These are chat archives for MrSwitch/node-oauth-shim

10th
Mar 2016
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 16:04
@MrSwitch So node-oauth-shim has an endpoint to check the token authenticity?
Andrew Dodson
@MrSwitch
Mar 10 2016 17:39
No, it's actually quite difficult to explain. Basically there are four parts to making a signed OAuth1 call: oauth_token, oauth_token_secret, oauth_consumer_key, oauth_consumer_secret
The node_oauth_shim keeps the oauth_consumer_secret ... a secret. Pass it the other three parts and it'll create a signature to authenticate the request being made.
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 17:47
I'm trying to understand if there is a way I can check the authenticity of the Twitter account after the response is returned to the front with hellojs. Maybe modifying the node-oauth-shim?
A way where, with something (maybe a token), I can check the authenticity of that information retrieved with hellojs @MrSwitch
Andrew Dodson
@MrSwitch
Mar 10 2016 17:50
@bordemof I'm assuming this is for federated authentication. Check out https://github.com/MrSwitch/hellojs-signin-demo
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 17:55
Can I explain my use case to you?
Andrew Dodson
@MrSwitch
Mar 10 2016 17:55
@bordemof sure
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 17:55
I'm not sure if federated authentication suits my situation
I have some users that are not really registered in my app
For example, I have a profile of arnold_swarzenegger
That profile had a Twitter handle set manually
So I would want to give the ownership of that account if the real Arnold logs into my app
with Twitter
The problem I'm facing
is that I cannot check the authenticity of a Twitter registration after it returns from my client/hellojs
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 18:00
Someone could be faking that custom call I'm doing with the result of the hellojs process
Andrew Dodson
@MrSwitch
Mar 10 2016 18:05
I'm not sure I follow. It sounds like federated authentication.
In the demo app the user's profile is obtained server-to-server, and their session is built around it.
One cannot believe what the client sends to a server, unless it can be verified with the third-party provider from which it came.
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 18:08
Exactly
With Facebook you can check the token to see if the information sent matches
But I'm not seeing the way to do this with Twitter
strategies[network].userProfile(data.oauth_token, data.oauth_token_secret, data, setSession.bind(null, req, network));
Andrew Dodson
@MrSwitch
Mar 10 2016 18:11
Exactly!
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 18:11
That line checks the authenticity, right? I'm doing something similar in my backend
Andrew Dodson
@MrSwitch
Mar 10 2016 18:11
Correct, you're on track
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 18:13
For the Twitter service, what endpoint is the userProfile method hitting?
Is it my impression, or is OAuth1 a pain to work with?
Andrew Dodson
@MrSwitch
Mar 10 2016 18:21
Please defer to the passport.js module which is handling that Twitter profile request backend
Yes, OAuth1 is hard, which is why I think people like the fact that I shimmed it. :)
Imanol Yáñez Sastre
@bordemof
Mar 10 2016 18:23
OK, I'm going to read that module slowly to understand correctly if there is a solution to my problem. Thank you so much @MrSwitch, you have been so helpful