I am using facebook graph api to like, comment, share on authenticated fan page.
The successfully implement comment on fan page. But when i try like status, i get error "(#100) The parameter url is required"
Following is code:
$params = array(
'access_token' => $token
);
$this->facebook->api('/'.$id.'/likes', 'post', $params);
Where $id is status id (576249592461805) and $token is valid token stored in database.
There are no permission issue because i successfully comment on this post:
https://www.facebook.com/1advertising/posts/576249592461805
I want to like this status via graph api..
Can you try this?
$this->facebook->api("/$id/likes", 'post', function(response) {
if(response === true) {
alert("done!");
}
});
Don't need parameters, qoute:
You can write to the STATUS_MESSAGE_ID/likes connection to like the
status message by issuing an HTTP POST request with the publish_stream
permission. No parameters necessary.
https://developers.facebook.com/docs/reference/api/status/
Related
I was implementing FB social login in website based on PHP. I checked FB website and found it easy to implement. Below is the approach i have followed and i am not sure that i have any security issues here.
I have used Facebook JS SDK approach.
and is as follows:
var appID = 'xxxxxxxxxxxxxxx';
window.fbAsyncInit = function() {
FB.init({
appId : appID, // App ID
channelUrl : '',
status : true,
cookie : true,
xfbml : true,
});
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
// connected
FB.api('/me?fields=id,name,email,permissions', function(response) {
//alert('Good to see you, ' + response.name + '.');
});
}else{
}
});
};
function login() {
if( navigator.userAgent.match('CriOS') ){
}
else{
FB.login(function(response) {
if (response.authResponse) {
replace_login();
} else {
// cancelled
alert('User cancelled login or did not fully authorize.');
}
},{scope: 'email,public_profile,user_friends'});
}
}
function replace_login(){
FB.api('/me?fields=id,name,email', function(response) {
$.ajax({
url: "s-account",
type: 'POST',
data: response,
dataType: 'json',
beforeSend: function(){
$("#signin_fb").button('loading');
},
success: function(data) {
$("#signin_fb").button('reset');
window.location.reload();
},
error: function(){
$("#signin_fb").button('reset');
}
});
});
}
And in PHP at server side, i am storing user detail like social_id, name and email in database through ajax call and if DB operation is successful then i am setting Session Variable in my website with username and email and user is logged in successfully.
For logout, i am using my own logout function to destroy Website user session and user is successfully logged out.
Now, where is the security risk? because if user is logged out and then try to login again JS SDK shall get a new Access Token through new response.
This whole authentication process boils down to the ajax call to s-account. You're sending name and email from FB.api() to your back end application in a POST request and as you didn't mention, I presume you're not verifying the access token with these details on the server side and you're simply making a session based on these details.
The security issue
Now, the security issue is that you're using a client side authentication on the server side. A user can simply generate a POST request to s-account with a fake response like Facebook with any username and email address and your PHP application will authenticate the user and make a valid session without verifying if the details are coming from a legit source. Your authentication is completely broken at this stage because a malicious user can login with any account by generating a simple POST request to s-account with any email and username.
How to fix
Facebook provides an end-point in the graph API which validates an access token and returns the details of the user associated with this access token. From the Docs:
This endpoint returns metadata about a given access token. This
includes data such as the user for which the token was issued, whether
the token is still valid, when it expires, and what permissions the
app has for the given user.
The Fb.Login() will generate the access token as response.authResponse.accessToken and userId as response.authResponse.userID. You need to send this accessToken & userID along with the other user details in your ajax call to s-account and then use the following API end-point to validate if the details are legit.
curl -X GET "https://graph.facebook.com/v2.6/debug_token?input_token=USER_ACCESS_TOKEN_FROM_AJAX_CALL&access_token=YOUR_APP_ACCESS_TOKEN"
If the the access token is valid, you'll get the following response with the userID for which this token was issued.
{
"data": {
"app_id": "YOUR_APP_ID",
"application": "YOUR_APP_NAME",
"expires_at": 1462777200,
"is_valid": true,
"scopes": [
"email",
"manage_pages",
"pages_messaging",
"pages_messaging_phone_number",
"public_profile"
],
"user_id": "THE_USER_ID_ASSOCIATED_WITH_THE_TOKEN"
}
}
Now you can compare this userID with the userID you received in the ajax call and check if the details are legit.
How to get your APP_ACCESS_TOKEN
To debug the user access token using the debug_token API, you need to generate your APP access token on the server side using the following API end-point.
curl -X GET "https://graph.facebook.com/v2.6/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials"
This will return your app access token in response.
{
"access_token": "YOUR_APP_ACCESS_TOKEN_HERE",
"token_type": "bearer"
}
I am having trouble using permissions to upload to a specific Facebook album.
I am set to an admin to a specific Facebook page, however whenever I try to upload a photo I cannot seem to get access to do it.
The error I get is:
Fatal error: Uncaught OAuthException: (#120) Invalid album id thrown
If I explore using the Graph explorer, I can see this album without any access token required.
The URL I am using is https://graph.facebook.com/albumId/photos
The album I am trying to upload is an album within a Facebook page, which I created within Facebook.
The permissions I have set are:
user_photos
friends_photos
publish_actions
manage_pages
publish_stream
photo_upload
Any help appreciated.
First, check if the user is logged in:
function getLoginStatus() {
FB.getLoginStatus(function (response) {
if (response.status === 'connected') {
// the user is logged in and connected to your
// app, and response.authResponse supplies
// the user's ID, a valid access token, a signed
// request, and the time the access token
// and signed request each expire
var uid = response.authResponse.userID;
var accessToken = response.authResponse.accessToken;
getPageAccess();
} else if (response.status === 'not_authorized') {
// the user is logged in to Facebook,
//but not connected to the app
logIn();
} else {
// the user isn't even logged in to Facebook.
logIn();
}
});
}
Then get the page access token associated to the user:
function getPageAccess() {
FB.api('/PAGE_ID?fields=access_token', function (resp) {
var pageAccessToken = resp.access_token;
});
}
This seems a common issue. If you want to impersonate Facebook Page (that is, act as page itself for uploading, posting and sharing) you have to first obtain an access token for that page:
Issue a GET Request to '/me/accounts' using user access token
Loop the result set and look for the page (pay attention to category property of each item, skip "application" as it's considered an account)
Store access token for that page.
Then (using PHP SDK):
$page = '432652662'; // Your page id
$album = '128949205'; // Your album id
$source = 'mypic.png';
$payload = array('source' => '#' . $source,
'access_token' => 'page access token');
// Upload photo for specific page and album
$sdk->api("/$page/$album/photos", 'POST', $payload);
Ok, I think I have found the solution.
If you go to https://graph.facebook.com/me/accounts
Each account will have its own access_token. When uploading an image to a Facebook page, you will need to pass that access_token as a parameter.
I have managed to send and retrieve data from facebook for invitatin using
FB.ui({
method: 'apprequests',
to: sendto,
message: 'Win Mega Prizes!',
title: 'Enter in this contest!'
},
function (response) {
if (response && response.request_ids) {
var requests = response.request_ids.join(',');
alert(requests);
window.location.href = "http://www.rmyserver/index.php?invitations="+requests+"&contest_id="+c_id+"&page_id="+page_id+"&user="+from+"&g_id="+g_id+"&sendto="+sendto+"&single=1";
} else {
alert('canceled');
}
PHP
foreach($requests as $request_id) {
// Get the request details using Graph API
echo $request_content = json_decode(file_get_contents("https://graph.facebook.com/$request_id?$app_token"), TRUE);
But i want to use single user app request , as per docs i need to use TO: filed but this doesnt work, request is sent as well i get invitation id but php code used above returns false.
Am i missing something
you can try direct url example given here https://developers.facebook.com/docs/reference/dialogs/requests/#frictionless_requests
that should work fine from php
This works for me:
FB.ui({
method:'apprequests',
message:'I want you to open up your heart a little.',
to:123456798,
// filters:['app_non_users'], // commented: let users send notifications to app users too, probably a good idea to make them revisit?
data:'' // send data what you would like to track, FB will send that back in the URL for us
// #todo send google campaign parameters
});
Moreover you are doing it wrong on PHP side, you would need to redirect the user to a URL where the invitation friend selector would be displayed. There is no way in my knowledge to directly send an invitation to users using PHP.
Can I use Facebook PHP SDK to deauthorize my app for a particular user, basically I like to have a toggle so the user can link or unlink their facebook account to my site, I have the link part working, now just need the unlink part.
Thanks
Now Graph API has a way to do this: https://developers.facebook.com/docs/reference/api/user/#permissions
Delete
You can de-authorize an application entirely, or just revoke a specific permission on behalf of a user by issuing an HTTP DELETE to USER_ID/permissions or USER_ID/permissions/PERMISSION_NAME
respectively. This request must be made with a valid user access_token or an app access token for the current app.
Using the graph API, this works fine:
$ret = $this->Facebook->api('/me/permissions', 'DELETE');
Not using the currently supported Graph API: as currently setup there is no interface in the Graph API (or even the legacy APIs) to deauthorize an application. The user has to explicitly choose to do it themselves through the Facebook settings pages.
However...
The legacy REST api has http://developers.facebook.com/docs/reference/rest/auth.revokeAuthorization/, which SOUNDS like it does what you want.
Let me know if that works for you: I'm curious.
Please note Facebook in the process of deprecating the REST API, and have adding equivalent support to the Graph API User object for "auth.revokeAuthorization" method.
For delinking or deauthorization the user by making app call:
$user_id = $this->facebook->getUser();
$access_token=$this->facebook->getAccessToken();
$result = $this->facebook->api(array(
'method' => 'auth.revokeAuthorization',
'uid' =>$user_id,
'access_token'=>$access_token
));
Using the JS API an app can be deauthorized like this:
FB.api('/me/permissions', 'DELETE', function(res){
if(res === true){
console.log('app deauthorized');
}else if(res.error){
console.error(res.error.type + ': ' + res.error.message);
}else{
console.log(res);
}
});
Or delete a specific permission:
FB.api('/me/permissions/user_birthday', 'DELETE', function(res){
if(res === true){
console.log('permission removed');
}else if(res.error){
console.error(res.error.type + ': ' + res.error.message);
}else{
console.log(res);
}
});
If you go to Facebook Developer, then select your application, then under the "Advanced" menu there is a field called "Deauthorize Callback". Set this as a URL on your domain which is pinged when a user deauthorizes themselves, there is some documentation on the format of the data it requests here.
I have just about got the Facebook connect working on my site. I am able to log in and PHP has all the users details. I would now like to post a status when a user logs in with the Facebook connect.
I have searched everywhere on how to do this, tried lots of code. And I'm still unable to get anywhere with it. Please be very specific with me as I am new to the Facebook Connect.
It sounds to me like you're looking for the Javascript Facebook SDK. More info about publishing to the stream through javascript can be found at http://developers.facebook.com/docs/reference/javascript/FB.ui.
Have you tried this, from the documentation, on the Publishing section?
You can publish to the Facebook graph
by issuing HTTP POST requests to the
appropriate connection URLs, using an
access token on behalf of the user or
an application access token (for Open
Graph Pages). For example, you can
post a new wall post on Arjun's wall
by issuing a POST request to
https://graph.facebook.com/arjun/feed
EDIT
Snipped from this part of the documentation:
If you have an authenticated user with
the publish_stream permission, and
want to publish a new story to their
feed:
var body = 'Reading Connect JS documentation';
FB.api('/me/feed', 'post', { body: body }, function(response) {
if (!response || response.error) {
alert('Error occured');
} else {
alert('Post ID: ' + response);
}
});