We have a request from a client to update facebook status/comments through a text message.
Here is the scenario.
The SMS carries the fb Username,Password and the status/comments and this will goes to a SMS Gateway. Then the USername,Password and the status/comments come to our application and our application should facilitate to update the status and comments on the fb account.
Is there a method to authenticate the user through a SMS (Auth Dialog box) or is there any other method to update status/comments on fb through a sms. This is a PHP application.
Why don't you ask your user to create an account on your site and authorize your Facebook registered App to access his timeline? He would also register his phone number on your site and get a short numeric unique ID.
Then he can just send an SMS and when you detect a phone number or the numeric ID in a SMS, you post with the Facebook API which you are authorized for.
Sending Username and Password via SMS is not a great idea. A numeric ID of the phone number itself is much safer.
PS: I'm not using FBAPI but this is how it's supposed to work, from what I heard.
it is not possible to authenticate using username and password.
you should ask your users to create new application on their profile or authenticate first via your website in order to grant you an access.
after obtaining application_key and application_secret you can manipulate with user's account using these pairs.
please refer to facebook's developer zone to get more details on how fbapi works.
Related
We want to send email to logged in users in our Drupal application. We are authenticating using AAD and our site is hosted in Azure app service.
we have a generic service account with a mailbox attached and we would like to notify the logged in users in case of any event using MS graph API and O365 connections.
Can we please get some guidance in this respect.
You can use the Graph API to send emails from your service account. Where you are going to have a problem is with identifying logged in users. An AAD token will be valid for your site even if the user originally signed in somewhere else, so logging signins isn't foolproof. Unless your users specifically sign out, the token will also be valid past when they stop using the site.
If you wanted to go down this road, then doing some logging of user actions and then sending the email to users that have been active within X amount of time might be an option.
If your goal is to notify users and you don't need an email specifically, then you might want to looking into using websockets or something similar to send notifications to the users within their browser.
I'm Creating a custom User Management system, involves all the App data to be on application server, but the phone should be authenticated by firebase. When New User Register on System, Firebase Phone Authentication takes place. On successful authentication from firebase, Registration Data goes to Server via API. Now the Problem is, how do I check server side that the phone number is authenticated by firebase or not? If I allow registration without server-side firebase auth validation, API Request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18 Firebase SDK for PHP.
The Flow I'm Using Right Now is Demonstrated below and the flow I want to implement is also can be given as,
Update 25/09/2019
The library Kreait\Firebase helped to achieve to implement flow as given in answer by #jeromegamez in the accepted answer, However, the Kreait\Firebase does not support the idToken validation for ios device.
IOS device has google idToken rather having firebase IdToken and hence Kreait\Firebase failed to validate it. Brief issue is given in Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth post.
The Firebase Rest API has the method for that.
On the device, after the user is authenticated and you have the User object, to get the token for verification, you can call
with Android - getIdToken()
with iOS
Swift - getIDToken()
Objective-C - -getIDTokenWithCompletion:
with JS (web or other platforms) - getIdToken()
with React Native - getIdToken()
and bunch of other platforms in the docs
Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.
Thus you can verify server-side that the owner of the token has that specific phone number.
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
the phone number is valid
the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
the phone number cannot be associated to another user
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less
secure than the other available methods, because possession of a phone
number can be easily transferred between users. Also, on devices with
multiple user profiles, any user that can receive SMS messages can
sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it
alongside more secure sign-in methods, and inform users of the
security tradeoffs of using phone number sign-in.
Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.
PSS: As far as I know (and checked), the Firebase REST APIs don't expose a "verified phone number" information.
I would like to know what are the prerequirements for facebook API to allow a PHP web page to pull the following user data:
name
email
phone
As far as I understand, pulling the phone number requires that your website is whitelisted with facebook / Websense ?
Please advice.
Thank you!
As Facebook uses OAuth, you have to build a so-called login flow. See the docs at
Facebook Login for the Web with the JavaScript SDK
Manually Build a Login Flow
Within this flow, you have to request permissions from the user. For your use case, you'll need
public_profile
email
There's no chance to get the phone number out of the Graph API.
I'm currently building a web service to allow a mobile app to login to our app using Facebook.
What is the best practice on implementing that feature?
My current flow is :
1st condition : User haven't registered yet...
User tap "Login with Facebook" button in the mobile app.
And then, user allows permission for the Facebook app that I created
for the mobile app.
The app retrieved email address, Facebook ID number, and Name from
the Facebook API
The app check if the Facebook ID && Email address already registered
in our database
If not registered :
The email address, Name, will be automatically filled into the
Registration form
After submitting, the app sends the information (Fullname, email,
hashed password, and facebook Id to the server, registering the user)
If already registered :
- The server returns the token code, which used for in-app activity
Do you think there will be a security issue there? I'm thinking if maybe someone knows you, knows your Facebook ID which can be fetched using Graph tool, and possibly know your email address, that people can logged on to the app easily by sending all the data to the server.
ALSO, I'm thinking of implementing the same method with Twitter, but it seems that email cannot be retrieved using Twitter API.
Any work-around on using Twitter API?
Thank you very much for your answer.
I am building an app on top of Google Reader. Since users have to enter their Google Account data, I'd like to use this data to assign personal settings to each user.
However, if I do so and a user would change his email adress or password(for the whole Google Account), I wouldn't be able to identify him anymore.
Thus, I need to know if there's a Google Account ID or something that I can use to identify users regardless of an email adress or password.
Thanks for your help!
If you use the Google Account API, you can connect the user to your app using OpenID or OAuth. Both methods return an account ID which stays static for that user.
More information: http://code.google.com/apis/accounts/