Facebook Messenger App Webhooks only HTTPS? - facebook

I am trying to configure my bot with Facebook Messenger through webhooks. But when I put my URL into the webhook URL field I get a message that it is not an HTTPS URL. Did they force it to be only HTTPS? Does that mean that everyone who wants to set up his custom webhooks needs to set up SSL certs too?

Anyway, from Facebook's documentation:
Webhook Security
All webhook calls to developer-defined callback URLs are made via HTTPS, ensuring transport-level security for webhook payloads.
To provide additional security an HTTP header X-Hub-Signature is included in each POST payload, which you should use to verify that the payload came from a Facebook server.
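As an added illustration of the two checks behind the documentation quoted above, here is a minimal webhook receiver in Python. It is not Facebook's code and not code from any post on this page. It verifies the X-Hub-Signature HMAC over the raw POST body (and, as an assumption from the current Messenger docs, the sha256 variant in X-Hub-Signature-256) and answers the one-time GET handshake in which Facebook sends hub.mode, hub.verify_token and hub.challenge for the verify token you typed into the webhook settings. The app secret, verify token and sample event body are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed placeholders for this example. The real app secret comes from the
# app dashboard; the verify token is whatever you entered when registering the webhook.
APP_SECRET = b"example-app-secret"
VERIFY_TOKEN = "example-verify-token"

# Digest per header prefix: X-Hub-Signature carries "sha1=<hex>",
# X-Hub-Signature-256 carries "sha256=<hex>" (assumed from the newer docs).
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign_body(app_secret: bytes, raw_body: bytes, algo: str = "sha1") -> str:
    """Produce the header value Facebook would send for this body (used for testing)."""
    return f"{algo}=" + hmac.new(app_secret, raw_body, _DIGESTS[algo]).hexdigest()


def verify_hub_signature(app_secret: bytes, header_value, raw_body: bytes) -> bool:
    """Return True only if header_value is a valid HMAC over the exact raw body.

    The HMAC must be computed over the bytes as received, before any JSON
    decoding or re-serialisation, and compared in constant time.
    """
    if not header_value:
        return False
    algo, sep, received_hex = header_value.partition("=")
    digest = _DIGESTS.get(algo)
    if not sep or digest is None:
        return False
    expected_hex = hmac.new(app_secret, raw_body, digest).hexdigest()
    return hmac.compare_digest(expected_hex, received_hex.strip().lower())


def handle_verification_get(query_string: str, verify_token: str):
    """Answer the GET handshake Facebook performs when the webhook is registered.

    Respond 200 with hub.challenge only when hub.mode is "subscribe" and
    hub.verify_token equals the token configured on our side.
    """
    params = parse_qs(query_string)
    mode = params.get("hub.mode", [""])[0]
    token = params.get("hub.verify_token", [""])[0]
    challenge = params.get("hub.challenge", [""])[0]
    if mode == "subscribe" and challenge and hmac.compare_digest(
        token.encode(), verify_token.encode()
    ):
        return 200, challenge
    return 403, "Forbidden"


def handle_event_post(headers: dict, raw_body: bytes, app_secret: bytes):
    """Gate a webhook POST on its signature; returns (status, body).

    Accept with 200 as soon as the signature checks out and do the real work
    afterwards: an endpoint that keeps returning errors stops receiving events.
    """
    sig = headers.get("X-Hub-Signature-256") or headers.get("X-Hub-Signature")
    if not verify_hub_signature(app_secret, sig, raw_body):
        return 403, "bad signature"
    # Only now is the body trustworthy enough to parse and act on.
    return 200, "EVENT_RECEIVED"


if __name__ == "__main__":
    # Constructed sample event, not a capture from Facebook.
    body = b'{"object":"page","entry":[{"id":"123","messaging":[]}]}'
    print(handle_verification_get(
        "hub.mode=subscribe&hub.verify_token=example-verify-token&hub.challenge=42",
        VERIFY_TOKEN))
    print(handle_event_post({"X-Hub-Signature": sign_body(APP_SECRET, body)}, body, APP_SECRET))
    # A single extra byte in the body invalidates the signature.
    print(handle_event_post({"X-Hub-Signature": sign_body(APP_SECRET, body)}, body + b" ", APP_SECRET))
```

Wire handle_verification_get to GET and handle_event_post to POST on the callback route of whatever framework you use, making sure the framework hands you the unparsed request body; a re-serialised JSON object will not reproduce the HMAC.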

Related

Facebook lead ad webhook how to set authentication

I want to set up a webhook for Facebook leads, i.e. every time there is a lead in Facebook I should get a webhook on the configured URL. I am able to do this with the help of the documentation https://developers.facebook.com/docs/graph-api/webhooks/getting-started/webhooks-for-leadgen
However there is no mention of configuring authentication in the documentation. All the endpoints on my system are configured with OAuth2 (client credentials grant type) authentication. How do I configure this on the Facebook webhook setup?
I was hoping that Facebook would have a way to configure authUrl, clientId and clientSecret along with the webhook URL, but that is not the case.
Am I missing something here or is it not possible to do so?

Facebook messenger callback

There are questions related to FB Messenger, but as none answers my question, here it is.
I have been given a developer account for the API to work on which is 'http', meaning I won't be able to use it as the Callback URL. I am not authorized to request HTTPS from the developer either.
How should I proceed?
Facebook requires that the callback URL for receiving events use HTTPS as the scheme and specify a verify token in the app's webhook section. You should try to get the server you are working with to install the necessary SSL certificate(s) and update your webhook to point at it.
Facebook requires HTTPS. You can use ngrok to convert your local URLs to an HTTPS-based public URL and use that as the webhook subscription URL.

Facebook Messenger Platform ngrok

I try to set up a webhook for the Facebook Messenger API and try to forward to my localhost node.js server via ngrok. The GET request from Facebook for checking the server is working perfectly. But when I send a message to my site via Messenger I don't get any response to my webhook. It works OK when I curl the ngrok address. Any suggestions?
Thanks
I was having a similar issue.
My current (semi-working) workaround is to unsubscribe my test page from the Facebook app configuration page (in the app settings page -> Messenger in the left panel -> Webhooks section), and then re-subscribe my test Facebook page. I will immediately receive an HTTP POST message after I type something to my test page in Messenger.
Of course that can only help with testing. It doesn't help in the production environment.
As long as the Facebook app you are using for the Messenger integration is in an unpublished state, i.e. has not undergone a review process, only messages by admins, developers and testers are relayed through the webhook.
Check that the user you are using has the correct permission on the app.
On some occasions Facebook also stops forwarding messages, e.g. if your webhook endpoint is returning errors repeatedly. Check your alert dashboard in the developers.facebook.com platform.
The solution is to unsubscribe and then subscribe a page again.
Further hints:
Depending on the framework you are using on the receiving end it might reject messages with an x-forwarded-for header in the request (Symfony 2 in my case).
Use the -host-header=rewrite option with ngrok to rewrite the request header if you run into issues like that.

OAuth2 : redirect_uri post LinkedIn & Facebook

I'm performing the server-side OAuth2 flow.
I noticed that Google has added a cool feature to their OAuth2 sign-in API, redirect_uri=postmessage, so we don't show the real redirect_uri in the browser URL bar and the authorization code won't be included in the redirect URL.
For LinkedIn, when the user accepts to share his personal data with the app, the response URL looks like:
http://dev.localhost.com:8080/auth/linkedin?code=xxxxxxxxxxx&state=yyyyyyyyyyyyy
It's the same for Google unless we replace the real redirect_uri by postmessage.
If the redirect_uri and the response code are set in the URL, every malicious script could retrieve the returned code from the URL and perform its own authentication.
So, is there any way to hide the return parameters and the redirect_uri for LinkedIn and Facebook?
LinkedIn and Facebook are not vulnerable to malicious scripts accessing the redirect_uri.
Assuming you use the recommended response_type=code both APIs require you make a request from your server that includes your API secret and the code value in order to get the users token. LinkedIn describes this in Exchange Authorization Code for a Request Token and Facebook describes this in Exchanging code for an access token.
Additional security with Facebook can be enabled by requiring that every request be signed with your API secret. Additional protection in general can be had by using a strong Content Security Policy to help prevent malicious scripts from running in the first place. And be sure to host your site exclusively over TLS to prevent your own JavaScript from being modified.
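To make the answer above concrete, here is an added Python example of the server-side code flow it describes; it is not code from the answer, nor LinkedIn's or Facebook's own code. The browser only ever sees the redirect carrying code and state; the state value binds that callback to the login attempt that started it; and the code only turns into a token through a backend request that includes the client secret, so a code read out of the URL bar is useless on its own. The appsecret_proof helper is Facebook's mechanism for "requiring that every request be signed with your API secret" (an HMAC-SHA256 of the access token keyed with the app secret, sent as the appsecret_proof parameter on Graph API calls). Client ID, secret, redirect URI and provider endpoints are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; the real values come from the provider's app settings.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/auth/callback"


def new_state() -> str:
    """Unguessable per-login value. Store it server-side (e.g. in the session)
    before redirecting, so the callback can be tied back to this attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(authorize_endpoint: str, state: str, scope: str) -> str:
    """URL the browser is sent to. Note that the client secret never appears here."""
    return authorize_endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the provider's redirect.

    A missing or mismatched state means the callback was not started by this
    session (a forged or replayed redirect), so it is refused.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this login attempt")
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(token_endpoint: str, code: str):
    """Form body for the server-to-server exchange of the code for a token.

    Send it from the backend only (e.g. requests.post(url, data=form)): this is
    the one step that needs the client secret, which is why the code alone,
    even if read from the URL bar, does not yield a token.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must match the one used in the authorize step
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return token_endpoint, form


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """Facebook's appsecret_proof: HMAC-SHA256 of the access token keyed with the
    app secret. Once "Require App Secret" is on, Graph API calls must carry it,
    so a stolen token cannot be used without also holding the secret."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Walk through one login with constructed endpoints (not real provider URLs).
    state = new_state()
    print(build_authorize_url("https://provider.example/oauth/authorize", state, "r_basicprofile"))
    callback = f"{REDIRECT_URI}?code=xxxxxxxxxxx&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request("https://provider.example/oauth/accessToken", code))
    print(appsecret_proof(CLIENT_SECRET, "example-access-token"))
```

Keep the state in server-side session storage rather than a plain cookie the page's own scripts can read, and clear it once the callback has been consumed so a second redirect with the same values is rejected.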

Facebook sends a blank signed request for secured app when accessed by http

I have an app that only runs on HTTPS. So my Page Tab URL and Secure Page Tab URL have the same HTTPS URL.
I have noticed that I get a blank signed request for users who are using Facebook on http.
Is there a way by which I can get the users to see my secured content even when they are accessing facebook from http?
Facebook says that this configuration is not supported by design. Apps must be available via both HTTP and HTTPS.
Source: http://developers.facebook.com/bugs/210713629051920/
Unfortunately it is necessary that you always provide an HTTP alternative for FB users who want to visit your app under HTTP. In your specific case, in your HTTP endpoint you will be able to display a specific message to these users encouraging them to visit the HTTPS version of your app.