Restrict quickblox user creation - quickblox

When a user registers at my website I also need to create a quickblox user. I got this procedure to work:
Get a session token from API route "api.quickblox.com/session.json". But to do so I need a user. So I use my own login to quickblox dashboard.
Create the user by hitting API route "/users.json". Fair eanough, it works!
Questions
It feels strange using my own dashboard login as the token generator account. Is there not some other way?
The newly created user can create more users! That is, I created a new token with the details from the just created user, whom in turn was allowed to create further users. This cant be right? What am I doing wrong?
Quickblox chat example available here: http://quickblox.github.io/quickblox-javascript-sdk/samples/chat/# serves the keys and secret in the open, like this:
QBApp = { appId: 46126, authKey: 'Nyc2fwgg8QeFJpS', authSecret: SUv3grsaDMx5'}; Is that the way to do it? Then atleast I would like to control the creation of new users..
Thanks!

Hope you doing well !!
For Quickblox must have manage session for each and every users,you have to download and integrate quickblox SDK into your web app.
You have to follow this steps:
1) Create a app on Quickblox and add credentials into your javascript SDK or configure your javascript SDK.
2) Whenever user is logged-in to you app you must have to login quickblox as well and get session for logged-in user.
3) Do whatever operation with user created session like (chat,viedo call, audio call)
4) When user log-out from your, you have to manage like user also logout form quickblox and destroy previously created sessions.
5) When registering new user you have to also register that user into your quickblox app.
this way you have to manage user management.
hope this will help you.

To create a user with an arbetary session/token this function can be used (for JS SDK)
var params = {login: 'test3', password: '12345678'};
function createUser(params) {
QB.createSession(function(err, result) {
QB.users.create(params, function(err, user) {
if (user) {
// user - JS obejct with QB user
alert("successfully created a user!");
} else {
alert("error!");
}
});
});
}
"The newly created user can create more users!"
After further research I have concuded this is a part of the design and not to worry about. I will add a job to clean up any users created by spammers.

Related

Strapi, use Auth0 to access user data in Strapi

I have a React Native app that uses Strapi for its main API.
Some of the API endpoints require authentication so I've used the Auth0 provider and that's all working fine.
A user is now able to log in and I'm securely storing their access_tokens.
So far, Auth0 only gives me an access_token, a refresh_token, an id_token (jwt containing name and email etc) and expiry times for the tokens.
But I'm wondering if it's possible to be able to store a users preferences like whether they prefer dark or light theme etc and extra info such as a user_id in Strapi and let them update it after logging in with Auth0.
The catch is that only that user should have read/write access to their own data.
I can't see any docs or guidance on this kind of thing. Has anyone else managed to implement this kind of thing and if so, a rough approach would be great!
Thanks!
Well, one way of the doing this is creating a OAuthUsers collection in strapi, which will hold basic details of a user like:
first_name
last_name
email
When a user registers on Auth0 and returns back to your site, you can take the basic details that were returned from the identity management platform and store it in strapi under the OAuthUsers collection.
Now, coming to your question on how to store the preferences of the user, what you can do is create another collection called preferences with following attributes:
is_dark_theme
OAuthUser (Make this a one-to-one relation with OAuthUsers collection )
Every time a logged in user updates his preferences it will first come and create an entry in this collection if not already existing. How you can check if an entry exists for a user is by using the email from the JWT token itself, that you attach as the bearer token on the API calls. I will assume, you already know how to decode a JWT token.
So a rudimentary design would be like so:
const is_dark_theme = request.body.is_dark_theme; // 1 or 0 for light theme
const user = await strapi.services.OAuthUsers.find({ email: '[email from JWT]'});
const preference = await strapi.services.preferences.find({ OAuthUser: user.id });
if(preference)
await strapi.services.preferences.update({is_dark_theme}, {id: preference.id});
else
await strapi.services.preferences.create({is_dark_theme, user: user.id});
So per this, what will happen is the user will only be able to update his own details and never be able to touch the preferences of other users as the user will only be able to pass the is_dark_theme parameter from front end and rest of the information will be taken from the JWT token.

Persistent User Session on React Native App

I have already implemented a user authentication, in which the user can log in again or register.
I would now like to avoid that the user must register again after each closing of the app. For this reason I have to request a refresh token at certain intervals (Max 1 hour, as long as the cookie is valid). my question: how do I do that best? the refresh should work for both open and closed apps. I saw the possibility of the React Native Background task, but apparently only runs when the app is closed.
You have to create a flag in AsyncStorage when the user is authenticated.
And then you have to check that flag each time on opening the app.
Here is the sample snippet.
AsyncStorage.setItem('loggedIn', true);
And in your app.js you can check this flag in constructor
AsyncStorage.getItem('loggedIn').then((value) => {
if (value) {
//user logged in logic goes here
} else {
// user logged out. You need to login him again
}
});
Considering that you need to persist user's login forever and still be able to refresh the token, one possible way is to store the user's credentials (username and password) in some secure storage like react-native-keychain and then refresh the token every time the user opens the app.
Or more precisely, automate the login with the credentials you stored whenever the user launches the app with the help of useEffect hook(componentDidMount).
Note: This is not a good implementation if your app uses push notifications. Push notifications demand the user to be authorized all the time.

Firebase Auth linking anonymous auth user with custom auth user

So I saw here: https://firebase.google.com/docs/auth/web/account-linking#link-auth-provider-credentials-to-a-user-account That it is now possible to link user accounts in Firebase. I also saw that Firebase provides the functionality of anonymous authentication, where it creates a user session for a user, without any credentials.
In our application we normally use CustomAuthentication with Firebase, as we have our own authentication service. This works perfectly, and we are able to use the same Auth system in-between systems that use Firebase, and the ones that don't.
Now we got to the point where we wanted to take advantage of the anonymous authentication of Firebase, to allow users to use the apps without registering, and just transfer their details after they log in. So I thought that account linking is what I need. But I can't find a way to link an anonymous account with a custom authentication account. Is something like this possible with Firebase?
I have not found linking between anonymous and custom signIns too, so I just use signInAnonymously and pass it's uid to signInWithCustomToken.
Step 1.
To be able acheive this, you should grab an uid from signInAnonymously function like this:
var uid;
auth().signInAnonymously().then(user => {
uid = user.uid;
});
Step 2.
Save current user data like this:
database().ref(`users/${uid}`).set({ some: 'data' });
Step 3.
Send this uid to your server which returns custom token. On your server you just pass this uid to firebase.auth().createCustomToken(uid) function and send this custom token back. It will contain the uid.
Step 4.
When you receive custom token, you can sign in with it like this:
auth().signInWithCustomToken(authKey);
And that's it. You are signed in with your custom token and can access your anonymous user data saved on the step 2.
I had a similar problem but I believe Firebase does not allow this type of linking because it would require linking two separate firebase user ids: the id of the custom token created user and the id of the anonymous user.
Firebase docs say:
Users are identifiable by the same Firebase user ID regardless of the authentication provider they used to sign in.
So handling linking between two user ID's would cause inconsistencies.
I got around this problem by doing a merge of the data between the two accounts.
For example (from Firebase docs):
// Get reference to the currently signed-in user
var prevUser = auth.currentUser;
// Sign in user with another account
auth.signInWithCredential(credential).then(function(user) {
console.log("Sign In Success", user);
var currentUser = user;
// Merge prevUser and currentUser accounts and data
// ...
}, function(error) {
console.log("Sign In Error", error);
});
Caveat: I've never done this. Have you seen this page? Down at the bottom, under the heading "Email-password sign-in", it lists this code fragment:
var credential = firebase.auth.EmailPasswordAuthProvider.credential(email, password);
You can then (apparently) link the credential like this:
auth.currentUser.link(credential).then(function(user) {
console.log("Anonymous account successfully upgraded", user);
}, function(error) {
console.log("Error upgrading anonymous account", error);
});

transfer authenticated user between native and web javascript

I am using parse.com and phonegap, and want to be able to pass user credentials between the native and phonegap/uiwebview part of the app.
I have a valid PFUser in the native side, and want to pass/create the same valid user to the web portion of the app.
Can a user be created using existing credentials, maybe Parse.User.current()._sessionToken?
Given a sessionToken and a User's objectId, you have all the information you should need to re-login a User on the JavaScript side. However, there is no supported method to do it. You would have to do something terrible like:
var user = new Parse.User();
user.id = "the object id";
user._sessionToken = "the session token";
Parse.User._saveCurrentUser(user);
user.fetch({
success: function(user) {
// Now the user is logged in.
}
});
However, this is unsupported, may not work, probably will break in the future, and may burst into flames at any moment. So don't do it. ;-)

Facebook API Authentication in Coldfusion without login box

I have been looking for information on how to authenticate to the facebook api without a login button and haven't been able to find anything. Essentially I want to pull data from a static user (I don't want to pull information about every person that visits the page specifically, I want to pull information from a specific user account).
I want to convert the feed I retrieve into an rss feed, or an ATOM feed for my client to display in their website.
Is there any information about how to authenticate in this way?
An example of info I would want to pull would be to pull the wall posts from their facebook account and display them as a feed.
No matter what you do, login button or not, you will have to have your user Authenticate with your application in order to retrieve any sort of data.
The easiest way to do it is to use either the facebook login button or use the Javascript SDK and do something like this...
FB.login(function(response) {
if (response.session) {
if (response.perms) {
// user is logged in and granted some permissions.
// perms is a comma separated list of granted permissions
} else {
// user is logged in, but did not grant any permissions
}
} else {
// user is not logged in
}
}, {perms:'read_stream,publish_stream,offline_access'});
http://developers.facebook.com/docs/reference/javascript/FB.login/
Then once you get the user authenticated you can grab the cookie that is created by doing
<cfscript>
var fbcookie = cookie.fbs_YOURAPIKEYGOESHERE;
</cfscript>
There is more info on the cookie here...
http://jcreamerlive.com/2011/01/12/facebook-and-coldfusion/
From there you can use the javascript FB.api and do FQL queries http://developers.facebook.com/docs/reference/javascript/
Or you can use cfhttp posts to the Graph API
http://developers.facebook.com/docs/reference/api/
Have fun!
You need to authenticate the app using oauth2 method with a offline_access permission. You will get an access token that does not require user login to access to the account.
I give a more detail and links to the relevant fb documentation pages in this answer:
Is it possible to do Server -> Facebook authentication?