I have a Shopify App that deals with products and shipping. The current scope is:
scope = ["read_shipping", "write_shipping", "read_products"]
New functionality needs new scope as:
scope = ["read_shipping", "write_shipping", "read_products",
"write_products", "read_inventory", "write_inventory",
"read_fulfillments", "write_fulfillments", "read_price_rules",
"write_price_rules"]
For new App users everything is fine. How do I introduce this new scope to existing App users by:
Requesting App users to accept the new scope permissions
Not interrupting existing functionality for App users who never end up accepting new scope permissions
You add the new scopes you need to your App. Whenever ANYONE re-authenticates they will be prompted by Shopify to accept the new scopes. That is the only way to do it. No you cannot sneak in new scopes with existing installs, hoping they will just get the new scopes without them knowing about it.
Related
I am currently building a Flutter app which lets users do personality tests, and until now I planned to do it without forcing users to register an account via Firebase (as this is annoying for many users).
Problem I am facing now is that I need the results from the tests from the users, so that I can tell the users in the result section how these results are compared to the average of all people who have done the test.
If a user would now register, the test results would be saved locally on the device. Will it then still be possible to save the test results in a online database?
If you don't want to force users to sign in but still need to differentiate between them, you can use Firebase Anonymous Authentication which will create a user account in Firebase and return a UID similar to any other auth method. A new anonymous authentication can be created by using signInAnonymously() method:
UserCredential userCredential = await FirebaseAuth.instance.signInAnonymously();
As you get a unique UID for each user, you can then store data in database itself instead of storing locally. If the user proceeds with registration, you can convert this anonymous account to a permanent account using linkWithCredential method. The UID of user remains the same.
Do note that if the user logs out of the anonymous account, then there is no way to retrieve that same anonymous account back.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I have a legacy system that needs some tiny improvements to enable the system to run without interruptions. I got recently a security notification from Salesforce that there are some upcoming changes coming with the Winter ‘21 release that is going to have an effect on my system. The Secure guest user record access is going to start to be compulsory. By turning this setting on as a test prevents my system from working properly right now. The system has currently been set up to use the Visualforce page to access APEX scripts that make some business logic and even update/insert some data to Salesforce. That Visualforce page has been called from another system that runs totally separately. As much as I follow the upcoming Salesforce release makes it impossible to insert/update data in the way I have been currently doing. I realized I need to secure this with some kind of authentication so I can keep my system working when the Secure guest user record access option has been ticked. I want to add a user authentication for my apex script. I created a new Connected App and did the following:
Enabled OAuth Settings
Set OAuth Scopes Full access (full)
Set IP Relaxation to Relax IP restrictions
Exposed Apex Classes as REST Web Services
I have currently been using Salesforce Sandbox as a test. I created a new connected app and made a login call first. That all worked fine and returned me access token. I did make sure that I didn't have any sessions open when I called the apex script via the Visualforce page where I have defined a new apex:page. For some reason, my Visualforce page is always public and allows me access to everything without asking me any token.
After having done all this I can still get access to everything without doing any user authentications.
Can someone please advise me on this.
Here I am calling Visualforce page that in return calls APEX script:
HttpRequestMessage apiRequest = new HttpRequestMessage(HttpMethod.Post, restCallURL);
apiRequest.Headers.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));
apiRequest.Headers.Add("Authorization", $"Bearer {authToken}"); //check Bearer
It works fine even without me setting a token to it.
This is how my Visualforce page looks like:
<apex:page controller="TestGatewayResource" sidebar="false" showheader="false" contenttype="text/plain" action="{!action1}">{!StringCodeReturned}</apex:page>
This is my test Apex script:
#RestResource(urlMapping='/test_defined_type/*')
global class TestGatewayResource
{
String StringCodeReturned = ""; // very simplified to give an idea what I am doing.
#HttpPost
global static String activate()
{
// makes some work by calling other classes and inserting/updating data to Salesforce
}
}
Edit: I added more background information to understand better my issue. I also added some code samples. Tyi I have no more experience than a week working with Salesforce trying to figure things out.
(too long for a comment)
Your question is confusing, what are you trying to do? Connected apps are for API access (REST, SOAP) but then you write about Visualforce page, that's for normal browser-based access.
As internal user you'll have access to all VF pages (well, if you're sysadmin or your profile has them assigned). No connected apps needed. If you're external user (guest) you can still access a VF page if it was exposed on a Site. No login needed = no OAuth2.
With API access you need to make login call first (few ways to do it, SOAP or there are ~9 OAuth2 options to choose from) and then you'd access apex REST services for example (again, if your profile allows).
If you want to do programmatic screenscraping (pull html of VF pages instead of calling APIs) that's doable too but you need to pass a session id as cookie instead of Authorization header. That's not an officially supported API though.
What are you trying to do? Can you post any code maybe?
I am trying to create an app using firebase auth and firestore where new users can be invited via email to work on a project. The problem is, I do not know the best way to store the temporary user project permissions before they have a uid. I want the user that got invited via email to get access to the project upon opening the link sent to them.
I had tried two different ways
Having a sub collection doc for every user in the project
/project/{projectId}/users/{userId}
When a new user is invited, the userId was set to their email, having a cloud function that triggered when a new user was created to send the invite email to the user. Once the user opened the link, it deleted their user document and a cloud function ran that created a new doc with the users id now that they had once since they were authenticated.
This worked, but left a 10 second period where the user can't interact with the project because the cloud function for making the new user doc is running. Also it just seemed like a bad way to do it.
Having a single document with all of the user information
/project/{projectId}/users/users
users:{
roles: {
users_id: 'admin',
new_user_email: 'admin',
}
}
This one I was not able to get to work as firestore does not let you create a key with a period in it, but if there was a way around this, it would work as well. I had also set up firestore security rules which made it so they could only edit fields where the key was there uid or their email if they were not an editor/admin.
Consider creating an anonymous account in Firebase Authentication first, which requires no input from the user. It will receive a UID that you can use to store data for that account. Then, you can convert that account to a normal account after the signup or login succeeds.
Since you didn't say which mobile platform you're using, I linked you to the web docs, but the procedure is generally the same for each one.
I have an Angular 4 app that uses Firebase UI (web) with Google auth. For our company staff users, I need to ask for more permission scopes than non-staff users. I don't necessarily need those extra scopes right away, though.
I'm thinking that the login screen will have a "staff login" checkbox that toggles the config. However, the new firebaseui.auth.AuthUI(firebase.auth()) call has already been made.
Is it bad if I call ui.start() a second time with a different config?
Or: is there something I should make sure I do to cleanly dispose of
the prior AuthUI before creating a new one?
Or: (ideally) is there a way to simply force a prompt later for additional scopes, only when needed?
You can re-render the widget with:
ui.reset();
ui.start('#firebaseui-container', myNewConfig);
We're running a web service that's been using OAuth2 Login for Google Accounts for the past 10 months.
I'm wondering if there are any known or potential issues when using the new incremental auth for adding new scopes to old tokens, e.g. tokens that were granted up to several months ago?
We're running into a problem that's been verified by two of our devs, but is hard to reproduce since we only have so many accounts with old refresh tokens in a non-production environment. See below for the full story. I'd be curious to hear from anyone at Google whether this may be a bug, or more likely something we're doing wrong on our side.
We were excited to see the new incremental auth, since we're just about to launch a new feature that involves accessing a user's Google Contacts, but only for a specific use case.
So we added a new OAuth endpoint on our server that includes the include_granted_scopes flag and requests only the Contacts scope:
my $url = URI->new('https://accounts.google.com/o/oauth2/auth');
my $params = {
state => 'code_request_contacts',
response_type => 'code',
client_id => $config->{oauth_client_id},
redirect_uri => $c->host . '/auth/oauth',
scope => 'https://www.google.com/m8/feeds',
access_type => 'offline',
approval_prompt => 'force',
include_granted_scopes => 'true'
};
When testing on our local dev machines this worked beautifully: contacts access was granted, and the same token would work for both contacts and the existing scopes (which included userinfo.profile, userinfo.email, and drive.file).
However, when we started testing on our pre-production server which had existing access tokens and Google Accounts connected, we ran into problems: once the contacts authorization completed, the returned tokens would work ONLY for contacts, failing with a "403 insufficientPermissions" when used to make any Drive API requests.
After seeing those errors, we tried (a) revoking access via the Account Permissions page (https://security.google.com/settings/security/permissions), (b) logging out of our app, and (c) logging in again to get a fresh token with the basic scopes. Strangely, at this point the incremental auth for contacts would work like a charm, and the new tokens had all combined scopes as expected.
So this is where are now — we've twice seen a problem that would be a show-stopper for rolling this out to production, but we can't reliably reproduce if its behavior involves old tokens.
Our current workaround is to have the Contacts OAuth request also include all of our initials scopes. This leads to a longer list of warnings when the Contacts popup appears, but it otherwise seems to achieve the desired end result.
Could it be that you have another difference in the new code, e.g., using a different client_id from the one used in the old tokens?