# |
Dec 19th 2017, 21:09 |
dereuromark |
birdy: that's total BS. query string itself would already suffice for protection. total noobs. |
# |
Dec 19th 2017, 21:08 |
birdy247 |
@dereuromark we can use the state :slightly_smiling_face: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logindialog |
# |
Dec 19th 2017, 21:08 |
dereuromark |
what kind of annotations do they have/need? https://github.com/dereuromark/cakephp-ide-helper/issues/68 |
# |
Dec 19th 2017, 21:07 |
dereuromark |
@mail used cells yet? |
# |
Dec 19th 2017, 21:07 |
birdy247 |
"Strict Mode prevents hijacking of your redirect URIs by requiring an exact match from your Valid OAuth redirect URIs list. For example, if your list contains www.example.com, then Strict Mode won't allow www.example.com/token as a valid redirect. It also won't allow any extra query parameters not present in your Valid OAuth redirect URIs list." |
# |
Dec 19th 2017, 21:03 |
birdy247 |
I'll ask facebook |
# |
Dec 19th 2017, 21:02 |
dereuromark |
it indeed would then be the session that would need remembering |
# |
Dec 19th 2017, 21:01 |
dereuromark |
everything else is otherwise really annoying |
# |
Dec 19th 2017, 21:01 |
dereuromark |
URL is until those start usually |
# |
Dec 19th 2017, 21:00 |
dereuromark |
did you try query strings? I would bet that this is not part of their specs |
# |
Dec 19th 2017, 21:00 |
birdy247 |
"exactly match the Valid OAuth Redirect URIs" |
# |
Dec 19th 2017, 20:59 |
birdy247 |
exactly |
# |
Dec 19th 2017, 20:59 |
birdy247 |
yes |
# |
Dec 19th 2017, 20:59 |
dereuromark |
you mean with strict that no dynamic part is allowed? |
# |
Dec 19th 2017, 20:58 |
birdy247 |
but if facebook is mandating that the URL must be strict, i.e. how can I pass a query string to OAuth? |
# |
Dec 19th 2017, 20:57 |
dereuromark |
as all the rest of cake itself works :slightly_smiling_face: |
# |
Dec 19th 2017, 20:57 |
dereuromark |
it should point to the own login with redirect query string |
# |
Dec 19th 2017, 20:57 |
dereuromark |
the callback action is implemented wrong |
# |
Dec 19th 2017, 20:56 |
birdy247 |
I don't follow |
# |
Dec 19th 2017, 20:56 |
dereuromark |
as long as the query string is encoded properly |
# |
Dec 19th 2017, 20:56 |
dereuromark |
its nested basically |
# |
Dec 19th 2017, 20:56 |
dereuromark |
redirect=ownsite?redirect?... |
# |
Dec 19th 2017, 20:55 |
dereuromark |
well, that was never how it should be :slightly_smiling_face: |
# |
Dec 19th 2017, 20:55 |
birdy247 |
https://www.domain.com/hybrid-auth/endpoint?redirect=%2Fenter-race%2F816%23anchorandhauth_done=Facebook |
# |
Dec 19th 2017, 20:55 |
birdy247 |
i.e. this used to be my redirect uri |
# |
Dec 19th 2017, 20:54 |
birdy247 |
others will not be allowed |
# |
Dec 19th 2017, 20:54 |
birdy247 |
the redirect url has to be set in advance |
# |
Dec 19th 2017, 20:54 |
birdy247 |
but that wont work now will it? |
# |
Dec 19th 2017, 20:53 |
dereuromark |
that has never changed afaik |
# |
Dec 19th 2017, 20:53 |
dereuromark |
no, it should always return back to the login which then redirects via query string |
# |
Dec 19th 2017, 20:53 |
birdy247 |
I guess now we will have to store this in a session or something? |
# |
Dec 19th 2017, 20:53 |
birdy247 |
at the moment I used the cakephp redirect query string to direct the user to where they wanted to go after they are redirected from the provider |
# |
Dec 19th 2017, 20:52 |
birdy247 |
it will become mandatory to turn on strict mode |
# |
Dec 19th 2017, 20:52 |
birdy247 |
Note: Turning on Strict Mode will invalidate any calls from URIs not listed in the Valid OAuth Redirect URIs |
# |
Dec 19th 2017, 20:51 |
dereuromark |
hybrid auth has some issues, so I would also like to change at some point to social auth |
# |
Dec 19th 2017, 20:51 |
dereuromark |
what's the change? |
# |
Dec 19th 2017, 20:50 |
birdy247 |
the redirect uri must be fixed |
# |
Dec 19th 2017, 20:50 |
birdy247 |
facebook just announced a change |
# |
Dec 19th 2017, 20:50 |
birdy247 |
same |
# |
Dec 19th 2017, 20:48 |
dereuromark |
I still use the old one |
# |
Dec 19th 2017, 20:46 |
birdy247 |
is anyone using the social auth plugin? |