How to re-request FB permissions in Hello.js? - hello.js

I am using Hello.js to connect with FB (asking for the default permissions). However a user has an option to edit his provided info and uncheck an email address. I can capture this action, but not sure how to re-request the permissions again, so he would have to grant his email in order to proceed.
My coffescript snippet:
hello('facebook').login().then ((json) =>
hello('facebook').api( '/me' ).then((json) =>
if json.email
#proceed(json)
else
#rerequestPermissions(json)
return
)
return
)

Related

Why is the Facebook login modal not prompting users for access to their email address?

I'm trying to integrate the Facebook login flow into a website (as per this page: https://developers.facebook.com/docs/facebook-login/web), and I'm having issues with trying to force the login modal to request access to the user's Facebook email address.
Specifically, I'm executing the following code from my JS:
FB.login((response) => {
if (response.status === 'connected' &&
response.authResponse) {
// Do something with the response here.
}
}, {
scope: 'email',
return_scopes: true
});
The response is coming back as connected when the user successfully logs in, and I am getting the user's user ID, access token, etc., but when they click on the button in my UI that calls FB.login, the modal that pops up for Facebook does not ask the user if they want to grant access to their email address. Why?
For the site I'm building, I need access to the user's Facebook email address. If they were to be asked and deny access, that's one thing, but the modal that pops up isn't even asking them for access to their email address, and I don't get their email address back in the response.
Furthermore, if I make a subsequent call to the following, the email permission comes back as declined:
FB.api(`/${response.authResponse.userID}/permissions`, (response) => {
console.log(response);
});
Does anyone know why I can't prompt the user for access to their email address? Thanks.
Edit: It might be worth mentioning that I'm testing this on localhost, and I wonder if that's having an effect. In the Facebook for Developers dashboard, I did set my localhost virtual host (e.g., site-name.test) as an allowed URL for redirects, and it does let me log in with Facebook and get the user ID, etc., but it just never prompts the user for access to their email address. Thanks.
Thanks again to misorude for the answer. Without that, I would have never figured this out. To sum everything up, the problem was that during testing, I had apparently already once declined the request to provide access to my email address, and after that, it no longer asked me for permission to access it.
As such, you have to pass an extra parameter to FB.login in order to force it to re-ask the user for access to their email address. Specifically, it's the authType parameter, and here's how you pass it:
FB.login((response) => {
if (response.status === 'connected' &&
response.authResponse) {
// Do something with the response here.
}
}, {
scope: 'email',
authType: 'rerequest'
});
That will give you access to the email address (assuming a user has one registered; again, thanks to misorude for noting that), but it doesn't actually return the email address. To get that, you then have to send an API request to /me with a fields parameter requesting the email address to get it. I figured out how to get that via the following SO answer: https://stackoverflow.com/a/31763373/1992973
Specifically, a full solution is something like the following:
FB.login((response) => {
if (response.status === 'connected' &&
response.authResponse) {
FB.api('/me?fields=email', (response) => {
// The email should be in the response, assuming the user has one registered with FB.
});
}
}, {
scope: 'email',
authType: 'rerequest'
});

"getLoginStatusUrl()" from the Facebook PHP sdk not working properly?

I am trying to determine whether a user is logged into Facebook or not. In the case that I am working with I would like to force him to log into my site even if he is logged into facebook already and has previously given me permissions.
$params = array(
'ok_session' => 'http://localhost/fb_connect?ok_session=1',
'no_user' => 'http://localhost/fb_connect?no_user=1',
'no_session' => 'http://localhost/fb_connect?no_session=1',
);
$next_url = $facebook->getLoginStatusUrl($params);
I was trying to use the code above (per the instructions on http://developers.facebook.com/docs/reference/php/facebook-getLoginStatusUrl/) to determine what flow I need to guide my users through, but in the case when there is 'no_session' aka nobody is logged into Facebook, instead of getting the 'no_session' url specified by the $params, I get the message Application Error on the facebook "check login status page"
Any suggestions are welcome
You're correct, its broken:
http://developers.facebook.com/bugs/295348980494364

How do I check if a facebook account is currently logged in before requesting permission for my app? (using php sdk)

I'm using the php sdk v3.0.1.
I am trying to get offline access from users.
When my app requests permission from the user, it does so for the currently logged in user. I'd like to first check if a facebook account is logged in, and if so display a message. for example:
User "John Doe" is currently logged in.
then I'd have a link to "log out" or a link to continue to the permission page.
I was trying this but it always returns 0:
$facebook = new Facebook(array(
'appId' => 'XXX',
'secret' => 'YYYYYYYYY',
));
// Get User ID
$user = $facebook->getUser();
if($user)...
else...
the if statement always fails and then when the else is procesed and I send them to the login page, it requests permission for the currently logged in user (which I don't want).
I've searched extensively and can't find an answer. :-/ Any help or suggestions would be appreciated. I'm completely new to the facebook api.
Basically you would like authentication and permission requests to be separate. Correct me if I'm wrong about that. So you can just send users through a plain authentication step:
$loginUrl = $facebook->getLoginUrl();
and then later send them through again with the proper permissions.
$arg['req_perms'] = "[permissions here]";
$loginUrl = $facebook->getLoginUrl($arg);
This will get you a separate login and permission request step.

Prevent signups with Facebook proxy email

Problem is, when a user clicks on FB Login button on my site, Facebook API throws him with a window which ask for access permissions(which is the usual flow). But when the user chooses the proxy mail address (anonymous), then I want to force the user to login only using his real email id.
How am I supposed to handle this ?
I can detect that user used proxy email and prevent him from registering, but then I can't remove my app from his list of authorized apps - meaning I can't get him to that initial dialog for choosing which email he will provide.
You can't force the user to go through the authorization dialog again, because as far as Facebook is concerned, the user has installed your application and nothing else needs to happen. The best thing you can do here is write your own form which informs the user that the Facebook proxy e-mail address is unacceptable and you need a real e-mail address. Unfortunately, this does not force the user to give you their Facebook account e-mail address, or even a real e-mail address. This is the best we have via Facebook though, and it's just something we have to deal with.
UPDATE 5/10/11
I was browsing around the Facebook documentation, and found a method that exists in the old Legacy REST API which actually allows you to remove extended permissions for your app from a user. I think you could use this exact API call to manage getting non-proxy addresses from your Facebook user, while still using the native install dialog.
I tested this using the FB JS SDK and it worked! The method you need to use is the auth.revokeExtendedPermission method. Here are 2 examples of calling that method via the JS SDK and the PHP SDK.
Javascript:
<script>
FB.api({
method: 'auth.revokeExtendedPermission',
perm: 'read_stream'
}, function(response)
{
console.log(response)
});
</script>
PHP:
<?php
$facebook->api(array(
'method' => 'auth.revokeExtendedPermission',
'perm' => 'email',
'uid' => $uid
));
Because these use the Legacy REST API they're not as "supported" as the new Graph API. I've not seen anything regarding migrating this feature to the Graph API. Hopefully they will.
Invoke revocation of the app through graph api (as below) with the php sdk then redirect user back through your dialog with this non-proxy requirement explained.
private function revokeAccess() {
$access_token = $this->facebook->getAccessToken();
$result = $this->facebook->api(array(
'method' => 'auth.revokeAuthorization',
'uid' => $this->{facebook id here},
'access_token' => $access_token
));
return $result;
}
This code is php.
This completely removes the app.
Returns 1 on success; 0 on failure.
$this->facebook == facebook object from the facebook php sdk.

Login using facebook connect question

I want to implement facebook connect on my site. I have used the oauth api to obtain a permissions request for the app.
However, I am having the following problem.
If a user signs into my site for the first time using facebook connect, i need to create a new username / password for him (on my site) to be able to surf my site and have all the session variables set. However, what should i use as the username / password ?
I understand that a facebook user can change his email address.
How do i handle users who are logging in using facebook connect for the second or third time (who are already members of my site) ? I need not create a user for them on my site as its already created when he logged in for the first time. Do i check for email address to see if the facebook user's email address exists in the database ? Also, comes the same problem that a facebook user can change his email address.
What is the one thing that does not change for a facebook user that i can use for his username ? Also, what do i use for his password ? Also, i understand that if i use username/password from available app data, then using normal mechanism a user can login to my site too. How do i prevent this security hole ?
Please help.
I use the information that facebook send in the callback (facebook unique user id or normal id)and then check if the user is on my database, if not i insert him but i leaving blank the othe rstuff like password or user email (also you can request that info too check the line 418 in the php api and add "'req_perms' => 'email',")because i can retrive that data when they connect again and then set the sessions like allways.
if the users change teh email just check that on every login and update the data.
example:
$facebook = new Facebook(array(
'appId' => 'xxxxxxxxx',
'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'cookie' => true,
));
$session = $facebook->getSession();
$me = null;
// Session based API call.
if ($session) {
try {
$uid = $facebook->getUser();
$me = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
}
}
// login or logout url will be needed depending on current user state.
if ($me) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
$loginUrl = $facebook->getLoginUrl();
}
if ($me) {
if (!isset($_SESSION["usr_id"])){
$_SESSION["usr_id"] =$me['id'];
$_SESSION["usr_name"]=$me['name'];
// or do your sql verification and then set the sessions
}
}
/////////////////////////////////////////////
Facebook offers user's unique ID. You can recognize user with this information.