I have twitter ommiauth as my user model and I pull in when they register a link of their profile picture via the hash auth.info.image. Iv noticed some are now breaking where the user has updated their profile picture on Twitter.
I noticed there is a part of the hash that gets the image over https (profile_image_url_https) in the raw_info section. Details here https://github.com/arunagw/omniauth-twitter. is this the best practice to link to so it doesnt happen again?
My issue is that I may have a user that logs in once and leaves a comment but then their profile changes and it breaks on the site.
Is there another way I should be implementing this?
Any information would be much appreciated.
If you are saving the twitter image url when a user creates an account or logs in via oAuth and not checking whether it has changed when attempting to display it this would be expected. The only thing I can think of to fix disappearing links would be to test the data with an http or url call and replace it with a placeholder image or ping the API to retrieve the updated image.
Related
I'm using omniauth to authenticate a user via Google. When the user logs in via Google, I check if an account already exists with the same email (if it does, I reject sign in).
When I create the new User model, I give it the name, email, and the URL of the user's 'image'. I am not sure how to dynamically update the information in my database when the user changes their settings on Google, including the image_url when they change their profile image.
A good example of this scenario is this Stack Overflow; I signed up to SO with Google. Having changed my profile image (recently), I was surprised to find that my old Google image remains attached to my SO profile. Maybe it takes time for Google to change the old URL to represent the new image. I have noticed that some parts of Google use my new image, and other parts continue to use my old. Of course, this question doesn't have much to do with Google's profile image mechanism, I just think this is a perfect example.
My questions are:
Should I want to do this, or should I instead provide the user the ability to change their details through my site, completely ignoring what happens to their Google profile?
If I should do this, what is the best way? Checking on every login isn't ideal as the user might not log out for days or even weeks.
Should I be storing the Google auth token? Currently, I'm not as I don't need to make any Google API calls -- I only use OAuth for the 'uid' to ensure it's the same account logging in (the email isn't used at all).
I don't think the answer will be "don't store user info, query Google instead", so I'm not really sure what best practice is in this scenario. A brief walkthrough on proper procedure would be very helpful.
Normally, oauth applications will use the endpoint /me.json as part of the login process: After the user is signed in, the app uses that fresh token to query their profile info right away and update data. In your case, I understand you ignore when email already exists. You should probably add a new step there, to update your local record if it already exists instead of purely ignoring it.
In other words, your app wont be automatically notified if users change their profile pictures. But you can always use their log in action to fetch the latest image (or use their token in a background job that runs every n periods of time using something like cron + whenever, assuming the oauth scope authorizes offline access)
I have an upload application that will be accessible by multiple other applications. I want user security from those applications to be federated to this upload hub. I'm doing it with HTTP tokens that are shared between the applications.
I have read 5 different articles on how to secure an API in Rails. I have everything set up properly in the upload hub app. I have keys set up in my User table, and I have shared this key with the user table in the other apps. I have the code in place to check for this key, and to locate the appropriate subscription. Upon failure, the user is redirected to the login page of the source application.
There's just one thing. I can't find anywhere how to create the actual request! I want the users in the other applications to click an "upload" link that will take them to this application. No problem creating the link, of course. The problem is, how do I add the token to the request?
See, I'm not making programmatic requests to an API... The user is actually going from one app to another. I want the upload hub app to check the request and say "Oh, there's this big long key. Let me see if I can find a user associated with that. I'm obviously not going to put it in a query string.
The only thing I've come up with on my own is to have a bit of jQuery code that constructs a form with a hidden item containing the key in it, which it would get from a hidden field on the current page, then do a POST against the upload hub app. That's not really a token, but it's doable. Surely there's a better way?
UPDATE
I went the jQuery "postGo" route where I construct a form with a hidden field and send it as a parameter to the other app. I had forgotten about protect_from_forgery though. However, even after turning protect_from_forgery off, Rails somehow still strips all parameters except for controller and action from outside requests. Undocumented feature? Or maybe I missed the documentation.
Really, I just want SSO on a couple of apps. It looks like I'm going to have to create an Oath provider. Sure are a lot of hoops to jump through to federate a simple session on some apps that I own.
Here's a possible way of doing this.
In the upload controller method of the app, instead of redirecting the user directly, make a request to the upload hub app.
In the upload hub app, add a controller method and generate a token, store it and a user's credential in redis, or other storage of your choice, then response the app with the token.
Your app's upload controller method receive the response from upload hub, then give 302 response back to the client, with the token included in the redirect url.
The client redirects to the upload hub
The upload hub router accepts this format, the token can be in a query string.
Check in redis and find it by the token and match the user's credential
I'm making Rails app that needs to view and post photo to a specific Album of a Page.
So User can view and Admin can upload.
I finished the uploading part but got a problem. The problem is: All photos that are uploaded by the App doesn't show up with the Graph API (/<album_id>/photos) even though it says Public when I view it in facebook.com.
I tried uploading the photo manually to the album and it shows up in my App just fine.
Is this intended behavior or there's a parameter that I need to pass?
[EDIT]
I just tested with Graph API Explorer. If I'm logged in with the Page's admin account, I can view all. If other account, can only view the photos that are uploaded via facebook.com.
Thanks
While posting photo data to graph API, you need to set privacy of the photo.
You need to pass {'value': 'EVERYONE'} as the value for privacy in your API call.
Just got this figured out. My app is still on development mode. Activate it and all the photo will appear in the API call.
The Twitter API documentation for GET users/profile_image/:screen_name states that:
This method should only be used by application developers to lookup or check the profile image URL for a user. This method must not be used as the image source URL presented to users of your application.
This API call returns a 302 redirecting to the profile image url. What is the best practice to make those images available for ones application? The easiest way it seems, would be to use the resulting url string and embbed it in the apps html code (e.g. in the src of an img tag). The alternative would be to store the image locally as a file or in a blob field.
Is linking the image covered by the "must not" or does that mean that you shall not call the API, but you do can use the resulting url?
In the past, I've simply stored the URL in the database and then reused the url when I needed to present the image.
Pulling down and storing the images is more complex and adds a dependency for access to the stored images on your application.
I'd also recommend that you re-fetch the image url periodically as users change their profile pics sometimes.
The twitter api states:
Once an end user has authenticated via Connect with Twitter, you must clearly display the end user's Twitter identity. Twitter identity includes visible display of the end user's avatar, Twitter user name, and the Twitter "bird" mark. Displays of the end user's followers on your Service must clearly show that the relationship is associated with the Twitter service.
Through RoR gem OmniAuth is possible to get an informations about the users, who log-in to the application through their Twitter or Facebook account. Both of these social sites in their API offers among other also the avatar, what's great.
The worse thing is, that the size of image is 50x50px (I know, avatar).
Exist any way, how to get the original image, from that was created avatar? (The reason why I want it is, that I would like to display a photo of user in the bigger size)
Two options:
GET /${USER_ID}/picture?type=large; the response is a 302 redirect so you can obtain the url from the response header. See the docs for the User object for other values for type. (Contrary to the docs it looks like an access token is required.) This doesn't get you a particularly large image.
GET /${USER_ID}/albums and find the album with type=profile. GET the photos in this album with /${ALBUM_ID}/photos: I think the first photo is the current avatar (it is for me), and more sizes are available than with the first method.
You may try to get from gravatar[1] with email.
http://en.gravatar.com/site/implement