Meteor Github authorization - authorization

I am using the meteor accounts-github module to handle my authentication/account creation in my application.
I want to ensure that any new user who attempts to sign into the application is a member of a particular Github organisation. I also want to verify this not just when the user is first created, but on every sign in. If the user has been removed from this Github organisation then they should not be able to sign in to my application.
Essentially, I am adding some admin functionality to a website, and I only want Github users who are members of a particular organisation to be allowed to sign in and perform this admin functionality (such as update some basic content).
Is there a way to perform this Github API call on every user creation and sign in event?

you will need to customize the authentication a bit, checkout my project:
https://github.com/534N/miProfile
I implemented it so that only github account is accepted.

Related

Can I log in a user with email and password from node using the Firebase Admin SDK

With Firebase's Admin SDK, I want to allow a user to login (verify the user with my Firebase instance) without any JavaScript on the front end. Just an old fashioned POST, with the form data in the request body.
Then in node (server side) verify the email and password on the back-end, retrieve a token, update the user's session, pass back a cookie, etc. I've been digging around various examples and the Firebase Admin SDK docs but have not found an answer.
I can do it if I run the non-admin-SDK Firebase module, in node, but this seems like an odd approach to me, especially as I need the Admin SDK for some other things.
I could see why they want to force a "triangle" approach like say payment auths use.
Authorize with Firebase on the front end and pass a token to the back-end.
Not allowing the password to possibly be sent or stored on the node server unencrypted.
But I want to pass as little JS to the client as possible and I want my site (MPA) to be progressive (not need JS). It seems odd they would not address this in their docs. Other than in some explanation of how to write one's own validation or integrate with another.
If anyone can describe how this can be done or what the recommended approach is, I would be very happy.
Firebase's Admin SDKs are designed to be stateless, so don't have a concept of a current user. The recommended approach is what Firebase Authentication does, sign in on the client and pass an ID token with every request/connection to establish the identity of the user.
If you don't want to use Firebase's SDKs in your client-side application, you can call the REST API. I'm not sure if you can construct the right call with a FORM post though.
Also check:
Sign in with Firebase-Admin using node.js, the main answer is the recommend approach.
How to authenticate an user in firebase-admin in nodejs? shows how to sign in a user in Node.js with the regular/non-Admin SDK. This is probably closest to what you want to accomplish.

Twitter Bot: Get access token for another account without 3-legged OAuth flow?

I am in control of three twitter accounts: One is my main account, the other two are supposed to automatically post content via a bot. I created the bot logic and added it to Twitter's development tools and I can easily use it to post to my main account.
Now I need to add the access tokens for my two secondary accounts. My question is - what's the easiest way to do this.
As far as I can see, Twitter only enables one way to do this: 3-legged OAuth flow. It is not too complex, but it seems to me to require setting up a mock website with callback url, which seems like too much considering I only need to generate two api tokens. Am I missing something?
There are some alternative ways to generate access token and access token secret for OAuth 1.0A via command line tools which allow you to use the “PIN-based” OAuth flow.
One example would be Twitter’s own twurl tool for API testing, which requires you to also have Ruby installed. This will let you authenticate a user account (it still pops open a window onto twitter.com to have you do the authentication) and stores them into the ~/.twurlrc file in your home directory. There is also tw-oob-oauth-cli which is a standalone app for doing the same thing.
You're not missing something. The reason this is required is to force users have a browser they trust open and see that they are on https://twitter.com/, so they can trust that it's a safe place to put in their password.

How do I use Gemfury tokens securely in CircleCI?

I'm using gemfury to host a private package that will be used by other people in my github organization. I'm also using CircleCI (but this applies to any CI system) for building/pushing.
My CI setup watches for any new tags in github and then pushes this new tag to gemfury.
My issue with the current setup is that I'm using my personal access token to authenticate. To me, this means the builds are dependent on my status as collaborator of the organization, and would break if I were to leave. I know I could instead use the Account token, but it feels insecure (what happens if the token is compromised?).
Ideally I would be able to generate application-specific push tokens that belong to the organization, and use those in CircleCI. If the token is compromised, it could be easily revoked and it wouldn't break other applications. However, gemfury does not offer this option.
I think my only option is to create a "fake" CI user add add it to my github organization. I could then use this user's personal token to push builds. Is this correct? Are there any other better approaches? I don't want to have to add a fake user for every package.
You are in luck!
Under the menu item Tokens when logged in, you can find a tabbed interface, where Push tokens can be created:
Push tokens βeta
These tokens can authorize new package uploads for this account.
You can integrate these into your CI builds, etc.
These are impersonal, and can be used for this!
Good luck!

Twitter API: allow authenticated user to post tweets on another user's behalf

Twitter API allows to update "the authenticating user’s current status", as explained in the documentation page.
What I'd like to achieve instead is to update another user's current status. Consider a magazine's twitter account. I'd like different people to be able to update the magazine's status. Tweetdeck allows this, but it also allows a whole lot of other things like access to Direct Messages. I only want to provide certain authenticated users an interface (similar to Twitter's post-a-tweet interface) to post status and images to the shared account.
I could not find a simple explanation of how to use Twitter API to achieve the above functionality. Could someone please help?
If you have an app that implements the status update API and it is delivered to different people and they authorize the app with the magazine's twitter account, then the app will update that status. I can show an example also with code if this is what you're asking. However the main point is that, once a user has authorized the app, she/he doesn't need to be connected with the shared login any longer because the app will do that on the magazine's behalf.
BTW, similar question here: Twitter API: post on behalf of whom?
Edit
Just to summarize the comments:
The standard OAuth authentication requires the following main steps
1) to develop an app (registered with OAuth consumer key and secret) that implements the API update status 2) to install and authorize the app: during this step the onwer will be requested to enter the credentials of the passive account in a Twitter link opened with the browser, 3) then - after a fallback - the app will store the access token and any user of the app will be able to update the status without login
Once you have developed an app that can post tweets on behalf of a passive twitter account using the standard OAuth, you could make that functionality available to the authenticated users of a website.

Regain access to an app created by a FB Page Account

Several month ago, before FB restricting the ability of a Page Account to create apps, I have created an application and linked to the page.
Now I cannot access anymore to the developers page with this account. I had to create a new app with my personal account, but I can't find a way to remove or unlink the old app from the page.
I cannot create a new page, as a result of nearly one year of activity on the current page, and trying to link the new app to the old page I get an undefined error.
We are in a sort of limbo...
Anyone has an idea on how to solve this situation?
I'm assuming you mean 'business account', not Page?
If so, and you're still able to log into the business account to manage your ads and pages, you can authorise your app by manually calling the Oauth dialog with the client-side Oauth flow, then use the access token (which will be for your business account, the admin of the app), to add your real user account as an additional admin
https://developers.facebook.com/docs/reference/api/application/#roles
You can define a role for a user by issuing an HTTP POST request to
APP_ID/roles with a user access token for an administrator of the app...
So a call to https://graph.facebook.com/<APP ID>/roles?user=<USER ID OF REAL ACCOUNT>&role= administrators&access_token=<ACCESS TOKEN>&message=POST will add another admin