I'm using the Google Plus API on my website to sign in users, and it works great. However, because I only need the user's email (I create my own auth token), I no longer need the Google Plus API: the Gmail API provides all the information I need and also gives a larger daily quota, 1,000,000,000 compared to 20,000,000 for the Google Plus API.
The Problem is:
When I used the Gmail API I got the same information that the Google Plus API provided, which is great.
However, going to my dashboard inside Google Cloud Console >> OAuth consent screen tab >> OAuth rate limits,
it says: "Your token grant rate: Your current per day token grant rate limit is 10,000 grants per day. The per day token grant rate resets every day."
So, am I missing something?
Note: When I switched to Gmail API, I did change the client key, secret key, and Google Sign In URL.
There is a difference between the OAuth Rate Limits and the Gmail API Usage Limits. When designing your app you have to take these two factors into consideration:
1) OAuth
The OAuth Rate Limits refer to the number of tokens that your application can request from Google in order to be granted permission to sensitive scopes by the users that are utilizing your app, and in that way be allowed to access their data (how much data depends on the scopes) when calling Google's APIs.
2) Gmail API
The Gmail API Usage Limits refer to the number of requests that your app can make to the API, no matter the number of users (as long as it doesn't surpass the limit), because that was previously checked by the OAuth rate limit.
I am building a cross-platform app and using PHP and MySQLi. Users sign up with either their Facebook account or phone number. If they choose phone number, they enter their number and an SMS is sent containing the verification code. The user enters the code and an API token is sent back to be used across the API requests. Tinder (for example) is this way.
I am considering Twilio for the verification.
My issue comes down to the security of this login process. Can a malicious user just rapid-fire the login request that creates a verification code over and over again... sending plenty of SMS and costing me a fortune on my Twilio account? Should I only allow so many attempts? Can a bot just eventually guess the code?
What is the security behind Tinder's API?
Things to consider:
1- limit requests per phone number
2- limit requests per user (by IP)
3- use a captcha (only after the second attempt, to keep your app user friendly)
4- use honeypots
"Can a bot guess the code?"
Verification codes should have a time constraint. After like 2 minutes they should be invalid. The time constraint and request limiting should make it very, very unlikely for a bot to guess the code.
If you are using Laravel, it already has rate limiting middleware (limit by IP).
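The controls listed in this answer (a per-phone send budget, a per-IP send budget, a short code lifetime, and a cap on guesses) fit together in one small service. The block below is an added example written for this page, not code from the question or from any answer; the in-memory store, the numeric limits, the injectable clock and the `sms_sent` list standing in for the Twilio call are all assumptions, and a real deployment would keep this state in a database or cache shared by every app server.

```python
"""Server-side controls for an SMS verification-code login (added example)."""
import hmac
import secrets
import time
from collections import defaultdict, deque

# Policy knobs: assumed values, tune them to your own traffic.
MAX_SENDS_PER_PHONE_PER_HOUR = 3   # limit requests per phone number
MAX_SENDS_PER_IP_PER_HOUR = 10     # limit requests per client IP
CODE_TTL_SECONDS = 120             # a code is invalid after about 2 minutes
MAX_VERIFY_ATTEMPTS = 5            # guesses allowed before the code is burned
CODE_DIGITS = 6


class VerificationService:
    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing
        self.sends_by_phone = defaultdict(deque)    # phone -> send timestamps
        self.sends_by_ip = defaultdict(deque)       # ip -> send timestamps
        self.pending = {}                           # phone -> {code, expires, attempts}
        self.sms_sent = []                          # stand-in for the Twilio API call

    def _prune(self, dq, window):
        """Drop timestamps older than the sliding window."""
        cutoff = self.clock() - window
        while dq and dq[0] < cutoff:
            dq.popleft()

    def request_code(self, phone, ip):
        """Issue a code unless the phone or the IP has used up its hourly send budget."""
        now = self.clock()
        self._prune(self.sends_by_phone[phone], 3600)
        self._prune(self.sends_by_ip[ip], 3600)
        if len(self.sends_by_phone[phone]) >= MAX_SENDS_PER_PHONE_PER_HOUR:
            return "rate_limited_phone"
        if len(self.sends_by_ip[ip]) >= MAX_SENDS_PER_IP_PER_HOUR:
            return "rate_limited_ip"
        # secrets is a CSPRNG; zero-pad so every code has exactly CODE_DIGITS digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[phone] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        self.sends_by_phone[phone].append(now)
        self.sends_by_ip[ip].append(now)
        self.sms_sent.append((phone, code))   # real app: hand the code to Twilio here
        return "sent"

    def verify_code(self, phone, submitted):
        """Check a submitted code: expired, over-guessed and used codes are all rejected."""
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self.clock() > entry["expires"]:
            del self.pending[phone]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self.pending[phone]          # burn the code; the user must request a new one
            return "too_many_attempts"
        # constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(entry["code"], submitted):
            del self.pending[phone]          # single use
            return "ok"
        return "wrong_code"
```

With a 6-digit code, 5 guesses and a 2-minute lifetime, a single code gives an attacker at most a 5 in 1,000,000 chance, and the per-phone and per-IP send budgets cap how many codes (and how much Twilio spend) one client can trigger in an hour.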
Twilio developer evangelist here.
I agree with all the things that Shalior says in their answer, so I'm not going to reiterate that.
What I wanted to share was this article on falsehoods programmers believe about phone numbers. It is a good reminder that phone numbers don't necessarily uniquely define a user, and worth keeping in mind if this is your intention for a passwordless login.
I use the Gmail API to get users' emails from Google using the scope (email), and it works great.
However, as mentioned in this Google article, not only do I have a 1,000,000,000 daily quota, but the getProfile method also costs me only 1 quota unit.
So, doing some math, I should be able to sign in 1,000,000,000 users to my website daily.
But that's not the case. Actually, Google allows me only 10,000 requests daily.
What I need to know:
Why is that? (1,000,000,000 quota => 10,000 requests.)
Is there another way to get Google users' emails without using the Google API Client?
How many sign-in requests can I send to Google daily?
Note: I have no interest in the Google access token since I generate my own access token for every user (I only need the email).
Thank you!
You are not using the Gmail API. The Gmail API is intended to interface with a Google user's Gmail mailbox (sent/received emails). The OAuth scope email does not grant you any access to the Gmail API. What it does allow is access to the Google user's email address (which may be @gmail.com or may be another domain).
See Google's list of OAuth scopes. email is listed under Google Sign-in.
To my knowledge, there are no quotas around usage of email scope and sign-in.
I'm creating a custom user management system, which involves all the app data being on the application server, but the phone should be authenticated by Firebase. When a new user registers on the system, Firebase Phone Authentication takes place. On successful authentication from Firebase, the registration data goes to the server via the API. Now the problem is, how do I check server-side whether the phone number has been authenticated by Firebase or not? If I allow registration without server-side Firebase auth validation, the API request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18, the Firebase SDK for PHP.
The flow I'm using right now is demonstrated below, and the flow I want to implement can also be given as:
Update 25/09/2019
The library Kreait\Firebase helped to implement the flow as given in the accepted answer by @jeromegamez. However, Kreait\Firebase does not support the idToken validation for iOS devices.
An iOS device has a Google idToken rather than a Firebase idToken, and hence Kreait\Firebase failed to validate it. The issue is briefly described in the post Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth.
The Firebase Rest API has the method for that.
On the device, after the user is authenticated and you have the User object, to get the token for verification you can call:
with Android - getIdToken()
with iOS:
    Swift - getIDToken()
    Objective-C - -getIDTokenWithCompletion:
with JS (web or other platforms) - getIdToken()
with React Native - getIdToken()
and a bunch of other platforms in the docs.
Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.
Thus you can verify server-side that the owner of the token has that specific phone number.
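The server-side half of this answer, the accounts:lookup call followed by the phone-number comparison, is shown below as an added example written for this page; it is not code from the answer, from kreait/firebase-php or from Firebase. It assumes the caller supplies the project's Web API Key, and the two sample responses are constructed to mirror the documented response shape rather than captured from a live project.

```python
"""Verify that a Firebase ID token belongs to the phone number a registration
request claims, via the accounts:lookup REST method (added example)."""
import json
import re
import urllib.request

LOOKUP_URL = "https://identitytoolkit.googleapis.com/v1/accounts:lookup?key={api_key}"
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def lookup_user(id_token, api_key, timeout=5):
    """POST the client's ID token to accounts:lookup and return the parsed JSON.
    This is the only network call; the offline checks below use sample data."""
    body = json.dumps({"idToken": id_token}).encode()
    req = urllib.request.Request(
        LOOKUP_URL.format(api_key=api_key), data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def normalize_phone(number):
    """Strip separators and accept only E.164, so '+1 (555) 555-0100' and
    '+15555550100' compare equal while local or malformed numbers are rejected."""
    cleaned = re.sub(r"[\s().-]", "", number or "")
    return cleaned if E164.match(cleaned) else None


def phone_from_lookup(response):
    """Return the single user's phoneNumber from a lookup response, or None.
    A token mapping to no user, several users, a disabled user or a user with
    no phone number is rejected: the server never guesses."""
    users = response.get("users") or []
    if len(users) != 1:
        return None
    user = users[0]
    if user.get("disabled"):
        return None
    return normalize_phone(user.get("phoneNumber"))


def registration_allowed(claimed_phone, lookup_response):
    """True only if the phone bound to the token equals the phone the client submitted."""
    token_phone = phone_from_lookup(lookup_response)
    claimed = normalize_phone(claimed_phone)
    return token_phone is not None and claimed is not None and token_phone == claimed


# Constructed sample responses (not captured from a real project).
SAMPLE_OK = {
    "kind": "identitytoolkit#GetAccountInfoResponse",
    "users": [{"localId": "uid-example", "phoneNumber": "+15555550100",
               "providerUserInfo": [{"providerId": "phone", "phoneNumber": "+15555550100"}]}],
}
SAMPLE_NO_PHONE = {
    "kind": "identitytoolkit#GetAccountInfoResponse",
    "users": [{"localId": "uid-example", "email": "someone@example.com"}],
}

if __name__ == "__main__":
    # Real flow: resp = lookup_user(id_token_from_client, "YOUR_WEB_API_KEY")  (placeholder key)
    print(registration_allowed("+15555550100", SAMPLE_OK))          # True
    print(registration_allowed("+15555550100", SAMPLE_NO_PHONE))    # False
```

The point of comparing against the number the client submitted, rather than simply trusting whatever the client sends in the registration body, is that the lookup result is the only phone number the server has actually seen Firebase vouch for; the registration body by itself can be spoofed, as the question notes.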
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
the phone number is valid
the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
the phone number cannot be associated to another user
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS: The only other way to add a phone number to a user is through an Admin SDK, and there it's your responsibility to ensure that the phone number belongs to the user.
PPS: As far as I know (and checked), the Firebase REST APIs don't expose "verified phone number" information.
Is there any limit to accessing the Graph API or the PHP SDK in Facebook (like XXX no. of hits allowed per day/hour)?
See Policies, Features and Functionality point five:
https://developers.facebook.com/policy/
" If you exceed, or plan to exceed, any of the following thresholds please contact us by creating a confidential bug report with the "threshold policy" tag as you may be subject to additional terms: (>5M MAU) or (>100M API calls per day) or (>50M impressions per day)."
100 million API calls a day is hard to hit eh? :)
If you are using a token from the currently logged-in user, the limit was 600 requests/minute a few months ago; I haven't checked since. If you are using an application token, I haven't seen any limits, at least none that can be tested with a mid-range server.
Is it possible to track how often and/or when a Facebook user is using any facebook app? What if they have installed one of your apps, can this be used to collect statistics about app usage? For instance, you could say that a user spent 8 hours playing Farmville in the past 24 hours. Or even total usage of a specific app. What statistic can be collected about the use of facebook apps and how can this be done?
When you register your application, you can get detailed analytics about the demographics of your users and how users are sharing from your application with Insights.
The Graph API provides programmatic access to all of this data so you can integrate Platform data into your own, custom analytics systems.
To download Insights data, you first need to obtain an OAuth access token associated with your application via the OAuth Client Credentials Flow. You can obtain an access token for your application with:
curl -F grant_type=client_credentials \
-F client_id=your_app_id \
-F client_secret=your_app_secret \
https://graph.facebook.com/oauth/access_token
Once you have your application access token, you can download analytics data for your application at:
https://graph.facebook.com/app_id/insights?access_token=...
That URL outputs all of the analytics data available via the API, including the total number of users, number of active users, and a number of other detailed metrics. For example, you can get the number of users who have seen pages shared from your site with:
https://graph.facebook.com/app_id/insights/share_views/day?access_token=...
You can use since and until to specify the time range for which you want data. Both arguments accept times in almost any valid date format:
https://graph.facebook.com/app_id/insights?access_token=...&since=yesterday
Explore the Insights product and the base /insights URL for a more complete list of available metrics.
I hope it will help you.
App statistics can be extracted from insights, metrics, and application tables through FQL.