Please help!
Short question:
I try to login ParseUser with session token like this:
ParseUser.becomeInBackground(token);
It always goes ok on first login. But it always fails when I retry. I get "invalid session token" error. Session stays the same. Any other info on token is hidden.
Detailed question
I'am building app for parents and kids. It is suggested that 2 users start app on their (different) devices using one account (one ParseUser for various devices logged in at one time).
First a parent signs in on his devices. Then he generates QR-code with session token.
String token = ParseUser.getCurrentUser().getSessionToken();
Bitmap bitmap = encodeAsBitmap(token);
qrView.setImageBitmap(bitmap);
Kid's device reads this QR and logs in.
This procedure goes fine at first time. But if I log out kid's device and try to login by QR for the second time it fails with "invalid session token". It also fails when i try to login second kid's device.
When I delete session manually in parse-dashboard, I can log in kid's device with QR again but only for once.
I tried my best to find some solution here and on the other internet but I didn't succeed.
Dear expert-level developers, help me on this issue.
It seems that I figured it out.
Short answer:
In Parse.com dashboard go to Settings tab. On General tab go to "User Sessions" section. Switch off "Require revocable sessions" toggle.
Details:
Since march 2015 Parse.com started using revocable sessions. It means that when user logs out or session expires it becomes useless. So you have to log out and log in back to use your app as usual.
This is an important security issue. But in case like mine consider switching it off.
I think you problem has to do with Parse.com now using revocable session tokens, see http://blog.parse.com/announcements/announcing-new-enhanced-sessions/
Others are having similar issues here: https://groups.google.com/forum/#!topic/parse-developers/Knxl_MBVlLY
This means that the token is only valid during a session, that is, while the user is logged on the device. Once the user logs out, the session is destroyed together with the token.
Perhaps this could be considered a 'feature' in your app, as the parents can pose control over their kids access to the app. If they log out, so is their child(ren).
If this is too far from the intended usage scenario, you could consider adding third party login such as Auth0 or OAuth
https://auth0.com/docs/scenarios/parse
https://parse.com/tutorials/adding-third-party-authentication-to-your-web-app
Related
Sorry for the ambiguity in the question but it is actually quite a simple one.
When my android Application boots up I initialize AppCenter as follows:
AppCenter.start(
this, BuildConfig.APP_CENTER_SECRET,
Analytics::class.java, Crashes::class.java, Distribute::class.java
)
if(BuildConfig.FLAVOR != ApplicationVariants.ProductFlavors.PRODUCTION){
AppCenter.setLogLevel(Log.VERBOSE)
}
AppCenter.setUserId(UUID.randomUUID().toString())
Distribute.setUpdateTrack(UpdateTrack.PUBLIC)
Distribute.checkForUpdate()
However, when the user logs into the application I would like to set the UserId to the users email as follows once the user logs in:
JwtUtils.getIdentityTokenModel(requireContext())?.let {
AppCenter.setUserId(it.email)
}
Lastly when the user logs out I reset the user Id to a random guid. The reason for this is visibility on which user has which crash logs. This is a requirement from business.
However, in the app center crash logs, it seems the UserId never changes to the email even if an error occurs while the user is logged in.
My question is simple. Is there a restriction on how many times I am allowed to change the AppCenter User Id? I cannot seem to find it anywhere in the docs.
Thanks in advance
Please see these docs about userId API:
The value for the user ID is limited to 256 characters. It will be
shown with your crash reports but not used for aggregation or counts
of affected users. In case you set user ID multiple times, only the
last user ID will be used. You need to set the user ID yourself before
each application launch, because this value isn't stored by the SDK
between launches.
Environment:
Ejabberd Version : 16.04
Smack-android-4.1.0
I'm working on an Android chat application. Currently, same user credentials can be used login from multiple devices.
The current scenario is as follows:
1. User logs in into the app in device A
2. Using the same username and password, the user logs successfully into the app in device B
3. Now device A says, it is disconnected, but continue the chat in device B
However, according to the given requirement, it should behave like this:
1. User logs in into the app in device A
2. Using the same username and password, when the user tries to log in from device B, it should not allow it.
(Since he is already logged in from device A)
Would be glad to hear your solutions/ideas on this. Thanks in advance.
So I managed to resolve the problem using the option resource_conflict
According to Ejabberd Configuring Docs
The option resource_conflict defines the action when a client attempts
to login to an account with a resource that is already connected. The
option syntax is:
resource_conflict: setresource|closenew|closeold: The possible values
match exactly the three possibilities described in XMPP Core: section
7.7.2.2. The default value is closeold. If the client uses old Jabber Non-SASL authentication (XEP-0078), then this option is not respected,
and the action performed is closeold.
So open ejabberd.yml and add the following line to that file.
resource_conflict: closenew
Then restart the ejabberd server.
Now it will disallow the resource binding attempt of the newly connecting client and maintain the session of the currently connected client.
References:
https://www.rfc-editor.org/rfc/rfc6120#section-7.7.2.2
Read #rubycon's answer on this- https://stackoverflow.com/a/51860779/5361779
From XMPP spec:
"If there is already an active resource of the same name, the server MUST either (1) terminate the active resource and allow the newly-requested session, or (2) disallow the newly-requested session and maintain the active resource. Which of these the server does is up to the implementation, although it is RECOMMENDED to implement case #1."
More info here https://xmpp.org/rfcs/rfc3921.html#session
So your current scenario is a recommended one.
However, I have quickly checked for ejabberd src code and found it can be configured somehow (closeold -> closenew)
https://github.com/processone/ejabberd/blob/master/src/ejabberd_c2s.erl#L964
https://github.com/processone/ejabberd/blob/master/src/ejabberd_c2s.erl#L873
I'm not an Erlang specialist, but looks like it can be achieved by modifying the source code
If device B sets as resource one different than device A, both can be connected to the same account correctly. In your tests, device B sets the exact same resource than device A, and then ejabberd kicks the older session.
I see there's an option to limit the number of sessions an account can have active in the server. The problem is that it kicks the older session, but you would like to disallow the new login. See
https://docs.ejabberd.im/admin/configuration/#limiting-opened-sessions-with-acl
I have an Android app, which the user can link to Spotify, with :
AuthenticationClient.openLoginActivity(getActivity(), SPOTIFY_REQUEST_CODE, request);
The problem is that I want the user to change his Spotify account so I want to logout the user from Spotify to log with another account. But the data of the connection are saved in the cache and when I use this line again :
"AuthenticationClient.openLoginActivity(getActivity(), SPOTIFY_REQUEST_CODE, request);", it does not show the connection dialog because the user is already connected.
In the doc, it says :
"To log out and clear all stored tokens, use the AuthenticationClient#clearCookies method. Both Spotify and Facebook tokens will be removed."
But the method clearCookies does not exist anymore. What can I do to logout the user and allow him to connect on another account ?
I've searched on the net and seems that this code
AuthenticationRequest.Builder builder = new AuthenticationRequest.Builder(CLIENT_ID, type, redirectUri)
.setShowDialog(true)
.setScopes(scopes).build();
took from this post it's your only choice to try to logout a user.
I can't test it, so you should try it yourself and see if works.
The documentation on the Spotify Android SDK is outdated and is not reflecting the new Spotify auth library on GitHub.
Spotify's Android SDK documentation is definitely outdated. My observation is that when you call
AuthorizationClient.clearCookies(context)
directly before starting Spotify's auth activity, it just works fine. But if you call it once and then expect that the user is logged out, when you start the activity later in the future, cached credentials keep messing around.
I do not prefer
builder.setScopes(arrayOf("")).setShowDialog(false).build()
as it shows you a "not you? Click to log out" option. So basically you need to log out on the Spotify UI, cannot do it from code.
In my case, the application saves the logged in user's email (I need that to show on the UI, anyway). When I want to log the user out programmatically, I just delete the saved email from the app and call
clearCookies()
when I start Spotify's Activity if the variable is empty.
A bit late, but you can use this AuthorizationClient.clearCookies(this) as
AuthenticationClient no longer exists
First of all I'm sure that my fb app id is valid because users can log in my Android app using facebook credentials until some days ago (I think it's before Feb break change).
Recently new users cannot log in my Android app using facebook any more because facebook keep saying that my fb app invalid (Error is: Invalid application fb-app-id) BUT old users who already authorized my Android app for accessing their info can still log in using facebook. (Old users can still login to my app using facebook credentials but new users cannot)
Does anyone know why this happen to my facebook app and how to fix it?
Edit: When access to https://graph.facebook.com/facebook-app-id I get this error
{
"error": {
"message": "Unsupported get request.",
"type": "GraphMethodException",
"code": 100
}
}
Thanks you.
If you're sure the app is not in sandbox mode (which was gema.megantara's answer), and hasn't been deleted for policy reasons by Facebook the only explanation I can think of is that you've restricted the app demographically (i.e by country or age)
If that's the case the API won't return the app's details unless you make the API call using a user access token for a user who meets whatever restrictions you've applied, and users who don't meet the requirements won't be able to use the app.
If that's what you've done, you can remove the restrictions via the API (via the restrictions field of the Application object or in the ''Advanced'' tab in the app settings in the App Dashboard
If using the frontend interface to change the settings, it's the ''App Restrictions'' field you want to edit, screenshot attached
Basically the same solution as the accepted answer, just updated for the latest FB developer site has been updated so you need do this:
Apps->Your App
Status+Review
Do you want to make this app and all its live features available to the general public? -> Yes
Usually if you get error like that when visit https://graph.facebook.com/523132271032907 is because the sandbox mode is on. Have you try to reset the secret key ?
I think, this is because FB does not check whether application id is valid when the user has already logged in. It likely assumes that if the check passed, the id is valid. Apparently, locking out the users after making the app id invalid has never been a design goal.
try replacing:
<string name="facebook_app_id">CHANGE-ME</string>
with:
<string name="facebook_application_id">CHANGE-ME</string>
I am using the official Facebook SDK for Android in my app.
I have managed to log in successfully,
but the problem arises when I try to log in as another user:
I click on the link that says Logged in as [name]... Not you?
but my application proceeds anyway and posts to my wall...
(as if I have clicked "Allow")
I discovered that clicking on that link throws a facebook exception and retries the request,
so I tried putting a call to logout() in the catch clause.
That made it possible to log in as a new user,
but the next time I run the app,
again, the old user is logged-in...
(Logged in as [old_user]. Not you?)
My question is:
Why does the first user's login persist forever
and how to properly handle a click on "Not You" link?
My current solution is to always call logout() before authorize() method
but this forces the user to always have to enter his/her email/password
which is not acceptable either.
The facebook access token is saved by SessionStore.
When loggin into Facebook, it will try to restore the access token from SessionStore.
So, I think you can explicitly call facebook.logout and SessionStore.clear() when user exit your application.