Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I've built a website that authenticates users via facebook.
The way I've set it up is like this: The website uses the facebook JS SDK on the front end, and when the user authenticates with facebook their access_token is sent to my server via an ajax call (using HTTPS for security) - where the graph api is queried and their session is initiated server-side (Using a database for secure session storage of user data).
Can anyone think of any potential problems this approach might lead to? Thanks!
This is a very common scenario. The only issue is that unless you request offline_access that token you get is only valid for an hour.
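As an added example (not code from the question or the answer), here is the check a session-starting endpoint should run on a token that arrives from the JS SDK before trusting it. It assumes the server has already called GET https://graph.facebook.com/debug_token?input_token=<user token>&access_token=<app id>|<app secret> and parsed the JSON; the response below is constructed with made-up values, and MY_APP_ID is a placeholder for your own app id.

```python
import time

# Constructed sample of what /debug_token returns (field names are Facebook's,
# the values are invented for this example).
SAMPLE_DEBUG_RESPONSE = {
    "data": {
        "app_id": "123456789012345",
        "type": "USER",
        "application": "Example App",
        "expires_at": 1700003600,
        "is_valid": True,
        "scopes": ["public_profile", "email"],
        "user_id": "10000000000001",
    }
}

MY_APP_ID = "123456789012345"  # placeholder: the app id your server is configured with


def validate_debug_token(resp, expected_app_id, claimed_user_id, now=None):
    """Decide whether a client-supplied token may start a server-side session.

    Returns (ok, reason). A token that arrives from the browser must be
    checked, not trusted: it has to be valid and unexpired (JS SDK user
    tokens are short-lived, which is the answer's one-hour point), it has to
    have been issued to *this* app rather than some other app the same user
    authorised, and the user it encodes has to be the user the client claims.
    """
    now = time.time() if now is None else now
    data = resp.get("data", {})
    if data.get("error"):
        return False, "graph api reported error: %s" % (data["error"],)
    if not data.get("is_valid"):
        return False, "token not valid"
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued for a different app"
    expires_at = data.get("expires_at", 0)
    # expires_at == 0 means the token does not expire; otherwise it is a unix time
    if expires_at and expires_at <= now:
        return False, "token expired"
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "token belongs to a different user"
    return True, "ok"
```

Only after all checks pass should the server create its own session; the Facebook token itself should not be reused as the session identifier.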
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 months ago.
I am building a desktop application that will have a settings screen on the web. If the user clicks on the settings button, it shall open the Laravel web application and authenticate automatically. So I need a deep link to log in directly into the application and redirect the user to the settings page.
Is there any way to solve this scenario with laravel Auth or any further suggestions?
I guess that for deep link you mean "very long and difficult to guess url".
I suggest you manage access using an authentication token (it is generally used for APIs, but the "remember me" functionality also uses a token stored in a cookie) and make it possible to configure the token in the desktop application.
This allows you to:
disable a token at any time
create different tokens for different users
get much better security compared to a hidden URL
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 1 year ago.
I am developing an Android application (I'm a beginner) that will manage a database on a server using HTTP requests to PHP files.
My question is: what is the best way to restrict traffic to those PHP files? I only want those PHP files to be executed by requests from my application and not by requests from other programs (Postman), services, etc.
You will not be able to disallow your API for any particular client. You can reject the request based on the source IP or port, the headers including user agent, API keys or other credentials, but if your API can be accessed at all, then it can be accessed by postman or any other client using the same data.
To limit the ways people can access the data you can add API keys and user credentials, but the same user with the same API key and credentials will be able to access your API using any other software, and there is no way around it.
One thing you could do would be to e.g. require some headers that are restricted for Postman - see Restricted headers and cookies in the Postman documentation:
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I'm not quite sure if this is possible, but I am looking for a way to get the Twitter username of a person visiting a website. Does anyone know if there is a way to do this, or if I always need the user to confirm that I can see this data?
Preferably I'm looking for a PHP library that I can do this with.
No, that is not possible. Think of the security vulnerabilities: if any website could access your Twitter account information without your permission, then you essentially have no privacy.
You need to use OAuth to first ask the user to sign in. Then, you will have limited access to that user's account information.
Here is a list of PHP libraries to help you do this.
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 6 years ago.
I'm building a website, and the website has a running Facebook page. I want to be able to post to my page from my CMS.
The problem is that to get those permissions I must get my Facebook app approved, and they require things like a screencast of how users are going to log in to my app, etc.
Is there a simple way to generate an access token for my own page so I can make api calls to manage it?
Daniel.
You do not have to go through app approval if you're just using it for your own purposes. Users with admin/developer/tester roles on the app can use permissions that require review without a review.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I'm developing a mobile application using Titanium Studio, and the server side is written in PHP. I want the app to get data from the server and display it to the user.
What approach is good for this case? I'm thinking of using a REST API; however, the app will display data before the user has logged in, and only certain parts require the user to log in first. How I want it to behave:
Fetch data from the server via the client app I've built only, no other access possible
Log in the user through the app client -> server. How do I do this using an API?
The API isn't public to everyone, just the app I've built.
To answer your points:
(1) A REST API which returns JSON/XML etc. can be used by your client app. If you want to restrict access to the REST service to your mobile clients only, then an authentication token can be passed with the client requests.
(2) Same as above, you can have a login method to validate the user, and then return an authentication token which may be used while requesting subscription/secure data
(3) Unless you have made the API/URI public it is not known to others. And this is where you can pass a GUID token or reference string from the client to the service and the service will know the requests are coming from your clients.
Hope this answers your questions.
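As an added example (not code from this answer or from the earlier Laravel deep-link answer, and in Python rather than PHP) that covers both: a token store that issues a per-user bearer token (returned at login by the REST API, or configured once in the desktop application), keeps only its hash on the server, and lets any single token expire or be disabled. TokenStore and its method names are assumptions for the example; a real deployment would back it with a database table.

```python
import hashlib
import secrets
import time


class TokenStore:
    """In-memory stand-in for a database table of issued tokens.

    One record per token lets you issue separate tokens per user (or per
    installed desktop/mobile app) and revoke any one of them on its own.
    Only a SHA-256 digest is stored, so a copied table yields no usable
    credentials, and lookup is by digest rather than by the secret itself.
    """

    def __init__(self):
        self._by_digest = {}  # digest -> {"user": ..., "expires": ..., "revoked": ...}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, ttl_seconds=3600, now=None):
        """Create a token for user_id; the clear token is returned exactly once."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike a hidden URL
        self._by_digest[self._digest(token)] = {
            "user": user_id, "expires": now + ttl_seconds, "revoked": False}
        return token

    def revoke(self, token):
        """Disable one token (e.g. a lost desktop installation) without touching others."""
        rec = self._by_digest.get(self._digest(token))
        if rec:
            rec["revoked"] = True

    def revoke_all_for_user(self, user_id):
        """Disable every token a user holds, e.g. on password change."""
        for rec in self._by_digest.values():
            if rec["user"] == user_id:
                rec["revoked"] = True

    def authenticate(self, token, now=None):
        """Return the user id the token grants, or None if it grants nothing."""
        now = time.time() if now is None else now
        rec = self._by_digest.get(self._digest(token))
        if rec is None or rec["revoked"] or rec["expires"] <= now:
            return None
        return rec["user"]
```

The client sends the token on every request (for instance in an Authorization header over HTTPS); the server calls authenticate() and serves the logged-in parts only when it returns a user id.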