I have a website which uses Facebook's registration plugin.
Everything is working fine, I have one issue though: if somebody was on Facebook and unauthorized my application then never returned to my site, how would I know?
The reason I am asking is I am storing user data in a database, namely the access_token, Facebook ID and (custom field) username, along with their joined date and last_active date.
Is there any way that Facebook can interact with my site when a user has unauthorized my app, allowing me to remove them from my site database?
Even something simple like:
$unauth_url = 'http://example.com/unauthorize';
file_get_contents($unauth_url . '?signed_request=' . $signed_facebook_request);
which runs when the page is app is removed would get the job done.
Is there anything like this available?
There is an interesting option in the fb platform called Deauthorize Callback ... It simple calls a page on your app or site when a user removes your app. Simple put the database record deletion code in this page...
In your configuration of your facebook-app there is an option called deauth-request(or similar to that). There you can define a callback url, which will be invoked if somebody unauthorizes your app. Facebook passes soem POST information with that request to recognize the user for example.
You just have to implement a script on your server which deletes the user with that accesstoken from your database.
Related
I read all the articles on FB regarding PHP login, JS login, Canvas app login, but something remains unclear to me. How does one keep a user logged in after the initial login in JavaScript? You receive a signed_request (which you can use to authenticate the user ONCE (on initial load of a canvas app and on login, right?), let's say you use that information to verify the user server-side. Ok, so far.. But what about subsequent page loads?
Basically my question is this.. Can I use the PHP FB SDK to verify a user is authenticated on each page load without an API call? How? Is there a way to do it that is compatible with canvas?
The reason I don't want any API calls is because I hit the limit once and my app went down for an entire night. Don't want that again...
A workaround I'm thinking of is to store the user token (which I want to anyway) and use that in a session/cookie to authenticate the user on every page load in PHP, but I'm not sure if this is the best approach, because: Using my own session/cookie would allow a user to stay logged in even if they are not logged in FB. Also, I presume FB wouldn't allow this for a canvas app.
I found these relevant questions, but the information is from 2011: PHP: Using Facebook OAuth with less API calls
Facebook Login: How to combine JavaScript with PHP SDK?
The workaround you mentioned is the right way of doing it. Saving tokens, using and updating them as they become expired - the way most companies stick to.
Only in cases of new users or expired tokens the OAuth should be used. The API you use is not important. You can actually retreive authentication through JavaScript and pass it to PHP for further usage.
Cheers.
This is my first question here, so apologies if asking something trivial - though I didn't find an answer after an hour of digging.
I have a PHP website which needs to connect with a Facebook page in the following method:
On certain triggers, the site needs to post to the page's wall as the page itself. This has to be done automatically, even if no user session is available (e.g. if someone uses the site without actually having a Facebook account).
I found solutions using extended token expiration times (offline access), but in those cases, the post will always appear as the site admin (me, in this case). However, I need the post to be written by the page. When using Facebook as the page, I have no right to request an offline access token.
Is this even possible at the moment?
You need to cache the page access token on your server and use that to make the updates - the page login is pretty well documented here: https://developers.facebook.com/docs/authentication/pages/ -
Store the access_token in your server-side code and use that token to post as the page - the page access token won't expire if you have a long-expiry access token for the page admin, unless the user stops being an admin of the page, removes the app, etc.
I'm fairly new to facebook development, but have experience with PHP and JavaScript.
I've been reading through the SDK documentation and various articles regarding facebook integration but have found that a couple of fundamental questions are still open in my head!
I am trying to achieve the following:
Create a website that uses facebook only for registration and login
Use PHP to store facebook user id of registered users in a database on my app server, along with some limited app specific info for those users. All 'generic' info (email address, etc.) should be retreived from facebook.
when a user logs in, get a combination of database records for that user, and facebook stuff.
What I've achieved so far:
I have used the registration plugin to display a register button to unregistered users, and a login button for users who are logged out when they land on the page. I hide the login button using javascript and jquery if the user is already logged in.
I also have a page which receives a registered user and interprets the signed_request, adding the user's id to the users table in my database.
Where my confusion arises:
I want to use the Javascript SDK for user authentication (as it's really easy) - this is obviously done asynchronously on the client side.
Having said that, once a user has logged in using the JS SDK, I need to get some data from my database. I am happy to do this via an AJAX request, BUT that would require passing the facebook user id as part of that request. Surely this could be easily spoofed/changed by a savvy user & they could hence login to my application as someone else?
Question:
How do I securely pass information about a user who has logged in using the JS API to my server?
If the answer is "you can't" then why bother authenticating with the JS API? Is that just for apps that are really light touch?
Thanks in advance for any help!
The simple answer is, you use cookies. This Facebook blog post has a clear example of how to implement a client-side login and expose that data to the server.
Take a look at signed requests: https://developers.facebook.com/docs/authentication/signed_request/
It gives you a nice little primer on how signed requests work and how you can/should use them. If I understand your question correctly, this should answer your question as to why/how you can provide an extra layer of security. Send a signed request that only your application with its own app_secret can decode.
I have a fair amount of Facebook development experience, but this had made me pull my hair. It must be something very small, but I can't get it. I recently saw some Facebook pages with welcome tabs that show user's name "Welcome [YOUR NAME]" who visits their page. Example is here:
https://www.facebook.com/Tony.Samaha.Official.Page
As per my knowledge, we cannot get the user id without the permissions by the user. After the permissions we are able to get the user id in the signed request. How do I get the Facebook user id or name, something similar to the above example? How is this working? Can this be achieved?
FYI: I am using iframe tab.
Check out the documentation on signed_requests. When a user visits your application there will be a signed_request posted to your URL. The documentation states :
A signed_request is passed to Apps on Facebook.com when they are
loaded into the Facebook environment
A signed_request is passed to any
app that has registered an Deauthorized Callback in the Developer App
whenever a given user removes the app using the App Dashboard
A signed_request is passed to apps that use the Registration Plugin
whenever a user successfully registers with their app
You will have to decode this request (see the link above for details) and from there you will be able to extract the user_id of the visiting user. Then all you have to do is query the Graph API like this :
https://graph.facebook.com/USER_ID and you will get back the public information for that user which should include the users name.
The user is still using the old static FBML application, so most likely they are using the fb:name tag. Though, I believe this is now deprecated. So really, the page you linked to needs to be updated.
I almost have facebook connect working the way I need it on my site, I need to work out a couple bugs still, below is from the facebook connect documents, it list the 3 different URL options below in the settings of FB connect. This could be very useful for me because when a user logs in for the 1st time on my site with facebook, I need to create there mysql profile with profile data from facebook.
Ok so I am a bit confused, I understand a Redirect URL just redirects the browser to a page but you can see that 2 of these links I save below are for a Callback URL, so I take it that facebook post data to the URL's I provide? If I am correct, how can I know what data it post back in the Ping?
1)
Post-Authorize Callback URL: Facebook
pings this URL when a user authorizes
your application for the first time.
You can also call users.isAppUser to
determine if the user has authorized
your application.
2)
Post-Authorize Redirect URL: You can
redirect a user to this URL after the
user authorizes your application for
the first time. You can use this URL
only if the user authorizes your
application through login.php and not
the login dialog.
3)
Post-Remove Callback URL: Facebook
pings the URL when a user removes your
application.
When the user redirects in the browser I can run code like this to get there profile data from facebook but I am not sure about when facebook pings data?
$user_details=$fb->api_client->users_getInfo($fb_user, array('last_name', 'first_name', 'proxied_email','birthday_date', 'sex', 'is_app_user', 'current_location', 'about_me', 'activities', 'interests', 'relationship_status', 'pic_big', 'pic_small', 'books'));
$firstName = $user_details[0]['first_name'];
.....
I don't think I completelly understand your question, so I'll try to answer what I can - if there's anything missing, please comment here and I'll edit the answer accordingly.
You're right assuming that Facebook sends POST data when pinging. So, basically what you'd do on the endpoint given (the url you told facebook to ping) is to read the $_REQUEST dict for the data you want. A list of every parameter Facebook sends on ping can be found here.
What would happen is the following:
User clicks to connect with your site with Facebook Connect
A Facebook log-in page shows a confirmation to the user asking if he allows this operation
If allowed, Facebook sends the POST data to the specified URL asap
The same happens when the user removes herself from your site through Facebook Connect.
Please note that you should validate carefully the data received on your endpoint. Since you're creating persistent data on every post request, at least ensure the requests can only be received from facebook.
Alternatively, you can just redirect the user somewhere after the authorization, call users_getInfo and check if is_app_user is true. If so, you go on creating your entities on your database.
1) Post-Authorize Callback is the url Facebook will POST some data to when a user authorizes your application/site. This is through ANY means, not just through Facebook Connect. You should keep the user ID that is passed with this so you can track which users have authorized your application/site. You can then use the user ID to send messages to (i.e. notifications) the user, typical app-to-user messages.
It's "ping" because Facebook ignores any response you send. You don't respond.
2) After a user authorizes your application, you can optionally have Facebook send the user to this URL. For example, a welcome page and/or introduction. This does not happen under Facebook Connect, only under the Facebook platform.
3) Exactly the opposite of #1. Facebook just lets you know that someone removed/deauthorized your application. Again, you don't need to respond.
Items #1 and #2 is how you keep track of which user IDs have authorized your application. You cannot query Facebook for this.
Facebook writes a cookie under your domain if the user is logged into Facebook and has connected with your site. You can always check for this cookie when a user arrives and log them in automatically to your site. You should verify the cookie data, of course. Instructions for doing that are here:
http://wiki.developers.facebook.com/index.php/Verifying_The_Signature