I am trying to shorten a really long URL with the Google API. This URL contains some information about a User of a program, and if clicked, there happens some magic on the server, and the magic should only happen if the user itself has clicked the Link.
Now if I shorten a Link with the Google-URL-Shortener, Google automatically calls that Link which lets the server do some action. I think this is a validaton check or something.
Is there a way to deactivate that or do I need to use an other provider?
Thanks for your help
From what I've read google and other url shorteners will visit the url to create a preview. I had the same issue when trying to shorten an unsubscribe url and decided to add a confirmation step so that the subscription wouldn't be unsubscribed when shortening the url.
Another solution is to key off the User Agent field and prevent the default action if the User Agent is a url shortening bot.
Since I don't control the User Agent field I was concerned the url shortener service might change the User Agent value in the future and hose everything so I decided not to do it this way.
Related
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
I have a newsletter powered by an laravel application. It lets subscribers select an area and set some filters to receive mail notifications on new housing for sale.
To solve this in an easy way for the user I did not want to use passwords and a long registration process with names etc. Instead, you just get an email, in that email there is an edit link with a secret token:
https://myapp.com/subscribers/42/edit?token=gwoi6n4ginagrpoargp4ar5gp14a
Would this be considered a safe approach?
When a user clicks the link, it is over HTTPS so it is encrypted, but it will still show in the current browsers history..
Will I get flamed for doing this and if so what are some ways to improve it?
with encrypted data in ssl communications yes it's safe. but in my opinion there is some offers:
1-remove token word from the address.
2- this link should not show the user edit page directly. instead sends arguments to a controller and controller redirects user to a new page with a clean link. just save token in the page for authorizing your user.
3- why not to produce longer (just a bit longer!) tokens?
4- for being safer each link should have an expire time. new link will be sent with each newsletter mail.
The new Gmail API allows us to create and view drafts, but is there a way to get a URL link to view the draft?
I can manually create the link using the draft's ThreadId with something like this:
https://mail.google.com/mail/u/0/#drafts?compose={ThreadId}
But that is somewhat fragile if Google decides to change how those URLs are structured. I also don't know if the URL will be different for people in other countries. The 0 will also change depending on how many accounts you are logged into in the browser. Is there a better way to get this link than creating it manually like I am?
Also, is there a way to pass authentication information along with the URL so that user is logged in when going to the webpage? I'm assuming that there is no way to do this, but I wanted to check. If a user is not logged in, the draft link brings up the login page and the draft is not displayed after logging in.
No, creating the URL manually is currently your best option. You can drop the u/0/ if you want and Gmail will automatically use the first authenticated account.
No, there is not a way for you to automatically sign a user into Gmail.
For exposing URL to a draft created by API, this works:
...
final Gmail.Users.Drafts.Create request = gmailService.users().drafts().create("me", content);
final Draft response = request.execute();
final String url = "https://mail.google.com/mail/ca/u/0/#drafts/"
+ response.getMessage().getThreadId()
...
When the user clicks on it, gmail will translate (and redirect) to a different URL, but opens the correct draft.
I however did not find mention of this in the docs, so it might be an unsupported feature that stops working one day.
Credits: #Chris Wood from this SO question stackoverflow.com/q/50124112/455449 (see his comment below question)
Concerning passing authentication info:
passing account id is probably not possible
passing password in url would be a security nonsense (so I trust it is not possible)
I have a google calendar that I have marked as shared. it stores all appointments for the day.
I have a webpage. from the webpage, the user enters a date and I use the google api (javascript) to pull back all info from my shared calendar for that date and present it to the user.
I also want the user to be able to make appointments during free times on any given day.
problem is, I must be signed in to my google account. if I am NOT signed in, I get a little popup asking for my userid/password.
how do I get rid of that? I had hoped that making the calendar shared and specifying the client ID and api key (assigned via Google's API Console) would have been enough.
I've run across this: http://cornempire.net/2012/01/08/part-2-oauth2-and-configuring-your-application-with-google/ which explains doing this via Oath and refresh tokens in PHP.
unfortunately, I'm doing this in javascript and MUST do it from the client side. is that possible?
I think you should look into using a service acccount for this.
http://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
By using a service account you wont have to worry about people loging in. They will have access to the calender for the service account.
Update: I have searched for examples of how to do this in Javascript and have been unable to find any. After considering this issue for a while now i have come to the conculsiton that even if you could use a service account via javascript for security reasons its probably not a good idea.
Unfortuantly this leaves me to beleave that the anwser to your question is No. You cant do this client sided. If you use normal OAuth2 its still going to prompt you for the autentication. You need to try and reconsider a server sidded option. PHP for example
I am looking for a way to verify a users facebook id when posting user specific data using ajax.
I want to be able to verify that a facebook user id is correct when posting data using ajax.
The problem being, that if I post the facebook id as part of my ajax data, it can be edited in the javascript. I could make a graph call on the server side, but these are really slow, so I want to keep graph calls to a minimum. Preferably only calling it at the beginning.
Can any suggest an efficient/secure method?
In the end my solution was to grab the users facebook id via the php sdk and creating a hash of it by adding a salt and encoding it with md5. When posting the form I include both the facebook id and the hash. I can then use the same salt value to double check that the facebook idea is correct before using it. This seems to provide enough security for my needs.
I know you want to avoid doing graph calls, but you can make a call client side as well and call the Facebook API:
FB.api('/me', function(response) {
// Check that response.id matches the submitting user id
});
This will allow you to check against the logged in user's Facebook id. There's no way you can really modify anything in the javascript to 'fake' being a different logged in Facebook user.
Otherwise, I'm not sure how else you can verify the id unless you have a whole login system yourself, where by you can match session data to saved user data on the database on the server side.