Does anyone have experience using Selenium to automate testing of a webapp that uses Facebook Connect for user login? Any tips or methods that you recommend?
Depends what you want to do?
Will you be using a real-real Facebook User (which is phone verified by Facebook)?
Safest and most reliable ,but very difficult (impossible) to gather "real" users (phone verified by FB).
In terms of defining aspects of the user/connections details, like education history, work history, name, age etc(specially if you do not have access to all the "real" facebook accounts).
Fake facebook users created for testing the app (not verified by Fb)?
Probably the easiest to setup, as all are fake users, no Phone verification(with FB) required.
But email ids for all users would need to be created.
Even though the connection info can be tailored to your liking. One of the main drawbacks(and it has happened to me), is if Fb detects the user is not legit, FB would freeze all accounts. Which would make all your Fb user specific automated tests all useless in the blink of an eye. And there is not much you can do(Unless you plan to get a brand new phone connection to verify those accounts, no google number, no skype, no ip based phones allowed. FB is very strict with that). Also one number can authorize only 1 account.
Will you be using the Facebook APIs to create Fb test users?
Probably the ideal way (according to FB)to use Facebook connect to test your app. click here for documentation on how to use it.
It may seem straight forward, but it has its downfalls(major ones). Very un-relaible, the API returns an error 10-20% of the time, and extremly slow the other times. No way to retrieve the password of a FB test user if misplaced once. Connection info cannot be easily customized. A fair amount of effort required to set it up something without being sure it work each time.
I have personally opted for the second option. Facebook detects the legitimacy of the user (I guess) based on parallel logins across multiple ips. I have selenium RCs running across various servers, which run these tests in parallel, which could have possibly raised a red flag. So i just schedule these scripts in a more organized manner, so as to avoid login overlaps.
I hope in this long explanation you find your answer. :)
For the perl implementation -
$sel->start();
$sel->open_ok("$URL");
$sel->set_speed("500");
$sel->click_ok("//img[\#alt='Facebook']",'User clicks on Facebook Login');
$sel->wait_for_pop_up_ok("", "30000",'Facebook Login Popup Loading');
$sel->select_pop_up("null");
$sel->type_ok("email", "email\#email.com",'User enters Facebook credentials - Username');
$sel->type_ok("pass", "password",'User enters Facebook credentials - Password');
$sel->key_press("pass", "\\13",'User returns Facebook Login credentials');
$sel->select_window("null");
Related
I'm trying to figure out how Likeboost or LikeHero work, 'cause I believe Instagram doesn't allow you to use Like endpoint to add a like to an image and they require you to submit the app for review as they stated here:
To request access to this endpoint, please complete this form.
But these apps just ask for your username and password (Surprisingly you don't get transferred to Safari for authentication process) and then you could like an image from that particular app. How do they do that? Isn't this against the following paragraph?
The ability to POST and DELETE likes, follows and comments is restricted to applications that offer business services and not consumer facing apps.
That applications that you are mentioning are using a fake native login page in order to avoid you leave from the application (like #Matthew Antolovich said). Once they get the access_token, there are no more dificulties and they can use the API calls.
As you can see in the Authentication documentation they might be using the Client-Side (Implicit) that is less secure but it works for they purposes.
They are giving permissions only to trusty applications in order to avoid that fake applications (bot apps, fake users, ...) use some API functionalities.
If you want to use these calls, you should fulfill the form that they are giving to you once your application is finished. If you are still developing the application you have to trust the Like documentation without the capability of test if it works.
There are other ways to restrict apps to use some calls (limit of requests per day, ...) but this is how they are doing it so, we must adapt.
Like #Matthew Antolovich said in his comment, if those apps are asking you for your user and password, they can log-in using the same requests present on the web. They could (and probably are) make their own API by reverse engineering the http requests.
On a side note, I would personally never trust those kind of apps.
I have this question in mind and I wanted to get other developer's opinion on this issue.
For creating a user (like in Facebook or creating an account in Gmail), some people suggested to have an public/private (means we don't tell developers how to use it) action in API for it. I, however, think it is a security risk as even if it is not documented, a hacker can simple see the calls and http requests when our front-end app is using that api action to create a new user (using a web debugger like fiddler) and can find the url to that action so simple ! like this POST ~/api/user/create
and then he/she can send thousands of requests to create user, users needs to be verified but still he/she is adding a lot of junk users in our database and puts a lot of pressure on our servers.
So the question is how do we handle this? Allow this only on our website or what?
Thanks
You can use CAPTCHA to verify that's a real user.
I am well aware of the security implications of this, so much so that I'm betting it doesn't exist, so before you call me crazy, that's why I'm asking.
I got really tired of having only my phone on me and installing a new app/whatever and finding myself needing to suddenly create a new application-specific password on the fly, and having to navigate Google's decidedly non-mobile-friendly security page to do that. I want to create an app of some kind that allows me to generate an application-specific password, whether by text or an Android app itself or something else. As I see it, there are two options here:
Use some Google Account Security API (if it exists) to create the application-specific password
Do scraping-type behavior (with proper credentials, of course) to automate its creation. I really don't want to do this.
Does anyone know (a) if this type of API exists, or (b) if there are any other ways to go about doing this? This app would be published on Github for self-hosting, obviously.
There is no official API to generate application-specific passwords.
I've solved this myself by doing a couple of things:
1) printing out the QR Code for the account that can be scanned by the Authenticator app in order to generate codes. I keep it secured in my desk. This allows me to reformat my phone without needing to turn two-step off each time.
2) use the browser sign-in for my Android device. When adding a Google account to an Android phone, just before the screen where you enter your username and password, click the menu button (or 3 dots on the screen if you have no menu button) and choose Browser sign-in. This allows you to login to an Android device with your username, real password and verification code rather than an application specific password.
This saves me from needing to generate application-specific passwords 95% of the time.
Jay
So when you put the login button plugin on an app it seems to display the user's friends that are using said app. It displays this even to users that have NOT allowed the app access yet. For example, if you go to "Henry's Cooking App" but have never Logged into the app thru facebook, it will still show you your friends that are using the app.
What I'm trying to do is use this feature to grab an array of fb-userids from the plugin so I can do a query on my DB to show the POTENTIAL user a little more info. For example let's say you have 2 friends that already use "Henry's Cooking App": Joe and Karen. If I could get their userid I could then show you something like "Joe just cooked Veal Scallopini, and Karen is perfecting her Tonkatsu Curry".
I know you could do this easily IF you had the authentication token, but that is only obtained after the user logs in. I'm trying to leverage the fact that fb seems to think it's OK to show your friends that are using the app BEFORE you sign up for the app.
The only super hacky way I could think of to do it is the fact that I could pull the href attribute of elements matching $(".uiFacePileItem a") which gives a link to the user profile which I could then grab the username or UID from. This seems like it could break easily though, anyone have a better idea? Thanks!
The only super hacky way I could think of to do it is the fact that I could pull the href attribute of elements matching $(".uiFacePileItem a") which gives a link to the user profile which I could then grab the username or UID from.
You can’t do that, because the Facebook login dialogs are not running under your domain – so the Same Origin Policy prevents you from interacting with the DOM of these dialogs.
I'm trying to leverage the fact that fb seems to think it's OK to show your friends that are using the app BEFORE you sign up for the app.
Well, it’s certainly (more) OK if Facebook does that – because that doesn’t give any information away to third parties (meaning you as the app developer/provider) – only the user sees that.
It would not be OK if Facebook would let you access this info, at a point where I haven’t even decided to use your app yet – totally a case of „none of your business”.
After I decide to use your app, you may have access to certain information. Before that – No Way, José.
I am thinking of tying in a Facebook JavaScript-based application with an existing website that has it's own user accounts, but have a question about a specific user situation.
The website is run almost 100% of the time from 'shared' computers, like those found in a career center. User A comes to my website, signs into the site and then authorizes the Facebook app, which stores their session in the browser, along with, effectively, signing them into Facebook.com.
User A now leaves my application by signing out of my site - but not closing the browser.
User B arrives, logs into my site with their login, but the Facebook session is still active (due to the browser staying open), so any FB app integrations I've included will show as if it is still user A, correct?
So the question is, what are the recommended ways to deal with this? Two options come to mind:
When the user signs out of my website, I fire an FB.logout call, so that all of the sessions are killed. Pros - I can ensure that user's signing into the site will not have old sessions hanging around. Cons - a user who is returning shortly after leaving will have to re-login to FB as well as my site to see the FB integrations - I'd love to avoid the user ALWAYS having to do two logins. Secondly, forcing the FB.logout when they leave my site kills any active sessions they have at facebook.com, which makes for a bad user experience as they would not 'get' why logging out of my site has anything to do with facebook.com, and will then have to re-signin to facebook.com.
The second option would be that when the user authorizes the FB app, I take their member ID and store that locally and persistently (database). Then, when a user returns to the site and signs in, I check their FB auth status, and if logged in to FB, pull their member ID and check it against the one I have stored locally. If they match, I have the correct user, if not, I do FB.logout and have them sign in to FB. Pros - this should ensure I always have the correct user to the site. Cons - not sure if getting, storing the member ID is feasible.
Any suggestions or pointers to the 'best practice' when it comes to ensuring that the current user is indeed the one associated with the FB account, specifically in this 'shared computing' situation where sessions may overlap?
Thanks
The second option looks to me to be the better choice. You can indeed store the users facebook id. By storing it locally i'm assuming you are talking using a cookie; however storing in a database is just as feasible.
Facebook user id's should be stored with a BIGINT(20) data type - such are the recommendations from facebook.
Taken from the user section of the facebook api refrence :
Looks like they changed their recomendations...