Similar to this question. However, I am looking for a way to add a token to the invitation link so that an android application can read such said token and then "automatically" join that user to that particular chat room. However, I haven't found example in a repo or the docs. So how if possible can I achieve this goal? Is invitation links the best way to achieve this?
You can pass a URL to your dynamic link with setLink(url). This URL is passed to your application when/after the user has installed that and it is up to your application to call getLink() and then interpret the URL. You can see an example of handling the link in the Firebase documentation.
So if your chat room has a unique ID (if you're using the realtime database, typically that'd be the key that you use in the JSON), then you'd include that key in the link/URL.
Note that the user might also open the URL in a web browser. So it's best to ensure that it's a complete URL that resolves to a reasonable web page for the chat room. That URL would still include the key of the chat room, so that it works both on the web and in your Android app.
Related
I have an android and iPhone app, and the apps are getting data
from my website based on some conditions they select on the app.
I created a secured url that is not open to the public (can't be find on our website) and using a hash code that I thought was secure enough. Something like the following
http://test.com/data/get_data.php?key=akl;sd8234
The extra conditions they select in the app will be append as query parameters to the same url.
Base on the condition, the php file will then out data in json format.
However, I discovered recently someone else create the exact same app and actually getting data from my server, and from the secret url that I created. The reason I know is because I change something on that secret get_data.php page and it reflected on their app.
I don't know who they get a hold to my url, is there a way to create a more secure way to pass the data from my web server to the app so others can't steal my data?
You should create an API with Basic Auth or OAuth. You can't rely on your URL because it can be caught in logs.
Check this course out
In addition to shayegh's answer, you need to understand that every endpoint that you access within your application is public by nature. Everyone can access your server's endpoint just as well as your mobile application (created by you) can. However, you can make your server's endpoint protected by adding authorization requirements on your endpoint.
Authorization
There are many authorization protocols out there, OAuth, OAuth2.0, Basic Auth (credentials like email and password), etc. All of these are just ways to grant anyone access to resources in your endpoint. Think of it as a lock on your home door, only someone with a key can go into your house and make a mess.
Please keep in mind that this is a very simplified version of what authorization protocols actually look like, how it actually secures the distribution of access keys/tokens, etc.
Additional questions and answers
I tried to generate log files from my android phone, and I can't seem to find the .php file from the log files. Is that possible for someone to decode the android app or the iphone app so that they can view my source code?
Answer: I would always assume that everything that is happening on client's side (mobile app, WebApp's front end, etc) is beyond my control. That means anyone can access, read, tweak my client applications. With that said, I would assume that it is indeed possible for someone to unravel your android / iPhone app (get the source code) to get your client side keys.
How would this (OAuth/basic) help? Surely the person creating the other app would just add the OAuth/basic auth as well, wouldn't they?
In order for that other person to access the protected endpoint they would need to have access to your access tokens of the original app. On top of that, they would need to do it fast because usually access tokens only lasts for a short period of time.
Will using Basic Auth or OAuth key works if they are able to see my code?
Yes and no, depending on your implementation, attackers might be able to unravel your app and somehow fetch user's credentials or tokens from bad practices.
So I am currently struggling with 3 aspects related to email verification and setting it up in a way where when user clicks link in email he / she goes to app where I can then check if email was verified and show new view, aka dynamic linking?
1) I assume correct way to achieve this is by using User.sendEmailVerification(completion) ? I am struggling with setting up the completion step and would appreciate if someone could guide me through the process, also I am not 100% sure that this configures the deeplink, I might've miss-understood it.
2) If my assumption above is wrong, do I need to set up a dynamic link in firebase and then in my email templates section set it as url instead of default one i.e. myApp.firebaseapp.com/__/auth etc... If I do it this way I can retrieve token for verifying user, do I need to perform a call in app to post it to firebase somehow once I have it?
3) If I do need to use approach no.2, is there a way to use my own domain for dynamic links? i.e. I can set up small landing page with app-associate file for iOS and equivalent for Android, will this be enough? Do I miss out on any things like analytics here? Would you recommend for or against using custom domain for dynamic links?
https://firebase.google.com/docs/auth/ios/passing-state-in-email-actions is the primary guide for this.
user.sendEmailVerification(withActionCodeSettings:actionCodeSettings) - see the snippet in the doc above.
You need to support Dynamic Links, that is how the user is returned to your app.
Your own domain is not necessary.
So, I am trying to use GroupMe's API. The issue is that I don't really know how to get the users access_token once I send them to the site to login. I don't really know how to create a callback or how to use it. So to sum it up
I need to send users to this site
https://oauth.groupme.com/oauth/authorize?client_id=CLIENT_ID,
then they login and groupme sends them to here
https://YOUR_CALLBACK_URL/?access_token=ACCESS_TOKEN.
But I don't know how/where to create a callback url. Then I don't know how to send that access_token back to the app.
Thanks.
A callback URL is simply a url exposed by your app that groupme can redirect users to. The page can be anything, however, oftentimes it takes the user back to your app if it is a webapp, or tells the user to close the page.
The important part is that the url is one that the app controls, so that it can get the contents of the url that contain the token and other data.
If you are writing a web app, then the framework or language should a method or variable you can call or read to get the url. If you are writing a desktop/moble app, one way of creating a callback url is to listen on a tcp port and speak http to the browser. Another way is using a lightweight web server library, or use a lightweight external server like lighthttp and communicate using cgi/fastcgi. All that matters is that you can get the url that groupme se,t the user to.
If you need anymore help, you are using Oauth2 so search for help with that. Nothing that you asked about here is specfic to groupme, so you should be able to use any OAuth2 library.
I am currently using api.ai , to create agent to perform specific tasks, but one question i don't have answer to is , can i make it learn something while chatting , mean that i speak my name is 'John Cena' and she should store it and then whenever i ask her again bot should answer me that. i know there is a way to do it by logging into api.ai web and manually add entries , but it will not help, is there any work around programmatically or automatically ? the file i've been using to practice is given in github . and here is working DEMO
You basically need for your bot to "learn" facts. There are many different ways to achieve this, but recently the most common way is to arrange knowledge into Semantic "Triples" and store the knowledge into a Graph repository (like Neo4j, Titan, Spark Graph, etc). In your example, "my name is John Cena" would translate into a Triple like ("anubava","Name","John Cena"). That way, the next time you are logged in as anubhava and ask "What is my name?", it would translate into a Graph search that will return "John Cena". A word of caution, achieving this is not trivial and would require some significant amount of fine tuning. For more info, you can check here and here.
Finally, most complete solutions (that I know of), are Server Side solutions. If you want for the whole knowledge base to reside in your mobile device, you could probably use the resources there as inspiration, and build your own Linked Data repository using an embedded database.
Hope this helps. Good luck.
To store and recall the user's name, you'll need to set up a webhook with some basic data persistence capabilities. Any database or key-value store would work fine.
Here's the breakdown:
Implement webhook fulfillment for the intent that captures the user's name. The webhook should store the name along with a unique, identifying ID that you should supply from your front-end in either the sessionId or as a context parameter in your call to /query.
Implement webhook fulfillment for the intent that reads the user's name. The webhook should look up the name by ID and return a response that tells the user their name.
The high-level docs for writing a fulfillment webhook are here:
https://docs.api.ai/docs/webhook
I would like to map the gcm reg id to individual users on my site.
What is the best way to accomplish this?
I have a webview in android that loads my site where users are required to login, until login users are anonymous so i can only map the users after login.
some thoughts are,
Set the user agent string to the reg id if its not been registered, when logged in , if no id is mapped to the user then grab it from the user agent string.
^^ that seems the easiest way for me as i'm a beginner but i can think of some flaws straight away.
Monitor the page url, if this can be done. when the webview detects the url is "index.php"(user is logged in) then executes the function within the application to send the reg id to the server.
inject the code into a hidden field in the page before login and submit it with that?
I'm not sure if any of these methods are viable, any help would be much appreciated. I'm still pretty much beginner so laymans terms would be also appreciated.
You can pass data from the java code that receives the Registration ID (from Google) to your Web View by using javascript, as explained in the answer to this question.
Or you can load the Web View only after getting the Registration ID from Google. This way you can pass it as a parameter to the URL you are loading.
Ok by far the best way for me was to expose the javascript interface in the webview, i placed a check in my sessions.php after authentication, if the registration key wasn't in the database then it would call a java function in the application that is essentially an ajax call to another script on the website in which the reg key is passed to and saved in the database along with the user id.