Are Facebook developers required to rehost profile pictures?

I'm developing an app that authenticates users with Facebook. I'd like to display the user's profile picture in their account, which is readily accessible via a public Facebook URL.
Am I permitted to directly link to these images for use in our app, or do we need to download the image and re-host it on our own servers? I wasn't able to find any answer in the terms of service.

You should NOT use the CDN link, because that one may not be valid forever. It is perfectly fine to download the profile image - if you REALLY want to be safe, tell the user about it before he authorizes your App. You need to have a privacy policy anyway, stating what exactly you store about the user.
It is perfectly fine to use the Graph API link though. Depending on how many images you want to show, it may be better to still download them for performance reasons.

Related

Facebook connect service for my customers without appid

I have more than a few clients that would like to add facebook connect to their landing pages (managed by me). They are too many and not tech-savvy enough to manually create an appid for each of them.
So my only solution is to use my own appid to add facebook connect to all my clients' websites, but as far as I know, Facebook doesn't allow to simply use the same appid on any domain.
How can I solve this? I can't find any documentation to solve my issue. Does anyone have a direction for me?
This has been discussed a couple o’ times before already – but I mostly commented on earlier questions, so let me write the whole thing up as a proper answer, for future reference.
[paraphrased] Multiple-client Facebook login via one single app id
Does anyone have a direction for me?
You probably rather don’t want to do that.
It is not really possible to run one simple app on multiple different domains.
As a workaround for only a few domains, people used to specify different domains for the different platforms – Website, Page Tab or Canvas App, plus Mobile alternative for Canvas – without actually using any of those platforms besides Website, which made the app usable on multiple domains as a website app. But since Facebook introduced their login/permission review process¹, you can’t do that any more – they expect you to present actual functionality on all platforms you have configured in your app.
You can kind of use one single app for login on multiple domains – if you are willing to use only the server-side login flow, and to redirect users to one “main” domain (that gets specified as the app domain in the app settings) to login, and then from there back to the origin domain.
But this has several drawbacks:
It’s not what you’d call a “white label” solution. If your clients expect it to look as if users were logging in via “their” app, it should stay on their domain. Individual branding, in regard to stuff such as app name, app logo that shows in the login dialog, etc., would also not be possible. Additionally, app attribution – the link that shows up under content shared/posted via the app – would only link users back to the main domain, and not to your customer’s.
You would not be able to use the JS SDK for client-side API requests, or even just to embed it to render any of the FB social plugins that require an app id – the SDK checks what domain it is “running on”, and can not be tricked to accept a domain that is not specified in the app settings.
There could be privacy issues. An over-exaggerated example: Just because I as the app user decided to share my photos or videos I have on Facebook with your customer Our-Holy-Mother-of-Christ-Bakery.com, does not necessarily mean I want to share them with your other customer, amateurs-doing-all-kinds-of-nasty-stuff.xxx as well – but if they shared an app id for login purposes, I automatically would. Have fun writin’ the Privacy Policy (which is mandatory if you use FB login functionality, and FB also automatically checks if your app has got one) for that scenario ;-)
Finally, and most importantly: All your customers would be “sitting in the same boat.” If one of them, or in turn their website users, would publish spam via your app id, so that Facebook blocks it, login would not work any more for all of your customers’ websites. And if you decide only then, that setting up an individual app for each of your customers would be the better way to go, they would not be able to recognize their existing users any more, because of user ids being app-scoped since API v2.0 was introduced – so if users logged into this new app, that app would see a totally different user id. (And to rely on an email address as an identifier is risky, too, because you will not get one from the API for every user; for example if they registered using their mobile device.)
Edit: Plus, app/domain insights, as luschn mentioned in his answer.
¹ Yes, the review process has made it more laborious to set up multiple apps for multiple clients. But for apps that do the same stuff/use the same permissions in the same manner, you can refer to an earlier successfully reviewed app id to speed up the process a little. Also, screenshots of how f.e. posts made via the app look on timeline, and what UI components are used, as well as screencasts that you include in your submission could probably be used with little to no alteration.
Apps are not meant to be used on several different domains, you will have to create a new App for each domain, I'm afraid. You can use the different platforms in the App settings to use different domains, but there are only a few so it's pointless. Just create some screenshots and a tutorial for your clients, that's how it is usually done.
Btw, it would be weird to authorize an App on a website, and the same App would allow you to be authorized on all other client websites. Also, insights are per App, so your clients may want to see their own insights and not the global insights of all domains together.
Many is not defined but I think for being a smart developer you need to create new app_ids for every project you need to use facebook connect. Just my opinion. It also allows you to monitor a lot of stuff.
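
The redirect through one “main” domain described in the first answer above is only safe if the hop back to the customer site is restricted to registered domains and tied to the login attempt that started it. The following is an added example, not code from the answers or from Facebook: the app id, domains, secret, TTL and the `/login/complete` path are constructed placeholders, and only the dialog URL shape follows the URLs quoted elsewhere on this page.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not values from the page).
APP_ID = "APP_ID_PLACEHOLDER"
MAIN_CALLBACK = "https://login.example.com/fb/callback"  # the one domain in the app settings
CLIENT_ORIGINS = {"client-a.example", "client-b.example"}  # customer sites using the relay
STATE_KEY = b"replace-with-a-random-server-side-secret"
STATE_TTL = 600  # seconds a started login stays valid


def _sign(body):
    return hmac.new(STATE_KEY, body, hashlib.sha256).hexdigest().encode()


def make_state(origin, nonce, now=None):
    """Bind the customer domain and the browser session nonce into a signed state."""
    if origin not in CLIENT_ORIGINS:
        raise ValueError("origin is not a registered customer domain")
    body = json.dumps({"o": origin, "n": nonce, "t": int(now or time.time())}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()


def login_url(origin, nonce, now=None):
    """Login dialog URL; redirect_uri is always the main domain, never the customer's."""
    query = urlencode({"client_id": APP_ID, "redirect_uri": MAIN_CALLBACK,
                       "state": make_state(origin, nonce, now)})
    return "https://facebook.com/dialog/oauth?" + query


def return_url(state, session_nonce, now=None):
    """Run on the main-domain callback: where may this user be sent back to?"""
    token, _, sig = state.partition(".")
    body = base64.urlsafe_b64decode(token.encode())  # malformed input raises ValueError
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        raise ValueError("state signature mismatch")
    data = json.loads(body)
    if (now or time.time()) - data["t"] > STATE_TTL:
        raise ValueError("state expired")
    if not hmac.compare_digest(data["n"].encode(), session_nonce.encode()):
        raise ValueError("state was issued to a different browser session")
    if data["o"] not in CLIENT_ORIGINS:  # re-check in case a customer was removed
        raise ValueError("origin is no longer registered")
    return "https://" + data["o"] + "/login/complete"  # hypothetical customer endpoint
```

Because the return target is derived from the signed state and never from a request parameter, the relay cannot be turned into an open redirect, and a state captured from one browser session is rejected in another.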

Facebook App Center Game that doesn't use FB API?

Is it possible to submit my 3D WebGL HTML5 / Facebook Canvas app to the App Center, even though it does not use the Facebook API? It isn't integrated with Facebook in any way, other than, being embedded in..
https://apps.facebook.com/flappy-wheels/
..from a Dropbox-hosted URL, if that even counts as a technical "Facebook integration" - which I doubt, as no API usage or Facebook signup or login required to even play it.
I keep on trying to submit it for App Center review but it insists to think I'm using the FB API when I'm not. Does this mean usage of the FB API is absolutely required for App Center submission? What if I don't want my app logging in to people's Facebook accounts? What if I don't want it accessing their personal information, or posting for them, or any of that jank? What if I just want it to be a game to simply be played embedded in a FB app URL, with no actual FB integration or interaction? Can that not be put on the App Center?
It thinks I need 3 permissions, one of which is logging in to people's accounts, I think these 3 permissions are put there in settings by default, how do I remove those permissions from my app settings, as those permissions listed aren't being used in my game, as it isn't using any FB permissions?
A smaller question on the side, what is the "tagline"? Like, it is the keywords / searchable tags, right? I'm used to them being called just "tags" and not a "tagline" so just to be sure I know what it is.
Thank you so much for any help or suggestions!
Yes you can always submit the html5 game on facebook canvas but for App Centre listing it's necessary. Also using dropbox, github hosted sites will have less server resources allocated to them and hence high load time - I recommend to use any other hosting services out there, but remember https is a must.
Tagline is like a punch line for any product just go on the same theme.

Facebook Suspicious Login work around from iPad

I am not sure if anyone has run into the problem but it is really bugging me and affecting our uploading from our iPad to facebook.
I have a local server running XAMPP with a gallery of images displayed via a local web page. These images are from our Photobooths and automatically get added into the gallery when a photo is taken in the booth.
These can then be accessed on the local network via the iPad. Users can then login to facebook and share these images.
Because this is a shared iPad being used by multiple users, is there any way of getting users to login without having to answer security questions?? It used to be fine but now Facebook says the login is suspicious as it does not recognise the device.
I have created an App to post the photos to facebook through the Facebook Development site and it works perfectly from my account and many users, but some seem to get the suspicious login attempt and have to identify friends and date of birth etc.
Is there a correct way to do this?
Thank you Richard.
Is there a correct way to do this?
What you are experiencing is the “correct” way.
Facebook offers this as a security feature – a user can add his devices to his list of “known” devices, from which he will be able to login straight away, and have to answer additional security questions when logging in from a different, “unknown” device.
If users have this feature enabled, they should not be surprised by this happening in your scenario. It’s what they explicitly want, and they’re getting it.
So you should in no way try to mess with that, just because you might think this to be “uncool” or a “nuisance” – it’s not, it’s a feature offering extended security that the user wants and has explicitly chosen.

How to setup Facebook Timeline Cover Photo auto upload in website?

I am new to Facebook API and app development. I am trying to build a facebook timeline cover website where users can auto upload and publish the cover to a new album created in the website/app name. Then they would be redirected to another page on my website with instructions on how to setup the cover on their profile timeline. Most profile cover websites are using the same method such as myfbcovers.com, facebookprofilecovers.com, profilephotocovers.com, facebook.coversdaddy.com, fbcoverlover.com and newfbcovers.com to name a few. I have been searching the facebook developer pages and several tutorials over the net. Some tutorials I checked are:
http://thinkdiff.net/facebook/graph-api-iframe-base-facebook-application-development/
http://daipratt.co.uk/facebook-api-upload-photo/
http://developers.facebook.com/blog/post/498/
And also several youtube videos.
But there are several confusions I have about the app. Sorry for the questions if they are too basic as I am a complete newbie who is willing to learn. One of the main problems is that most of the tutorials are outdated, as the Facebook app creation page etc. is now different and there is no callback url etc. or canvas etc. in options now which are used in the tutorials. In the tutorials, it is mentioned that for creating a website app or facebook app for page, I need a callback URL which I cannot see now. Secondly, if it is mentioned in those tutorials that I need SSL in my website for an app but none of the facebook cover websites listed above have SSL it seems. I also do not have SSL on my server. So, not sure if that is needed and if an app is needed at all on my local server. And all the apps are doing things different such as I can see these URLs on clicking on some of the clickable links for uploading the cover button. Here are a few examples:
http://facebookprofilecovers.com/wp-content/themes/fbcovers/fb/?i=http%3A%2F%2Ffacebookprofilecovers.com%2Fwp-content%2Fuploads%2FHappily-Married-Facebook-Timeline-Cover.png
http://freetimelinecovers.net/facebook/?cov_img=/images/sports-covers/manchester-united.jpg
Some have direct link to the facebook app page such as:
http://apps.facebook.com/profilephotocovers/index.php?id=35 broken link
And only one website seems to have the publish_stream etc. in the url itself
https://facebook.com/dialog/oauth?client_id=162046520556852&redirect_uri=http%3A%2F%2Ffacebook.coversdaddy.com%2Fi-m-not-a-monster-1242.html&state=e4abcdc1d9288be8233a7ac4aa243997&scope=user_photos%2Cpublish_stream
On checking through Live HTTP header, it seems all websites are following a similar pattern which is directly used in the URL in the last website. For example, here are a few steps of the other websites I saw while checking with Live HTTP header.
https://graph.facebook.com/oauth/authorize?client_id=112308188876405&redirect_uri=http://www.myfbcovers.com/oauth/callback&scope=publish_stream,user_photos,email
https://facebook.com/dialog/oauth?client_id=237897089598589&redirect_uri=http%3A%2F%2Ffacebookprofilecovers.com%2Fwp-content%2Fthemes%2Ffbcovers%2Ffb%2Findex.php&state=0ca1581f006bdd80bd5da78e95179f3a&scope=publish_stream
And so on.
I could also notice that almost all websites were taking auth for only publish_stream and nothing else. Only myfbcovers.com is an exception which also asks for user_photos and email. Rest are not asking for the same and so perhaps publish_stream is the only permission needed.
So, to create the app is there any tutorial. And do I need to host the app on my own server in a sub directory of the website or does it make direct call to facebook. The reason I am asking is because it seems Facebook apps if hosted on local server needs SSL mandatory whereas none of the above websites have SSL/https. And if I do not need to host the app on my own server then how can I make the photo upload link to facebook and then return back to the website for the rest of the instructions. I am using Wordpress on my website like most of the other sites are doing and so, that should not be a problem I suppose. Any help would be highly appreciated. I am willing to learn properly and some good tutorials for creating the photo album and then uploading the photo to the user's album etc. would be fine too if not with the full code. Any help would be highly appreciated.
NOTE: I have removed the HTTP and WWW part in many of the above URLs as I can only post a maximum of two links being a new user. Please add them if needed in those where they are not present.
Ok, I did not install all the applications above to see exactly what they did. I think your question is long... but pretty straight forward. This is what I understand your question to be :
You would like to create a cover photo generator that will allow users to customize their cover photo by uploading files, maybe doing some editing to them. Also maybe using templates of cool ideas and in the end being able to update their cool new cover photo directly into their profile.
This is not very complicated to do although to this date there is no real documentation (by facebook) about how to dynamically update the cover photo. However there are ways of creating photo albums and uploading photos to there.
If you are planning to make your application run within facebook - that means use the apps.facebook.com/your_app_name, and have canvas or tab URLS, then you will have to purchase an SSL certificate.
Finally, in order to get as close to the functionality you want, you might have to make some sacrifices (because changing the cover photo is not possible yet with the Graph API).
To locate the cover photo album you'll have to manually scan through all the user's album names - and for that you'll need the user_photos permission.
Once you have created the photo you want, you could possibly let the user upload it (publish_stream permission needed for this) to a different album, and then give the user some detailed instructions using screen shots and direct them exactly how to change their cover photo.
I recommend you read through the Authentication documentation and decide what permissions you need (such as user_photos for the users photos and publish_stream for uploading a new picture or creating an album.)
In addition, there are many many tutorials on the Official Facebook Documentation Pages and their Developers Blog- check them out before going onto other sites that have written their own tutorials. Facebook does update their API quite a bit - but they also (recently) have been pretty good on updating their documentation to mirror the changes to the API...
As serious developers using a 3rd party API (Graph API), it is solely our responsibility to keep up to date with changes and to write code and applications that comply with their platform policies.

Is it OK to use Facebook photos in our web apps?

I'd like to offer my users the capability of either uploading a photo, or choosing one of their photos on Facebook (not only their profile photo).
Pulling the photo source from the Graph API isn't hard... However, does Facebook authorize us to use their photo link source in our apps, or must we download the photo, store it on our servers, and source them from there?
The safest bet is certainly to download the photo and save it yourself; as with web links I wouldn't trust that a photo link will be valid later.
That said, you then have to deal with deleted/removed photos and cleaning them up in your application.
I'm not a lawyer but it seems pretty clear either method is fine according to their developer policy. Specifically 2.2 states:
You may cache data you receive through use of the Facebook API in
order to improve your application’s user experience, but you should
try to keep the data up to date. This permission does not give you any
rights to such data.
My only concern would be the privacy settings on the photos and whether people would be able to access it via Facebook's url. But if you test it and it works and if the user explicitly selects the photo themselves, that would seem to be fine and wouldn't be much different than them re-uploading it to your site.