socialLogin - how is it supposed to work now?

I’m trying to add social logins in my app.
It’s not quite clear now. First of all, I don’t see this section in the JavaScript documentation. OK, let’s try what’s in the REST API section:
trying the “second method” - without provider SDK.
First hiccup - in the Get Authorization URL API it says
https://xxxx.backendless.app/api/users/oauth/providerCode/request_url
whereas by trial and error I found that the actual URL is
https://api.backendless.com/“appid”/“restkey”/users/social/oauth/facebook/request_url
Next hiccup - when I logged in using this URL, the page redirected to
https://api.backendless.com/“appid”/“restkey”/users/social/facebook/authorize?code=XXXXXX
and the page content was
{"code":1011,"message":"User has no permission to create entity","errorData":{}}
I cannot find info on how and where my app should process it: where to react/intercept? And why is there an error message here?

Hello, @yuriy.

In your case, you need to correct the permissions in your application (Data -> Permissions -> Role Permissions). Because of this, you get this error.

You can also try turning off the afterLogin handler.
But all the same, it would be more correct to configure the permissions correctly.

Regards, Nikita.

Permissions to what?

In your case, adding the FacebookUser Create permission should solve the problem.

Hmm, it doesn’t look good to enable “create” from a security point of view. But OK, let’s suppose I’m enabling it for tests. I now get a user object in the response, but I cannot understand the scenario for using it: how is my app supposed to intercept it?

The user at login has a role corresponding to the key and the provider through which he entered.

I don’t quite understand your second question: what exactly do you want to intercept? And where exactly?

I’m trying to understand the workflow of social login (“without sdk” case) in my webapp. I thought maybe there are some ready-made methods or code samples showing how to get data from the login callback. But it seems to me this method is targeted at mobile apps.

Let’s address your first hiccup first. Do you have a backendless.app domain assigned to your app? If you do not, you can get one on the Manage > App Settings > Custom Domain screen:

Now the second hiccup: does the RestUser role have permissions to write to the Users table? Make changes in the Users table?

First topic - no custom domain in my app.
Second topic - my tests showed that (in my existing restrictive permissions setup) for this API call to work, it is required to enable “create” permissions on the Users table for both facebookUser and socialUser. Still seems a bit broad.

First topic - the URL in the docs talks about the routes using the backendless.app domain. You can get one for your app on Manage > App Settings > Custom Domain. The docs also talk about that.

Second topic - a record needs to be created in the Users table for the user object. A permission is needed for that.

First topic - I still don’t get what you mean here; I’ve simply stated that the “Endpoint URL” mentioned in the official documentation is not working.
Second topic - doesn’t that mean that any user who has “social login” can abuse the system and create new user entries by API calls?
Still, I don’t get the last part:
“I now get user object in response returned after social login”, but I cannot understand where my app gets it?
“I’m trying to understand workflow of social login (“without sdk” case) in my webapp. I thought, maybe there is some ready made methods or code samples how to get data from login callback. But it seems to me this method is targeted at mobile apps”

First topic - let’s clarify that the “Endpoint URL” is not working for you. I tried to explain why. Let’s revisit. For this, take a closer look at the documentation, specifically the highlighted parts:

As you can see, the URL explicitly references a backendless.app subdomain, which you confirmed you do not have. Can you get one? Of course, for that, I suggested navigating to Manage > App Settings > Custom Domains where you can get one. Once you do, the Endpoint URL will work like a clock.

Second topic - the API key in the callback URL is REST by default; however, you can use any API key (including a custom one) with all the permissions assigned to it. This eliminates the possibility of users hijacking your app. Additionally, the /authorize URL is not supposed to be used directly. The documentation describes the API call to exchange the OAuth token to BackendlessUser:

Hope this helps.

Mark

Ah, let me rephrase - I would like to read in the documentation the endpoint URL for the default case, with no subdomain. I believe this is true for a substantial part of users.

Sorry, I don’t quite understand - this call is still going on the client side, so the user can still get it. So, the user would have this key that has enabled creation of new entries in the Users table, correct?

Well, it’s clicked by the user who tries to log in; I don’t know if it’s direct use or indirect. Anyway, it seems the approach “without provider sdk” isn’t much easier to try than “with using provider sdk”, so I’ll try with the SDK.

Every application in Backendless gets a backendless.app subdomain. Yours was created before we released the feature, so you’d need to catch up to be there. The case in docs is the standard way now.

I believe you should re-read the REST doc for OAuth2 login; it seems there is a gap in understanding of how the APIs should be used. The chapter has graphics illustrating the entire process step by step.

Ah, I didn’t realize that. Tried that now, can confirm the URL is correct in this case. Sorry then, my bad.

I’m going to evaluate the “with sdk” approach now.