Which are the required rules to allow a Facebook login?
I currently allow these:
defaultSrc: ["'self'",
'*.facebook.com',
'*.akamaihd.net'],
scriptSrc: ["'self'",
'*.facebook.com',
'*.akamaihd.net',
"'unsafe-inline'",
"'unsafe-eval'"],
frameSrc: [
"'self'",
'*.facebook.com',
'*.akamaihd.net',
styleSrc: ["'self'",
"'unsafe-inline'"],
imgSrc: ["'self'",
'*.akamaihd.net',
'*.facebook.com']
I'm using just
{
'default-src': "'none'",
'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
'connect-src': "'self'",
'img-src': "'self' www.facebook.com",
'style-src': "'self' 'unsafe-inline'",
'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com",
}
but I'm not sure if there's anything missing.
I don't think you'll need to allow *.akamaihd.net since this is just the CDN Facebook uses, and it is not required for Facebook Login.
Related
I use to login via schema configuration (nuxt.config.js):
strategies: {
/**
* #description OAuth 2.0 authentication scheme
* {#link https://auth.nuxtjs.org/reference/schemes/oauth2}
*/
keycloak: {
_scheme: 'oauth2',
client_id: CLIENT_ID,
authorization_endpoint: NUXT_ENV_AUTH_LOGIN,
userinfo_endpoint: NUXT_ENV_AUTH_USER_INFO_ENDPOINT,
access_token_endpoint: NUXT_ENV_AUTH_ACCESS_TOKEN_ENDPOINT,
response_type: 'token id_token',
token_type: 'Bearer',
token_key: 'access_token',
scope: ['openid', 'profile', 'email'],
},
},
and it work perfectly using the classic form login.
Now i would like to login a user without a form but starting from a valid access_token generated by a CURL (curl or whatever....).
At the moment i can't figure out how to make it work. I tried to invoke methods like explained here https://auth.nuxtjs.org/api/auth/#refreshtokens but without a good result.
What's required to be loggog in, i suppose is to have a token set into localStorage and cookie (as i see post a normal login) and set the user data into the nuxt store.
Thank you for any advice.
When I query GitHub's GraphQL API with the following:
query RetrievePackagesAssociatedWithRepo($repo: String!, $owner: String!) {
repository(name: $repo, owner: $owner) {
packages(packageType: NPM, first: 10) {
edges {
node {
id
name
packageType
}
}
}
}
}
I received an error stating:
{
"errors": [
{
"type": "INSUFFICIENT_SCOPES",
"locations": [
{
"line": 6,
"column": 11
}
],
"message": "Your token has not been granted the required scopes to execute this query. The 'id' field requires one of the following scopes: ['read:packages'], but your token has only been granted the: ['read:gpg_key', 'read:org', 'read:public_key', 'read:repo_hook', 'repo', 'user'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens."
},
I followed the link https://github.com/settings/tokens and added the necessary permissions.
I tried to Authorizing a personal access token for use with SAML single sign-on but, the SSO button to enable is not present.
development settings token
Documentations I Followed: Creating Personal Token! | Authorizing Personal Token!
After trying out theses methods, the same error message persists "Your token has not been granted the required scopes".
My goal, through Github's API, is to retrieve packages associated with its repository.
Is there something I'm missing.
I'm working with a react-native application where i have implement the Authentication flow using AWS Amplify and Federated signin. This is the amplify configuration:
Auth: {
identityPoolId: 'XXX',
region: 'XXX',
mandatorySignIn: false,
userPoolId: 'XXX',
userPoolWebClientId: 'XXX',
oauth: {
domain: env.AWS_OAUTH_DOMAIN,
scope: ['email', 'profile', 'openid','aws.cognito.signin.user.admin', 'given_name', 'family_name', 'user_gender', 'user_birthday', 'user_location'],
redirectSignIn: myapp://signin,
redirectSignOut: myapp://logout,
responseType: 'code',
},
},
Everything works fine. Until now.
Now i have to add another OAuth authentication for other purposes (connecting Strava to my application). Everything works fine, until the Strava authorization dialog redirect to my app at the url: runcard://profilo/servizi?code=XXX&scope=activity%3Aread%2Cread (this callback url is different from the one i've set for amplify configuration). Once redirected, amplify is there, ready to raise an exception by Amplify OAuth:
WARN Possible Unhandled Promise Rejection (id: 0):
TypeError: undefined is not an object (evaluating '_a.accessToken')
I believe that since the callback url has a code parameter, Amplify is trying to do the job himself. Without success.
Does anyone faced the same issue?
I found the cause of the issue!
Amplify is specifically looking for a param in any deeplinked URL called code.
I too was using code for a purpose other than the oauth callback (sign up confirmation code).
Changing the param to anything else (e.g. confirmationCode) prevents the accessToken error.
At the end, I've used this workaround: I removed the Amplify listener and I added a new listener that will parse only Amplify OAuth URLs.
Amplify.configure({ ... });
Analytics.getInstance();
// Workaround: this is to avoid that Amplify OAuth try to parse EVERY url as a OAuth callback url
// https://stackoverflow.com/questions/59883011/how-to-avoid-that-aws-amplify-oauth-tries-to-parse-every-oauth-process
Linking.removeAllListeners('url');
Linking.addEventListener('url', (url) => {
if (url.url.indexOf(AWS_OAUTH_REDIRECT_SIGNIN !== -1 || url.url.indexOf(AWS_OAUTH_REDIRECT_SIGNOUT) !== -1) {
Amplify.Auth._handleAuthResponse(url.url);
}
});
AWS_OAUTH_REDIRECT_SIGNIN and AWS_OAUTH_REDIRECT_SIGNOUT are the same specified in Amplify configuration:
AWS: {
Auth: {
oauth: {
redirectSignIn: AWS_OAUTH_REDIRECT_SIGNIN,
redirectSignOut: AWS_OAUTH_REDIRECT_SIGNOUT,
responseType: 'code'
}
}
}
My application is built on Polymer v2 and uses the Firebase Auth service for authentication. Actually, I use the login-fire element. For a better experience on mobile devices, I choose to sign-in with redirect.
In the "network" tab of the DevTool (in Chrome) I see that a request containing the /__/auth/handler? pattern is sent for requesting Google authentication (for example, if the provider used is Google).
With the service workers enabled, this request is caught and the response is the login page of my application. No login attempted, the response comes from the service worker and I get a Network Error from Firebase API because of a timeout.
When I deploy the app without service workers the authentication process is working and I can reach the app.
I tried many ways to config the service workers to ignore all requests to a URL with the /auth/ pattern but I failed.
See the last version of my config file bellow.
sw-precache-config.js
module.exports = {
globPatterns: ['**\/*.{html,js,css,ico}'],
staticFileGlobs: [
'bower_components/webcomponentsjs/webcomponents-loader.js',
'images/*',
'manifest.json',
],
clientsClaim: true,
skipWaiting: true,
navigateFallback: 'index.html',
runtimeCaching: [
{
urlPattern: /\/auth\//,
handler: 'networkOnly',
},
{
urlPattern: /\/bower_components\/webcomponentsjs\/.*.js/,
handler: 'fastest',
options: {
cache: {
name: 'webcomponentsjs-polyfills-cache',
},
},
},
{
urlPattern: /\/images\//,
handler: 'cacheFirst',
options: {
cacheableResponse: {
statuses: [0, 200],
},
},
},
],
};
Do you have a better solution? Do you notice what I missed?
Thank you for your help.
You can add this to your sw-precache-config.js file
navigateFallbackWhitelist: [/^(?!\/auth\/)/],
You should only whitelist the paths of your application. This should be known to you.
So everything you do not whitelist, will not be served from the serviceworker.
navigateFallbackWhitelist: [/^\/news\//,/^\/msg\//, /^\/settings\//],
With this example, only news/*, msg/*,settings/* will be delivered.
/auth/*,/api/*,... will not be caught.
I can request a token for a user by visiting the following url:
https://trello.com/1/connect?key=<key>&name=appName&response_type=token&scope=read,write&expiration=never
However, when I request the token's info through the API, I get a response that looks like this:
{
"id": "...",
"identifier": "appName",
"idMember": "...",
"dateCreated": "2015-10-15T05:21:19.886Z",
"dateExpires": null,
"permissions": [
{
"idModel": "*",
"modelType": "Board",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Organization",
"read": true,
"write": true
}
]
}
I'd like to be able to request a token only grant privileges to a specific organization. But I can't seem to find clear documentation on what kinds of options the /1/connect endpoint accepts, or what other method I can use to obtain a token for a specific organization that does not expire.
I could make a machine user with access only to the organization, but it would be a shame to pay for another user account when I only want a subset of the permissions I already have.
I don't think that would be possible as you just authenticate against the API as that user and therefore have the ability to see everything that user can. The only way I'm aware of would be (as you suggested) to create a new user and limit what they can see.