Facebook App webhooks: Callback URL & Page tab - facebook

Hi, I have been held up by a couple of problems for the past couple of days. Can anyone please help me out?
I want to get the real-time updates of my facebook page. I created an App & added it as the Page tab, but I am getting the message below when I click the tab in the facebook page.
Method Not Allowed Error 405
Also, when subscribing to the real-time updates/webhooks in facebook, is it necessary to give domain name/callback.php in the callback URL? I mean I just want to test the flow right now and don't want to buy a domain for testing.
Also when I am putting this https://graph.facebook.com//subscriptions?access_token=****
I am just getting
{
"data": [
]
}

Subscribing to a page for updates is not done by installing it as a page tab app any more, but by making a POST request to /page/subscriptions.
Method Not Allowed means your server did not accept a POST request to the URL. Facebook makes a POST request to load an app into a page tab. If you tried to use that same URL as your webhook callback URL, you need it to accept POST requests as well.
Of course the URL needs to be reachable from the outside, otherwise Facebook could not make a POST request to it. As far as I know Facebook does not accept IP addresses, you need to use a domain name. Plus, webhooks now require an HTTPS URL, with a valid SSL certificate. Self-signed certificates are not accepted, so you practically have no other choice than to use a "real" domain; dyndns or something won't work.
That's because you have not actually subscribed your app for updates of the page. Again, that has nothing to do any more with page tabs, it needs a POST request to that endpoint.

Related

Facebook pinging deauthorize callback url with the wrong request

I'm working on a facebook tab app. I need to know when the user uninstalls the tab app from their page so that I can update my database. While the facebook documentation does not specify how that can be accomplished, I read that facebook would ping your deauthorize callback url.
In the facebook documentation, they say that they will ping the url with a POST request sending a signed_request (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#logout), but whenever I remove the tab app from a page, facebook sends a GET request to my callback url without any signed_request, which doesn't help me to know which page had the app uninstalled.
Access log from my apache server
The 302 redirect is happening because there is no signed request.
What should I do? I can't query all the pages on my database to find out which one had the tab uninstalled because it wouldn't scale, I would need the manage_pages permission and there is no way, without a signed request, to know that the request came from facebook.
Try changing the callback URL to SSL. We had this issue earlier this year and when sending to http:// it was always a GET request but once we changed it to https:// it was changed back to a POST request with the signed_request in the body.

How to identify a unique Facebook user from a URL click

We have a Proof of Concept requirement that from a static URL posted in an advertisement on Facebook, we identify the unique individual that clicked our link and has landed on our page (external to Facebook).
This static advertisement will have no coding associated with it (that is part of our challenge - and will just redirect the user to our site).
Is there anything within the stream of data that is sent in a normal redirect, or available to us in any way, that would allow for the following:
Identify the user that clicked
Allow for a callback to Facebook to get any unique user information
Not sure it matters -- but we are looking at a .NET C# site as the landing page...
You can't identify the Facebook user in any way without authorization. So when he visits the link, you need to implement authorization and you can check if it's the same user with FB.getLoginStatus, for example. That function of the JavaScript SDK refreshes the Access Token so you don't need to redirect to another page when it's not valid anymore.
Here's a tutorial, just in case: http://www.devils-heaven.com/facebook-javascript-sdk-login/
But remember: Nothing without authorization.

Link facebook application request to facebook application page. Considered invalid because it is a Facebook url

I can successfully send app requests by using method: 'apprequests' and the receiver gets the notification properly. I know the page to be shown when the user clicks on the request is the one you put as Canvas URL/Secure Canvas URL.
The thing is I had already set up an App Page for my app, so it makes a lot of sense to lead the user to this page when he/she accepts the request. But I cannot put my app url as Canvas URL because Facebook will not allow it (error: is invalid because it is a Facebook url).
In similar questions, many suggest a redirection but I wonder if there is a more direct/proper way.

Slow load facebook canvas app when click on links (if target top)

Situation: I am developing a facebook canvas app. Facebook is sending my server a POST request with the signed_request each time that a page is rendered. Inside my app I have all my links with target="_top" because if I don't, facebook sends my server a common GET without the signed request. So I can't check the user info.
Problem: It is too slow! Even if I am testing it locally, each click that I press takes 1 sec to render and my canvas becomes completely white and then the info is shown. It will be a bad user experience.
My tests: If I remove the target=_top and I point all my links' href to my server without the app.facebook.com/whatever, it loads very quickly.
My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I cannot check the signed request; I will only check it in the main page.
Any advice? Any tutorial? Do I have any misunderstanding of this? (It is my first facebook app)
Have you read the Server-Side Authentication tutorial?
You're doing it wrong.
Once the users lands in your app you should keep all links in the same frame, loading the entire window along with facebook is completely redundant.
What you should do:
When you get the POST with the signed request, decode it and check if the user is authenticated; if he is, persist the data (token and such) somewhere (session, db, cache).
If he is not authenticated, send him to the auth dialog as noted in the tutorial; when he gets back, exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you'll be posted with the authenticated signed request, save it, etc.
Since you persist the data, in every request that is not POST or doesn't include the signed_request, check your persistency choice for the data, and use it.
There should be only two times where facebook sends you the request, once it is POST when your canvas is loaded, the 2nd is when the user returns from the authentication dialog, in which you either get the code parameter or error in case the user declined the authentication.
Other requests should be from your app (inside the iframe) into the app servers.
JDL,
I believe you are querying the graph API at each request (and that's why you always need the signed_request). Is this right?
The graph API is pretty slow (~ 1 second/query) and you should use it only when necessary. For example, when you first receive the access_token you should save it in your session and query the graph API to retrieve the respective facebook user info. But then you should put the info you need about this user in your session and only refresh it (using the graph API) when the signed_request access token is different from the one you have saved in your session.
The behavior of adding _top to the target of your links is ok and a good practice within facebook canvas.
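
The flow from the first answer above (verify the signed_request on the canvas POST, persist the result, use the stored data on requests that carry none), as an added Python example that is not part of the original thread; the same signature check applies to the signed_request sent to a deauthorize callback, discussed earlier on this page. The function names, the session dict keys and the sample secret are assumptions, and the sample signed_request is constructed locally in the `<signature>.<payload>` layout.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # The segments arrive as base64url without "=" padding; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_signed_request(signed_request, app_secret: str):
    """Return the payload dict only if the HMAC-SHA256 signature matches."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None  # malformed, missing, or not base64url/JSON
    if not isinstance(payload, dict) or payload.get("algorithm") != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    # Constant-time comparison; the signature covers the encoded payload segment.
    return payload if hmac.compare_digest(sig, expected) else None


def current_user(form: dict, session: dict, app_secret: str):
    """Hypothetical request helper: trust a verified signed_request, else the session."""
    raw = form.get("signed_request")
    if raw is not None:
        payload = parse_signed_request(raw, app_secret)
        if payload is None:
            return None  # reject forged input; never fall back to cached identity
        if "user_id" in payload:  # present only once the user has authorized the app
            session["fb_user_id"] = payload["user_id"]
            session["fb_token"] = payload.get("oauth_token")
    return session.get("fb_user_id")


def make_sample_signed_request(payload: dict, secret: str) -> str:
    """Constructed test input in the same <signature>.<payload> layout."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    body = enc(json.dumps(payload).encode())
    return enc(hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()) + "." + body
```

Links that stay inside the iframe rely on the server-side session alone, so the session cookie needs the same protection as any other authenticated session.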

Why are Facebook requests coming in as both POST and GET requests?

I am writing a Facebook Tab application. I have set it up to be dynamic based on the page that the Facebook user is adding our tab to. When developing, all of my requests were coming to my application as POST requests and included the signed_request parameter. As soon as I got this thing on our production server, it started sending all requests as GET and did not include the signed_request. The only change that I made prior to launching was to modify the URLs in the Facebook tab settings to point to our server as opposed to localhost. What is going on here? Why is Facebook changing the request type?