How long are password reset links valid for Firebase auth? - firebase-authentication

The title says it all. I tried to find this information in the documentation, but it is not stated there. I read somewhere that the links are valid for 2 to 3 hours. But I would like to know the official duration of the validity.

The duration of password reset links is of 1 hour. According to this post in Github. https://github.com/firebase/firebase-js-sdk/issues/1884

Related

Is there any way to get a Bearer token now, since Robinhood has changed the API again?

We keep playing this cat and mouse game with Robinhood.com. I have a trading app which used to trade stocks with Robinhood, but they keep changing the unsupported unofficial API to make it difficult for traders to use. I know that many people are doing the same thing and I want to reach out to them to see if there is a new answer. The latest problem is when I try to get a Bearer token using the URL https://api.robinhood.com/oauth2/token/ the API returns the following JSON: {"detail":"This version of Robinhood is no longer supported. Please update your app or use Robinhood for Web to log in to your account."}. This started happening on 4/26/2019.
Has anyone found a work around for this, yet, or have they finally beaten us into submission?
A more complete solution (not need browser):
Use requests.session.
Obtain the login page by making a GET request to "https://robinhood.com/login".
At this point the session's cookies will contain 'device_id'.
Obtain this device_id and use it in making the oauth2 token request to "https://api.robinhood.com/oauth2/token/" also add in the data request "challenge_type" (either "sms" or "email").
This request will fail with a 400 error code. Robinhood will send an SMS message or Email with a temporary (5 minute) code.
Also at this point use the 400 response's body to get "id" from "challenge" inside of the JSON object.
Confirm the challenge by making a POST request to "https://api.robinhood.com/challenge/CHALLENGEID/respond/" where CHALLENGEID is the same id mentioned in the first failed /oauth2/token/ POST request.
Make the same POST request to "https://api.robinhood.com/oauth2/token/" and include in the header "X-ROBINHOOD-CHALLENGE-RESPONSE-ID" with the value CHALLENGEID.
You can reuse a device_id with user/pass after this even after logging out.
Be cautious with storing device_id as it is the result of user/pass login and successful SMS/email 2FA.
Just got it working. At the risk of them seeing this post and changing it more, here we go:
First, you're going to want to log into your RH account in a web browser
View Source on the page, and look for clientId - it should be a big hex number separated by dashes
Add that number to your POST requests to /oauth2/token under the field device_token
There's probably another way to retrieve the device token, and I'm not even sure it's unique, but that way should work.
Good to be back here after a very long time.
Not sure if anyone is still looking for answers to this, but I have a very simple solution.
At Robinhood's login screen, enter your username/email and your password, press F12 on your keyboard to bring up the console panel and switch to the "Network" tab then wait for the page to load completely. (During this time you will see a list of items being loaded rapidly depending on the connection speed.)
At this time you can keep clearing the list by clicking on the button highlighted in the below image.
Click on button highlighted repeatedly until the list is empty
Now, log into your Robinhood account. At this point your console should display a list similar to the one shown below.
Look for the name "token/", most likely it will be the second one you get all the information you need. And this information will be under the Headers then Request Payload
I was able to find this with past knowledge and experience of web scraping for fun. And also, I needed to know this as well, since I recently started doing trades via Robinhood.
Hope this help you curious ones out there.
For my Robinhood account I am using Google Authenticator for my 2FA. What I have so far is that I send the original call that I was sending before to https://api.robinhood.com/oauth2/token/. This is giving me a response of:
{"mfa_required":true,"mfa_type":"app"}
I then repeat my oauth token request, but this time providing the value from Google Authenticator (so my GUI has to prompt me to fill it in) with this payload in the request to https://api.robinhood.com/oauth2/token/:
{"grant_type":"password","scope":"internal","client_id":"c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS","expires_in":86400,"device_token":"***","username":"***","password":"****","mfa_code":"***"}
and then I am getting an access token in reply

Heroku: Login system - authentication loop failure

I am trying to login to my heroku account.
I keep getting an error message that says "There was a problem with your login". There are no details of what the problem is.
I tried changing my password through the forgot password action and I still get directed back around to the above error message.
I can't contact Heroku's support team because I can't login.
Has anyone found this problem and found a way around it - or even a way to contact Heroku?
I had the same problem, couldn't login even after resetting my password. I use the Last Pass chrome extension to fill in forms. When I entered the (same) credentials in manually I was able to login.
I started getting this error very recently. I believe it's linked to a recent email that I got regarding password requirement changes:
Heroku will start resetting user account passwords today, May 4, 2022, as mentioned in our previous notification. We recommend that you reset your user account password in advance here and follow the best practices below:
Minimum of 16 characters
Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
Don't just add a letter or a 1 digit number to the existing password while changing
Passwords may not be duplicated across accounts
As mentioned elsewhere, resetting my password and ensuring LastPass included symbols resolved it.
I reset my password and it helped.
After a research I found that Last Pass auto generated password was not strong enough as per Heroku password reset requirement.
I solved it by opening password reset link on different browser (in my case safari). enter strong password (ex: 51lxgpf2F52PgOBAPdAM#)
I had this problem on "Opera", then I went to "Chrome", and still the error, but in the end it worked on "Microsoft Edge". So try changing your browser to this one)

JIRA REST API to get work log - "You do not have the permission to see the specified issue"

I want to get work log of a specified issue on Jira. According to this document https://docs.atlassian.com/jira/REST/latest/#d2e774 I'm using this format giving my issue id:
/rest/api/2/issue/{issueIdOrKey}/worklog
Although I have logged in Jira, I got this error:
{"errorMessages":["You do not have the permission to see the specified issue.","Login Required"],"errors":{}}
Besides, I can see work log on Jira's interface. I don't think there is an permission constraint. Any help to solve?
You REST API request need to be authenticated. Please read Authentication paragraph (4th from the top): https://docs.atlassian.com/jira/REST/latest/
The easiest way is to use /rest/auth/1/session: https://docs.atlassian.com/jira/REST/latest/#d2e3737
I hit this issue when trying to use Cookie-Based authentication, I was following this guide from Atalassian; https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-cookie-based-authentication
The guide mentions the need for JSESSIONID but does not mention you'll also need to supply studio.crowd.tokenkey, really check what cookie elements you get back when you authenticate in case they change it again, and don't update documentation.
For my own sake I noted down all the code here.

fbDidExtendAccessToken:expiresAt: not returning 60-day token

Before I start, I'd like to state that I am using the new Facebook iOS-SDK (January 18, 2012 release), and setting 'deprecate offline_access' to enabled in my app's Facebook setting page.
When the fbDidExtendAccessToken:expiresAt method is called/reached via the extendAccessTokenIfNeeded (or extendAccessToken) methods, it returns the same token (e.g., the one expiring within a few hours). Also, the token is de-authenticated when restarting app, requiring the user to re-authenticate upon each fresh-launch (this may be a separate issue, or a bug on my end).
The expected results should be the following: Token should expire in 60 days, and token should exist in NSUserDefaults when restarting app.
I do not observe this happening.
Is anyone else having this problem?
Thanks!
I left a post on Facebook's Support forums. Facebook shot me an email saying that they have escalated this bug to 'Medium' priority as of today.
Here's the post: https://developers.facebook.com/bugs/319523108090699

visiting users Facebook ID w/out authorization?

I have a native (FBML) Facebook Application. I do not want to push the application visitors through the authorization process, however I do want to know their Facebook ID.
Is it possible to find the visiting users Facebook ID without requiring them to "Authorize" my Application?
Before, I said it couldn't be done - but it can.
http://developers.facebook.com/docs/authentication/canvas
Read that, it's excellent. You need to decode the Base64 string and check the signature is correct, but other than that it gets you the user id among other stuff (like a temporary access token for graph.facebook.com)
REMEMBER : You need to change the settings in the Migrations tab for the information to come through! It's a vital step, but can be overlooked...
Hope this helps :)
Stuart