I have some strange behavior with a Facebook request
My application allows users to send application requests to their friends.
When I process the call back I can't seem to read or write any of the session objects I set prior to or after this act.
What does Facebook do to my session objects?
I found it on another post
$.ajaxSetup({
beforeSend: function(xhr) {
xhr.setRequestHeader('X-CSRF-Token',
$('meta[name="csrf-token"]').attr('content'));
}
});
Related
We are currently calling third party(our API to OPT-IN that user in our system) API using ajax in cart page for OPT-IN feature. Consider that user is already created in our system at the time of registration using webhook. Now just need to OPT-IN that user.
But by calling API using ajax we are making Access Token Visible. So, it's not secure way to implement API'S.
Need API call to create shopify public APP. In that checking the user status in our system using API. Depending upon API response have to decide Show/Hide one button (that button is added in cart page.). I am talking about implementation of our API for creating APP. That API need Access Token which is provided by us.
So, for security purpose of access token need to implement server side API in Shopify cart page.
async function getData(){
const result= await fetch("https://s15.socialannex.net/apiv2/userstatus/SITE_ID/{{ customer.email }}?access_token=ACCESS_TOKEN",{
method: 'POST',
data: {
'first_name': 'Atul'
},
});
var res = await result.json();
if(res.error_code == 0){
$(".join-loyalty-button").css("display","none");
}
}
Above code is working fine but its ajax call. I want to call above API at server side.
You want to use the App Proxy pattern. See the documentation here:
https://help.shopify.com/en/api/guides/application-proxies
With that, you can callback using Ajax to your API with any information important to your callback. Example, the customer ID. The callback is secure, and no security tokens are exposed. You can return JSON meaning your front-end code can show/hide buttons based on an answer from your internal App.
Long story short. I have a login form in the header on every single page, when I log in successfully it works fine but when the user is incorrect for example it redirects to the default login page (a view that was originally created with MVC project) with the model errors. I don't want to do that, I want to show errors next to the login form without redirecting. So I decided to implement a login via WEB API - i.e. it does $.ajax jQuery request to the Login API Controller, tries to log user in and returns errors if needed so I can output them where I want.
All examples I've seen say to use Bearer Access Token. I don't understand why would I need to go this path - save the token somewhere and pass it along with every single request in the headers? That's what I did in my Login API Controller:
var user = await UserManager.FindAsync(model.UserName, model.Password);
if (user != null)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);
}
else
{
error = "Invalid username or password.";
}
This is the same functionality that is available out of the box when you create MVC5 project. I just moved it from regular controller to API controller. And it works without needing to take care of some bearer access tokens. What's the point of it if you could just do it like I did? I think it just makes requests more complicated when you use bearer token. Am I missing anything?
As I understand this, the bearer token would make more sense when you need to have a separately available backend authenticated with the same login as the front end we site in a pass through so the back end can "see" the request as coming from the same user.
You can verify that after logging in this way both the front end web site and backend api are sending the same session cookie, and if so you are golden. If on different domains, you may have problems with that, but otherwise not. If so, then a bearer token to pass that user to the backend may come back into play.
I have an MVC4 web application that uses LinqToTwitter to display Tweets when a user's profile page is visited, if they have a Twitter handle.
For this I use ApplicationOnlyAuthorizer:
var auth = new ApplicationOnlyAuthorizer
{
Credentials = new InMemoryCredentials
{
ConsumerKey = "twitterConsumerKey",
ConsumerSecret = "twitterConsumerSecret"
}
};
auth.Authorize();
My problem is that I have found that auth.IsAuthorized always returns false, even when I have call Authorize() and am successfully able to make calls to Twitter. And also, I have found that if I call Authorize() in every call made to Twitter, that an unhandled exception is thrown if I repeat the call enough times.
It seems quite important that I am able to know if auth is authorized before I make the call to Twitter. For now, I have put in a quick fix where I store my own IsAuthorized Session variable - but am not sure how reliable this is, because the Session variable could outlive the actual authentication itself?
Any advice on this would be appreciated.
The first time you authorize, Twitter will return a bearer token. After Authorize, you can grab this from the auth.BearerToken property. On subsequent calls, you can re-use the same bearer token. The bearer token doesn't expire, unless you invalidate it. Twitter's recommendation is that you use the bearer token for about 15 minutes and then re-authorize after that.
I am using parse.com and phonegap, and want to be able to pass user credentials between the native and phonegap/uiwebview part of the app.
I have a valid PFUser in the native side, and want to pass/create the same valid user to the web portion of the app.
Can a user be created using existing credentials, maybe Parse.User.current()._sessionToken?
Given a sessionToken and a User's objectId, you have all the information you should need to re-login a User on the JavaScript side. However, there is no supported method to do it. You would have to do something terrible like:
var user = new Parse.User();
user.id = "the object id";
user._sessionToken = "the session token";
Parse.User._saveCurrentUser(user);
user.fetch({
success: function(user) {
// Now the user is logged in.
}
});
However, this is unsupported, may not work, probably will break in the future, and may burst into flames at any moment. So don't do it. ;-)
I am working on an fbml application which can be added to a fan page. The application then sends ajax request to my php script for data etc.
I have to store some data on my php side against a key or something which remains the same throughout facebook session. How can I implement this? Is there any way to send facebook session id in ajax request? I am using fbml Ajax() element to send ajax request.
Here's a glimpse of code
function do_ajax(path)
{
var sessionKey = '###'; //Something representing fbml app's session state
var ajax = new Ajax();
ajax.responseType = Ajax.FBML;
ajax.ondone = function(data) {
document.getElementById('content').setInnerFBML(data);
}
ajax.post(path+'/'+sessionKey);
}
The visitor may or may not be logged in so I can't use userid. And php session id keeps changing in each request.
Thanks a lot
FBML is being deprecated. See: https://developers.facebook.com/docs/reference/fbml/ No more support for it in 10 days, and then in 6 months it will no longer work. I would suggest using the new Javascript SDK.