MSGraph Chat API - without reading chat body - microsoft-teams

Our use case demands that we count the number of chat messages a user is receiving in every hour. We don't want to receive or read the body of the chat. This is to ensure that we have a highly trusted and private design to meet privacy and security standards of US/European organizations.
With our research we found two alternatives:
Alternative 1:
Get Chat
https://learn.microsoft.com/en-us/graph/api/chat-get?view=graph-rest-1.0&tabs=http
This is ideal for our needs, as the info we need is basic and the permission we seek from Admin is Chat.ReadBasic.All
Though this API needs to get chat ID for the users, for which we need to use List Chat API as well
List Chat
https://learn.microsoft.com/en-us/graph/api/chat-list?view=graph-rest-1.0&tabs=http
The issue with this API is that it does not allow Application level permission, and we are forced to get User's access token to access delegated access to this API - which is not a good security practice.
Alternative 2:
https://learn.microsoft.com/en-us/graph/api/chats-getallmessages?view=graph-rest-1.0&tabs=http
We are able to count the chat messages with the Application level permission without a user level access token. Even though we are receiving the body of the chat messages, we are not reading or saving these.
The issue with this is that we have objections from Teams Admins of US and European companies -- as we do have access to the body of the chat, whether we read or not.
Request your help with
a) Suggest an API similar to List Chat API with Application level permission
b) Suggest an API similar to GetAllMessages API without the chat message body
c) Suggest an alternative we may not have considered
Thanks in advance!
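As an added illustration (not code from the original post or from Microsoft), the "count without reading" intent of Alternative 2 can be enforced at the parsing step: the sketch below buckets a getAllMessages-style response page by hour and discards `body` and other content fields while decoding. The sample page and user IDs are constructed and the field names are those of the Graph chatMessage resource. The body is still present in the raw HTTP response, so this narrows what the application handles without changing what the permission grants.

```python
import json
from collections import Counter

# chatMessage properties that can carry conversation content; never materialised.
CONTENT_KEYS = {"body", "subject", "summary", "attachments", "mentions"}


def parse_minimal(raw_page):
    """Decode one response page, dropping content-bearing keys during parsing."""
    def strip(pairs):
        return {k: v for k, v in pairs if k not in CONTENT_KEYS}
    return json.loads(raw_page, object_pairs_hook=strip).get("value", [])


def hourly_received_counts(raw_page, user_id):
    """Count messages per UTC hour that user_id received (did not send)."""
    counts = Counter()
    for msg in parse_minimal(raw_page):
        if msg.get("messageType") != "message":
            continue  # system events (member added, call ended, ...) are not chat
        sender = ((msg.get("from") or {}).get("user") or {}).get("id")
        if sender == user_id:
            continue  # the user's own outgoing message
        created = msg.get("createdDateTime") or ""
        if len(created) < 13:
            continue  # no usable timestamp
        counts[created[:13] + ":00Z"] += 1  # Graph timestamps are UTC ISO 8601
    return dict(counts)


def _msg(ts, sender, kind="message"):
    """Build one constructed chatMessage-shaped record."""
    frm = {"user": {"id": sender}} if sender else None
    return {"createdDateTime": ts, "from": frm, "messageType": kind,
            "body": {"contentType": "text", "content": "constructed text"}}


# Constructed sample page; IDs and timestamps are made up for the example.
SAMPLE_PAGE = json.dumps({"value": [
    _msg("2024-05-01T09:05:10.120Z", "user-b"),
    _msg("2024-05-01T09:40:00.000Z", "user-c"),
    _msg("2024-05-01T09:50:00.000Z", "user-a"),
    _msg("2024-05-01T10:02:00.000Z", None, "systemEventMessage"),
    _msg("2024-05-01T10:15:00.000Z", "user-b"),
]})

if __name__ == "__main__":
    print(hourly_received_counts(SAMPLE_PAGE, "user-a"))
```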

Related

How do I determine which gmail permission is causing Google to send my clients 'Limiting access to data in your Google Account' emails? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 3 years ago.
My clients are receiving emails like this (I quote the text, but it is an html email):
From: Google Accounts
Date: [OMITTED]
Subject: Limiting access to data in your Google Account
To: <[OMITTED my client's email address]>
Hi,
Although you don’t need to do anything, we wanted to let you
know that the following apps may no longer be able to access
some data in your Google Account, including your Gmail content.
If these apps are unable to meet the deadline to comply with our
updated data policy requirements, they'll lose access to your
Account starting July 15th, 2019.
[OMITTED my company's name]
We are making this change as part of ongoing efforts to make
sure your data is protected and private.
You can always view, manage and remove apps you’ve given
access to your account by visiting your Google Account.
Thanks,
The Google Accounts team
I operate a webapp that uses the following gmail API methods:
gmail.users.getProfile
gmail.users.messages.send
gmail.users.threads.get
As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.
How can I determine the data policy I am violating? Why hasn't Google reached out to me about this?
Is this a convincing phishing scam? These emails are being sent to my clients, so I don't have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.
You are not violating any security policy. This is a standard mail that comes whenever a user connects their account to a new application containing high-risk scopes (note that, as far as I know, not all scopes will result in this mail, but I haven't actually tested all scopes). This most often comes with the Gmail scopes in applications.
I would double-check that your application has been verified; it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third-party applications and warned about what that could mean.
The following scope is one of the most critical as far as Google is concerned; this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn't be surprised if all the Gmail scopes would result in that mail, but I haven't tested it.
https://www.googleapis.com/auth/gmail.send
verification
This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.
You should apply for verification as soon as you can. Google may contact you and ask for a video of your application running.
Unverified apps
In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.
After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.
additional reading piecing together information available:
Elevating user trust in our API ecosystem: while this page does mention "All fees are paid directly to the assessor and not to Google." it does not state an amount. Again, I have never heard of anyone having to pay for this. However, I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
Additional Requirements for Specific API Scopes
Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Google's API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. They will after all be making money on the application.

Skype Bots - Please tell me I'm missing something

Working on an application and developing a chat integration bot. Note that contrary to some news bots or other tools, there is no central website or server that the bot gets its data from. The software installation comes with a repository, and that is where the bot connects to. Thus, every user, upon installing the software, will basically get their own copy of the bot, along with their own repository, etc.
Now, having done that for Telegram: You open the Telegram client, initiate a chat with the botfather, get the token for your new bot with one or two commands, and then add that token to my application. Done. Easy for the user to follow, takes a few minutes at most and they have a working bot.
Trying to do the same with Skype, the users must:
Sign up for an Azure account
Provide credit card and phone number verification (that's probably where some users will stop right away)
Log on to the Azure Portal
Create a bot channel, through a myriad of different screens I have to guide the user through.
Have the user obtain the bot's password, again through a variety of different screens he needs to be guided through. (if the user hasn't given up yet, at this point he'll definitely get grumpy)
Enable the Skype channel, and enable the bot to be added to group chats.
Attempt to locate the bot via Skype and eventually add it in.
Now, if I wanted to document this properly, this will be a 10-15 page document with tons of screenshots and all. To do what Telegram does in two minutes or even less. There's so many opportunities in all of this for something to go wrong, that I can't even consider forcing my users to go through this.
Surely, I must be missing something? It can't be that you have to go through this horrible mess of an over-engineering spectacle that is second to none, just to get the most basic bot to function?
All I need is a means to say "this is the bots name, give me its token and API URL so that it can send messages using the REST API". But I can't seem to find this for Skype.

How to send message to any Facebook Pages with a bot?

I have created Facebook Messenger bots to answer to people talking to my Facebook Pages with a wrapper of Microsoft Bot Framework.
When a human talks to my bot, it has a recipient address (composed of multiple fields) used to reply.
Now I'd like my bot to talk to other Facebook pages (like a human using a Messenger client).
Questions:
How can I find the "chat" address of a random user that does not already talk to my page/bot? (It seems the same user has a different address when it talks to multiple bots.)
How can I use my bot to send messages to others' Facebook Pages? To do that I assume the bot has to discover the recipient address of the human or bot behind that page?
(Maybe the answer is to use an implementation of a Messenger client in NodeJS?)
For Facebook Messenger:
User "chat address", that is to say the "Id" property of your Recipient, depends on every bot and cannot be guessed (it is a Page Scoped ID); you have to talk to the bot first. It's a question of security / anti-spam.
Same problem to start a conversation with another page: you cannot guess the ID of the human/bot to which you will be talking.
So currently it is not possible to do what you are trying to do.
Maybe you should have a look directly at the Facebook APIs to see if you can at least do your 2nd point. For the 1st one, I found no way.

Slack File Library

I really like Slack but my organization won't allow it if we cannot disable file sharing features. I'm trying to find out whether I can either disable uploads of certain file types or hide the file library altogether. Their support says there's no way to do this natively but is this possible with the API?
No, not to my knowledge. The main focus of the API is not to configure your Slack team, but to enable bots and 3rd party apps to communicate with your Slack team and retrieve information. All core configuration for your Slack team has to be done in admin settings and apparently you have already learned from the Slack support team that you cannot deactivate file sharing in admin settings.
But I think I might have a solution for you. You can create a Slack bot that automatically blocks sharing of files in channels. (Technically the bot would auto-delete any message that is a file share from a user.) Users would still be able to upload files, but they won't be able to share them. At least not in any public and known private channel. However, there is a caveat: as I understand it, the bot would not be able to block users from sharing files in direct messaging channels though.
We are using a similar bot to block messages from unauthorized users in some private channels, which works nicely. Our bot is a simple Slack app with a bot user, using the Events API to receive all messages from all channels it is invited to. The bot then checks each new message and deletes the ones that do not fulfill some criteria. In our case, if the message comes from a user that is not on the whitelist.
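The decision logic such a bot needs, as an added example that is not the answerer's code: it takes an Events API envelope and returns the `chat.delete` arguments for a message that is a file share or that comes from a user outside the allow-list of a restricted channel. The channel IDs, user IDs, allow-list and the `moderation_action` name are constructed for the illustration; the event fields (`subtype`, `files`, `channel_type`, `bot_id`, `ts`) are those Slack sends for `message` events.

```python
# Constructed policy values (assumptions for the example, not from the post).
RESTRICTED_CHANNELS = {"C0RESTRICT"}   # channels where only listed users may post
ALLOWED_USERS = {"U0ALICE"}
IGNORED_SUBTYPES = {"message_deleted", "message_changed", "bot_message"}


def moderation_action(envelope):
    """Return chat.delete arguments for a violating message, else None."""
    if envelope.get("type") != "event_callback":
        return None  # url_verification and other envelope types
    event = envelope.get("event") or {}
    if event.get("type") != "message" or event.get("subtype") in IGNORED_SUBTYPES:
        return None
    if event.get("bot_id"):
        return None  # never act on bot output, including our own
    if event.get("channel_type") in ("im", "mpim"):
        return None  # direct messages: the caveat in the answer above
    is_file_share = event.get("subtype") == "file_share" or bool(event.get("files"))
    unauthorized = (event.get("channel") in RESTRICTED_CHANNELS
                    and event.get("user") not in ALLOWED_USERS)
    if not (is_file_share or unauthorized):
        return None
    return {"method": "chat.delete", "channel": event["channel"], "ts": event["ts"],
            "reason": "file_share" if is_file_share else "user_not_allowed"}


def _ev(channel, user, ts, channel_type="channel", **extra):
    """Build one constructed Events API envelope."""
    event = {"type": "message", "channel": channel, "user": user, "ts": ts,
             "channel_type": channel_type, **extra}
    return {"type": "event_callback", "event": event}


# Constructed sample events.
SAMPLE_EVENTS = [
    _ev("C0GENERAL", "U0BOB", "1700000001.000100", subtype="file_share",
        files=[{"id": "F0CONSTRUCTED"}]),
    _ev("C0GENERAL", "U0BOB", "1700000002.000100"),
    _ev("C0RESTRICT", "U0BOB", "1700000003.000100", channel_type="group"),
    _ev("C0RESTRICT", "U0ALICE", "1700000004.000100", channel_type="group"),
    _ev("D0DIRECT", "U0BOB", "1700000005.000100", channel_type="im",
        subtype="file_share", files=[{"id": "F0CONSTRUCTED"}]),
]

if __name__ == "__main__":
    for envelope in SAMPLE_EVENTS:
        print(moderation_action(envelope))
```

The returned dictionary is handed to whatever client makes the Web API call; `chat.delete` on another user's message only succeeds with a token whose owner is permitted to delete it.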

Using the LinkedIn API, what is the best way to know when my invitation was accepted?

What is the best way to know when a LinkedIn invitation was accepted using the API?
I'm developing a social search web site using LinkedIn among other social networks.
On my site, any user can add many LinkedIn user accounts to their site account, and then find people on LinkedIn using the LinkedIn People Search API (http://developer.linkedin.com/docs/DOC-1191.html).
With the people found, I could send an invitation or a direct message, depending on the connection level of the LinkedIn account used for that...
Then, using the LinkedIn API, what is the best way to monitor when the invitation was accepted?
Per the documentation, there is no way to directly monitor messages or invitations that you send via the API to another user. So you'll need to come up with some way to monitor this off-line if it is something that you really need. One idea would be to keep track of the IDs of the members you are sending invitations to, and on subsequent (or periodic) calls to the Connections API, you could scan the returned list to see if any of the stored IDs are now connections, and take the appropriate action.
Hope this helps!
