Facebook graph real-time updates, verify callback_url on local - facebook-graph-api

In my development enviroment (localhost of course).
Based on this documentation I've sucessfully created a apps token with this:
https://graph.facebook.com/oauth/access_token?client_id=<app-id>&client_secret=<app-secret>&grant_type=client_credentials
then make post request to verify my callback_url to FB graph, like this
https://graph.facebook.com/<app-id>/subscriptions?access_token=my_apps_access_token=user&fields=first_name&callback_url=http://localhost:3000&verify_token=mystringtoken
but it's always return :
{"error":{"message":"(#2200) callback verification failed: ","type":"OAuthException"}}
(I've try using lvh.me:3000)
Is there possible to verify the callback_url using localhost?

From the API documentation:
Your callback server must handle two types of requests.
Facebook servers will make a single HTTP GET to your callback URL when you try to add or modify a subscription. After a successful subscription, Facebook servers will notify your server of changes by issuing HTTP POST requests to the same URL.
From this statement, I would presume that you must provide a publicly accessible URL.

Here is How to . I've explained the proccess.

Related

Is it possible to send data from a client to a server without the API being public?

I'm currently trying to make an account signup page for a small project I'm working on and I don't know how to send data back to the server (I'm using the Flask framework) without also allowing everyone to send data. Let's say that I've set up an API endpoint on /createAccount. I can then send POST requests to that endpoint: {"username": "test", "password": "test"}. The web server will then handle that request by inserting that data into a database and responding with 201. The problem is, anybody would be able to send these requests, and I only want users to be able to register through the login page, and not by making an API call. Is there any way of doing this?
Edit: I've given this problem a bit more thought and I think that the only API that is difficult to secure is the signup API. When a user has created an account, I can just assign them an API key, which they will send to the API every time they want to make a request, which means that an account is required to make API calls. If a certain key is making too many requests, they can be rate limited or temporarily banned from making further requests. The problem with the signup API however, is that there is no information by witch a request sender could be identified. I could use the IP address, but that can be changed and wouldn't really help if multiple IPs are spamming the API at the same time. Is there a way I can identify non-registered users?
Short answer: no.
You have to check data to make sure the account being created is something legit and not trash data to fill your database or any other malicious intents.
This is the reason you usually have to confirm an account clicking on a confirmation link sent to your mail: this way the app is sure that your account is legit.
You could also check info on the front end, but that is never as secure as back end checking, because of your concern in the question: in the end, anyone who gets to know your endpoints could potentially send direct requests to your server with whatever data they wanted.
Assuming you have a trusted source of registrations, an if that source can make an ssh connection to the server where your Flask app is running, an alternative to trying to lock down a registration API is to provide a command line script to do the registration.
The trusted source does something like
ssh someuser#youripaddress /path/to/register.py "username" "password" "other info"
If you use a Flask custom command you can share model definitions db configuration.

How can I debug my SNS subscription?

I have created a basic SNS topic. It's a HTTP (and HTTPS) request a an endpoint on my web server. The web server is not on AWS.
The endpoint the SNS subscription points to sends me an email containing all of the headers of the request. Even if the headers are empty and email will be sent. A request of any kind will result in an email.
The endpoint will process the request regardless of the HTTP verb used (GET, POST, etc).
If I visit the endpoint in my browser, I receive an email. When I try to request a confirmation within the AWS control panel, I get nothing.
I thought this could be down to me using a Let's Encrypt SSL, but I have also tried using a HTTP endpoint, rather than HTTPS, but get the same issue.
How can I debug this? Is there any way of seeing why the request is failing?
When I need to debug http web hooks and such like this, I use this tool:
https://ngrok.com/
to setup a public endpoint that points to my local web server, that I am running in my development environment, so I can see the request come in, and depending on the language (usually .net for me), I can step thru the code as the request is received in my debugger. You'll need to temporarily point your sns topic to this endpoint.
This won't help if you are not getting the request at all, but if there is any question that the request is coming in, but its not being processed correctly, this may help.

Identify URL of webpage when I can only receive API calls from the websites backend server

So I have a tricky problem of trying to somehow identify the url of a webpage, but I only have info on it's backend server that makes API calls to my server.
I have a server that receives API calls from another server running PHP. The clients PHP server receives information from a webform on their website. I am trying to the match API calls I receive with the webpage that submitted the data. Requesting the client to add a url in the API call will not guarantee that they haven't provided a fake one.
I was wondering if there is something I could do with a hidden iframe that could receive some sort of token or cookie from my server, then pass it to the PHP server who then includes it in the API call. Then I could match the url of the page I sent the token to with the API call.
Is this practical / possible? Any other suggestions of how to solve this problem??

Oauth2 code from mobile app

I'm writing an Android app which will authenticate itself using OAuth2 to a Web server under my control.
I'm using Apache Amber on the client side, and oauth2app with Django on the server side.
From the client, I can generate an authorization request, and start a browser Activity that goes to a page asking whether to allow the client access, and after answering in the affirmative, redirects to a page with a "code" parameter.
But how do I get the "code" back to my client, in order to make the subsequent access_token request?
Do I need to bypass the browser entirely? How would that work?
I believe you have a couple of choices here.
The redirect_uri parameter will indicate to the server where it should send the code.
From the ouath2app docs:
If a request is authorized, Authorizer:grant_response() will serialize an object into a JSON response will return a redirect response to the client’s redirect_uri with information on the authorization code passed as query string parameters (response_type CODE) or access token passed as URI fragments.
So armed with that:
If that value is a location on your server, then your mobile browser is going to get the value as part of the redirect. Specifically, you're trying to read the URI fragments in the redirect. I believe this is the intended usage for an application like yours. This blog post seems to have code that might be relevant, under the section "Retrieving the access token".
Alternatively, as you pointed out, you could send the token to a different handler on your server, and then pass it back to your client. It must the callback URL defined in the service.
I found a different blog post, specific to OAuth 2:
http://blog.doityourselfandroid.com/2011/08/06/oauth-2-0-flow-android/
The trick is to fire up a new Activity whose content is provided by a WebView (rather than a layout). You can attach a handler to the WebView that's called on the redirect to the page containing the "code" parameter.
Some of the specifics in the blog post concern Google APIs, but so far my experiments suggest that it will work in my situation.

What are steps a simple http C++ server should perform to let user login via OpenID authentication?

I have created a simple server accepting tcp and http requests and parsing them in C++. Now I want to create an openID login system which would support Google open ID. I use boost and Curl in my server. Currently I have no ssh in my server except curl can make ssh requests.
So what do I have:
html get/posts requests parsing into maps of map<string, string>
curl with ssh support
file returning server functionality (with modified response arguments)
What else shall I implement to support the possibility of google OpenID login? (I need only some basic unique identifier from user - not his\her name or any other details)
What shall be my steps in order to get unique user ID in server that recieved request with something like openIdLogin :https://www.google.com/accounts/o8/id in it?
I need some simple, readable instructions like once provided by google for reCAPTCHA Verifying the User's Answer Without Plugins - where shall user be redirected, what shall be in Request, Response etc. (not pure Specs)
From the open ID wiki
http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong
or from Google's own doc
http://code.google.com/apis/accounts/docs/OpenID.html#Interaction
What it sounds like you are looking for is Google's Federated Login. What it basically amounts to is sending some url requests to Google's servers and providing a callback url where you want the user to return to after they login on Google's servers.
Towards the bottom of the page there are some sample requests and responses that should help you get started.