Implement a Home Page with facebook link

[corentingiraud]

Goal

Create a home page for Guest visitors. This page will be composed of cards representing a news. The card interface is described below.

A card could be:

• Fetched form the K-Fêt Facebook Page through Facebook API
• Created by a user (barman or specialAccount with appropriated permissions).

Implementation

Front

In sprint 5, we will use material card to display cards. In next sprints, we will implement a unique card view in order to display custom card in a much better way.

API EndPoint

• GET /feed?offset=XX Get the 40 lastest news including facebook news and custom news with XX offset (we will define this figure considering ServerMonitoring logs). This request have to be cached in the server memory (or in a redisDB?). It is computed every X minutes (depends of the facebook application limits).

The following endPoint will be implemented in next sprints:

• POST /feed Create a card
• PUT /feed/{id} Update a card
• DELETE /feed/{id} Delete a card
• GET /feed/categories/ Get all categories.
• POST /feed/categories/ Post a new category
• PUT /feed/categories/{id} Update a new category
• DELETE /feed/categories/{id} Delete a new category

Card Interface

{
  title: String,
  content: String, // Markdown content
  createdAt: Date,
  updatedAt: Date,
  date: Date, // Event date or = createdAt date
  pin: Boolean,
  isFacebook: Boolean,
  media: [
      id: Number,
      url: String,
      type: ENUM(video, image),
    }
  ],
  openLink: string,
  categories: [{
      id: Number,
      name: String,
      shortDescription: String,
    }
  ],
};

Facebook edge to card support

For the begining, we have to support only post. In next sprints, we can implfutherement: link, status, photo, video, offer.

[corentingiraud]

We schouldn't use facebook API page in the client side.

https://stackoverflow.com/a/33078837

[corentingiraud]

We schould use this module in back. As a result, we fetch the event every X minutes. https://github.com/kwhitley/apicache

[corentingiraud]

Also, this package could be very usefull if we want to simplify calls to the facebook API graph page. https://www.npmjs.com/package/fb

[Embraser01]

Ok, nice job !

I don't have much to say.

For caching:

• Why using redis ?
• If we want to save post made by a barman, we will need a database, so why not save facebook post ?
• In this case, we just need to set FB to sent us a notification when a new post is made and just load posts from database (so no cahcing).

For post content:

• I think we should forbid (escape) HTML in the content field.
• If we want to allow it, we could use Markdown

[Embraser01]

Also, does we also post the post made through the K-App in Facebook ?

[Embraser01]

Anyway we will use webhooks to detect new post on the FB page: https://developers.facebook.com/docs/graph-api/webhooks/

We will add a new middleware https://github.com/alexcurtis/express-x-hub

I didn't have time to search for how subscription works, I will do it later

[corentingiraud]

@Embraser01

Why using redis ?

Use redis could save server RAM: check ApiCache wiki

If we want to save post made by a barman, we will need a database, so why not save facebook post ?

Because we have update our database if a Facebook post, link ... is updated or removed. It will be very difficult to maintain. What do you think ?

we just need to set FB to sent us a notification when a new post is made

How ? Oh ok you answer that !

Also, does we also post the post made through the K-App in Facebook ?

No, I don't want to implement it. Maybe someone, one day, will !

Use markdown instead of HTML

Ok ! Great idea. Is that for security reasons ?

[Embraser01]

Ok ! Great idea. Is that for security reasons ?

Yes, exactly :wink:

It will be very difficult to maintain. What do you think ?

Actually, with the webhooks system, it will be easy, as it will be quite the same as updating a post from the website. As I understand:

• At startup, we subscribe to FB for a page,
• Then FB will send updates from the page (create/update/delete/etc...)
• We then just have to call the same services as thus for a post from the webiste

[corentingiraud]

Our new Privacy Policy

[corentingiraud]

Unilited Page Token way

Protocole d'obteintion d'un token d'accès de page illimité (never expired)

https://medium.com/@Jenananthan/how-to-create-non-expiry-facebook-page-token-6505c642d0b1

Debogeur de token

Pour tester la validiter d'un token et obtenir des informations

https://developers.facebook.com/tools/debug/accesstoken/

J'ai donc pu créer un token illimité mais ne peut pas l'utiliser (cf mon post slack):

REPORT

• C'est un coup dur pour l'application K-App & l'intégration des posts facebook !* Pour faire simple, Facebook vient tout juste (il y a 2 jours) de restreindre l'accès à son API à cause des attaques de Cambridge Analytica (la société au coeur du scandale). Renseignez vous sur le web ! L'article officiel sur le blog de facebook (posté le 21 mars). https://newsroom.fb.com/news/2018/03/cracking-down-on-platform-abuse/ Sinon, voici la capture d'ecran qui illustre la restriction (le token d'accès est valide et la requête est censée renvoyer la totalité des posts facebook de la page de la K-Fêt). Bonne nuit Another cool article: https://www.theguardian.com/technology/2018/mar/21/mark-zuckerberg-response-facebook-cambridge-analytica

Webhook way

Not possible due to same reason i suppose.

https://developers.facebook.com/docs/pages/realtime?locale=en_US

In our webhook product configuration (facebook application settings & configuration)

[Embraser01]

It's good now, I will start developping it soon (the back part)

[Embraser01]

So... To resume the path to get webhooks notifications from FB:

• [ ] Create a route to verify the challenge (GET /feed/webhooks)
• [ ] Create a route to handle updates (POST /feed/webhooks)
• [ ] Check for the good X-Hub header

To subscribe for these updates, we have two options:

The first is to directly configure the app through the FB UI, but I don't think it's the best way.

The second way is through the subscriptions edge of FB: A simple request to POST /v2.12/{app-id}/subscriptions with:

• app_id which will be pass by the environnement variable FB_APP_ID
• object the type of object we want (here page)
• callback_url is WEB_CONFIG.publicUrl + '/api/feed/webhooks'
• fields a string listing all the fields wanted (separated by ,)
• include_values to true
• verify_token will be an environnement variable generated at setup
• access_token which will be pass by the environnement variable FB_ACCESS_TOKEN

To be allowed to do that, the app must have access to the page:

See the official explanation to do it directly from the Graph Explorer here.

Or follow these instructions (approximatly the same): (incoming soon..)

[corentingiraud]

Do we need FACEBOOK_APP_ID ENV VAR or a hard coded VAR for dev and prod is enough ?

Do we want that user can update PAGE ID ?

Required config

• Configure two facebook app:
  • For dev
  • For prod
• Create facebook dev page
• New ENV VAR:
  • FACEBOOK_APP_SECRET
  • FACEBOOK_APP_ID
  • ? FACEBOOK_PAGE_ID (in database for client update only in prod ? Security ?)
  • ? FACEBOOK_PAGE_ACCESS_TOKEN (in database for client update only in prod ? Security ?)
• New config var:
  • FACEBOOK_APP_SECRET (depend on FACEBOOK_APP_SECRET on prod & hard coded facebook test app secret on dev)
  • FACEBOOK_APP_ID (depend on FACEBOOK_APP_ID on prod & hard coded facebook test app id on dev)
  • FACEBOOK_PAGE_ID (depend on FACEBOOK_PAGE_ID on prod & hard coded facebook test page id on dev)
  • FACEBOOK_WEBHOOK_URL (depend on PUBLIC_URL on prod & ngrok on dev)
  • FACEBOOK_PAGE_ACCESS_TOKEN (depend on FACEBOOK_PAGE_ACCESS_TOKEN)

Access Tokens

Must read: Facebook documentation

Get an app access token

GET /oauth/access_token with these params:

• client_id = FACEBOOK_APP_ID
• client_secret = FACEBOOK_APP_SECRET
• grant_type = 'manage_pages+publish_pages'

Get a page access token

We have to get two page access token token (one for dev fake facebook page, one for prod real facebook page). These tow tokens have to never expire.

Follow these medium post with a facebook account which is a administrator of the page.

These tokens will never expire until user change the password / user revoke the app.

We have to think of a way to store / modify these tokens

Our server process

• Get an app access token
• Check app subscription through /v3.0/{app-id}/subscriptions (with an app access token)
  • object === 'page'
  • callback_url === ${WEBHOOK_URL}
  • fields include feed
  • active === true

If check succeed, Stop process. If check failed:

• Remove all subcriptions through DELETE /v3.0/{app-id}/subscriptions (with an app access token)
• Get a page access token
• Make sure that page (FACEBOOK_PAGE_ID) have installed the app (FACEBOOK_APP_ID) through GET /v3.0/{page-id}/subscribed_apps (with an page access token)
  • Check body.data[x].id === FACEBOOK_APP_ID
• If not, create a subscribed_apps edge for the page through POST /{page_id}/subscribed_apps (with a page access token)
• Create a new subcription through POST /v3.0/{app-id}/subscriptions (with an app access token)
  • object = 'page'
  • callback_url = ${WEBHOOK_URL}
  • fields = [feed]
  • active = true

Endpoints

Documentation

• GET api/feed/webhook : Verification Request: Verify token + respond with challenge field (to which URL?)
• POST api/feed/webhook : Event Notification

[corentingiraud]

What do you think about his ?

[Embraser01]

Do we need FACEBOOK_APP_ID ENV VAR or a hard coded VAR for dev and prod is enough ?

An env variable is better (no need to edit code in case the app change).

Do we want that user can update PAGE ID ?

Page Id is not necessary, the application can receive update from every pages that allowed the app.

? FACEBOOK_PAGE_ID (in database for client update only in prod ? Security ?) ? FACEBOOK_PAGE_ACCESS_TOKEN (in database for client update only in prod ? Security ?)

There is no need for page id informations as the server will handle every post sent through the endpoint (we will consider it as coming from the K-Fêt page).

New config var: ...

I think we will rely only on ENV variables for dev config because every token is sensible informations and should not be commit. And we will add a failsafe if there is no TOKEN (no facebook feed in this case). And still no page IDs :smiley:

Access Tokens

I think this is for managing the page, but we can't get webhooks from here...

Server Process

I think we shouldn't install the apps from the server. It's a one time operation and should be done by the administrator of the page.

If we have some problems with the subscription edge, we could send an email to the webmaster with some logs describing the issue. This means that we don't know the page, but only the FB app.

GET api/feed/webhook : Verification Request: Verify token + respond with challenge field (to which URL?)

We respond to the request (there isn't another request made).

Models

Do we need a category? (I would say yes probably)

Otherwise it looks good, anyway it is the model sent by the webhook no?

[Embraser01]

Let's close this as it's no longer the goal of the K-App (maybe we can do something like this in https://github.com/K-Fet/kfet-insa.fr). Feel free to re-open it if it still is :wink: