I'm building a music website on Symfony 1.4 and Doctrine 1.2. I'm trying to integrate facebook plugins (like, send, post a message buttons) on my pages. For example, I want users to be able to like a song on a song page in my song module. But the problem is, I've used sfDoctrineGuard to secure all modules on my app except for the landing page. So if a user logs in and uses the facebook like button to like a song on the song page, because that song module is secured by sfGuardAuth, facebook API can't talk to it and gets forwarded to the landing page. This means that all likes on my app get posted on facebook activity feed as if the user liked my landing page.
Is there a way to build an exception into sfGuard so that any traffic coming from facebook domain can access that page? Is there a workaround to this? I want to be able to show all the facebook meta data from my secured pages, for whichever song is liked, on a facebook wall. If I disable all sfGuard security, it works fine.
Any help would be great as I'm stumped and haven't found any one else with this problem.
Well, it could be a huge security hole if you want to allow request from Facebook to be able to by pass your sfGuard security. If someone click that link on Facebook, it will also have access to your website without having to be logged in.
You might find a work around by tweaking the Facebook bot who scrape your page. The user agent of the scraper is: "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)". So it could be easy to allow access to its request by looking at the user agent. BUT, any one can spoof a user agent easily today.
Maybe you have to find an other way. I though about a kind of light page wich can be accessible for every one and where you display the minimum information (like only the artist and the song name without being able to play it. But just to be sure that, if someone not logged in try to see the page, it won't be redirect to the login page but to this light page. You get the point?
Then, you can put a huge button to allow new people to register to see the full page.
Anyway, in any case you will find, you should implement it using filter (in filters.yml). Filters are executed before any action. So it's the perfect place for this kind of check.
You will find info about filters:
on the official website (they are 2 links)
here an implementation of a ssl requirement (sorry a googlecache page)
here a basic implementation
edit:
I will go on sth like that. First, create a user called "facebook bot", and put its id in the /apps/frontend/config/app.yml:
all:
facebook_bot_id: 56 // sf_guard_user_id
Then create a simple filter lib/filter/facebookBotFilter.php
<?php
class facebookBotFilter extends sfFilter
{
public function execute ($filterChain)
{
$context = $this->getContext();
$controller = $context->getController();
$request = $context->getRequest();
$user = $context->getUser();
// get the user agent
$pathArray = $request->getPathInfoArray();
$useragent = isset($pathArray['HTTP_USER_AGENT']) ? $pathArray['HTTP_USER_AGENT'] : '';
if (preg_math('/facebookexternalhit', $useragent))
{
$member = Doctrine_Core::getTable('sfGuardUser')->find(sfConfig::get('app_facebook_bot_id'));
// logged in the facebook bot
$user->signIn($member);
}
// execute next filter
$filterChain->execute();
}
}
Don't forget to enabled the filter in apps/frontend/config/filters.yml:
rendering: ~
facebookBotFilter:
class: facebookBotFilter
security: ~
Related
I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and Javascript injection, but I am not sure and I have never done something like this, so every bit of information is welcomed or pointing me in the right direction.
I will give an example that I hope will make things more clear(I don't actually want to open facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example: "https://www.facebook.com/profile" without having to go through the login page? I do have the user credentials(username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captche preventing you from automatically logging someone in.
There certainly are situation where it is possible: For example if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website on the website, etc. But those depend on the specific target website or wether you can control that target website and can add this functionality.
My Ruby on Rails app has a subdomain URL for each user's public page. Eg. username.xyz.com
I want to publish this URL on the user's Facebook Page from Rails.
So far, I have created a Facebook App and set it's Page Tab and URL.
I'm using the fbgraph gem to set this app on the facebook page. (This page will be created by the user and will have admin access of this page.)
I used this code:
user = FbGraph::User.me("USER_TOKEN")
account = user.accounts.select {|account| account if account.name == "PageName"}.first
page = FbGraph::Page.new(account.identifier).fetch(:access_token =>"Access_token",:fields => :access_token)
tab = page.tab!(:app_id => "APP_ID_I_CREATED")
Using this code, every user's page points to the URL defined in the APP's Page Tab URL.
I want every user's page to point to their own subdomain URL (eg: user1.xyz.com)
What do I need to do to achieve this?
The subdomain is not handled by the web server, it's handled by DNS. So first you need to get DNS to route everyuser.xyz.com to the IP address where your web server is.
The way DNS works, you will likely have to have a DNS entry for every user. You might be able to find an API to add DNS subdomains when you create a user.
Don't ask me about how to do this, because I don't know, and am uninterested in researching it.
You also have to get the web application to accept the request, and #lightyrs has a good description on how to do that.
You can do the following:
Edit: Make all of these user.mywebsite.com subdomains resolve to the same URL. At that URL:
Create a catch-all route that will handle all traffic originating from *.facebook.com.
Point that route to a controller action that decodes params[:signed_request].
The decoded signed request will yield the facebook id of the page that is responsible for the request.
Fetch the user in your system that is an admin of the page in question.
Fetch the user's subdomain.
Redirect to the subdomain.
Currently, this is the most common way of solving this problem, however, I'd like to see a solution from facebook in the future that allows us to have some kind of dynamic tab URL based on the page, user, and referral context.
At the moment, using the requests dialogue I can get a multi-friend selector come up when I want the user to invite their friends to my application (that's when the "to" parameter isn't defined). On Chrome / Safari - this is a new window, but is there any way of having all of the users friends already selected?
Otherwise - is there a way to put together a request / invite to all of the users friends? I've tried getting an array of all the user's friends id's into the "to" parameter, but that gives an error on FB.
I've seen a few applications on facebook that do make it possible for the user to "select all" or "invite all" of their friends - http://blog.fbsocialapps.com/2011/10/5-ways-to-tune-your-requests-to-improve-the-virality-of-your-facebook-application/
Edit - As mentioned in the comments, I'm doing this on RoR using the omniauth gem + JS SDK. I was hoping that someone may have come across this problem, and can share a solution. My intentions are not to spam, but make it easier for the user to share the application if it's worth sharing.
Basically what the apps mentioned on the site you posted are doing is to use a custom friend selector (See also: Requests Pro-Tips, Pro-Tip 2: Create a Custom Multi-Friend Selector).
This is pretty easy and straight-forward – read the list of the users friends, generate the kind of HTML you’d like them to be displayed with (a Form, an UL, IMG elements with the friends profile picture, Checkboxes to select friends, …). If you don’t want to use the JS SDK, you can do that (reading friends list + generate the HTML) server-side as well in your RoR app.
Only the part where the user can select all friends at once is probably best done client-side – loop through all the HTML elements representing the listed friends, and check the checkboxes via script. Pretty easy if you are for example using jQuery or something.
(Of course this could also be done by just having a checkbox labeled “send request to all friends”, and see if this is checked server-side and then send request to all friends – but that would not provide direct feedback that all friends are selected now to the user on the page.)
Then you could just send the form with all/some friends marked in it to your server-side app, generate the URL for the request dialog there and put the friend’s ids into the toparameter, and redirect the user’s browser to it.
I am a newbie with facebook applications.
Ok. I should create a fanpage. This should connect to my Rails application.
So If user is a fan I should show "fan page 1", else i should show "fan page 2".
How could ask permissions on facebook fan page?
Thanks in advance and excuse if you don´t understand my question.
You have a couple of options.
The easy one is to use on of the FB apps like Static HTML Tab that lets you put in some HTML (usually an iframe) for the fan, and another for the non fan. Here ar some of the apps:
Static HTML App
http://www.facebook.com/apps/application.php?id=190322544333196
Or a round up (some paid)
http://www.socialmediaexaminer.com/top-10-facebook-apps-for-building-custom-pages-tabs/
Then your second option is to develop it your self. It is not that hard.
In your App Settings there is a field fot your TAB URL. Point that to a file you would like to use as a tab somewhere in the directory of your app. in PHP you_domain.com/app/tab.php
When Facebook loads that URL in a tab it will pass it a signed request that contains basic information about the user Liker or not, Locale etc.
You can extract that data and depending on that information show one piece of content or the other.
Here is a post on how toparse the signed request with rails:
http://qugstart.com/blog/ruby-and-rails/facebook-base64-url-decode-for-signed_request/
I feel incredibly stupid for even asking this since the answer might already be under my nose but here it goes:
TweetMeme has a Re-tweet twitter widget that publishers can place on their blogs. When a user clicks on the widget, it pops open a window which allows the user to authenticate themselves with twitter and then re-tweet.
This seems to use some special Twitter oauth popup form factor - unless there is something fancier happening under the surface to authenticate the user.
The pop-up window looks like this:
http://twitpic.com/1kepcr
I'd rather handle an authentication via a pop-up rather than send the user to a brand new page (for the app I'm working on) and they seem to have the most graceful solution. Thoughts on how they did this?
I think that the process is something like this (I assume that they have used php on server-side):
First it opens a jQuery-like popup, but it's not strictly related to twitter sign in functions.
The real sign-in process begin when you confirm that popup, so it open new popup, with some php inside, that # hold a session.
Those scripts ask to twitter the request tokens, using site's application params, and save them into $_SESSION array.
If it's all-right, twitter send you to twitter authenticate page (https://twitter.com/oauth/authenticate), and after you have inserted your login params, twitter send you to the callback page defiend by that site. Here there is another php page that request access tokens, and save them into $_SESSION array. If it's all-right now the site has params that he needs for querying your profile, so last scripts inside popup refresh opener window (main site) and close himself.
Now main window has all the interesting params inside $_SESSION array.
Check this useful library for all the server-side work.
All they're doing is opening a page http://api.tweetmeme.com/share?url=someURL&source=tweetmeme in a new window (using target _blank), then starting the process from there.
EDIT: I was looking at the wrong retweet button. For your specific example, clicking the retweet button first opens Tweetmeme page http://tweetmeme.com/ajax/partial?... in a new window. Clicking yes then initiates the OAuth process by sending you (still in that window) to https://twitter.com/oauth/authenticate (with appropriate parameters).