What I'm trying to do is implement a "log in with Facebook button" on my site. I think I have understood most of the Facebook JS API, yet I am not certain of how I securely can tie information in my own databases up against a Facebook user. My current theory is:
1. Register Facebook's UID for the user in database for further reference.
2. Tie all further information from the user (the infromation inputted by the user in the application) up to the user ID after verifying the Facebook access token (in the backend), to prevent user from adding/removing information on behalf of another user.
3. When the user makes a query for information, you verify the access token issued by the JS API in your backend up against Facebook's APIs before returning any information related to the user, to prevent the user from spoofing his own ID
Side note: Not sure if Stack Overflow is the correct place to post this question.I know that there is an enormous number of sub sections on Stack Exchange. If this isn't the place then let me know :)
I implemented a login with Facebook module in my recent node project. When the user logs into Facebook successfully, it usually returns a unique Facebook ID (along with a lot of other data). You could then create a relation table in your database that relates the unique Facebook ID with a special user ID for your site.
If you have facebook info you are going to need frequently like profile image... I would grab the url every time and store it in a session variable when the user logs in simply because it can change.
Related
I have a fair amount of Facebook development experience, but this had made me pull my hair. It must be something very small, but I can't get it. I recently saw some Facebook pages with welcome tabs that show user's name "Welcome [YOUR NAME]" who visits their page. Example is here:
https://www.facebook.com/Tony.Samaha.Official.Page
As per my knowledge, we cannot get the user id without the permissions by the user. After the permissions we are able to get the user id in the signed request. How do I get the Facebook user id or name, something similar to the above example? How is this working? Can this be achieved?
FYI: I am using iframe tab.
Check out the documentation on signed_requests. When a user visits your application there will be a signed_request posted to your URL. The documentation states :
A signed_request is passed to Apps on Facebook.com when they are
loaded into the Facebook environment
A signed_request is passed to any
app that has registered an Deauthorized Callback in the Developer App
whenever a given user removes the app using the App Dashboard
A signed_request is passed to apps that use the Registration Plugin
whenever a user successfully registers with their app
You will have to decode this request (see the link above for details) and from there you will be able to extract the user_id of the visiting user. Then all you have to do is query the Graph API like this :
https://graph.facebook.com/USER_ID and you will get back the public information for that user which should include the users name.
The user is still using the old static FBML application, so most likely they are using the fb:name tag. Though, I believe this is now deprecated. So really, the page you linked to needs to be updated.
I am integrating GFC with my web app (PHP). In this app I have a list of user IDs and I need to fetch their profile details like their display name, profile pic url etc. using a HTTP call.
For example, I am trying to fetch data of user with id: $userId = 1234567
If a viewer (need not the user with above id) is logged in, I am able to fetch data by making a call to following URL.
http://www.google.com/friendconnect/api/people/$userId/#self?fcauth=$fcauth
But, if viewer is not logged in, the above URL replies the following
Anonymous requests are not allowed to fetch data
Error 401
I would like to know what URL should be used to fetch the user data even if no one is logged in.
Thanks!!
The fcauth mechanism is designed for access while the user is online. The fcauth tokens expire fairly rapidly, and no guarantee is made about how long they're valid for. You should assume that they'll only work while the user is online.
If you need offline access, you need to use OAuth. OAuth tokens are valid until manually revoked.
The API call you're making is the correct one, you just need to do it with OAuth instead of fcauth.
First of all, thanks in advance for reading. I've already posted this question in the facebook forums but after a couple of hours I'm not getting any responses.
I've got this app where an user can choose a piece (like in a puzzle). After the user picks a piece, he is redirected to the facebook authorize page and then returned to the app, then I save the user ID and his chosen piece in the database. At this point I've got everything alright... but the problem comes when...
If anyone see the app, he should be able to see the pieces and the PIECES OWNER INFO (name and profile picture).
The problem is if the user has not allowed the app yet (facebook authorization page), I can't use the facebook API to get the users who have already allowed the app (because I need an access token and the access token is given only to users who has authorized the app).
So, in short:
I need: get name and profile picture of users who have already authorized the app, without authenticating all users.
P.S: I was trying the "Authenticating as an App" option with PHP+libCURL but didn't work (or I did it the wrong way).
P.S2: Sorry if I have writing mistakes, my speaking language is spanish.
Thanks again... A LOT!!!!
No authentication nor breach of TOS required if you have the IDs, as profile pic and name are public information
Proof?? Right Here in this JSON.
I'm a new Facebook developer. I'm creating a game and want to include a leader board.
I'd like to build a fairly detailed leader board including the following information:
1) Name
2) Pic_Square or profile_pic
3) A general location (UK, USA or LONDON, NY)
4) Score
I'm aware of how to get a current users basic information from the either the old REST API or the Graph API. However from what I understand of the Facebook rules I can't store the information I want to use from the API.
This leads me to the conclusion I should be polling the Facebook API using the information I can store (FB user ID's). When querying the API for specific user ID's (the ones for the test users I have generated) API methods (user.getInfo and fql.query) return either just the ID of the user or the fields I have requested with null values.
When querying my own ID I can access all the data.
Are there any methods to obtain publicly available data via the any of the APIs?
Thanks for your help!
Ben
Why do you think that you can't store this info? On the user table page it even says:
You can cache this data and subscribe to real time updates on any of its fields which are also fields in the corresponding Graph API version.
If you request offline_access permission you would be able to get user information even when a user is not currently logged in to your app.
You should be able to get any user public info without permissions or access token by going to:
https://graph.facebook.com/<USER_ID>
To display avatar you can use this code:
<img src="https://graph.facebook.com/<USER_ID>/picture"/>
I don't think you would be able to get location without requesting extra permissions.
I am developing a PHP/MySQL e-commerce site with some social aspects, and am looking to integrate it with Facebook. I already have a native user registration/session handling system. I have managed to include the iframe "Social Plugins" such as a "Like" button. But I really would like to offer users the option of registering with the site via Facebook over the native registration process.
I understand the idea of getting an access token via the OAuth protocol, and eventually getting a user ID. My concerns are two-fold:
Is this method secure? This is an e-commerce site, but I am not storing any credit cards or any other sensitive data. I can't think of how this could be exploited, but I am only one head!
I understand how to retrieve the initial token and get the user ID during the registration process. But how do I recognize a return (session) user? Do I have to implement the Javascript SDK for that (something I want to avoid)? Or, do I handle the sessions just like they already are handled natively, but replace a normal user ID in the session cookie with a Facebook user ID when appropriate?
I apologize if the answers are obvious. I have scoured Google and the Facebook documentation, but half the links I find are to deprecated FBConnect wiki articles, and the new docs are helpful, but sparse on the examples. I have no idea what is still supported, what is new, and how to do this!
Yes Oauth is very secure. Many many applications rely on it and there are no known ways to exploit it.
One way you could do this is store the Facebook id's of users so when they come back you can see that their id already exists in your records and know it is a returning user. Their session may be different (expired since last visit for example) so you don't want to store their access token; but their Facebook user id is always be the same.
How I basically integrated Facebook registration/login on my site is I added a facebook_id column in my users table and a "Register with Facebook" button. If the user clicks, authenticates with Facebook and I get back a session and the user is new, I redirect to the registration page, prefill as many fields as I can with data from Facebook (like their name), and add the Facebook id as a hidden input field. Therefore when they register, their facebook_id will be filled in the database. This is the same registration page as the standard one, so the only difference with a non-Facebook user is that the facebook_id field will be empty. If you want, you can also not require a password for Facebook users.
For the user to log in, the user would just click a "Login with Facebook" button and authenticate with Facebook. Once Facebook gives me the session, I log the user in as whatever user has the facebook_id as the one in Facebook's session. Since you are worried about security, I'll note that this session cannot be forged as it is signed with the application secret key that only you and Facebook know. If you use Facebook's SDK (which you should) you do not have to worry about the signing and signature verification. The fact that you can read coherent information from the session means that Facebook's SDK has verified it.
This Facebook page is a great guide on integrating registration with Facebook.