Facebook pinging deauthorize callback url with the wrong request - facebook

I'm working on a Facebook tab app. I need to know when the user uninstalls the tab app from their page so that I can update my database. While the Facebook documentation does not specify how that can be accomplished, I read that Facebook would ping your deauthorize callback URL.
In the Facebook documentation, they say that they will ping the URL with a POST request sending a signed_request (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#logout), but whenever I remove the tab app from a page Facebook sends a GET request to my callback URL without any signed_request, which doesn't help me to know which page had the app uninstalled.
Access log from my Apache server
The 302 redirect is happening because there is no signed request.
What should I do? I can't query all the pages in my database to find out which one had the tab uninstalled because it wouldn't scale, I would need the manage_pages permission, and there is no way, without a signed request, to know that the request came from Facebook.

Try changing the callback URL to SSL. We had this issue earlier this year and when sending to http:// it was always a GET request but once we changed it to https:// it was changed back to a POST request with the signed_request in the body.
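An added example, not code from the original posts: one way a deauthorize endpoint can confirm that a POSTed signed_request really came from Facebook, by recomputing the HMAC-SHA256 over the payload with the app secret. The function names, the status codes and the sample values are assumptions made for illustration, and which fields the deauthorize payload carries (here `user_id`) is also an assumption.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(part: str) -> bytes:
    # signed_request uses URL-safe base64 without '=' padding; restore it.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Return the verified payload, or raise ValueError."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed signed_request") from exc
    # Pin the algorithm; never let the payload choose a weaker one.
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    # The MAC covers the still-encoded payload string, not the decoded JSON.
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    return payload


def handle_deauthorize(method: str, form: dict, app_secret: str):
    """Hypothetical handler core: returns (http_status, verified_payload_or_None)."""
    if method != "POST" or "signed_request" not in form:
        return 400, None  # e.g. the GET without signed_request described above
    try:
        return 200, parse_signed_request(form["signed_request"], app_secret)
    except ValueError:
        return 403, None  # not signed with this app's secret: ignore it


def make_signed_request(payload: dict, app_secret: str) -> str:
    # Builds constructed sample input for local testing only.
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body


if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, not a real secret
    sample = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1000001"}, secret)
    print(handle_deauthorize("POST", {"signed_request": sample}, secret))
    print(handle_deauthorize("GET", {}, secret))
```

Only act on the database after the handler returns 200; a request that fails verification carries no trustworthy identifier.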

Related

Facebook App webhooks: Callback URL & Page tab

Hi, I have been held up with a couple of problems for the past couple of days. Please can anyone help me out?
I want to get the real-time updates of my Facebook page. I created an app and added it as the Page tab, but I am getting the below message when I click the tab in the Facebook page.
Method Not Allowed Error 405
Also, when subscribing to the real-time updates/webhooks in Facebook, is it necessary to give domain name/callback.php in the callback URL? I mean I just want to test the flow right now and don't want to buy a domain for testing.
Also, when I am putting this https://graph.facebook.com//subscriptions?access_token=****
I am just getting
{
"data": [
]
}
Subscribing to a page for updates is not done by installing it as a page tab app any more, but by making a POST request to /page/subscriptions
Method Not Allowed means your server did not accept a POST request to the URL. Facebook makes a POST request to load an app into a page tab. If you tried to use that same URL as your webhook callback URL, you need it to accept POST requests as well.
Of course the URL needs to be reachable from the outside, otherwise Facebook could not make a POST request to it. As far as I know Facebook does not accept IP addresses, you need to use a domain name. Plus, webhooks now require an HTTPS URL, with a valid SSL certificate. Self-signed certificates are not accepted, so you practically have no other choice than to use a "real" domain, dyndns or something won't work.
That's because you have not actually subscribed your app for updates of the page. Again, that has nothing to do any more with page tabs, it needs a POST request to that endpoint.

Facebook Login link redirects straight back to my application without ever showing login dialog

I am attempting to implement a simple Facebook login flow for a web application using HTTP redirects, as detailed at https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2.
For the purposes of making this question generic, let's say the application URL is www.example.com/app.php. On the application page, there is a link which directs users to Facebook's OAuth endpoint, where ideally:
they log in to Facebook (if not already logged in) and approve my application permission to access their public profile
they are then redirected back to my application's URL along with some extra parameters appended (e.g. www.example.com/app.php?code=...&access_token=... if the login was successful, or www.example.com/app.php?error_reason=...&error=...&error_description=... if login/app approval was unsuccessful)
The Facebook OAuth endpoint is:
www.facebook.com/dialog/oauth?client_id=12345&redirect_uri=www.xyz.com/app.php
where I have filled in the client_id and redirect_uri parameters with my application's ID and my application's URL respectively.
What actually happens whenever I access the link is that it immediately redirects back to my application's homepage - without ever showing a login dialog of any kind. This happens with Firefox and with Chrome - both when I am logged in to Facebook and when I am not, in normal sessions and in incognito sessions with no plugins enabled. From the browser inspector, I can see that the Facebook OAuth page is definitely requested but is straight away 302 redirecting to my application page with just a code parameter appended.
www.example.com/app.php?code=...
This also happens when the Facebook OAuth link is accessed from pages other than my application's URL (e.g. if I click the link from www.example.com/other_page.htm).
I am unsure what I am doing wrong here; the application URL (www.example.com/app.php) is approved on my app dashboard in as many places as I could find, and changing the request_uri parameter to any other URL results in an error page. I have also tried urlencode()ing my application URL before passing it in the request_uri parameter, but the result remains the same. I don't know what to try next, as far as I can tell I have followed Facebook's manual login guide as closely as possible.

Link facebook application request to facebook application page. Considered invalid because it is a Facebook url

I can successfully send app requests by using method: 'apprequests' and the receiver gets the notification properly. I know the page to be shown when the user clicks on the request is the one you put as Canvas URL/Secure Canvas URL.
The thing is I had already set up an App Page for my app, so it makes a lot of sense to lead the user to this page when he/she accepts the request. But I cannot put my app url as Canvas URL because Facebook will not allow it (error: is invalid because it is a Facebook url).
In similar questions, many suggest a redirection but I wonder if there is a more direct/proper way.

Facebook not requesting signed_request on page

This is my application on a Facebook page.
https://www.facebook.com/SlcChallenge/app_439780382750381
Here my problem is that Facebook sends a signed_request for some users and doesn't return one for some users. So when Facebook doesn't send a signed request, my page gets an error.
My page tab URL is https://tippll.com/pagetab.php/
Please help me to find the solution.
Thanks in advance
Krishna Karki
If on canvas load you receive a code instead of a signed_request, this means that Facebook could not authenticate the user (and retrieve an access_token), and has fallen back to sending a code for you to exchange for an access_token.
Double-check your canvas URL settings in your Facebook application. This can sometimes happen if you have URL rewriting non-SSL requests through to SSL domains (or even just URL rewrites in general).

Old session in my website is cleared after getting signed_request from Facebook

Sessions are used in my website, but when I open a Facebook app which redirects to my website, I found out that old sessions are cleared.
I assumed that after getting the signed_request, Facebook clears my old sessions. Am I right in this assumption?
The problem is that I want to keep my old session even if I have requested a signed_request.
This could be happening because the Facebook app doesn't send a CSRF token.
You can fix this by removing the protect_from_forgery callback on the Facebook app's action.
Add skip_before_filter :verify_authenticity_token to the controller that facebook apps request or remove protect_from_forgery from application_controller.rb
I have also posted this on my blog here http://wowcode.wordpress.com/