Request authorization

+1 vote
Didn't find any information about request authorization, i.e. that a user can set only his score and not another user's (the username parameter is provided to the save score method). If someone extracts the apikey and secret, then service methods would be open to fraudulent requests. SetFbAccessToken looks promising, but I did not find any documentation on that.
asked Apr 8, 2014 in App42 Cloud API-BaaS by admin (15 points)

2 Answers

+1 vote
My suggestion would be to use custom code and key method authorization for achieving this.

You can create different keys (for the same app) and add/remove privileges for them. This is available in the AppHQ console under "Method Authorization". So for the key that you use in the client code that is distributed, you only allow custom code and the get score API.

Then you have the clients call your custom code. Inside the custom code, you do whatever validation you want and then use the admin keys to actually save the score.

This way you can guard yourself against fraudulent score submission by your own validation inside custom code.
answered Apr 8, 2014 by dhruvc (1,099 points)
+1 vote

ACL comes in handy in this kind of situation. If your app is ACL enabled, one user cannot access/use the data of another app user unless authorized. To use ACL, your app user must either be authenticated using the App42 User Service or through Facebook Login. If you are using the App42 User Service, you have to call setSessionId; if you are using Facebook, you have to call SetFbAccessToken as described by you.

See complete tutorial here for the same.


If you want to create an API key which can only access the saveScore method or any xyz method, you can take the approach described by dhruvc below.

answered Apr 8, 2014 by ajay123 (899 points)
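The two answers above describe one pattern: the distributed client key is restricted by method authorization to read-only calls plus custom code, and the server-side custom code takes the caller's identity from the session (or Facebook token) rather than from the request body before saving with the admin key. The following is an added, hypothetical Python model of that pattern; it is not App42 or ShepHertz code, and all names (`KEY_PRIVILEGES`, `custom_code_save_score`, the placeholder keys and the in-memory stores) are made up for illustration.

```python
"""Hypothetical model of per-key method authorization plus server-side
identity binding. Not App42 code; every identifier here is an assumption."""
import secrets

# Placeholder keys (constructed; never ship a real admin key in a client).
ADMIN_KEY = "ADMIN-KEY-PLACEHOLDER"
CLIENT_KEY = "CLIENT-KEY-PLACEHOLDER"

# Method authorization table, modelled on the "Method Authorization" idea in
# the answer: the distributed client key may only read scores and invoke
# custom code; only the server-held admin key may write scores.
KEY_PRIVILEGES = {
    CLIENT_KEY: {"getScore", "runCustomCode"},
    ADMIN_KEY: {"getScore", "saveScore", "runCustomCode"},
}

SCORES = {}    # username -> score (stand-in for the leaderboard store)
SESSIONS = {}  # session id -> username (issued at login, stand-in for ACL)


class Unauthorized(Exception):
    """Raised when a key lacks a privilege or a session does not own a user."""


def authorize(api_key, method):
    """Reject the call unless this key has been granted the method."""
    if method not in KEY_PRIVILEGES.get(api_key, set()):
        raise Unauthorized(f"key not allowed to call {method}")


def login(username):
    """Issue a session id bound to the authenticated user."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def save_score(api_key, username, score):
    """Raw write API: only callable with a key that holds 'saveScore'."""
    authorize(api_key, "saveScore")
    SCORES[username] = score
    return SCORES[username]


def custom_code_save_score(api_key, session_id, requested_username, score):
    """Server-side custom code: validate, bind identity, then write as admin."""
    # The client key is allowed to reach this entry point...
    authorize(api_key, "runCustomCode")
    # ...but the identity comes from the session, never from the request body.
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Unauthorized("session id not valid")
    if requested_username != owner:
        raise Unauthorized("cannot set another user's score")
    # Application-level validation (constructed plausibility bound).
    if not 0 <= score <= 1_000_000:
        raise ValueError("implausible score")
    # Only now does the server use the admin key to perform the write.
    return save_score(ADMIN_KEY, owner, score)


def is_rejected(call, *args):
    """True if the call raises Unauthorized (helper for demonstrations)."""
    try:
        call(*args)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    sid = login("alice")
    print(custom_code_save_score(CLIENT_KEY, sid, "alice", 50))   # 50
    print(is_rejected(save_score, CLIENT_KEY, "bob", 99))          # True
    print(is_rejected(custom_code_save_score, CLIENT_KEY, sid, "bob", 99))  # True
```

The point of the split is that an extracted client key buys an attacker nothing beyond what the server-side check already allows: direct writes fail the method authorization check, and writes through custom code are pinned to the user the session actually belongs to.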
We are using Facebook login.
So basically for each service call I will have to set Facebook access token (SetFbAccessToken) with current token and your service will check if provided access token belongs to current user (map provided username to fb token)?
Still waiting for an answer..
Sorry for the delayed reply. Your understanding is correct. The server internally checks whether this access token belongs to the same user or not. If not, it throws an unauthorized exception.
What are the steps for scenarios (using Facebook login):
1. Create user
2. Connect user to the same account on different device

I get unauthorized exception when I call CreateUser service method. ACL is enabled. Thanks
You should just LinkUserWithFacebook and not create a new user. Although in CreateUser you should not get UnAuthorizedException.
Please make sure your APIKey/SecretKey is correct.
Calling LinkUserWithFacebook returns: "appErrorCode":"2207", "message":"BAD REQUEST", "details":"Session Id not valid" message.

I am using public access API key (not admin). LinkUserWithFacebook is called without appId and appSecret parameters.
just call SetFBAccessToken before calling this method and pass your access token there too.
Ok, it seems that the "userName" parameter in the LinkUserWithFacebook method is the user's facebookId! It's kind of frustrating, because there is nothing about this in the documentation (http://api.shephertz.com/app42-docs/social-integration-service/#link_user_facebook_account) and the provided code snippet is incorrect.

Another quick question: calling SaveOrUpdateDocumentByKeyValue in the Storage service returns "Storage with the name ... does not exist". Shouldn't the service create the database automatically?

And please work on your API documentation and samples.
This has been explained in our tutorial section here (http://api.shephertz.com/tutorial/Integrating-Facebook/?index=social-fb).
Regarding Storage, you can create your DB from the AppHQ console, under the Technical Service > Storage Service option. Also, if you insert a JSON doc it will create the Storage automatically for you.
We will surely work on your kind feedback.