
Author Topic: Synapse ahd XOAUTH2 (gmail)?  (Read 40071 times)

rvk

  • Hero Member
  • *****
  • Posts: 6802
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #60 on: August 06, 2015, 12:25:43 pm »
Quote
I found that these lines (in setxoauth2.pas) were not only useless
but disrupted the code, when there is no tokens.dat
Yup. I already mentioned I had the feeling that when there is no tokens.dat the getaccess would be called twice.

Quote
But furthermore, I have no idea where you took your
SearchFor := 'readonly="readonly" value="';
That's the problem with the body-html method. The source-code is an undocumented way to get the code and can change at any moment. That said... for me it's still this:
Code: [Select]
<input id="code" style="width: 300px;"
   onclick="this.focus();this.select();"
   type="text" readonly="readonly" value="4/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
Are you sure you don't have that readonly before it? I wasn't sure every page that is returned (also in case of error) didn't have "value=" in the source so I used this one.

But again... It's best to keep using the UseBrowserTitle:=true according to Google.
Quote
If you set the redirect_uri to urn:ietf:wg:oauth:2.0:oob, Google's authorization server will return a page to the browser like the one shown below. Your application can then extract the authorization code from the page title.
So the browser-title should always be correct. Was it not correct for you??? Last time I had a cut-off code was about a year ago and I figured Google fixed it for IE by now.

When there is no code in the title the code goes to searching the body automatically. This will only work if there is really no code. If the code is cut-off then an invalid code is received and the library thinks it can work with that. That's why I implemented this workaround, but only to be used if the Title-method failed. Maybe it would have been best to retrieve both the title-code and the body-html code and first check, in code, if it can gain access with the title-code and if not give the other code back to the user. That's for the future and only necessary if the Title-code is faulty on some system. That's why I wanted to know if the Title-code failed at your end.
« Last Edit: August 06, 2015, 12:28:05 pm by rvk »

epergola

  • Full Member
  • ***
  • Posts: 157
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #61 on: August 06, 2015, 05:22:12 pm »
No, the title code did not fail with me.
Since you had that html check part in your code and said that the title check once failed with you, I wanted to test it.
Hence I did the change.
I put some debug lines written to a file
(attached), and this is my conclusion.
1. 'value="'
    is not present in my html,
    'value='
    is
2. I went then to  check for 'value='    and found.
   So I did not realize that even the Browser.LocationName contained the code.
3. However I think that looking for 'this.select(); value=' is the safe way, b/c that is what is copied to the clipboard if the user selects it.

epergola

  • Full Member
  • ***
  • Posts: 157
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #62 on: August 06, 2015, 05:27:33 pm »
I forgot to add this.
You say:
"Maybe it would have been best to retrieve both the title-code and the body-html code"

I showed you my change in the 2nd last attachment, that should accomplish that:
        if UseBrowserTitle then begin
          Found := Browser.LocationName;
          Authorize_token := Copy(Found, Length(SearchFor) + 1, 1000);
          DebugLine('Authorization: We used the browser-title');
        end;
        if Authorize_token = '' then begin   

           <do the html stuff>

rvk

  • Hero Member
  • *****
  • Posts: 6802
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #63 on: August 06, 2015, 05:46:30 pm »
Quote
3. However I think that looking for 'this.select(); value=' is the safe way, b/c that is what is copied to the clipboard if the user selects it.
O, wow. That html-code really has some differences from mine (attached).

I wouldn't check on 'this.select(); value=' because in my case there is " type="text" readonly="readonly"  in between there. And there could be for your users too. In your case I would only check for value= and optionally remove " or ' if they are around the result.

Your code even has an invalid onclick-javascript. It should be surrounded by " or ' (shouldn't it?).
Code: [Select]
<INPUT style="WIDTH: 300px" id=code onclick=this.focus();this.select(); value=4/vD6ZfA6444pVKWI............D5fRTCLqpGD6fReg readOnly type=text>

So best is to go for the browser title and if that doesn't work go for value=?xxxx? (where ? could or could not be " or ').

Quote
I showed you my change in the 2nd last attachment, that should accomplish that:
        if UseBrowserTitle then begin
          Found := Browser.LocationName;
          Authorize_token := Copy(Found, Length(SearchFor) + 1, 1000);
          DebugLine('Authorization: We used the browser-title');
        end;
        if Authorize_token = '' then begin

           <do the html stuff>
Yep. That's a useful addition. However if the code is cut off in the browser-title (which it once was for me) the check for html would not be done (because Authorize_token <> '' but invalid). So retrieving both and checking the browser-title code and if that one is not correct use the html-body one is the safest way.

But then again... maybe the whole html-body check isn't necessary anymore (if Google fixed it). This was, if I remember correctly, when the code could contain invalid url-characters like & and +. In that case there was a problem retrieving it. But I haven't seen that in a long time.

epergola

  • Full Member
  • ***
  • Posts: 157
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #64 on: August 08, 2015, 07:00:59 am »
For curiosity, could you attach your html?

rvk

  • Hero Member
  • *****
  • Posts: 6802
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #65 on: August 08, 2015, 09:23:23 am »
Quote
3. However I think that looking for 'this.select(); value=' is the safe way, b/c that is what is copied to the clipboard if the user selects it.
O, wow. That html-code really has some differences from mine (attached).
Woops, yes, forgot to attach it. (now it is) It's copied from the debug screen from my demo-program so has some lines around it.

I also recently saw a final screen (after the consent-screen) with code to be copied, which was completely different from the standard. I think it was the authentication for sign up for a free Sublight subtitle downloader-account. I haven't seen the option in the Google Console but maybe the final screen is also (re-)designable.

Edit:
I also attached that one. You'll see it's completely different but checking for value="xxx" would still work.
« Last Edit: August 08, 2015, 09:33:01 am by rvk »

epergola

  • Full Member
  • ***
  • Posts: 157
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #66 on: August 09, 2015, 10:05:17 pm »
Well I do not know what those are.
In my code, I simply did this:

Found := Body.InnerHtml;
writeln(f,found);
            SearchFor := 'value=';
            n:=Pos(SearchFor, Found);
and the text file showed what I sent you.
One more question, if  Authorize_token = '' then
does not work, how can we check if Authorize_token is invalid?

rvk

  • Hero Member
  • *****
  • Posts: 6802
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #67 on: August 09, 2015, 10:39:08 pm »
I've changed my code at github:
https://github.com/rvk01/google-oauth2

What I've done is always read the Authentication_token and Authentication_token_html. Then in GetRefresh_token it will first check Authentication_token. If it doesn't get a valid access_token the procedure is run again but now with Authentication_token_html (they are swapped just before).

last part of GetRefresh_token:
Code: [Select]
procedure TGoogleOAuth2.GetRefresh_token;
//...

  // If we haven't got an Authentication token we need to ask permission
  if Authorize_token = '' then
    GetAuthorize_token_interactive;
  if (Authorize_token = '') then
    exit;

  LogLine('Getting new Refresh_token');
  //...
  // getting the real refreshtoken
  //...

  // finally check if we have an access_token otherwise run again
  if (access_token = '') and (Authorize_token_html <> '') then
  begin
    LogLine('Using backup Authentication token (html)');
    Authorize_token := Authorize_token_html;
    Authorize_token_html := '';
    GetRefresh_token;
  end;

end;

(I haven't changed the value="" yet, it still reads that "readonly". But I will change that later)

epergola

  • Full Member
  • ***
  • Posts: 157
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #68 on: August 10, 2015, 11:44:07 pm »
I don't understand.
You said that if the Authorize_token is not blank.
But you still check if it is blank?

if Authorize_token = '' then
    GetAuthorize_token_interactive;
  if (Authorize_token = '') then
    exit;
P.S.
I do not understand the "read only" stuff. In the InnerHtml, there is no read-only and the value is extracted correctly.

rvk

  • Hero Member
  • *****
  • Posts: 6802
Re: Synapse ahd XOAUTH2 (gmail)?
« Reply #69 on: August 11, 2015, 12:03:47 am »
Quote
You said that if the Authorize_token is not blank.
But you still check if it is blank?
It's blank if you first go into the procedure and GetAuthorize_token_interactive is executed the first time. But at the end of the procedure I swap the Authorize_token for Authorize_token_html and I run the same procedure again. But the second time the GetAuthorize_token_interactive must not execute because we already got that Authorize_token (which was the Authorize_token_html from before).

And exiting GetAuthorize_token_interactive the Authorize_token could still be blank if the authentication was cancelled or in case of manual input there was nothing entered. So checking afterwards is still necessary.

Quote
I do not understand the "read only" stuff. In the InnerHtml, there is no read-only and the value is extracted correctly.
There is for me. And if there is for me, there could be for your users too. I changed it in my latest version to only check value=?xxx? where ? could be " or ' or empty. Because for you the authentication code was not surrounded by " but for me it was.

But I must state again. I'm not sure if the browser-title method will ever fail. Google changed something (the code doesn't contain invalid characters anymore) so it will always succeed. If I don't hear from errors in the browser-title, I might remove the html-method in the future.

Here was the original message from me on the Dutch forum where I discovered the browser-title was cut off due to invalid characters. It was in October 2014. But I haven't seen it since. So I don't think this will happen again. So putting much effort in the html-method might be a waste of time.

« Last Edit: August 11, 2015, 12:15:13 am by rvk »
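
The `value=?xxx?` rule discussed in this thread (take the code whether or not it is wrapped in `"` or `'`), as an added Free Pascal example that is not part of the posts or of the google-oauth2 repository. The helper names and the three sample pages are constructed, and limiting the match to the `<input>` whose id is `code` is an assumption drawn from the two HTML snippets posted above, so that a `value=` elsewhere on the page is not mistaken for the authorization code.

```pascal
program ExtractCodeDemo;
{$mode objfpc}{$H+}
uses SysUtils, StrUtils;

const  // constructed sample pages; the code values are made up
  QuotedHtml = '<input id="code" style="width: 300px;"'#10 +
    '  type="text" readonly="readonly" value="4/CONSTRUCTED_sample-1">';
  BareHtml = '<INPUT style="WIDTH: 300px" id=code ' +
    'onclick=this.focus();this.select(); value=4/CONSTRUCTED_sample-2 readOnly type=text>';
  OtherHtml = '<p>Error</p><input name="q" value="search">';

// Drop quote characters and fold line breaks/tabs to spaces, so quoted and
// unquoted attributes look the same; the trailing space ends the last one.
function CleanTag(const S: string): string;
var I: Integer;
begin
  Result := '';
  for I := 1 to Length(S) do
    if S[I] in [#9, #10, #13] then Result := Result + ' '
    else if not (S[I] in ['"', '''']) then Result := Result + S[I];
  Result := Result + ' ';
end;

// Hypothetical helper: value of the first <input> with id "code", else ''.
function ExtractCodeFromHtml(const Html: string): string;
var
  LowerHtml, Tag, LowerTag: string;
  TagStart, TagEnd, P: Integer;
begin
  Result := '';
  LowerHtml := LowerCase(Html);
  TagStart := Pos('<input', LowerHtml);
  while TagStart > 0 do
  begin
    TagEnd := PosEx('>', Html, TagStart);
    if TagEnd = 0 then Exit;            // unterminated tag: give up
    Tag := CleanTag(Copy(Html, TagStart, TagEnd - TagStart));
    LowerTag := LowerCase(Tag);
    P := Pos(' value=', LowerTag);
    if (P > 0) and (Pos(' id=code ', LowerTag) > 0) then
    begin
      Inc(P, Length(' value='));
      Exit(Copy(Tag, P, PosEx(' ', Tag, P) - P));  // up to the next space
    end;
    TagStart := PosEx('<input', LowerHtml, TagEnd);
  end;
end;

begin
  WriteLn(ExtractCodeFromHtml(QuotedHtml));
  WriteLn(ExtractCodeFromHtml(BareHtml));
  WriteLn('[', ExtractCodeFromHtml(OtherHtml), ']');
end.
```

An empty result means the page had no code field, which is the case where the caller should stop rather than send anything to the token endpoint.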

 
