Matching a page-scoped ID and a chatbot-scoped ID: several questions - facebook

I have a web site (gigsnet) with a Facebook login. I did it using Passport/oauth.
I want to implement a chatbot, so that our users can chat to the "Gigsnet" page, and get personalised responses from the chatbot.
I realise that the IDs won't match, and that some "magic" is necessary here. So, here we go.
SOME IDS
This is what my server receives when a message by myself (page admin) arrives:
Requested: /app/chatbot
REQUEST BODY: { object: 'page',
entry:
[ { id: '1130858117040228',
time: 1495584613258,
messaging:
[ { sender: { id: '119XXXXXX7137093' },
recipient: { id: '1130858117040228' },
timestamp: 1495584613013,
message:
{ mid: 'mid.$cAAQEgkm16DpiaQ9qlVcN8ohagocY',
seq: 290123,
text: 'd' } } ] } ] }
POST /app/chatbot 200 1.581 ms - -
This tells me that my user ID for the chatbot is 119XXXXXX7137093.
Also, this is what I have on my DB for authenticated users:
{ "_id" : ObjectId("5924c947b0d5a1095c8f326c"), "strategyId" : "facebook", "field1" : "636379230", "field3" : "EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD", "userId" : ObjectId("59239720a04b2e1de8e103d8"), "id" : ObjectId("5924c947b0d5a1095c8f326b"), "_children" : { }, "_clean" : true }
This particular user happens to be admin of the pages, the app, and owner of the company that owns page and app.
So:
USER ID (CHATBOT SCOPE): 119XXXXXX7137093
USER ID (LOGIN APP SCOPE): 636379230 WITH ADMIN ACCESS TOKEN: EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD
PAGE ID: gigsnetco
APP ID (LOGIN APP): 453817548028633
The access token is important as I am the admin for the pages.
USER ID IN MESSENGER BOT -> USER ID IN LOGIN APP (with extra step)
To make this call, I need FIRST an access token for the page. So, here I am using my user's oauth access token from the database in order to get another access token, the one to administer pages.
curl "https://graph.facebook.com/v2.9/gigsnetco?access_token=EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD&fields=access_token"
{"access_token":"EAAGcvqGZBOtkBAMeNZAE09EsRndMYvDlVpNeE6HT05zxqeL2XXXXXXXXXXXXXXXXDs2vdiSYlErrdw8ZAF3uBdUiIjnioXxohljA3mLjlKbgFZC5tfz7ivGHCHb4LubXHBNx7wLMMLcl7WrZC627uca2HW18dQZBH5MGhOqvHRyYXQZDZD","id":"1130858117040228"}
I now use the token for the page ID above to make a request on the user 119XXXXXX7137093 (chatbot) asking it the list of ids for linked pages.
Note: I am using the user id 119XXXXXX7137093, filtering by app ID, using the page's access token.
curl "https://graph.facebook.com/v2.9/119XXXXXX7137093/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAMeNZAE09EsRndMYvDlVpNeE6HT05zxqeL2XXXXXXXXXXXXXXXXDs2vdiSYlErrdw8ZAF3uBdUiIjnioXxohljA3mLjlKbgFZC5tfz7ivGHCHb4LubXHBNx7wLMMLcl7WrZC627uca2HW18dQZBH5MGhOqvHRyYXQZDZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Bingo! I have 636379230. When a user types anything to the chatbot, I can now cross-reference them with a user who has previously logged in, and provide personalised information.
USER ID IN LOGIN ALL -> USER ID IN MESSENGER
Here I am using the access token from the screen https://developers.facebook.com/apps/453817548028633/messenger/ in "Token generation".
curl "https://graph.facebook.com/v2.9/636379230/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAKycZAeDI4D13sOVZAZAlNJqZCTXXXXXXXXXXXXXXXxsyaOs9WgQO2jcnHJeEYAbUlEdCU1xejYjTlWE1w4tEfe7IZAAw8i3X2qn1AKwDlHhwHbQsoylxPZAcPagVKemSd6KQwUP2gB8pkm61PumqLiVuIw3B3lQZDZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Note that my own access token (I guess because I am the page admin) ALSO works:
curl "https://graph.facebook.com/v2.9/636379230/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Bingo! 636379230 is the user ID for messenger.
QUESTIONS
The API documentation mentions that I should provide appsecret_proof in order to get ids_for_pages to work. However, I didn't have to (plus, you only provide a PHP example, and I couldn't find an example in node). Is it OK not to provide appsecret_proof?
In order to make calls, I am using my own access token (as the page admin); I obtained this access token using oauth, using my app (I am using passport on nodejs).
Will this token expire after 60 days?
If so, does that mean that I ought to link/unlink my account so that I generate a new access token? (Or, use an API command to get a new access token? (If so, which one?)
Since the access token expires, shall I keep on refreshing it for logged in users as well? The problem is that once a user is logged in, they are alogged in.
Does the page access token also expire? How often shall I re-generate it? Surely, regenerate it for every received message would be wasteful on my end and your end...!
Are scoped IDs stable? Do I absolutely know that the IDs will never change? Once I make the connection, can I save it and have it like that forever? Even if a user unlinks themselves with oauth and then link themselves back? Or in case the access tokens expire for example. If they do change, how do I know if they are expired/?
Thank you!

Related

Post to Instagram via Facebook Graph API - unable to get the correct ig-user-id permission

I need to create a Meta application that posts scheduled content on the Instagram page of the company. The app is now in dev mode, and used through the Graph API and cURL.
After getting an Instagram user token on the Graph Explorer with all the required permissions (email, pages_show_list, ads_management, business_management, instagram_basic, instagram_content_publish, publish_to_groups, pages_read_engagement, pages_manage_posts, public_profile) and getting the ig-user-id through the GET /v13.0/me?fields=id,name API call, i make the container generation call, as described in the docs:
curl -i -X POST https://graph.facebook.com/{{ig-user-id}}/media?
image_url=https://{{image-url}}&caption={{text}}&access_token={{token}}
To which I get as a response:
Unsupported post request. Object with ID '{{ig-user-id}}' does not exist, cannot be
loaded due to missing permissions, or does not support this operation.
I tried to generate a Page token in spite of an User token, to use the Page ID in spite of the Used scoped app ID provided by the Graph API but the result has always been the same. One thing I noticed is, trying to get the IG user ID as described on the getting started page, point 5, to my request:
curl -i -X GET "https://graph.facebook.com/v13.0/{{page-id}}?
fields=instagram_business_account&access_token={{token}}"
The response is just {"id":"{{page-id}}"} in spite of the expected
{
"instagram_business_account": {
"id": "17841405822304914" // Connected IG User ID
},
"id": "134895793791914" // Facebook Page ID
}
So it appears it might be a permissions issue. Now, on the Business Settings for the business the app is related:
I'm listed under Users -> People as Administrator and Developer
I'm listed under Account -> Instagram Account -> People with all the permissions (Content, Community Activity, etc.) granted but messages (Impossible to assign - Available only on Instagram)
I'm listed onder Account -> Apps -> {{App Name}} -> People twice with all permissions granted.
Could anyone help me solve the issue? Thanks in advance.

monday.com Access token received via OAuth is not valid to make API requests

I have a monday.com App in place. The current flow is as below.
App in installed in the account
Add any recipe to board
User will be redirected to sign-in page
Login to our product
Redirected back to Monday to authorize the app. Here will monday.com will list out required permissions and all.
Once authorized, monday.com will provide us with an access token, token type, etc…
The problem, with this access_token, not able to make API calls to monday.com.
API Endpoint: https://api.monday.com/v2
Method: POST
Authentication type: Bearer token
Request Body:
{
"query" : "{ boards (limit:1) {id name} }"
}
Received response from monday
{
"errors": [
"Not Authenticated"
]
}
As I understand monday OAuth does not have refresh token logic and access token will stay as long as app in installed in the account.
Posted the same question in monday.com as well
For javascript users, they can make use of the npm package [monday-sdk-js][https://www.npmjs.com/package/monday-sdk-js].
Here is an example for calling the endpoint for displaying the data. Provide your access token and run the script.
const mondaySdk = require("monday-sdk-js");
const monday = mondaySdk();
const your_token ="<--your_access_token-->";
monday.setToken(your_token);
// query to display
monday.api(`query { boards (limit:1) {id name} }`).then(res => {
console.log(res);
});
[1]: https://www.npmjs.com/package/monday-sdk-js

get conversations of FB page via open graph api

I've registered an Facebook-App and created a token with all permissions I need. Among them
manage_pages
read_mailbox
read_page_mailbox
Now I want to use the Facebook open graph API to read some data from my own FB-page. I want to read the private messages that the page received and that I sent to some of the fans on my pages behalf.
I know I can get all information by sending a http-request like this:
https://graph.facebook.com/{page-id}/{object}?access_token={token}
where {something} are placeholders for actual values. To give an working example, I can read the postings that appeared on my page by sending this request:
https://graph.facebook.com/141928949155955/posts?access_token={my secret token}
As I said, this works fine, since more than two years. (I just need to update the token from time to time)
But now I want to read the private conversations between the page and it's fans. I want to extract all conversations and insert them into a spreadsheet. I want to do it once, and maybe in 1 or 2 years again. I could extract them manually from the browser window by copy and paste for each conversation, but since there are so many conversations I think it costs less time to let a program do it for me.
If I understand Facebooks Documentation correct, then the keyword that I must use must be conversations. But I get this:
https://graph.facebook.com/141928949155955/conversations?access_token={secret token}
{
"error": {
"message": "(#210) Subject must be a page.",
"type": "OAuthException",
"code": 210
}
}
But 141928949155955 is a page. I don't know what I'm doing wrong. What is the correct request that I must send to receive a pages private conversations?
EDIT (June 16th):
I can read my personal conversations with this request:
https://graph.facebook.com/me/conversations?access_token={secret token}
But I don't want to read the conversations that I made as a person. I need those of one of my pages.
I found the solution for my problem. (Thanks kush, your answer helped a lot, but I want to add some more information)
My problem was that I misunderstood the error message "Subject must be a page." I thought that "Subject" refers to a part in the query string. But it refers to the token! A message like "Token must be a Page Access Token" would have saved me WEEKS of needless searching over a period of more than two years! How can you use a term like "Subject" when you nowhere define what "Subject" is?
So it was not the query string that was wrong. It was the type of the token!
Now here is the complete procedure to solve the problem (get a Page Access Token)
SOLUTION
Step 1
Get a User Access Token for your App that you can use later to get a Page Access Token
1.1 Go to Graph API Explorer https://developers.facebook.com/tools/explorer/
1.2 Select your App from the "Application:" drop down menu.
1.3 Click "Get Access Token".
1.4 From the tab "Extended Permissions" select "manage_pages".
Additionally select all permissions you need for the Page Access Token. (Although now you don't create a Page Access Token, just a User Access Token)
1.5 Click "Get Access Token".
1.6 Grant the permissions by clicking "OK".
In the field "Access Token:" you find now a Token that is an User Access Token. It is not a Page Access Token! This Token has all permissions you need to manage your page (including the permission "manage_pages"), but you can't use it to manage pages since it is the wrong type of token. You need this token only for one reason: To create a new token.
Step 2
Use the User Access Token you just got to create a Page Access Token
2.1 Enter "me/accounts" in the query field
2.2 Click "Submit"
You get a list of your pages, each with an "access_token" (which is now a Page Access Token). Each of this tokens did inherit the permissions from the User Access Token you used when you called "me/accounts".
This Page Access Token expires after one hour.
supplement
If you want a Page Access Token that never expires, do it this way:
A.1 Go to https://developers.facebook.com
A.2 From the drop down menu "Apps" select the App you want to use.
A.3 Click on "show" in the field "App Secret" (you need to enter your Facebook Password)
A.4 Open a new tab in your browser and there execute steps 1.1 to 1.6 from above to generate a short-lived User Access Token
A.5 Open a third Tab in your browser and there enter this string into the address field of your browser:
https://graph.facebook.com/v2.0/oauth/access_token?grant_type=fb_exchange_token&client_id={app-id}&client_secret={app-secret}&fb_exchange_token={short-lived-token} (do not press enter!) If this strings disappears when switching from one browser tab to another use any text editor to assemble the string and copy it later into the address field.
A.6 In this string replace {app-id} and {app-secret} by the values from the browser tab that still shows your Apps data.
A.7 Replace {short-lived-token} with the User Access Token you find in the field "Access Token:" from the Graph API Explorer.
(After this step there are no more curly brackets in the address string)
A.8 send this request (press Enter now)
Your browser window now shows a String with the fields "access_token" and "expires", separated by an ampersand ("&") which is not part of the token. This Token is a long lived User Access Token that will expire in two month.
A.9 Execute Steps 2.1 and 2.2 using the "access_token" from step A.8
The result is a Page Access Tokes with all permissions you selected in Step 1.4 and that never will expire.
Good luck!
Using page access token should help since you are reading from the page ..
Graph api node: GET me/accounts
me/accounts would give you the pages you are admin for and use access token coming in the page info dictionary.
you should get the following data from me/accounts
{
"data": [
{
"category": "Product/service",
"name": "Sample Page",
"access_token": "{page-access-token}",
"id": "1234567890",
"perms": [
"ADMINISTER",
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
},
}
Use page-access-token to access data from page as the page admin and thou shall receive data :) let me know if this works :)
A successful authorization would return an access token to your app, which you can then use to perform actions to the Facebook API. The error message displayed means you do not have a valid access token which means you probably did not authenticate the app correctly. I would put some logging on the onFacebookError and onError methods to see what the problem is.
Request Permission At Login time So Its Authentication Error
Permission List
https://developers.facebook.com/docs/facebook-login/access-tokens/
Set Permission Reference
https://developers.facebook.com/docs/android/login-with-facebook#permissions

Validating the user of an access_token

In the Facebook dev article Manually Building a Login Flow, there is a section entitled "Confirming Identity". It mentions that you need to validate codes and tokens that you receive from them via your redirect_uri.
My question: Since you don't know anything about the user that just logged in, how do you validate that the user_id that you see in the response from the token inspection endpoint is correct?
The article says:
As a result, your app should confirm that the person using the app is the same person that you have response data for before generating an access token for them.
But, how can you actually do that? Are we expected to show publicly available info about that user_id back to the user with a UI that asks "Is this you?". I haven't seen any apps/sites that do that, so I'm assuming that this isn't practically done.
Am I missing something?
You can use FB.getLoginStatus to retrieve information about the logged in user. It returns a response object for the user. If the user has authenticated your application, the response object will look like this:
{
status: 'connected',
authResponse: {
accessToken: '...',
expiresIn:'...',
signedRequest:'...',
userID:'...'
}
}
You can use the UserId returned in this object to verify the user's identity.

Facebook access token server-side validation for iPhone app

I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms.
Basically, I think it should work like this:
In my iPhone app, user logs in to Facebook, using his email and password.
User allows access to his data for related Facebook application.
My iPhone app receives access token, after successful log in.
In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries).
When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook.
My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app.
I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?
Here's a two step process you can use to validate that a user access token belongs to your App:
1) Generate an App Access token
(https://developers.facebook.com/docs/howtos/login/login-as-app/)
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
2) Debug the User Access token
(https://developers.facebook.com/docs/howtos/login/debugging-access-tokens/)
https://graph.facebook.com/debug_token?
input_token=INPUT_TOKEN
&access_token=ACCESS_TOKEN
Where INPUT_TOKEN is the user access token you want to verify, and ACCESS_TOKEN is your app's token that you got from step 1.
The debug endpoint basically dumps all information about a token, so it'll respond with something like this:
{
data: {
app_id: YOUR_APP_ID,
is_valid: true,
metadata: {
sso: "iphone-safari"
},
application: YOUR_APP_NAMESPACE,
user_id: USER_ID,
issued_at: 1366236791,
expires_at: 1371420791,
scopes: [ ]
}
}
If that token isn't from "your app" then it will return an error response.
Update: this answer seems insecure since it doesn't validate the token
first as belonging to your app, see the comments, original answer as
follows:
I assume that you already have the access token in hand. In such a case the simplest way to validate an access token is to issue the following request
https://graph.facebook.com/me?fields=id&access_token=#accesstoken
Here replace #accesstoken with the access token you have. I will breakdown the url and will explain each.
We are issuing a graph api request here which will return the Facebook User Id of the owner of the access token as a JSON string. The keyword 'me' represents the currently logged in user or the owner of the access token. For this request access token is a mandatory parameter.
If the provided access token is not valid or expired Facebook will just return an error message of some sort.
For a valid access token the result will somehow look like this
{
"id": "ID_VALUE"
}
Another solution would be to use https://graph.facebook.com/app/?access_token=[user_access_token] as described by Get application id from user access token (or verify the source application for a token).
This appears to be an undocumented feature, but returns JSON containing the id of the app the token was generated for. If the token wasn't for your app, it returns a 400.
In the latest version of facebook (2.2) you can do it this way:
https://developers.facebook.com/docs/graph-api/reference/v2.2/debug_token
Sample output:
{
"data": {
"app_id": "THE APP ID",
"application": "APP NAME",
"expires_at": 1427245200,
"is_valid": true,
"scopes": [
"public_profile",
"basic_info",
"read_stream",
"email",
"publish_actions",
"read_friendlists",
"user_birthday",
"user_hometown",
"user_location",
"user_likes",
"user_photos",
"user_videos",
"user_friends",
"user_posts"
],
"user_id": "THE USER ID"
}
}
private function facebookRequestMe($access_token)
{
include_once "facebook.php";
$facebook = new Facebook(array(
"appId" => "your_application_id",
"secret" => "your_application_secret"
));
$facebook->setAccessToken($access_token);
return $facebook->api("/me", "GET");
}
You can download the Facebook SDK for PHP from GitHub.
If a user has passed you a Facebook UID that they claim is theirs and you want to check if it's legit, this is a Python function that will verify it against their access token (an implementation of Robin Jome's answer):
def verify_facebook_id(id, access_token):
import requests
import simplejson
params = {'fields': 'id', 'access_token': access_token}
text = requests.get("https://graph.facebook.com/me", params=params).text
json = simplejson.loads(text)
response_id = json["id"]
return response_id == id
This is the only secure method to verify user token using just one request:
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as separator and must be there after fill the other fields.
The response will be JSON looking like that:
{
data: {
app_id: {app_id},
application: {app_name},
expires_at: {some_number},
is_valid: {true|false}
scopes: {array_of_permissions},
user_id: {user_id}
}
}
Reference: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
(above method is mentioned at the bottom of this section)
Along with an access token Facebook also sends an "expires_in" parameter, which is an offset value. Use that to compute for when the access token will expire as an NSDate. Then when you need to do a request compare the current date with the expiration date.
Also try to inspect the status codes and response strings Facebook sends back.