Phone number ID and/or access token from Quick start is invalid when used outside Quick start test message.
I've created WhatsApp app in Meta for developers, registered number, sent out test messages from Quick start page. When trying to use same phone number ID and access token from my local script I get this issue:
Do I need to create permanent access token for this user? Where I can find phone number ID?
Related
I want to add phone numbers to meta app. So that if anyone messages to that whatsapp number, I can intercept the message and reply accordingly.
I want to add phone number in "From"
I tried to register the number using system user access token as bearer token. but it shows not enough permission.
My postman request
After validating the user, I'm sending out the access token to the user's email, along with the link to come back to the same page.
[![Access Token email][1]][1]
[1]: https://i.stack.imgur.com/OWezf.png
This works well when the user opens the email in the same browser in which he was previously validated, but if he opens the email on his mobile or some other browser and then clicks on the link, he is taken back to the validation page to enter his user details again.
How can I maintain the same session across multiple platforms in Django? I know methods exist that can accomplish that. For example, an API can take an encrypted request id as a parameter, which will be included as a token in the access code email link to the landing page. The API will decrypt the encrypted request id and then return the payload back, associated with the same request id, and the data can then be used on the front end to identify the user and resume the access-code verification step.
But I don't know how to implement that or if there is a better solution.
I'm working on a Django app, and I would like to authenticate users using their phone numbers, I also would like users to be able to reset their passwords via SMS, is there a way to do it, I can't seem to find anything referencing password reset via SMS in Django, thanks in advance.
When the user requests a password reset, your server must generate a unique token (create a model for storing tokens) and send it to the main device associated with the requesting user via a text message, then the user sends it back to the server and the token can be verified, if it is not valid every existing token associated with the user must be invalidated, tokens must also have a quick expiration (like 3 minutes). You can use a third party service such as AWS Pinpoint (with boto3) or Twilio to send text messages
I'm trying to implement the Azure AD OAuth authentication for our Django app and I would be doing that with Azure AD as an OAuth provider. So now I wanted to know how securely we can store the OAuth access/refresh tokens in the DB that we receive from Azure AD or any OAuth provider.
I want to store the user's access token in DB because we have a feature in our web app where users can send an email with their email ID and we have a periodic job that runs every half an hour and it's gonna fetch user's mails based on a specific subject line. This we're gonna do with the help of Microsoft's Graph API and in order to call Microsoft Graph API, the web app should store the user's access token may be in the DB. But my concern is once we receive the access and refresh token, it shouldn't be accessed by anyone once we store it in the DB. So how securely or in an encrypted way we can store the OAuth2 access tokens in Django.
I have gone through a few articles, QnA, and forums on this concern but wanted to hear from the Django community as well.
Thanks in advance.
Let's start from sending email by graph(https://graph.microsoft.com/v1.0/users/{userId}/sendMail). I've done some test, here's the detail.
When I used credential flow to generate an access token, I can't use it to send email with an error like 'ErrorAccessDenied', it means that we can't generate a token that can be used for many accounts.
When I used auth code flow to generate an access token, I can't use it to send email when I set a different user id with the id that used to generate token in the api url. In this scenario, I also get the same error as above.
When I used ropc flow and I can send email successfully with it, this means I will send email successfully only when I used the correct user id and token.
Error message when failed to send email:
{
"error":{
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
And according to the test result, I think if you decide to store the tokens into the database, you can save it inline with the user id, so when your periodic job executed, your program can query for the correct token which could be decoded first to check if it is expired, and use it to send email.
If I misunderstand in some place, pls point my error out, thanks.
I need to send timeline item to particular subscribed user using Mirror API. I have the user's email id. How can I achive this?
Thanks
Update:
I have GDK app, companion app(which runs on Android mobile device) and Mirror API app. Both GDK app and companion paired via Bluetooth. My use case is I have to send timeline item to uesr if he reached particular location. We are using ibeacon to check user's location. When user reached that particular area, companion app detect it(via bluetooth) and send request to mirror app then mirror app will add timeline item to user's glass. Here my question is how to add the timeline item to one particular user?(not to all subscribed users) And what parameter should I pass to mirror app from companion app?(I was thinking to send the user's email id)
The user will have needed to log into your service using OAuth2 and have granted specific permission for you to access their timeline using the role https://www.googleapis.com/auth/glass.timeline. You should request "offline" access so you will receive both an auth token and a refresh token, which you can use to get a new auth token after an hour.
You will need this auth token when you send a card to the timeline, which also serves as an identifier in this case. Having their email id is not enough, and you don't need it.
See https://developers.google.com/glass/develop/mirror/authorization for some code samples and details.
Update:
So it sounds like you have the following overall work flow:
User creates an account on your website (which is where the Mirror API app is hosted). As part of this, they authorize access to their Glass and either give you their email address or authorize you to get it via Google's API.
You'll store this information (auth_token and refresh_token) in a data store somewhere, indexed against their email address.
They will also install your app on their phone, and it has access to the email address as well.
When the mobile app detects an ibeacon marker it is interested in, it connects to your web service and sends the email address and location.
Your web service looks up the email address, gets the access token to authenticate the connection to the Mirror service, and sends a message to Glass with the location information.
This is a generally reasonable workflow, but there are a couple of important points to make:
The Mirror API is well tuned to sending things to just one person at a time. You sound worried about sending bulk results, but as long as you use the auth token for just one user, it will send it to just that user.
You're using the email address as an index to the entire user account. While this is simple to implement, this is not the best solution, since it means that anyone who has a person's email address and the URL for the endpoint of your service can fake locations. You may consider this an acceptable risk given how you're using the location information (sending it back to the user), but you need to think about how the service could be misused.
You can mitigate the risk in a couple of potential ways:
Instead of an easily guessable email address, you can create and use some other userid which the user will need to enter when they first setup the companion app.
The first time (and only the first time) the app wants to connect to the service, it creates and sends a random secret string which it will use as a password and the web service could store this random string. Afterwards, the companion app would need to send this string along with the email address.
Depending on your needs, you could cut out the webapp completely and have the companion app use the Mirror API directly. This would leave the auth tokens on the phone and would greatly reduce the potential chance to have someone spoof your user. It does have a significant downside - although you can use it to send cards to Glass, it becomes more difficult to get responses from Glass back to the companion device.
As I understand your question and comments above, your user has already authenticated with your Mirror API based application, so you already have the required credentials (auth/refresh tokens). Your companion Android application detects a condition (user in a particular area) and sends a request to your remote endpoint in your Mirror API based application.
The companion app, when sending the request to the remote endpoint, needs to send a common piece of information that can be used to identify that user in your Mirror API app. In this case, you're saying you're sending the users email id.
To send a timeline card to only that particular user, I would take the email id that the companion application has sent, query your database to return the credentials that you saved when the user authenticated originally with your Mirror API based app and then use that to create an authenticated Mirror API request that inserts the timeline item for only that user. I don't know what your Mirror API app is written in, but a basic example in Python might take the following form:
# You sent along the email address
userid = notification['MyCompEmailId']
# set timeline card body
timelinecard_body = {
'notification': {'level': 'DEFAULT'},
'text': "You found a beacon!",
'menuItems': [{'action': 'DELETE'}]
}
# Look up the user in our database and
# get their credentials
#
# _credentials_for_user() basically does a "WHERE userid = 'something'" query
user_credentials = _credentials_for_user(userid).get()
# Create a Mirror API service with some credentials.
authed_mirror_service = build('mirror', 'v1', http=user_credentials.authorize(httplib2.Http()))
# Send a timeline card
authed_mirror_service.timeline().insert(body=timelinecard_body).execute()