It is very common in an OAuth environment to have some sort of "Get User" call, to gather info on who just logged in; I cannot find any similar call in BIM 360 and related libraries, however. I can get lists of all the account users, or all the users in a project, or info on a specific user IF I somehow know who that user is; but after a fairly thorough search of all the options, I do not see such a call that gives me the original user. Am I missing something?
UPDATE: I'll answer my own question, since no one else will. The call is GET https://developer.api.autodesk.com/userprofile/v1/users/#me [https://forge.autodesk.com/en/docs/oauth/v1/reference/http/users-#me-GET/]
Yes, the endpoint below will tell the user information of the logged user of the oAuth.
https://forge.autodesk.com/en/docs/oauth/v1/reference/http/users-#me-GET/
Related
I'm looking to add 2 factor login to my Silex app.
However, I'm having some road blocks on how to get this working correctly.
my biggest sticking point is having the firewall not fully log the user in and instead direct them to a page to confirm their identity.
I've thought about using Symfony Guard, but looking at the documentation, I didn't see anything that would let me prevent the user from being logged in.
I don't have any code yet, at this point, I'm just tying to design the flow and after I have a concrete execution plan, I was going to then begin writing code.
I remember reading a blog post about doing this in Sf2, but I cannot find it now. Here's the gist:
the login part is the usual one
create a listener for the controller event, and redirect to the 2FA controller unless the user has a role (ROLE_GOOGLE_AUTHENTICATED or similar) and unless the user is requesting that route
on that url render a form and check if it's a post, and if the code verifies add that role to the user
I'm sure you can adapt it for silex. You can also check the bundles that exist for Sf2 on how they work exactly.
Getting insights for page posts returning []
This is for the adidas page
pp graph.get_object("182162001806727/insights/")
It generally returns fields for country data and nothing for page_impressions or page_engagement, etc
Even though the docs mention that Insights are generated for a psot/page with more than 30 likes, but still nothing.
Infact, insights for the first post of Adidas page returns absolutely nothing
pp graph.get_object("182162001806727_1189840444372206/insights")
or
graph.get_connections('182162001806727_1189840444372206', 'insights/page_impressions_frequency_distribution', period: 'week'
even though it has high amount of likes and comments, if you check their feed.
So, what is the correct method or is it even possible or publicly available.
And, for pages, is the page_impression/engagement data available?
https://developers.facebook.com/docs/graph-api/reference/v2.7/insights#reading:
Permissions:
- Any valid access token can be used for publicly available metrics (currently page_fans_country or page_storytellers_by_country)
- A user access token with read_insights permission can retrieve metrics for all pages and domains owned by this user.
- A page access token with read_insights permission can retrieve all metrics for that Page.
Those two permissions highlighted in bold are the only two publicly available ones. For everything else, you need an admin user token or a page token.
I use Devise to do the oauth with Github for my users. On login we ask for two basic scopes (for regular users) but if a user wants to perform some action (like setting up a new github organization in our product) we need to require some other scopes in addition to the ones we asked already.
I got it working for the most part the question is about how to better put everything together. This is the timeline of events:
User login (scope email)
User wants to perform setup action (POST /organizations)
in POST /organizations we check for the scopes of the current user and redirect to github to ask for the extra permissions if needed
User accepts the permissions and we get the oauth callback in the callbacks controller.
What I want is to continue with the process have at POST /organizations but the callback is in a different controller (obviously).
I've looked into omniauth.origin but that will only work for a GET redirect and this is a POST.
Any ideas how to better structure a solution for this?
Thank you!
Let's imagine I have following scenario
User receives an email that there is a new item waiting for her
Clicks on a link and is able to either confirm or reject item (details skipped)
Can then access a list of all her items
The trick is that I would like to allow all this happen without user signing in but then limit access to other parts of the website (like sending an item to another user)
How I see it is that:
when user clicks a link she is signed in but only on tier 1 - with access only to confirm/reject action and read only to index of items (that's when Devise session is created)
when user wants to access other part of the website the sign in page is presented
when user comes to the website just by typing in the url http://example.com and wants to access own account she is asked to sign in.
after sign in session is "promoted" to tier which allows full access
after some time of inactivity session is downgraded to tier 1 for security reasons
My inspiration comes from how Amazon works - you can access in read-only most parts of the account but before performing any destructible actions you need to sign in.
Does anyone have any experience with such approach or can share some blog posts, etc?
I didn's find anything on SO and Google mostly returned things about two-factor auth which is not the case here.
I also understand that there are security concerns with links in email.
I have implemented a very similar behavior few months ago. I don't have very interesting resources to show you but I can explain a bit how you could organize or think about the problem to solve.
Description
For the problem you state, it looks like once you have identified a user, you have two different states you can give him:
limited access (perform certain actions, read most of the resources, etc)
full access (allows them to do anything they would normally do).
Having stated that, what you need to do is figure out in which cases you will give a user each access state (for example):
signing in with email token -> limited access
password -> full access
authentication_token -> full access
omniauth -> full access
After that, you will need to save this information in the user session. This should be done anytime the user is authenticated, as you will know what strategy was used to authenticate the user.
To know if a user can or cannot perform an action you will need two things, know what the user can do, and the current "access state". Depending on those you will decide wether the user is allowed or not to perform a certain action.
Whenever a user can't perform an action and is logged in with limited access you should bring him to the flow for verifying his crendetials. This flow is pretty simple, almost like a sign in but just with the password. Once you verify his crendetials you can upgrade his authorization to a full access one.
Implementation details
I recommend you to create a Authorization model which will represent the "access states" that I mentioned. This model will have to be serialized in the session so you should be able to build it from a simple structure and serialize it again into that structure. The simplest the better (a boolean flag, an array or maybe a hash). For the case mentioned, it looks like a boolean would do the job.
Regarding implementation details, I recommend you implementing this with a Warden after_atuhentication callback.
You could implement this with CanCan by creating you own Ability that would be built with an Authorization instance and a User instance.
I think you're confusing authorization and authentication. Devise is an authentication solution, meaning it handles the "proof me you are who you say you are" part. Authorization is the "Ok, I know who you are, now let's see what can you do". Devise doesn't provide an authorization system beyond the simple "logged/not logged". If you need a more complex authorization system, use an authorization gem. CanCan is very popular.
How do I "log out" a user? Know that this is not officially supported, but I need a quick and dirty hack. Saw somewhere I just throw out a 401 access denied - but anyone know the syntax
http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
Since browsers first started
implementing basic authentication,
website administrators have wanted to
know how to let the user log out.
Since the browser caches the username
and password with the authentication
realm, as described earlier in this
tutorial, this is not a function of
the server configuration, but is a
question of getting the browser to
forget the credential information, so
that the next time the resource is
requested, the username and password
must be supplied again. There are
numerous situations in which this is
desirable, such as when using a
browser in a public location, and not
wishing to leave the browser logged
in, so that the next person can get
into your bank account.
However, although this is perhaps the
most frequently asked question about
basic authentication, thus far none of
the major browser manufacturers have
seen this as being a desirable feature
to put into their products.
Consequently, the answer to this
question is, you can't. Sorry.
As you can see from the full explanation above, you can't.
The only workaround is to invalidate the user session and cause the browser to request username and password again.
Additionally, you can try (I haven't tried it yet) to empty the WWW-Authenticate HTTP header.