The Twitter API documentation for GET users/profile_image/:screen_name states that:
This method should only be used by application developers to lookup or check the profile image URL for a user. This method must not be used as the image source URL presented to users of your application.
This API call returns a 302 redirecting to the profile image url. What is the best practice to make those images available for ones application? The easiest way it seems, would be to use the resulting url string and embbed it in the apps html code (e.g. in the src of an img tag). The alternative would be to store the image locally as a file or in a blob field.
Is linking the image covered by the "must not" or does that mean that you shall not call the API, but you do can use the resulting url?
In the past, I've simply stored the URL in the database and then reused the url when I needed to present the image.
Pulling down and storing the images is more complex and adds a dependency for access to the stored images on your application.
I'd also recommend that you re-fetch the image url periodically as users change their profile pics sometimes.
The twitter api states:
Once an end user has authenticated via Connect with Twitter, you must clearly display the end user's Twitter identity. Twitter identity includes visible display of the end user's avatar, Twitter user name, and the Twitter "bird" mark. Displays of the end user's followers on your Service must clearly show that the relationship is associated with the Twitter service.
Related
With Google requiring everyone to migrate from Google+ sign-in to their native "Google Sign-in" a few changes haven't been properly documented.
In the Google+ sign-in flow you can make a request to get their profile picture and whilst the URL will always be unique there is an "isDefault" field to inform a service if the user has added a custom image.
With the new process the image is included in the token custom data returned if the application has requested the "profile" scope. However there's no obvious way this time to tell if the image is a user-uploaded item or a default. Even image recognition techniques will not work, as the background can be different colours and will include a letter of the user's first initial.
Is there a similar "isDefault" flag buried in some other request one can make?
I am using PHP (for which the library is currently poorly documented) but this would likely apply to any language integration.
I have an upload application that will be accessible by multiple other applications. I want user security from those applications to be federated to this upload hub. I'm doing it with HTTP tokens that are shared between the applications.
I have read 5 different articles on how to secure an API in Rails. I have everything set up properly in the upload hub app. I have keys set up in my User table, and I have shared this key with the user table in the other apps. I have the code in place to check for this key, and to locate the appropriate subscription. Upon failure, the user is redirected to the login page of the source application.
There's just one thing. I can't find anywhere how to create the actual request! I want the users in the other applications to click an "upload" link that will take them to this application. No problem creating the link, of course. The problem is, how do I add the token to the request?
See, I'm not making programmatic requests to an API... The user is actually going from one app to another. I want the upload hub app to check the request and say "Oh, there's this big long key. Let me see if I can find a user associated with that. I'm obviously not going to put it in a query string.
The only thing I've come up with on my own is to have a bit of jQuery code that constructs a form with a hidden item containing the key in it, which it would get from a hidden field on the current page, then do a POST against the upload hub app. That's not really a token, but it's doable. Surely there's a better way?
UPDATE
I went the jQuery "postGo" route where I construct a form with a hidden field and send it as a parameter to the other app. I had forgotten about protect_from_forgery though. However, even after turning protect_from_forgery off, Rails somehow still strips all parameters except for controller and action from outside requests. Undocumented feature? Or maybe I missed the documentation.
Really, I just want SSO on a couple of apps. It looks like I'm going to have to create an Oath provider. Sure are a lot of hoops to jump through to federate a simple session on some apps that I own.
Here's a possible way of doing this.
In the upload controller method of the app, instead of redirecting the user directly, make a request to the upload hub app.
In the upload hub app, add a controller method and generate a token, store it and a user's credential in redis, or other storage of your choice, then response the app with the token.
Your app's upload controller method receive the response from upload hub, then give 302 response back to the client, with the token included in the redirect url.
The client redirects to the upload hub
The upload hub router accepts this format, the token can be in a query string.
Check in redis and find it by the token and match the user's credential
I have twitter ommiauth as my user model and I pull in when they register a link of their profile picture via the hash auth.info.image. Iv noticed some are now breaking where the user has updated their profile picture on Twitter.
I noticed there is a part of the hash that gets the image over https (profile_image_url_https) in the raw_info section. Details here https://github.com/arunagw/omniauth-twitter. is this the best practice to link to so it doesnt happen again?
My issue is that I may have a user that logs in once and leaves a comment but then their profile changes and it breaks on the site.
Is there another way I should be implementing this?
Any information would be much appreciated.
If you are saving the twitter image url when a user creates an account or logs in via oAuth and not checking whether it has changed when attempting to display it this would be expected. The only thing I can think of to fix disappearing links would be to test the data with an http or url call and replace it with a placeholder image or ping the API to retrieve the updated image.
Through RoR gem OmniAuth is possible to get an informations about the users, who log-in to the application through their Twitter or Facebook account. Both of these social sites in their API offers among other also the avatar, what's great.
The worse thing is, that the size of image is 50x50px (I know, avatar).
Exist any way, how to get the original image, from that was created avatar? (The reason why I want it is, that I would like to display a photo of user in the bigger size)
Two options:
GET /${USER_ID}/picture?type=large; the response is a 302 redirect so you can obtain the url from the response header. See the docs for the User object for other values for type. (Contrary to the docs it looks like an access token is required.) This doesn't get you a particularly large image.
GET /${USER_ID}/albums and find the album with type=profile. GET the photos in this album with /${ALBUM_ID}/photos: I think the first photo is the current avatar (it is for me), and more sizes are available than with the first method.
You may try to get from gravatar[1] with email.
http://en.gravatar.com/site/implement
BACKGROUND: Each user has their Facebook profile image URL associated with their account. This image is called using <%= image_tag(#user.facebook_image_url) %>. Each user's Facebook URL takes the following form: http://graph.facebook.com/123456/picture - with 123456 being the user's particular Facebook ID number.
OBJECTIVE: I'd like to prevent other users from being able to figure out who the user is simply by right-clicking 'copy image url' and looking at the ID in the image URL.
Is there a gem/plugin or better way to accomplish this other than downloading the user's image from Facebook's servers?
AFAIK, there are only two options: Either you download the image as you say and deliver it to the browser with your own url, or you let the browser do the work in which case the browser (and it's user) has to know the url.
Have a look at Get Facebook real profile image URL. It seems, facebook performs some kind of redirecting. Perhaps you can use that for your purpose.