Can I send test_event_code without any value in FB conversions API? Will this be considered or rejected?
Related
Say you have a Facebook app which uses an external API to fetch relevant data for the user using this app. The API needs the user's access_token to retrieve this relevant data. Since the API is a separate service, it needs to be provided with a Facebook access_token to retrieve the relevant data (it cannot get the access_token of the logged in user because it runs on a separate domain than the one the user is logged into).
One way of giving the access_token to the API is by making an HTTP request (sync or async, doesn't matter).
The question is, what can somebody do if it intercepts this access_token (because, obviously, it can be intercepted in an HTTP request)? Is it somehow protected by unauthorized use or it can be used by anyone to query the Facebook API on whatever that individual wants?
We're using the Facebook JS SDK to authenticate users to our application, then sending that information to the server back end to log our user into the application (we support multiple forms of authentication but we can only support FB using a client side flow).
FB is able to log in correctly, I'm able to authenticate the user and everything else, but there's one wrinkle that I'm not sure how to handle, and I'm having difficulty finding anything in the documentation about it. Facebook sends back an accessToken in addition to an id. My question is, how do I verify on the server side that the accessToken is correct for the given id? I want to make sure that the data the user sends us matches what Facebook sent them, and I can't imagine this is that out of the ordinary, yet I can't seem to find any documentation on it.
In the response from Facebook should be a signed_request string that can authenticate that the data is genuine with and decoded to yield the user id and an oauth token for the user.
Passing this along with the other response to your server-side code should allow you to validate everything pretty easily.
May I suggest this answer from another question! It uses try-catch. It is probably the only way to verify that the authentication and the permissions are valid! That's how they do in their examples
Facebook OAuthException: (#1)
I dont think facebook provides any other way of checking
I'm creating a Facebook app. Facebook displays the app view in iframe and gives it signed_request in a POST parameter.
If someone get other's signed_request string, he can post it to the app.
curl -F "signed_request=CCuTU8c2…NjMwOTMxIn0" https://app.mydomain.xx/
Signed_request is registant to tampering. On the other hand, the app accepts the data which isn't tempered.
Should Facebook apps check something for it? For example, the value of issued_at. I wonder how to handle signed_request. Facebook's PHP SDK sets it to cookie. It's OK?
This cannot be faked, if you check it properly. It is a JSON data object that has been encrypted with your application-secret. An attacker would not be able to encrypt with this key, cos you never let anyone know it, right? --if you have ever leaked your application-secret, your seriously boned in lots of other ways; a faked signed_request is the last of your worries.
You need to decrypt the data and parse the resultant JSON to ensure it matches the request you have received. If an attacker sends a signed-request that he has sniffed from a previous use, then he can't just send it with an arbitrary request, as it will only match the request from which it was stolen. But it is the responsibility of your code to perform this check. It is possible that this may be a feature of your Facebook API client library, depending on the library and configuration used.
Please see the signed request page at Facebook Developers
And for further reading on Facebook security, please see the excellent Developing Secure Facebook Apps document at OWASP.
I hope my question doesnt sound stupid, But i really want to know this..
Is signed_request an alternative to access_code?
If so, How do i receive the signed_request for desktop clients?
I mean flow that i follow in my desktop client is:
Call https://www.facebook.com/dialog/oauth?client_id=xxxx&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token&scope=publish_stream
Take the access_token returned from (1) and fetch user information.
So will 1. and 2. be merged in a single request call to signed_request which says it will give the JSON object of user information in it.
How to make this call to get signed_request for desktop clients?
Two problems with your theory here:
In order to get a valid access_token within the signed_request, you'll still need to authenticate and request permission from a user, so in that case it's probably simpler to use the authentication flow fully rather than trying to parse the signed_request.
As stated in the Signed Request docs you will not receive any signed_request if you are building a desktop/device app.
I have a facebook connect app all set up using oauth and after the final
transaction I receive an access_token that looks something like -
559514387926|f53be3fc76b8e243aaf2944b-502835064|moXh_HOIga8b32txRdwkan-5NW9.
The part in bold seems to be facebook user id of the current user. I checked this
with all the access_tokens of the users I have thus far and it matches in every case.
Is there any documentation that states that this is a reliable way to obtain
the facebook user id ?
I want to use the facebook user id directly to make leaner calls for existing users
pulling only picture and pulling a lot more data for a first time user.
Do not parse the token, this is bad practise and since Facebook is in the middle of adding new features to the Graph API it is very susceptible to breaking changes. Make an API call to
https://graph.facebook.com/me?access_token=...
And then parse out the id parameter and use that from then on!