Hello I am looking to build a basic API and application/apps system on my social network something like Facebook or other sites have, my site is in php/mysql. Here are some questions.
1)
Basically what I want to do is give a user a API key and secret. After I have these how can I use them in my php app to authenticate a user request which would come from there server?
2)
I can basically build an API to send a request to my server with CURL and get the result back to the page in XML or JSON or whatever, the problem is when sending the request the user would have to know the user ID they want to send to lookup data against, this is fine for an API but I am wanting to have an Apps section where the user's app site would be using the API and would be loaded into my site in the app section with an iframe, the problem is, I need to find a good way to make it where a logged in user on my site can go to the app section and go to an app and there username should be available to that page loaded in the iframe. Facebook and myspace do this somehow and many other sites; I am lost how to get around this hurdle.
Any help on any of this is really appreciated, thank you
Update:
I just had an idea, if I require a cookie to be set when a user visit's my site, then they would have a cookie and it could hold there User ID, then my API script could look for that cookie to exist and grab it's value?
If you plane on using an IFRAME, then no, your API hosted on a separate website (the website inside the IFRAME) would not be able to grab the cookie. The cookie is only visible on the website that it was set for.
I have only used Facebook API with the FBML (not the IFRAME,) but all they do their is basically replace what's in the page with the info that the "tag" is calling. I'm not sure if there is a better way, but you could possibly call a page on the app's server (say the app is hosted at http://example.com/app/, and you called http://example.com/app/?id=28318&name=John%20Maguire,) and have your API code handle it and turn it into a variable?
Maybe you should look into the source code of the Facebook API client.
Related
So I've start building an application for a website in Swift. The main goal is to have an iOS App which can receive notifications (in JSON from website) and can show all the features of the website.
So I can login and sign-up from the app to my database but the thing is I don't understand how to take out my session login and display it in an UIWebView. So the user has just to log-in and he can see the website with his account. The only thing I can make is to show the website as a guest.
Can someone help me please ?
As far as I know UIWebView does not store/send any cookie(session) for your web site. That means you're always not authenticated.
In order to complete your task you need to create your own cookie handling mechanism.
You need to save auth cookies sent to you by the server in response HTTP header, e.g.
Set-Cookie: JSESSIONID=ABAD1D;
Then you need to make any required request and MANUALLY put cookie header filed in your request header e.g.
Cookie: JSESSIONID=ABAD1D
Save response somewhere and render HTML in a WebView
BOTTOM LINE: All this stuff is a huge overhead to your app. Instead you need to write API of your web-site specifically for iOS(and other) apps, using different authentication approach and data transfer (well known).
What you want to do is basically create a little browser, I don't think it is a good idea.
I'm relatively certain after reading the facebook Open Graph documentation that I can't have a web site 'subscripe' to a public page, unless that page installs my app. Let me know if that is wrong.
What I am trying to make is a photo gallery, pretty simple, but it grabs photos from a public 'page' such as a college or university.
I would like it to update itself anytime there is a change. I was hoping I could do it through the API, possibly using API updates/subscription
Facebook App Subscriptions -
but I don't think that will work. I'm using PHP, are there other ways to listen and see if there has been a change? Other than just firing off a function every now and then, using CRON or some other such server tool. I would think that facebook would probably also not like that behavior, though I'm not sure.
As of right now, I am able to grab JSON from a public page's photo gallery using the API and the photo gallery works just fine, I'm mostly just wondering what the optimal of having it update itself automatically is.
You are correct in assuming that real-time updates for pages require admin access to the page to work. You need a page access token to be able to subscribe to updates for a specific page, and such a page access token you can only get from users that have admin privileges for that page. (The page does not need to install your app as a tab any more, they changed the subscription process in that regard; but the page access token is still necessary. Basically you can say, you can not subscribe to updates for just any arbitrary page, it has to be “your” page.)
Apart from that, all you can do is check for new content by requesting the current data in a sensible interval.
you need to get page access token, which is granted when the user is one of the Page Admin, check the documentation on Facebook
https://developers.facebook.com/docs/graph-api/reference/page
look for this line
"access_token": "The access token you can use to act as the Page. Only visible to Page Admins"
How can I "link" a person's youtube account to an account on my website? I am trying to get Analytics from videos, how much money they have made, etc. I know i am supposed to be using the YouTube Analytics API, but I see tons of different documentation and it gets SO confusing. Are there any PHP libraries I can use to get this data and to link the user's account to my web application? I am also confused on where I get an OAuth Key.
Here are some sites i have looked at:
1) Site One
2) Site Two
On site two, I looked at the examples, but nothing really helped me understand even how to start.
A lot of the relevant info you'll need can be found in this document:
https://developers.google.com/youtube/analytics/authentication
Basically, it outlines the following 4 steps:
1) Register your web app in the Google Cloud Console
This is needed so you can get a client secret and client ID, which your server-side PHP code will need in order to do the oAuth flow (and get the right scope to be able to query analytics data for the user that's authenticating). See here for more info on how to do this:
https://developers.google.com/youtube/analytics/registering_an_application
The most important things to do as your register your app are to turn on the YouTube Analytics API and create a new client ID for your web application.
2) When a user visits your page, you'll need some way (i.e. a login button, for example) to trigger the start of the oAuth flow. When this is triggered, you'll want to redirect the browser to this URL:
https://accounts.google.com/o/oauth2/auth?client_id=[YOUR CLIENT ID]&redirect_uri=[THE URL YOU WANT THE USER TO BE DIRECTED TO AFTER AUTHENTICATION]&scope=https://www.googleapis.com/auth/yt-analytics.readonly&response_type=code&access_type=offline
This will present them with a window asking them if they want to give permission to your app to read their analytics. Note that the client id parameter is the same that you received when you registered your app in step 1. That registration process also will require you to set the allowed redirect URIs, so here you must pass one you set in the registration.
3) The redirect URL will be requested, from step two, by Google's servers with a "code" parameter attched. So when it is requested, it should immediately do a POST to another URL (i.e. with cURL or something similar), that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=[CODE THAT CAME IN AS A GET PARAMETER] &client_id=[YOUR CLIENT ID]&client_secret=[YOUR CLIENT SECRET]&redirect_uri=[THE REGISTERED REDIRECT URI]&grant_type=authorization_code
If you do it as a POST with cURL, then the response will be a JSON packet that has an access token and a refresh token.
4) Your php page can store these both (in your DB, for example), note that the user should be treated as logged in at this point, and you can use the access token in the header of all API requests send to the analytics API.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Calling_a_Google_API
IT'll expire in an hour, so with each request you should be checking its age (i.e. when you stored it in the DB, you could store the expiry time, for example), and when you're getting close you can use the refresh token to get a new access token.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Refreshing_a_Token
You can now redirect them to wherever your app needs them to be to start interfacing with the API.
Seems like a lot? It can be, but once you get the paradigm down it's pretty simple. And you asked about a client for PHP, and thankfully there is one:
https://github.com/google/google-api-php-client
It's got simple handlers for the whole oAuth2 flow, and also has a YouTube analytics service object that sets the access token automatically for you as it's making its various calls.
I've been working on an app for IG, and was looking at other websites which use the IG API. I came across this website which allows the user to login by entering their username and password directly into the site. It is then able to access the IG API and fetch things like follower count, however without the user authenticating an IG API Client as would normally be required. The app can even perform functions such as liking pictures using your account, which as far as I know also requires you to authenticate an app with elevated privileges.
My question is, how is this app able to login users without using OAUTH which appears to be the only method of authentication?
They probably use a web automation framework like Selenium to take actions like auto-linking content by actually logging in to the Instagram web site with the accounts credentials and simulating mouse clicks, etc. to get the job done. In other words their "script" just looks like a very active user to Instagram because it's all coming from interactions between a web browser and their site.
They definitely are not using the API. Several reasons you can know this:
no OAuth flow to get an access_token
they don't appear in the authorized applications section if you log in and manage your profile
what they are doing is a violation of the API Terms of Use. See the following under "shall not"
Use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.
I'm no lawyer and I have no inside information, however it seems clear enough to me that Instagram does not want this type of "bot" activity.
They claim that they have the timing set up in a way that they go undetected, but I think it's a safe bet that there are algorithms at Instagram trying to detect and prevent this type of activity and if they do, accounts would be at risk of being disabled, etc. I have not inside knowledge here, just speculation.
The Instagram application that you use from your cellphone uses HTTP/HTTPS communication with their application server. The link that you provided on the question uses to simulate those http calls to mimic as an Instagram application.
You can redirect your cell phone's Internet connection through the proxy(your own proxy server). From your proxy server catch the web requests those are being sent by the Instagram application when you are doing login, liking, etc.
It will be easy for you if the requests are through http channel. But if its through the https, then it will be really difficult to capture those. You can try with Fidler or some sort of similar softwares for this.
What I THINK is happening is the following:
They are logging your PHPSESSID and using that so you have the ability to like pictures and whatnot. They are doing all of the back-end work directly in index.php.
If you track the requests that are being sent to index.php through the Network tab in Chrome, you will see that "Cookie:_ instamacro_advcontent=1; PHPSESSID=" on the index.php file "Headers" tab.
I'm doing the same with my website that uses Vine's API(not public, btw). In a PHP file I created called api.php, I use Vine's API to perform actions. I do not use OAUTH at all. I simply use the users "x-vine-session" cookie.
I have a website I'm working on. It enables users to register and post stuffs within the site. Can I get a link to some sort of api that allows people to add their facebook account (once) and then automatically post what they posted on my site on their facebook newsfeed (the sort of thing that happens when you connect your facebook account to your twitter account) .I've searched and can't seem to get exactly what I want
What you want is pretty common and if you searched you clearly didn't do a good job on the search.
Using the Facebook PHP SDK is pretty straight forward. There is a PHP Library available with a demo of the functionality you want. In your case you need to do some stuff more, so I'll explain globally what you should do:
Get the Facebook PHP SDK and load it into your website, determine what scope you need to perform the actions what you are going to do, in your case you need to have access to their timeline which is called the publish_stream scope. In order to get the Facebook PHP SDK working you need to create an app at http://developers.facebook.com
If a user grants access you need to save the authentication token that the user provides and save it in your database for later use. I'm not 100% sure how long they are valid, I think it's maximum of 30 days at the moment, but you have the ability to refresh the toking in the requests you make (correct me if I'm wrong, it's been a while..)
Everytime an action is done using the Facebook API you inject the usertoken in the request, thus performing the "post" action onto their timeline.
What you are looking for is pretty straight forward and easy to find..