lancejpollard / authlogic-connect Goto Github PK

We're seeing a problem case where a user initiates the OAuth flow and the session gets populated with auth_callback_method set to POST. Something keeps the full flow from completing (we're doing this on mobile phones, so that's not unlikely). So the user is back navigating the rest of our application with that parameter still stuck in the session.

As long as they try to hit URLs that do not work with POST, the Authlogic Connect code will continue to turn the requests into POSTs and result in 404s. It seems like the auth_callback_method handling should be restricted to particular URLs.

After going through a "register" action on my site, with Google OAuth, it creates the user and logs in all correctly. But, signing out, and trying to simply "login" again fails - it cannot find a token, then tries to deref a nil object.

The nil deref is easy enough to avoid (lib/authlogic_connect/oauth/session.rb line 61):

token = oauth_token.find_by_key(key, :include => [:user]) # some weird error if I leave out the include          
self.attempted_record = token.user

But the thing that worries me is the token not being found - testing with Facebook and Twitter does not exhibit this behavior. I'd really like to get Google OAuth working as my users will likely be using that service the most. Any clues?

I'm using the plugin to connect to google Oauth.
It is working fine, user and token are created but once logged in, the active token is not set:
'active_token_id' in User and 'active' flag in AccessToken remain 'nil'.

It seems that the method 'complete_oauth_transaction' in authlogic_connect/oauth/user.rb is never called, the one in authlogic_conncet/oauth/session.rb is called fine.

Any idea what is happening ?

Using facebook oauth.

The active_token_id field never gets populated in the User table. tokens and active_token always return nil. They key (for facebook) and active fields(both fb and twitter) in the access_tokens also never get filled.

@user.get_token(:facebook) works as expected.

Should have option to set whether or not to use popups (similar to how RPXNow works) for authentication. The people who created RPXNow made the ruby-openid gem, so they set the standards :).

Handle case where user tries to login to an account they haven't registered for.

hi there, great gem, thanks for all the work!

seems the migrations included and the rails 2 example appear to be out of sync with the code.

in terms of migrations:

1. the code expects "access_tokens" table, not "tokens" which is currently in the included migrations

2. the code expects "token" field in the "access_tokens" table, which is currently missing from the included migration.

cheers

Making a request to verify_credentials gets a 401, Incorrect signature error. (as does making a post request from the token's client to, say, create a friendship).

this came up on a first-search-attempt: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/a5e0bfd8e1cd4177 Might be relevant, but I haven't had the chance to really look at it.

I'll look into this in the morning.

The twitter authorize_url should be set to:
https://api.twitter.com/oauth/authenticate
instead of:
http://api.twitter.com/oauth/authenticate

I'm not sure what a Facebook stream publish would look like. Something along the lines of:
def facebook
if token = authenticated_with?(:facebook)
@facebook ||= JSON.parse(token.post("/me/feed", {:message => "test"}))
puts "FACEBOOK LOG: "[email protected]
end
end

...but this just returns a 500 error from Facebook. Am I close?

(side note: the permissions requested might be better off someplace besides inside the gem)

I'm trying to get a copy of an app that works fine in OSX up and running on Ubuntu, but it looks like AuthlogicConnect isn't loading properly. When it hits the line:
AuthlogicConnect.config = YAML.load_file("config/acc.yml")
it throws an error: uninitialized constant AuthlogicConnect (NameError)

Bundle install says that everything is installed fine, and the config is identical to two other machines which have no issues.
ruby --version
ruby 1.9.2dev (2010-07-11 revision 28618) [i686-linux]

rails --version
Rails 3.0.0.beta4

I'm not sure where to troubleshoot this....

When attempting to install via:

sudo gem install authlogic-connect

on Rails 2.3.8, one is presented with this message:

Building native extensions. This could take a while...
ERROR: Error installing authlogic-connect:
activemodel requires activesupport (= 3.0.0, runtime)

Thoughts?

If the user tries to create an account that they already have, throw error.

If they press cancel while at the oauth provider, it will redirect back and we get an error. Needs to render some helpful screen.

I can't seem to find native support for making post requests to the API. Am I just looking in the wrong place, or is this coming in the future? (I'll try to add it in in the meantime . . . )

Thanks!

http://groups.google.com/group/foursquare-api/browse_thread/thread/e85c855e79750db7

"/oauth/authenticate endpoint serves the same function as /oauth/authorize, but it will auto redirect the user if they've already authorized your app"

Current endpoint required user to allow the app everytime. this is more streamlined.

Foursquare does rate-limiting based on the user-agent.

Right now, the main way to set the user-agent is to pass user-agent in to the options hash of the AccessToken's get and post methods. I kind of like the idea of adding user-agent as an option in the config files (as is done for scope, and for api_version in my fork). Any thoughts?

Hi we found that you symbolize keys of session, which make flash bad.
in:
lib/authlogic_connect/common/variables.rb:

23: def auth_session
24: return nil unless auth_controller?
25: auth_controller.session.symbolize_keys!

Also after reviewing this method, I do not see where you use symbols, you use strings for compare:

27: if key.to_s =~ /^OpenID/

My solution is to remove 25 line.

My rails version is 2.3.10, where FlashNow use session["flash"].

With regards,
Paul

Wouldn't it be good if the exception will be raised when trying to save User (< ActiveRecord::Base) with "authentication_type => :session" or UserSession (< Authlogic::Session::Base) with "authentication_type => :user" ?

Or maybe it should be mentioned in README... Otherwise it could be difficult to figure out why no redirect happened (well, at least for me it was).

Not all openid/oauth providers give you the email, which can be considered a globally unique user friendly identifier. So if we set "validate_email_field", authlogic-connect should bring up a "confirm email" screen that prompts them to type in their email. We need to temporarily create a user though, in the database, so we could use a state machine ("confirmed", "active", etc.), or just a simple boolean ("confirmed"). Probably identify by the persistence_token, is that acceptable (so in confirmation form, it would store persistence_token in a hidden field)?

After installing the rails 3 example project, trying to run it generated a 500 error pointing back to authlogic-connect:

I've tried both 4.05 and 4.06 -- same results. I'm not familiar enough with what is being done here to troubleshoot it effectivel, but I do see notes in the rails 3 changelog that this method was removed as part of beta 3. Is there a simple fix?

I get the following error when I use the facebook option in the sample app.

{
"error": {
"type": "OAuthException",
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration."
}
}

Here is the url

https://graph.facebook.com/oauth/authorize_success?scope=email%2C+offline_access&client_id=d8c9cc1521eec67e81a5ea559825e92f&type=web_server&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fsignup&perms=email%2Coffline_access&selected_profiles=100000602003987&session={%22session_key%22%3A%221be4416fff1c2146eb8c69e7-100000602003987%22%2C%22uid%22%3A100000602003987%2C%22expires%22%3A0%2C%22secret%22%3A%2218e034775dd34b496eae41124355970b%22%2C%22sig%22%3A%22aacc5303f6c178cdbd72e28395227003%22}

I'm having trouble following the recent changes for api_versions. There's an api_version method in access_token.rb that returns config[:api], implying that the api_version should be specified amongst the settings in the token class. But in FoursquareToken, :api_versions and :api_version are defined, not :api.

It also doesn't look like that api_version is ever actually merged in when there's a request.

The example app for both rails 3 and 2.3.* are not working for me.
When i do click on facebook, the url generated is something like "https://graph.facebook.com/oauth/authorize?scope=email,%20offline_access&client_id=&type=web_server&redirect_uri=http://192.168.0.121:3000/authenticate"

where the client_id is null.There is no provision to specify it.
Where as the live example on heroku is working fine.
What is the problem, am I doing something wrong??
Also, if i do add the client_id in the url, it authenticates the user, but again throws some exception while requesting the access token, as client_id id missing there too..

Thanks

in the example app, the params for UserSessionsController#create are processed via

@user_session = UserSession.new(params[:user_session])

however the form in the example has the params bare. when i change them to be scoped via user_session things break.

I think that's because authlogic connect is not actually using the params passed to UserSession. It looks like it reads the params directly from the controller here:
AuthlogicConnect::Common::Variables#auth_params

Hi, this looks great, have yet to try it but wanted to know how this was similiar/different from using omniauth? thanks!

The traditional model has it so the user has to use two pages: Register, and Login. However, that doesn't provide the best user experience when using Oauth and OpenID. It should be the same thing to the end user, similar to how StackOverflow, TwitPic, and RPXNow work.

Example:

If user has logged in through Twitter, and then logged out, they now have an account and an OauthToken for twitter. Now if they login through MySpace, and we have the confirmation email thing setup, when they enter their email, we should find the user by that email, and associate that account with them, not create a new user.

I've not had a chance to have a proper look, but it would appear that OAuth authentication breaks with the latest security release of rails (3.0.4).

If I get the chance, I'll try and uncover why, but thought I'd post here now in case anyone else experiences this in the meantime.

Getting invalid gemspec error when specifying authlogic-connect's git repo.

Works fine if I specify the gem.

Can anybody else reproduce this?

Is there a way to access the AccessToken returned from the OAuth provider before/after a save/update_attributes fails due to the AccessToken already belonging to a different user?

I'd really like to be able to query the API using the new AccessToken so that I can, e.g., pull the user name of the AccessToken to present in the error message, so that instead of saying:
"Sorry, that Twitter account is already linked", I could say "Sorry, the Twitter account [username] is already linked."

AFAI understand, the token/secret pair should get updated every login. There many reasons why, e.g. token can expire ... Unfortunately now doesnt get updated, so if you have expired token in the DB, it never gets updated and you cant use the api...

Hi Lance,

What's the best way to support dynamically setting the scope (in particular, for Facebook)? Right now it's handled by the settings config, correct?

Thanks,
Andrew

In Edge Rails (rails-3.0.0-beta4), load_paths has been renamed to autoload_paths, resulting in this error:

/Users/peter/.rvm/gems/ruby-1.9.2-preview3@rails3edge/gems/authlogic-connect-0.0.5.1/lib/authlogic-connect.rb:26:in block in <top (required)>': undefined methodload_paths' for ActiveSupport::Dependencies:Module (NoMethodError)

I am using rails 2.3.5

1 - In the sample there is a oauth_consume method implemented. Is that necessary. How should it be done if there are multiple oauth_consumers?

2 - The sample app only works with twiter, is that correct?

Thanks for the great gem, I am looking forward to using it!

The plugin has been helpful, thanks!

Two questions are:

1. I tested to avoid requiring the "offline access" permission for Facebook Connect. I realize that the privilege is required so that Facebook will return a permanent access token, which is used in authlogic-connect to uniquely identity a Facebook user. I tested removing the "offline access" request with the authlogic-connet-rails2-example and it works fine by creating a new user record for every fresh login to Facebook. I wonder if we could (and how to) modify the plugin so that somewhere during the 'save' process, the application will check if a Facebook user has previously login (based on his email address) and return this record (instead of creating a new record). IMHO, the requested "offline access" privilege may not popular for end users.
2. Can authlogic-connect logout a user 'from Facebook'?

Thanks!

My app requires teh email field to be mandatory. I notice that in some other authlogic add_ons (like authlogic_rpx), it is possible to save to session record optimistically, and then later prompt the user to enter the required field. Is it possible to do that authlogic-connect?

Thanks

Handle case where, if use is logged in through say twitter, and they try to create an account with twitter again.

Object#returning has been removed from ActiveSupport in version 3.0.0.rc of Rails. You are supposed to use Object#tap now, which is defined in all versions of Ruby supported by Rails 3 and defined in ActiveSupport in earlier versions of Rails so it is safe to always use tap instead of returning.

Sorry for the cross-post (I put this issue on the example project as well). Please let me know which project this is more appropriate in and I'll delete the other one.

I'm running rails 3.0.5 on ruby 1.9.2 and when I try to generate a model for the AccessToken I get the following error:

$ rails generate model AccessToken user_id:integer type:string key:string token:string
secret:string active:boolean
invoke active_record
The name 'AccessToken' is either already used in your application or reserved by Ruby on
Rails. Please choose an alternative and run this generator again.

I'll try hand coding the migration to add the table to the database but I'm concerned that AccessToken may be a rails reserved key word and I'll run into trouble down the line. Any help understanding what is going on here would be greatly appreciated.

Thanks!

User should be able to create a new account by logging in. This would go through the user_sessions_controller, run through the authentication protocol, and create a new user if there isn't one. This should be the default.

can't login with twitter and facebook when using authlogic 2.1.6, only works for odorcicd's fork

Because I'm storing a few variables in the session, the following situation will break:

• User clicks to authenticate with Google
• When Google asks for confirmation, user presses back button
• User then decides to authenticate with Twitter.

I need a way to better manage/reset the session variables, coming soon.

Hey Lance,

I thought my reset_consumer fix would be sufficient for this . . . but it only works in the happy land of a single user/single access test environment. As soon as any user authorizes (in particular, with Foursquare), that network's OauthToken's consumer will be corrupted, so any future API calls will be directed to the wrong address. It works in the single user/access case simply because there aren't API calls being made concurrently to the auth process.

Any thoughts on the best way to fix this? Is there anything wrong with just building a new consumer every time instead of caching it? (or maybe, every time for auth . . . and only caching for API or something?)

-Andrew

i upgraed oauth2 to version 0.2.0
and authorize of facebook, twiiter did fail.

Hi,

I have AbstractController::DoubleRenderError in UsersController#create when I'm trying to create user account via OpenID.

The code of create action:

def create
  @user = User.new(params[:user])
  @user.save do |result|
    if result
      flash[:notice] = "Account registered!"
      redirect_to root_url
    else
      redirect_to sign_up_url
    end
  end
end

Parameters for create action:

{"commit"=>"Register",
"authentication_type"=>"user",
"authenticity_token"=>"+X7c+p3LvOQ0Bt38wvu3kykY2UAkKyqaII0yiCPQ7ks=",
"utf8"=>"\342\234\223",
"openid_identifier"=>"username.myopenid.com"}

I'm using Rails 3 and REE.

Save is currently tied to a context that it shouldn't be, so if you save it in the terminal, it will throw an error. This is a quick fix.