So, I have my web app connected with Foursquare API up and running. It has it's own secret keys and everything. It listens to the incoming push notifications and trying to react on connected users's checkins. So far so good, however, when I'm trying to post something back on user's checkin via one of these:
checkins/reply
checkins/addpost
checkins/addcomment
I got 403 Forbidden error. I know, that I'm messed up something with OAuth tokens but I'm really stuck here and feel a bit puzzled. I try to summarize what's the current status and what I've tried so far:
I Have the App's: clientId, clientSecret, pushSecret
I also connected the Foursquare Account on which the app is creared into my web App, so I get the accessToken, let's name it: appAccessToken
Users are getting registered to my web app, so I get userAccessToken for one of each.
And here we go:
Trying to reply for a user's checkin fails when I'm using appAccessToken. From what I understand, it's like replying on behalf on my App's account, and since that account isn't on the user's "friend list", I get 403.
On the other hand, I'm able to post reply when I use userAccessToken but then, It looks like the user is commenting itself on their own checkins which dosn't have much sense.
I was even so desperate that tried to use clientSecret but no avail...
Can anyone point me out what am I doing wrong here? From what I understand from the Documentation it is, in fact, possible to reply as an App... The only question is, how? :-)
There's ostensibly no difference between the two "types" of access token you describe: appAccessToken and userAccessToken are really two instances of the same thing (a user's access token), one just happens to be associated with the user account that created the app.
For each check-in you are pushed, you should use that user's access token when making a call to checkins/reply. This will reply to the check-in in the style of our Apps Platform. I think in your second comment, you're using the user's access token to add a post to the check-in, which will make it look like the user is commenting on their own check-in.
Related
I'm currently working out a concept for an (REST)-API / Backend for an App, completly theoretical at the moment.
Since I have never done that before, I'm pretty unsure if things work like I think they do.
So I want to have an Login, where user send their username and password to the server and get an authentication-token, which will be used for future requests. (I think this should be correct to this point)
Now for what I don't know how it exaclty works:
When the client has a authentication token and makes a request to get something for the specific, logged in user, do I have to submit some kind of ID linked to the profile of this user in each request?
Or can the server find the correct user and accordingly the corresponding data for the response depending on the authentication token?
I have a chatbot running on a site and I'd like to be able to integrate flattr into it. It's built in Node and has no front-end, it just uses an API to interact with the site.
I'd like to be able to do something like this
note: all commands for the bot begin with "!"
!flattr #username to flattr a user
I understand this would mean people who want to either receive or give flattr would have to create accounts
Just looking for some guidance as to how to start this.
Here's what I'm thinking I need to:
Create an application, get Client ID and Secret, go through Oauth flow and get Bearer token. Including the scope for flattr thing in this process
How long are your tokens set to expire? Should be I updating this token often?
Then I guess I would just need to use the flattr thing api endpoint? Is a user considered a 'thing' in your api? Is the :id for a thing secret or can it be public without harm?
Does a user know their id or can they easily find it? Or would I need to use the Users endpoint to get that info? And does that mean adding an additional scope?
This is my ideal situation. In the chat all Users setup a flattr account and can connect the bot to Flattr by doing:
!flattr addme [flattr username] (alternatively they could use flattr ID if accessible)
then like I mentioned above, they can just use !flattr #[username] and that's it
thanks!
You do need API credentials but the ‘flattr’ scope should be enough.
You need to solve three problems, identifying users, authenticating users and then flattring URL:s (because the Flattr system only works with URL:s).
The later is easy, the best thing would be if your application/site provided a profile page for each user.
Something like ‘http://example.com/user/francisc0'. You would then just call the /flattr endpoint with that URL.
The response of the URL would either have to contain something that Flattr could use to ID the Flattr user or
you would have to pass the user id along with the flattr request. Read up on auto submit URL:s.
But in short, an auto-submit URL looks like
https://flattr.com/submit/auto?fid=abc123&url=http%3A%2F%2Fexample.com%2Fuser%2Ffrancisc0
In order to identify your users they need to have unique usernames on the chat (or something else that is unique that you are able to lookup from a username). Each user would also have to tell your application what their flattr id is.
This can be as simple as a input field where the user manually adds their id or you could fetch it from the API (look at the /user endpoint).
Now in order to flattr an URL your application (api client) needs to be authenticated as a Flattr user. As the Flattr user that typed the command “!flattr #username”. So my suggestion is that when a user wants to enable the ability to flattr on the chat you perform an oauth authentication for them and save the access token (they never expire btw).
When the user types “!flattr #username” in the chat you retrieve the access token for that user from storage and then send the flattr request as that user.
That should be it.
I did something similar for IRC a few years back and it worked great so it should work for your use case too.
Pro tips: Avoid using the /thing endpoints as they will be deprecated very soon.
The api documentation isn’t really up to date but that is also something that is changing very soon.
The user objects will soon include an ‘idv3’ attribute, use that as the user id instead of ‘id’.
Source: am Flattr dev.
I have this question in mind and I wanted to get other developer's opinion on this issue.
For creating a user (like in Facebook or creating an account in Gmail), some people suggested to have an public/private (means we don't tell developers how to use it) action in API for it. I, however, think it is a security risk as even if it is not documented, a hacker can simple see the calls and http requests when our front-end app is using that api action to create a new user (using a web debugger like fiddler) and can find the url to that action so simple ! like this POST ~/api/user/create
and then he/she can send thousands of requests to create user, users needs to be verified but still he/she is adding a lot of junk users in our database and puts a lot of pressure on our servers.
So the question is how do we handle this? Allow this only on our website or what?
Thanks
You can use CAPTCHA to verify that's a real user.
I am a new member of a team at my company reviving a legacy product that had Facebook integration, and we wish to continue developing the Facebook side of things, but we can't seem to find the credentials for logging into the app, or even who has access to it.
The app we are trying to recover is "HaloMobile". One thing to note though is the app name on posts is no longer a link. Does this mean the app has been disabled somehow?
I'm obviously not asking for credentials. At this point I'm just trying to "find" the app and possibly determine who is currently assigned as the administrator role, or what my options are. If there is an email address associated with the app, perhaps we can send a transfer request to that email?
If you could get retrieve two piece of information from your code-base, which are App ID and App Secret then you can retrieve the list of roles assigned in app using the following end point,
https://graph.facebook.com/<App_ID>/roles?access_token=<App_ID>|<App_Secret>
And once you know the role, along with the user Ids of the user assigned to it, you can move forward to recover the App by contacting him.
Also, you might want to give this documentation about Application a look, which lists out various fields you can retrieve for getting the required information to get access to your application back, like user_support_email
https://graph.facebook.com/<App_ID>?
fields=name,description,creator_uid,user_support_email
&access_token=<App_ID>|<App_Secret>
I have a twitter app with access level "Read, write, and direct messages"
I am using omniauth-twitter gem along with devise for letting users sign up and log into my site through twitter. All is fine till now.
It would be nice if the user is able to send direct messages to the his/her followers.
To fetch the list of followers I am using twitter gem. Now how do I let the user send the message he wants?
I have tried almost anything but all returns This application is not allowed to access or delete your direct messages error. This has been killing me for the past week
When I do Twitter.verify_credentials there is no error raised and a User object is returned. But when I call Twitter.direct_messages the above errors is raised. Am i missing something obvious here?
Thanks in advance.
Update: When I tried Twitter.direct_message_create() it worked like a charm! Would like to know as to why Twitter.direct_messages didn't work.
Check https://twitter.com/settings/applications to make sure that DM permissions are actually authorized. If not revoke and reauthorize. Make sure the OAuth tokens the account has granted to the app actually include DM access. Sometimes an app will not have DM acces, OAuth tokens will get authorized then DM access gets added to the app settings and the OAuth token for the account doesn't have DM access authorized.
To answer your update question:
Update: When I tried Twitter.direct_message_create() it worked like a
charm. Would like to know as to why Twitter.direct_messages didn't
work.
Twitter.direct_message(id)
Is used to retrieve existing DMs, whereas:
Twitter.direct_message_create(user, text)
is used to send a DM.
See here: http://rubydoc.info/github/jnunemaker/twitter/master/Twitter/Client/DirectMessages
As an update to #auxbuss's answer, the method has been renamed to:
Twitter.create_direct_message(user,text,options={})
The documentation has also moved:
http://rubydoc.info/github/sferik/twitter/master/Twitter/REST/DirectMessages.