
johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago
I noticed that the Twitter single sign-on requires both read and write access from end users. When a user clicks on register with Twitter, Twitter tells the end user that:

This application will be able to:

Read Tweets from your timeline.

See who you follow, and follow new people.

Update your profile.

Post Tweets for you.

Since YAF does not do any of the four options above, why not remove the write option and make it read-only (in Twitter settings)?

We only need to read user details to register (or login) users on the forum. We would not be adding anything to their twitter profile or posting any messages on their behalf.

I personally do not generally use applications which require all four options listed above. It may lead to many users not using Twitter as a login option.

johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago
Related bug in FB SSO:

When you click on "register with facebook", it takes you to the Facebook page and gives the options "Okay" or "cancel".

If I click on cancel, it again redirects me back to the same two options, "okay" and "cancel".

Clicking cancel a second time redirects to the FB error page:

I'm stuck in an app that keeps asking to access my info or post on my behalf, and I can't dismiss the message.

If an app asks to access your info or post on your behalf and won't allow you to decline or click Cancel, it isn't following our policies.

Please report the app if it continues to ask for your info. We appreciate your patience, and thanks for helping us enforce our policies.

johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago
A bug in Google SSO:

When you click on "register with google", it redirects you to a page with an "accept" or "cancel" button. When you click on the cancel button, it gives this error message:

Error: invalid_request

http://www.example.com/forum/auth.aspx?auth=google&error=access_denied 

Learn more

Request Details

https://www.googleapis.com/auth/userinfo.email 

response_type=code

redirect_uri=http://www.example.com/forum/auth.aspx?auth=google&error=access_denied

client_id=181937474123.apps.googleusercontent.com

Feel free to move these two posts or entire thread to bugs forum.
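One way to handle the cancel path reported in the Facebook and Google posts above, as an added C# example that is not YAF's code: the redirect URI stays a fixed value instead of being rebuilt from the request (the request details above show a redirect_uri that already carries error=access_denied), and a returned error ends the flow instead of restarting it. The enum, class, `state` handling, `provider.example` endpoint and client id placeholder are assumptions; the redirect URI and scope are the values quoted in the post.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example, not YAF code; every type and member name here is hypothetical.
public enum CallbackAction { StartAuthorization, ExchangeCode, ShowCancelled, RejectState }

public static class OAuthCallback
{
    // Fixed, pre-registered value. It is never rebuilt from the incoming request URL,
    // so a returned "error=access_denied" cannot end up inside the next redirect_uri.
    public const string RedirectUri = "http://www.example.com/forum/auth.aspx?auth=google";

    public static CallbackAction Decide(Uri requestUrl, string expectedState)
    {
        NameValueCollection query = HttpUtility.ParseQueryString(requestUrl.Query);

        // The provider reported a failure (for example the user pressed Cancel).
        // This is terminal: show a message, do not send the user back to the consent page.
        if (!string.IsNullOrEmpty(query["error"]))
            return CallbackAction.ShowCancelled;

        // Success path: only accept a code that comes back with the state value we issued.
        if (!string.IsNullOrEmpty(query["code"]))
            return !string.IsNullOrEmpty(expectedState)
                && string.Equals(query["state"], expectedState, StringComparison.Ordinal)
                ? CallbackAction.ExchangeCode
                : CallbackAction.RejectState;

        // No provider parameters at all: this is the first click on "register with ...".
        return CallbackAction.StartAuthorization;
    }

    public static string BuildAuthorizationUrl(string endpoint, string clientId, string scope, string state)
    {
        return endpoint + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + Uri.EscapeDataString(state);
    }

    public static void Main()
    {
        // Constructed sample: the callback URL the browser lands on after Cancel.
        var cancelled = new Uri(RedirectUri + "&error=access_denied");
        Console.WriteLine(Decide(cancelled, "constructed-state"));
        Console.WriteLine(BuildAuthorizationUrl("https://provider.example/authorize",
            "CLIENT_ID_PLACEHOLDER", "https://www.googleapis.com/auth/userinfo.email", "constructed-state"));
    }
}
```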

johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago
My event log has many errors for Facebook SSO and so far no one seems to have been able to use FB SSO to register.

Error while trying to login or register the facebook user System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\DWASFiles\Sites\domain\VirtualDirectory0\site\wwwroot\forumresources\ProviderExceptions.xml'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
   at System.Threading.CompressedStack.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
   at System.Xml.XmlTextReaderImpl.OpenUrl()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(String filename)
   at YAF.Providers.Utils.ExceptionReporter.ExceptionXML() in d:\YAFNET-master\yafsrc\YAF.Providers\Utils\ExceptionReporter.cs:line 182
   at YAF.Providers.Utils.ExceptionReporter.GetReport(String providerSection, String tag) in d:\YAFNET-master\yafsrc\YAF.Providers\Utils\ExceptionReporter.cs:line 73
   at YAF.Providers.Utils.ExceptionReporter.ThrowArgumentNull(String providerSection, String tag) in d:\YAFNET-master\yafsrc\YAF.Providers\Utils\ExceptionReporter.cs:line 135
   at YAF.Providers.Membership.YafMembershipProvider.GetUserNameByEmail(String email) in d:\YAFNET-master\yafsrc\YAF.Providers\Membership\YafMembershipProvider.cs:line 1051
   at YAF.Core.Services.Auth.Facebook.LoginOrCreateUser(HttpRequest request, String parameters, String& message) in d:\YAFNET-master\yafsrc\YAF.Core\Services\Auth\Facebook.cs:line 155
   at YAF.Auth.HandleFacebookReturn()

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
11 years ago

We only need to read user details to register (or login) users on the forum. We would not be adding anything to their twitter profile or posting any messages on their behalf.

Actually YAF does tweet, but NOT automatically. The user can tweet a topic or a single message.

When you click on "register with google", it redirects you to a page with an "accept" or "cancel" button. When you click on the cancel button, it gives this error message:

Fixed

Related bug in FB SSO:

When you click on "register with facebook", it takes you to the Facebook page and gives the options "Okay" or "cancel".

If I click on cancel, it again redirects me back to the same two options, "okay" and "cancel".

Clicking cancel a second time redirects to the FB error page:

Fixed

My event log has many errors for Facebook SSO and so far no one seems to have been able to use FB SSO to register.

Fixed; this issue is not related to SSO itself.

johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago

Actually YAF does tweet, but NOT automatically. The user can tweet a topic or a single message.

Thank you tha_watcha. If that is the only scenario, why don't we either (a) default back to the old ways in which the tweet button in YAF 1.9.6 worked (open a pop-up window and Twitter will ask them if they want to tweet) or (b) use the simple tweet button which is now used probably in millions of websites (with the same functionality)?

I am concerned that if the forum is hacked (weak password, ASP.NET bug, IIS bug, etc.), the hacker can have access to lots of members' personal details (by adding a new page on the website and pulling personal tweets, etc.).

As you may have heard, about 30,000 vBulletin sites were hacked a few weeks ago. The hacker was able to create an admin account using the install folder.

Hence it would be very helpful to limit the data we ask from users (a) that we do not really need and (b) provide exact same functionality with just a simple tweet button.

Many people would not use any forum which asks for so many Twitter permissions just for registration/login.

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
11 years ago

I am concerned that if the forum is hacked (weak password, ASP.NET bug, IIS bug, etc.), the hacker can have access to lots of members' personal details (by adding a new page on the website and pulling personal tweets, etc.).

That wouldn't be a problem, because I had that concern too. I decided that the access tokens that are needed for the application to tweet are not saved in the database, only temporarily in the session state.

The actual reason why YAF needs write access is that, when private messages are disabled in YAF, it sends the user a DM after registration to let the user know that they need to enter the correct email address in the user profile.

johnk
  • johnk
  • 74.8% (Friendly)
  • YAF All-the-Time Topic Starter
11 years ago

The actual reason why YAF needs write access is that, when private messages are disabled in YAF, it sends the user a DM after registration to let the user know that they need to enter the correct email address in the user profile.

I think Twitter verifies the email address when a user registers at Twitter. So if we use this verified address from Twitter during registration, why do we ask them to enter the correct email address again? I am just curious. 🙂

tha_watcha
  • tha_watcha
  • 100% (Exalted)
  • YAF.NET Project Lead 🤴 YAF Version: 4.0.0 rc 2
11 years ago

The actual reason why YAF needs write access is that, when private messages are disabled in YAF, it sends the user a DM after registration to let the user know that they need to enter the correct email address in the user profile.

Originally Posted by: johnk

I think Twitter verifies the email address when a user registers at Twitter. So if we use this verified address from Twitter during registration, why do we ask them to enter the correct email address again? I am just curious. 🙂

Because Twitter doesn't share the email address with OAuth when a user registers on the forum via Twitter. Currently YAF uses the dummy address username@twitter.com.

To make things like email notifications work, the correct email address is required.