos":[{"contentServiceId":663,"siteId":643,"containerInfo":{"containerName":"bank","assetType":1}},{"contentServiceId":10441,"siteId":643,"containerInfo":{"containerName":"bill_payment","assetType":0}},{"contentServiceId":3163,"siteId":643,"containerInfo":{"containerName":"credits","assetType":2}},{"contentServiceId":3483,"siteId":643,"containerInfo":{"containerName":"stocks","assetType":1}},{"contentServiceId":7100,"siteId":643,"containerInfo":{"containerName":"loans","assetType":2}},{"contentServiceId":3861,"siteId":643,"containerInfo":{"containerName":"mortgage","assetType":2}},{"contentServiceId":12049,"siteId":643,"containerInfo":{"containerName":"miles","assetType":0}}],"enabledContainers":[{"containerName":"bank","assetType":1},{"containerName":"bill_payment","assetType":0},{"containerName":"credits","assetType":2},{"containerName":"stocks","assetType":1},{"containerName":"loans","assetType":2},{"containerName":"mortgage","assetType":2},{"containerName":"miles","assetType":0}],"baseUrl":"http://www.chase.com/","loginForms":[],"isHeld":false,"isCustom":false,"siteSearchVisibility":true}
Note loginForms is empty. How do I get this value? I tried different values of siteFilter.reqSpecfier and always get the same result. Other things I tried were using both the our public and private urls. I duplicated all of this with Dag Site as well.
There is typo in one of the input parameters because of which the parameter is not being recognized by our API’s and hence returning Null LoginForms.
[ siteFilter.reqSpecifier is incorrectly spelled as siteFilter.reqSpecfier ]
Your Excerpt from below email:
cobSessionToken=11182013_0%3A8e8a9caa264e3b26f15c3c9a3ee05680b2edb76272d0a425852a803e6002383b89847d388de38394b4f08efbb881536b496e323ee4e42c9df7dfdcdc8ae10e16&siteFilter.**reqSpecfier**=16&siteFilter.siteId=643
This should be :
cobSessionToken=11182013_0%3A8e8a9caa264e3b26f15c3c9a3ee05680b2edb76272d0a425852a803e6002383b89847d388de38394b4f08efbb881536b496e323ee4e42c9df7dfdcdc8ae10e16&siteFilter.**reqSpecifier**=16&siteFilter.siteId=643
With corrected parameter I was able to query Site 643 and get the loginForm Array. Below is the response with loginForms[]
{"popularity":0
"siteId":643
"orgId":520
"defaultDisplayName":"Chase"
"defaultOrgDisplayName":"Chase Manhattan Bank"
"contentServiceInfos":[{"contentServiceId":663}
{"contentServiceId":10441}
{"contentServiceId":3163}
{"contentServiceId":3483}
{"contentServiceId":7100}
{"contentServiceId":3861}
{"contentServiceId":12049}]
"enabledContainers":[{
"containerName":"bank","assetType":1}
{"containerName":"bill_payment","assetType":0}
{"containerName":"credits","assetType":2}
{"containerName":"stocks","assetType":1}
{"containerName":"loans","assetType":2}
{"containerName":"mortgage","assetType":2}
{"containerName":"miles","assetType":0}]
"baseUrl":"http://www.chase.com/"
"loginForms":[{"conjunctionOp":{"conjuctionOp":1}
"componentList":[
{"valueIdentifier":"LOGIN","valueMask":"LOGIN_FIELD","fieldType":{"typeName":"TEXT"},"size":20,"maxlength":32
"name":"LOGIN","displayName":"User ID","isEditable":true,"isOptional":false,"isEscaped":false,"helpText":"4710","isOptionalMFA":false
"isMFA":false},
{"valueIdentifier":"PASSWORD","valueMask":"LOGIN_FIELD","fieldType":{"typeName":"IF_PASSWORD"},"size":20,"maxlength":40
"name":"PASSWORD","displayName":"Password","isEditable":true,"isOptional":false,"isEscaped":false,"helpText":"11976","isOptionalMFA":false
"isMFA":false}
]
"defaultHelpText":"324"}]
"isHeld":false
"isCustom":false
"siteSearchVisibility":true}
This should resolve your problem
Regards,
Vishal
Yodlee Team
The flow for updating the credentials is listed in this article UpdateCredentials Flow
You can follow the exact steps from the article.
Even when the user is associated to a particular site , you can still pull the login form using getSiteLoginForm and show the form to the user to enter the correct credentials and then pass the login form in updateSiteAccountCredentials and then proceed with the normal refresh flow.

How Can i share a post using the post id

I am using Koala gem and in my UI i have an share link. How can i share the posts using the post id. Can it be done like this.
#facebook = FacebookToken.first
#graph = Koala::Facebook::API.new(#facebook.access_token)
#graph.put_object(params[:post_id], "share",:message => "First!")
It gives the following error
Koala::Facebook::ClientError: type: OAuthException, code: 240, message: (#240) Requires a valid user is specified (either via the session or via the API parameter for specifying the user. [HTTP 403]
I thing something going wrong with permission. I have added the following permission in the fave bool app
"share_item,manage_pages,publish_stream,read_stream,offline_access,create_event,read_insights, manage_notifications"
Do I need to some other permission to share a post using post id
The first parameter in put_object is not the post ID, but the ID of who is sharing it, be it a page or user.
So instead of saying:
#graph.put_object(params[:post_id] ...
You would say:
//the current user
#graph.put_object('me' ...
or
//any user that you have a UID for
#graph.put_object(#user.uid ...
or
//a page that you have post permissions for
#graph.put_object(#facebook_page.id ...
Also in a future version of Koala, put_object will be a bit different, and you should go ahead and switch over to put_connection.