I'm trying to write a web application that would use Twitter via OAuth.
I run my local server as 'localhost', so I need the callback URL to be something like http://localhost/something/twitter.do but Twitter doesn't like that: Not a valid URL format
I'm probably going to do a lot of tests, but once I've approved my app with my username, I can't test again can I? Am I supposed to create multiple twitter accounts? Or can you remove an app and do it again?
You can use 127.0.0.1 instead of localhost.
You can authorize your app as many times as you like from the same twitter account without the necessity to revoke it. However, the authenticate action will only prompt for Allow/Deny once and all subsequent authenticate requests will just pass through until you revoke the privilege.
Twitter's "rate limiting" for API GET calls is based on IP address of the caller. So, you can test your app from your server, using the same IP address, and get (once approved) 15,000 API calls per hour. That means you can pound on your app with many different usernames, as long as your approved IP address remains the same.
When you send the e-mail to Twitter to ask for an increase to your rate limit, you can also ask for the increase to apply to your Twitter username too.
I believe Twitter requires you - if you need to change your IP address, or change the username that is using the app - to send in another request asking for the rate limit increase for that new IP address or username. But, in my experience, Twitter has been pretty quick at turning around these requests (maybe less than 48 hours?).
use like this
for Website :http://127.0.0.1
and for callback URL: http://127.0.0.1/home
or any of your page address like http://127.0.0.1/index
Have you tried creating your own caching mechanism? You can take the result of an initial query, cache it on thread local, and given an expiration time, refresh from Twitter. This would allow you to test your app against Twitter data without incurring call penalties.
There is also another solution (a workaround, rather) which requires you to edit your hosts file.
Here is how you do it on a linux box:
Open your /etc/hosts file as root. To do this, you can open a terminal and type something like sudo vi /etc/hosts.
Pick a non-existent domain to use as your local address, and add it to your hosts file. For example, you will need to add something similar to the following at the end.
127.0.0.1 localhost.cep # this domain name was accepted.
So, that's pretty much it. Pointing your browser to localhost.cep will now take you to your local server. Hope that helped :)
In answer to (1), see this thread, in particular episod's replies: https://dev.twitter.com/discussions/5749
It doesn't matter what callback URL you put in your app's management page on dev.twitter.com (as long as you don't use localhost). You provide the 'real' callback URL as part of your request for an OAuth token.
1.) Don't use localhost. That's not helpful. Why not stand up another server instance or get a testing vm slice from slicehost?
2.) You probably want a bunch of different user accounts and a couple different OAuth key/secret credentials for testing.
You were on the right track though: DO test revoking the app's credentials via your twitter account's connections setting. That should happen gracefully. You might want to store a status value alongside the access token information, so you can mark tokens as revoked.
Related
I have an iOS app where the user can makes HTTP requests from their phones and the HTTP returns information based on the zip code that the user provides through the phone.
My issue is that anyone can type the URL and the server would respond with the information that corresponds to the zip code they input e.g. http://example.com/zip-code/78515.
My questions is, can I limit the server to only respond to requests made from my iOS app without the user having to create a user and password? In other words, if someone types http://example.com/zip-code/78515 directly in a browser I want the server to ignore the request but if the request comes from my iOS app I want the server to respond accordingly.
For the HTTP request I'm using Laravel.
Here is my Laravel code.
Route:
Route::get('zip-code/{zipCode}', 'AppsAPIController#information');
Controller:
class AppsAPIController extends Controller
{
public function information($zipCode)
{
$info = CityInfo::where('ZipCode', $zipCode)->get();
return ($info);
}
}
Request:
http://example.com/zip-code/78515
Again, the question is, how can I limit the server to only respond to requests made from my iOS app without the user having to create a username and password?
This package seems to do that
https://github.com/spinen/laravel-browser-filter
Basically, you are adding a middleware that reads the user agent out of the request, and denies the rest.
There is no foolproof way to respond only to requests made by your app.
User agent sniffing, navigator feature detection, and like measures may deter most basic attempts to load information from that url (like search engine bots), but anyone with a little time can learn to replicate the HTTP requests made by your app, defeating those measures.
Even requiring a login will not prevent external request (they can send requests matching your login workflow to obtain a valid token, then request the restricted url with it).
(via the comments) I just don’t want to overload the server with unnecessary requests.
In that case, there's a much better solution. Laravel ships with a throttle middleware, which you can use to limit the number of requests per minute per IP (or per logged-in user, if they're authenticated).
Just add throttle:60,1 to your route's middleware and it'll max out at 60 requests per minute for a particular IP address. Set it to something relatively high (so normal use doesn't hit it), but it'll prevent millions of requests from the same IP from using up too many resources.
How do I test the Google OAuth 2.0 on my app with localhost, since Google requires a top private domain as the authorized domain?
I tried to look up solutions, but all the solutions given have been a while ago, and I think Google has changed their service since then.
localhost is not a valid top-level domain, and it won't let you generate credentials without setting up a consent screen. You can add more than one authorized domain if you'd like, but you can't leave it empty. But you CAN delete the field if you have no domains / would not like to add domains for now. you just can't LEAVE it empty.
Notice the description -- "When a domain is used". so it's not an obligation to add authorized domain for consent screen. Moreover, the authorized domain here is only related with consent screen. Authorized origins and Authorized redirect URLs needs to be specified in the credentials part, which is all that matters; specifying the origin from which requests will be accepted and where it will be redirected. So just omit the authorized domain in the consent screen.
So how to delete it? Just in case if you haven't noticed, just hover over the field and this little man will pop up. delete it. that's all. Now you should be able to save and continue, where it might ask you to setup scopes.
I know it's really late, hoping it might help others..
After about an hour banging my head against the wall I found this article that has a step by step solution that works (as of July 2020).
Basically you need to create a service account, share the sheet with that account, and then it should work.
All of the other auth methods I tried either raised nonsense errors, or simply silently didn't work.
The list of authorized domains is required before you submit a request for app verification. If you want to configure a localhost redirect URI, that is configurable in your web OAuth client ID configuration.
In case anyone has struck out on the suggestions above, this answer did the trick for me. Set my authorized JavaScript origins URI to http://localhost:8080 in the google API console then emptied my Chrome cache.
Just add an OAuth-consent-screen from here without a domain or valid domain that's up to you, after that create Credentials from here, then select OAuth client ID and enter your from here you can add javascript origin url and there you go you've done.
You add your final domain for when you are ready to become verified. Until then you will generate an OAuth client ID and enable https://localhost:3000 in "Authorized JavaScript origins"
Simple screenshot of the field you can enter localhost
Not beautiful, but works!
I've made local website(domain) on Xampp like test1.com, added that domain in Authorized domains and started Chrome from separate shortcut with parameter --ignore-certificate-errors
Note, that when you start with this flag, Chrome must not be running!
It cause Chrome to open web site in the xampp\htdocs folder and I was forced to go to folder test1.git and then to public folder, where finally site opened and the url was: https://test1.com/test1.git/public
ps. Use port 80 in httpd-vhosts.conf and not 443!
I have "unverified app screen" when I request access to Google accounts.
To get rid of it I want to fill out OAuth Developer Verification Form. But, I got some problems with that due to some restrictions on my environment.
There is a field:
Homepage URL for your app *
The problem is that in my application my home page is not accessible publicly. Usually, it can only be accessed using VPN connection.
For push notifications, I use different URL that only handles them, but for the UI there is no access from the world without VPN. I was thinking of overcoming the issue and have a few ideas, but I'm not sure whether they will work.
Inform Google of restricted access to the home page via this field:
Is there any other information you can provide that will be useful?
However, this approach might not work due to the fact that it's not said that I can omit to specify the home page.
Find out what addresses google requests homepage from and to allow access to it from those addresses. But, firstly it's insecure and secondly, it's still a question how to get these addresses.
Make some static resource stub page and place it somewhere where I can provide access. For instance, I can put it near privacy policy file that is publicly accessible.
Is there a more suitable way of addressing this issue or some of these options might still work?
I'm quite familiar with OAuth 2 for other providers, but haven't used it for Instagram before.
Like many developers, I have multiple domains where my app may run, eg:
http://www.foo.com/oauth2callback
https://www.foo.com/oauth2callback
http://localhost:3000/oauth2callback
https://localhost:3000/oauth2callback
Other OAuth 2 providers I have used, eg, Google, allow multiple entries in a redirect_uris parameter.
However Instagram only seems to allow a single Redirect URI parameter per registered app.
Can I have multiple redirect URIs for a single Instagram app or do I have to register multiple apps, each with a different redirect URI?
With Instagram apps that I have created, I have created a separate app per place I want to redirect to, although I haven't discriminated by ssl. I then load the api credentials into the app based on the environment it is running in.
It is a pain that you have to do that, as Instagram also restrict you to 5 registered apps per account too. It would be useful to be able register multiple redirects for that reason. But on the other hand, it would be just as good, for me, to not be restricted to the number of apps you can create (I've got more Twitter apps than I even remember creating!).
It looks like now you can set multiple Redirect URL(s) when you register/edit a Client in Instagram:
I think this is one of those scenarios that you feel back in the Atari.
anyway, I found useful doing this one:
edit your hosts file (in unix based OS: /etc/hosts)
make sure you add a line like this:
127.0.0.1 registeredomain.com
Where registeredomain.com is the domain you have in instagram as your production return uri.
In this way your app will return uri to registeredomain.com that is equivalent to localhost in your local machine, accepting the login.
btw: why? why? why? why instagram, why you have to force one return uri? any reason for that?
I'm trying to implement Soundcloud connect and having a weird issue.
First thing I do is send my users to
https://soundcloud.com/connect?client_id=MY_CLIENT_ID&redirect_uri=http://myredirecturl.example.com&state=RANDOM_STRING&display=page&response_type=code&scope=email
When users connect they get redirected to
http://myredirecturl.example.com?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.&state=RANDOM_STRING
The same happens if I use scope=*.
However, if I use scope=non-expiring it lets me go through, but I need the users email and that type of scope doesn't have enough grants.
I thought it had something to do with my app being in development mode, but Osman at Soundcloud said it doesn't.
Thanks.
The 'email' scope is not available to all integrations. It's used for a few custom integrations that have provided us with accepted terms of service / privacy policies. There is no way to get a user's email address using the SoundCloud API.
You should however be able to use the '*' scope to get an expiring access token. I'll check with our app team to see why this is giving you an error. I'll edit my answer once I have more information there.
For your purposes, I would stay with the 'non-expiring' scope and simply prompt a user for their email address (providing them with a way to agree to your terms of use / privacy information).
Using scope=* sometimes doesn't work because the url is not properly encoded. If you are getting this error while using the * wildcard, try properly encoding the url, using a function like urlencode() (for PHP).