I have a firebase project and I use a simple web page to login to firebase with username and password just like below...
firebase.auth().signInWithEmailAndPassword
('test.account#gmail.com', 'password').
catch(function (error) {
});
And I got the response like below...
{
"kind": "identitytoolkit#VerifyPasswordResponse",
"localId": "iWFUfdgdsdfsC2",
"email": "test.account#gmail.com",
"displayName": "",
"idToken": "whfGUWiyDE74HsnwN5ZkJn7gX",
"registered": true,
"refreshToken": "SZaG1tmzkgn5EImQ_nRj8",
"expiresIn": "3600"
}
I followed "kreait/firebase-bundle". But didn't get any idea.
My question is is there any way to verify the signed user from symfony backend ?
Someone please help me...
Related
In a project I am provided with API endpoints from a Firebase DB.
To retrieve data I authenticate a user with email and password (https://firebase.google.com/docs/reference/rest/auth/#section-sign-in-email-password) and then sign every API call with the token. (These users are set up in Firebase DB)
Now one of the API endpoints returns Firebase Storage objects like this:
"fileReferences": [
{
"id": "",
"name": "images\/-s0m31D\/picture.jpg",
"mediaLink": "https:\/\/www.googleapis.com\/download\/storage\/v1\/b\/BUCKET.appspot.com\/o\/images%2F-s0m31D%2Fpicture.jpg?generation=1537959346600572&alt=media",
"selfLink": "https:\/\/www.googleapis.com\/storage\/v1\/b\/BUCKET.appspot.com\/o\/images%2F-s0m31D%2Fpicture.jpg",
"updated": 1537959346,
"size": 7759448
}
],
when I try to access fileReferences.0.mediaLink, I get an auth error.
If I send my token along with the request to mediaLink I have no luck either (https://cloud.google.com/storage/docs/downloading-objects#download-object-json)
I tried to use the Google API PHP client https://github.com/googleapis/google-api-php-client, but had no idea how I setup the new Google_Client() (I already have my auth token and I expected it to work somehow)
$client = new \Google_Client();
$client->setAccessToken(['access_token' => $token]);
How can I access the media files with my existing auth token? (or do I need a different one?)
To handle the files, I would like to use https://github.com/googleapis/google-api-php-client how can I make that work? Any hint is appreciated
Edit: I got some results in debugging the JavaScript SDK
"All" the SDK does is creating the following URL Schema
printf('https://firebasestorage.googleapis.com/v0/b/bucket.appspot.com/o/%s', urlencode('projects/-id/logo.png'));
//http[s]://firebasestorage.googleapis.com/<api-version>/b/<bucket>/o/<object-path>
You have to sign the call to https://firebasestorage.googleapis.com/v0/b/bucket.appspot.com/o/projects%2F-id%2Flogo.png with your Auth Bearer token header![1]
This returns meta data like this:
{
"name": "projects/-id/logo.png",
"bucket": "bucket.appspot.com",
"generation": "1537960188874518",
"metageneration": "1",
"contentType": "image/png",
"timeCreated": "2018-09-26T11:09:48.874Z",
"updated": "2018-09-26T11:09:48.874Z",
"storageClass": "STANDARD",
"size": "40437",
"md5Hash": "MxkOU+6feyYtdEAgKbDgp5A==",
"contentEncoding": "identity",
"contentDisposition": "inline; filename*=utf-8''logo.png",
"crc32c": "o89Y9dQ==",
"etag": "CJae8pXE2N0CEAE=",
"downloadTokens": "32c339ff9-7e4a-42a2-890a-428f8f45d378"
}
To publicly share your image, add ?alt=media&token=32c339ff9-7e4a-42a2-890a-428f8f45d378
https://firebasestorage.googleapis.com/v0/b/bucket.appspot.com/o/projects%2F-id%2Flogo.png?alt=media&token=32c339ff9-7e4a-42a2-890a-428f8f45d378
You don't need the token, if you send the Auth Header!
I couldn't find any mention of firebase or how to deal with my authentication in https://github.com/googleapis/google-api-php-client, so I have no idea if this would have helped me. But I got down to the basics...
Hope this helps somebody and any clearification is greatly appreciated.
QUESTION for me to better understand this all:
What are mediaLink and selfLink pointing to?
[1] if the access to storage is public you don't need to sign it.
I have implemented Google OAuth login on my website. A user signs in using his/her Google Account, reaches my welcome page & now on my welcome page & other subsequent pages/scripts what are the variables which I need to validate to authenticate & check whether the user is logged in or not. Right now am just doing this :
checklogin.php (using it in require_once in all my subsequent php scripts)
if(isset ( $_SESSION['access_token'] ))
{
//logged in
}
else
{
//NOT LOGGED IN
header('location:login.php');
}
Do I need to check the value also of the access token & any other security variables to make my login inspection process more robust ? If yes, then how can it be checked ? Or is this check just sufficient enough ?
Ripped from comment
$_SESSION['access_token''] = 'foo' and runs it then again my condition will return true and he will just jump in my website and view all the private data of any user?
If you are really woried that someone will do this then the best thing to do would be to validate your access token against the tokeninfo endpoint. Doc
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[access_token]
Am not really sure how you think a user could do this as your talking about a session variable in the browser. However browser hacking is not my specialty.
UserInfo endpoint
Another option is to check the user info end point. All identity servers have this endpoint which returns info about the current user. Because you are requesting the profile scope you should be able to see this.
Request
GET www.googleapis.com/userinfo/v2/me
Authorization: Bearer ya29.GluEBbGJOYKQ0gcDAFvU2iRKotG-a6MvbyNP6mUUk96RDKJHIFOR_RKiWxl8vQ01rbgy9lP_KmspvrHDzHMZ_
Response
{
"family_name": "Lawton",
"name": "Linda Lawton",
"picture": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg",
"locale": "en",
"gender": "female",
"email": "xxx#gmail.com",
"link": "https://plus.google.com/+LindaLawton",
"given_name": "Linda",
"id": "7200475532672775346",
"verified_email": true
}
The id is my internal id with google
I am trying to get mutual friends from facebook but it is giving me wrong result. The total number of mutual friends count which I am getting is right but when the data is users is not coming
Request
https://graph.facebook.com/v2.8/1744744292507346?fields=context.fields(mutual_friends{name,picture.type(large)})&access_token=access_token
Response
{
"context": {
"mutual_friends": {
"data": [
{
"name": "Gaurav Varshney",
"picture": {
"data": {
"is_silhouette": false,
"url": "https://scontent.xx.fbcdn.net/v/t1.0-1/p200x200/15541198_1872071033026134_3669335060573505093_n.jpg?oh=d4a95ee6cdb8d401be06e8f10fbf6d50&oe=59B0C911"
}
},
"id": "1919297771636793"
}
],
"paging": {
"cursors": {
"before": "MTkxOTI5Nzc3MTYzNjc5MwZDZD",
"after": "MTkxOTI5Nzc3MTYzNjc5MwZDZD"
}
},
"summary": {
"total_count": 2
}
},
"id": "dXNlcl9jb250ZAXh0OgGQHYKW1ALzRNZBAkUhMk2uDFtLZBBkzlasCZAq98zEqnPZBjqy7beHZBJZCVZB7STTw6yMnKC0w4qDA05ZBOGQ3RdRoPjfi1cbAmnChBQ1xLYpJuuKrIEZD"
},
"id": "1744744292507346"
}
I am only getting 1 friend since total_count is showing 2 .Can anyone tell me where I am doing wrong?And how can I use paging ??
When try to hit all_mutual_friends
https://graph.facebook.com/v2.8/1744744292507346?fields=context.fields(all_mutual_friends{name,picture.type(large)})&access_token=access_token
{
"error": {
"message": "(#10) To use all_mutual_friends on behalf of people who are not admins, developers and testers of your app, your use of this endpoint must be reviewed and approved by Facebook. To submit this feature for review please read our documentation on reviewable features: https://developers.facebook.com/docs/apps/review",
"type": "OAuthException",
"code": 10,
"fbtrace_id": "HF3ZO8U3eLW"
}
}
There is a lack of documentation about this feature and I had to dig about it. Mainly regarding on how to request that with Graph API.
That's how I'm doing and it is working, with some flaws that I will explain later:
Let's say we have here UserA and UserB. You need to collect the context-id of each of the user and save it on the server side because it must be used later on.
So, UserA connects and want to request mutual friends with UserB which is already connected. What you will need to do is:
UserA FB Graph request using this:
/'{{UserB context-id}}/all_mutual_friends?limit=5000', 'get'
also sending UserA fbaccesstoken
I use the limit 5000 to avoid pagination on the data results.
Now, the flaws:
The all_mutual_friends is giving me some headaches. I may be completely wrong, of course, but I debugged it for days and it seems there are some issues with Facebook when the feature is still in development mode and not public/authorized by FB. Don't know, I need to ask for permission to see that in production.
On my application I realised there are sometimes some mutual_friends are not actually listed and it is not a fault of the script, but probably some users configuration that avoid using this or some facebook problem. IDN.
Anyways, that's the way you should request mutual friends.
Hope it helps.
i have really a big problem, i have created a login API, and i'm facing a problem, when i access my website from URL it gives me the Code :
{
"status": 200,
"user_data": {
"username": "",
"email": "",
"first_name": "",
"last_name": "",
"gender": "",
"avatar": "",
"cover": ""
}
}
That's mean i have successfully received the data, but when i'm trying to get the data via file_get_contents(); it don't work, and start to give me php errors from the sender server:
{
"errors": {
"error_id": 2,
"error": "User not logged in"
}
}
and that's mean that the user is not logged in, but i'm logged in when i access the URL directly,
the question is how can i generate a JSON data to send it and receive it from another server or domain like Facebook graph, or soundcloud API, they both are working with file_get_contents();
How should your PHP script know, that you are logged in with your browser? Please take a look at oauth2. You have to implement the possibility to authorize your script to get access to the userdata.
I'm sending the following request to the Google Datastore API, via the PHP client, and i'm getting a "503 Backend Error" without any other information. I tried the online client available here, but the error is the same. Maybe something is malformed on my request? The documentation wasn't very helpful:
{
"mode": "NON_TRANSACTIONAL",
"mutation": {
"upsert": [
{
"key": {
"path": [
{
"kind": "Log"
}
]
},
"properties": {
"event": {
"indexed": false,
"stringValue": "new_order"
},
"dataType": {
"indexed": false,
"stringValue": "test"
}
}
}
]
}
}
Any ideas of what might be causing this behavior? Or how to enable more detailed feedback from the API?
When you perform POST https://www.googleapis.com/datastore/<APIversion>/datasets/<datasetId>/commit, make sure that if you created your project using the old Admin Console that your datasetId in the URL is the App Engine application ID, and that if you created your project using the Developer Console, that your datasetId is the project ID you see in the Developer Console.
Also, if you created your project through the new Developer Console, try toggling the API on and off.
Finally, check that you are completing the OAuth flow properly, all your client ID info makes sense, and that you are setting up the right scopes, etc...