I stumbled across a website a while back where it showed the privacy repercussions of logging in to Spotify using the web version. I believe it used JavaScript but I can't be too sure. Anyway, this unrelated website was able to display my Spotify username despite me not authorizing anything. If I remember correctly, it also had slots for other services that I didn't use so it couldn't show my username there.
But what I'm interested in learning about is how it managed to get my Spotify username. Not because I plan to use the method but out of curiosity with how the whole thing works. When I found out about that page/site awhile back, it spooked me enough that I started using a different browser profile specifically for Spotify going forward because of it but I never got around to digging deeper into how it actually did what it did.
Cookies save your an access token for Spotify account after to success login of Spotify.
Next time, if open your browser go to
https://open.spotify.com/
It's java-script to access from your PC's cookies,
call this API with cookies an access token, get your information.
Then display your user name in the web page.
https://api.spotify.com/v1/me
If I copy from my Chrome browser the access-token and API URL,
Then access by Postman.
I can get the my user name.
Each browser has own location to save a cookies,
if you never login before other browser, will not pick up your information.
I did not login before by Firefox.
This is screen of login.
Related
I need to book an appointment on a website. These appointments are released sporadically and booked up quickly. To even see available appointment times, you have to login & complete a reCaptcha. If I wanted to write a scraper using Headless Chrome to continually scrape the site and notify me when a new appointment comes up, following the login flow each time would require beating the reCaptcha, which is at least non-zero difficult.
A better approach (I thought) would be to log in once manually, grab my session cookies, and then load them into Headless Chrome before making a request directly to the appointment times page. The server would see my request, see my session cookies, and respond as if the manually-logged in session had been refreshed. This is pretty much as outlined in the answer to this StackOverflow question: how to manage log in session through headless chrome?
But this doesn't work, and I can't figure out why. I get redirected every time straight back to the login page. I've tried on Chrome & Firefox, and with several other login-requiring websites (Facebook, Reddit, etc.).
How can these servers possibly discern between the original client and the one using copied cookies, when the cookies are what the servers use to identify clients in the first place?
Exact steps to reproduce:
Login to site of your choice on Chrome, let's say Facebook.
Export your cookies to your clipboard from the site using the EditThisCookie Extension
Launch an incognito window (to reset your active cookies) and import those session cookies with the same handy extension.
Navigate to the target, past-the-login-form url.
Get redirected.
Get frustrated.
I am working on a local application that needs to retrieve data from user's Facebook profile. As long as I can see, by default I can only get name, picture and age range, but I need many others information like education, location, likes and so on. I tried to submit approval for these items, but Facebook won't set my submission because I don't have a Privacy Policy URL added. I don't know what Privacy Policy URL to add because I'm working on localhost.
Please help me figure it out and excuse me if my question is wrong, it's the first time when I work with fb api. Also, if there is another way to retrieve this items, I would be more than happy to hear about it.
Have a look at
https://developers.facebook.com/docs/apps/review/login#do-you-need-review
It's saying that
in order to help you craft your Facebook Login experience, your app's developers will be able to see, and grant, any permission without requiring review by Facebook.
and
Also, if you're the developer of an app and are the only person using it, then your app doesn't need to go through review. Since you're the developer, all app capabilities should be available. You will still need to take your app out of developer mode, but you should be able to do that without going through review.
So, to be able to develop your app and request extended permissions, you don't need to pass your app to review, as long as you test with an app admin/developer/tester.
Our desktop application integrates with Facebook using the desktop app workflow and for approx. 18 months has been working without any problems. However, we are starting to get reports from some users that they cannot get past the login process.
When the login is successful Facebook should be attaching the access_token to the redirect_uri. Our application detects this and moves the user to the main part of our Facebook integration. What appears to be happening in some situations is that the access_token parameter is missing which causes our application to leave our embedded browser window open with the following message from Facebook:
"Success
SECURITY WARNING: Please treat the URL above as you would your password and do not share it with anyone."
What is strange is that this does not occur with all Facebook accounts and which Facebook accounts it occurs with seems to be changing. For example, we had a report of this approx. 1 week ago but could not duplicate it with my own Facebook account or with a colleague's Facebook account. Today, I still cannot duplicate it with my own Facebook account but my colleague now gets the problem.
The URL our code sends to Facebook is:
https://graph.facebook.com/oauth/authorize?client_id=xxxx&redirect_uri=http://www.facebook.com/connect/login_success.html&type=user_agent&display=popup&scope=read_friendlists,user_photos,friends_photos,user_photo_video_tags,friends_photo_video_tags,user_events,friends_events,user_groups,friends_groups
Reading the latest API documentation it looks like they recommend a different way to connect which we have also tried:
https://www.facebook.com/dialog/oauth?client_id=xxxx&redirect_uri=http://www.facebook.com/connect/login_success.html&scope=read_friendlists,user_photos,friends_photos,user_photo_video_tags,friends_photo_video_tags,user_events,friends_events,user_groups,friends_groups&response_type=token
To rule out our application as the cause we have tried these URLs directly within a web browser. What we find is that when using my Facebook account the browser re-directs to the success URL that includes the access_token parameter but when using my colleague's account the browser re-directs to the success URL that includes the access_token and then immediately re-directs again to the success URL without the access_token.
so... As far as we can tell this is either:
a) A change to the API which we cannot find documented anywhere
b) A bug in Facebook
c) Something that is now controlled by the user's Facebook security settings
Is there anybody who could explain why Facebook is acting differently with different accounts and how we can go about fixing this?
Thanks.
Kevin.
I have the same problem in my desktop applications.
And I just solve it with careful reading in ht*ps://developers.facebook.com/docs/howtos/login/login-for-desktop/. The solution is to change redirect_uri from ht*p://www.facebook.com/... into ht*ps://www.facebook.com/...
Hope this will help you just like it help me
NB:
change ht*p into http
sorry i have to change the http into ht*p so that i can post the answer.
i am trying to use /me/likes/pageID the same way i used pages.isFan (REST API).
But it always uses the user/page as me for which i created the access token and not the current active user.
can't get my head around this one, any help is appreciated!
thanks
[from comments] but do i really need to create an application to "just" check if the user is fan of my own page? and even ask his authorization?
Yes, you will need an app in any case.
If you run your app as a canvas or page tab app inside of Facebook, then you get the info if the current user liked the very Facebook fan page the app is running in(!) directly from the signed_request parameter.
If you want to query this infor for other pages, and/or your app is running outside of Facebook, then you have to have the user connect to your app and ask permission to read his likes first, before you can get this info.
For information on the latter case, see https://developers.facebook.com/docs/authentication/, https://developers.facebook.com/docs/authentication/permissions/#user_friends_perms, https://developers.facebook.com/docs/reference/api/user/#likes
It is easy: With the new Graph API, the owner of the access token is me. You can see this by pasting an access token into the debugger.
You should be authenticating your user and gaining an access token in their name each time they visit your site. Then use only this access token when you make your query.
This process is easiest if you use one of the Facebook SDKs.
I am using using ColdFusion 9.0.1
I am building a site that will use Facebook connections extensively, so we need the Facebook one click sign on. Specifically, to vote on our site, visitors will just "log in with Facebook" and can do all sorts of cools things while we track what they do using their email address.
I am only slightly confused by the Facebook documentation. And with their recent security change, most of the tutorials and help files I find elsewhere are out of date. So....
I have the single click sign on form on my page. When I am logged out of Facebook, I can use the "log into Facebook" link on my site to log in to my site as well as Facebook. So, I know the form works and the cookie works too.
From what I understand, I am supposed to read the cookie that Facebook sets in the browser and then parse it to access the info I need. Here's the cookie for my site:
cookie.fbsr_252075631496861
When I CFDUMP this cookie, here's what I get:
P2Hlk0UVT2EXc8LiaH48vmL_gI7Y4mwkto0IoSUN9mI.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiIyLkFRQ0VLMC1ibzhqeVhJSzYuMzYwMC4xMzI0MzM5MjAwLjEtMTAwMDAwNTg3NDM1OTY1fFNrYkQ1NU9UWndFMTh3cGE4TUZLZkpLalZzdyIsImlzc3VlZF9hdCI6MTMyNDMzNTU2OCwidXNlcl9pZCI6IjEwMDAwMDU4NzQzNTk2NSJ9
I have found a few tutorials on how to parse this string, but nothing works. I don't really know if I am acessing the right cookie.
Now that the user is logged into my site via Facebook, I just need their FBID to access their info. I believe the FBID is buried in this cryptic string.
Can you provide any help?
Once you get parsed signed_request (stored in your cookie) you can use user_id (which is Facebook User Id) and oauth_token (aka access_token) to get needed info via Graph API or FQL.