Chrome extension for facebook - facebook

I am trying to build an google chrome extension for Facebook.
I should be able to access the facebook api without actually asking the user to authenticate explicitly for my extension.
Is there a way to do that?

The answer is yes and no.
Yes: You can "read" as much as a they have loaded in their page through a Content Script that reads the window document. A good example could be the following.
In the manifest.json
"content_scripts" : [{
"matches" : ["http://www.facebook.com/*"],
"js" : ["js/vendor/jquery.min.js", "js/content.js"],
"run_at" : "document_end"
}]
In the js/content.js
var document = jQuery(window.document);
var posts = document.find("div[role='article']");
and then you can read as much as you wish of the user, or well, as much as the page loads. You could have some sort of timeout mechanism that checks whether there's new content in the page, or new elements were added to the dom, but at the end the user has to scroll down to load information, or you can hack this through Javascript.
No (and why you shouldn't): I'm not a legal guy, but I had been developing long enough to know that whenever a platform gives you an API, you are supposed to use it. Why? Because they can control what information you are reading, and they can protect their user information that way.
This is actually a delicate line, because sometimes you can enhance a website experience without necessary using a website API (and sometimes they don't even have one). This is then even appreciated if you are actually improving the user experience. In this case thought, I wouldn't do it though, because:
It's Facebook, I'm pretty sure they have in some Terms of Service a line where they describe what I just wrote about reading user's information through external scripts.
External applications that crawl your data have had bad reputation since day one (automatic posts, scamming, scrapping information, etc)
Facebook API is now based in Oauth2, which in its foundation was made to protect the users; through a token denial, a user can stop at any time an application from reading his/her data, while your application has no mechanism for that (uninstall may be it, but you may have stored already his/her data)
It's not that hard asking for permission and you would be saving yourself a lot of trouble.
How to do it the right way? Request an application ID, and load the facebook SDK in a Background Page. Prompt the user permissions (yes, the right way includes asking the user for permission on what you can read so he/she can deny you access to them if you misbehave) and then query the Facebook API with that.
Think about it. You can create an extension that reads the content of a user page whenever he logs into his/her bank. Or his email. Actually, anything that a user sees inside a browser window can be retrieved by an extension. This is extremely dangerous to the user if there's no control over which information is being taken from him!
Ask for permission first. Don't be THAT guy ;)

Related

Separate cache for logged in users

I currently have a website where I have roughly 20 separate pages. All pages have two versions... a version where the viewer has not logged in yet, along with a logged in version. The logged in version can vary quite differently from the non-logged in version...
I was wondering if there is a simple way to tell browsers to 'invalidate' all cached pages for my domain when a user logs in or logs out.
Example: A non-logged in viewer visits many of the pages on my site, which causes their browser to cache all of these pages. Upon logon can I supply the user with a particular header which will make their browser to not use the cached version the next time the page loads? This needs to happen on both log-in and log-out.
Any tips or tricks would be super helpful, I am fairly new at caching...
Thanks :)
No, you cannot tell the user's browser to un-cache pages. You could use different URLs for logged-in users than for logged out users (adding a query string would suffice), or, not allow caching of any of them in the first place.
ideally you wouldn't have separate pages to represent a user's logged-in state. that attribute of your application really belongs in the model not the view as it were. i imagine a logged-in user would never see the non-logged-in page via the controller, right? in which case i'd offer that it doesn't matter which page is cached and which isn't.
the following is the only way that occurs to me to do what you want, but it isn't pretty... if a user has logged in, but requests the non-logged-in page, expire the page (e.g. $q->header( -expires => 'now' )) and send the logged-in user to non-logged-in page. but, as above, i doubt you want to do that. you could reference a .js file that has js/ajax that detects such a scenario and then redirects the user back to the logged-in page.
you can see what an ordeal this could be. i'd suggest tightening up your application design such that this problem goes away. hopefully this was helpful. good luck!
Have a look at Force browser to clear cache. There are some promissing leads in there.
Otherwise, tell your users to Shift-Click the reload button. ;-)

iPhone App to read Facebook wall

I want to create an iPhone app that displays (among other things) a specific Facebook wall. For a good user experience I didn't want an app that required the user to have a Facebook account and I didn't want to force the user to have to log in to Facebook to see the latest "news" in the app. I started out by getting the wall RSS feed and tried parsing it ... I can "see" all the data I need ... but that is getting complicated quickly and has too many variables that are making the final results less than stellar. I have read through the Facebook iOS programming tutorials and it seems to me like the SDK forces the user log in, which I don't like.
My question ... Is there a way to use the Facebook SDK with hard coded profile credentials to access a specific wall without forcing the user to login? If possible, is that a recommended approach? Any other ways to skin this cat?
I have read through the Facebook tutorial and searched through many postings on this site but haven't found an answer to this ... sorry if this a newbie question and has already been answered.
Item I.2. of the Facebook API policy list says
You must not include functionality that proxies, requests or collects
Facebook usernames or passwords.
It sounds to me like that's what you're proposing to do; i.e., the user will be able to see a certain wall, but using hard coded credentials (not their own). In other words, your credentials are proxying for the user.
I do not know if it is technically possible to do this (I imagine it is) but I don't think it's a good idea, and I do think it's a violation of the Facebook API terms of service.
First you need to get the a access_token by parsing your app id and secret.
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET
Then send following request to get the data you want. Note that only public data will be accessible.
https://graph.facebook.com/FACEBOOK_USER_ID/?access_token=ACCESS_TOKEN

Facebook Application - Security Considerations regarding the user's facebook Id

I am building a facebook game using ASP.Net MVC3. (More like Mafia Wars and less like Farmville in terms of technology and look and feel).
Almost all of the actions of the game will be triggered by Javascript (which calls a REST api) that we have written.
Now, our game authentication is done using Facebook's JS SDK and we also ask for offline access permission. So we save the auth_token in our DB the first time a user signs up.
I want to know what would be the best way to access the id of the user for operations performed within the application from the point of view of security (and making it hard for people to spoof ids)
I know of the following ways:
Store it in a Global javascript variable and load it on every page load using the JS SDK. (bad idea because this can easily be changed in Firebug)
Read the value from server side using the fbs_[app-id] cookie that is set. (again, I was able to change the value in the cookie which got posted to the server)
Use the C# SDK and do an API fetch (for /me) to get the ID using the auth_code which is supplied in the cookie (by far the safest way - but also the slowest)
Any pointers would be greatly appreciated.
Also please let me know if I am getting excessively paranoid about this.
I am sure there must be a clean, simple, secure method which I have overlooked!
Thanks.
I guess I'll just put down what we are doing - incase someone stumbles upon this later.
I checked out Zynga's Mafia Wars and found my facebook id peppered at almost 6 to 7 places throughout the page in the HTML code.
I guess one could try fooling around and modifying it using Firebug - but the quantity of obfuscated javascript out there, one would need to be decently motivated to do it.
However, what we have ended up doing is follows.
Our game asks for offline access to the user - so the access token that we get in the first login, is saved in our DB.
Then everytime the user performs an action, the facebook cookie associated with the account is returned to us out of which we pull out the access token.
We then do a lookup on our own DB for the user id corresponding to this access token.
If the user id is not found (for a new user, say), we do a GET("me") using the facebook api to get the user id.
It is slightly ineffective - but I guess will do for the time being. Will update this if we end up doing something else. Maybe we just are over analysing things.

Getting a visitors Facebook page

Hey guys, this is more of a question out of curiosity, but is it possible to get somebody's Facebook page after they have visited your site?
Was thinking maybe a chain of lookup stuff could be used starting with an IP to eventually perhaps get a name and thus that person's Facebook page. I have also heard you can read somebody's web history, is this true?
If you want something, ask for it.
Seriously: you can use Facebook Authentication {instead of|in addition to} your site's registration/login system. It's really not that hard and it's well documented (pay attention to FB's data policies though: what you can do/must not do with the data, how long you can keep it etc.)
When users sign into your app through FB Auth, they must grant your page (temporary) access to their basic profile (at least, I haven't found the way to only use FB Auth for authentication, without granting access to profile data).
On the other hand, if you are planning to track your site's users on FB without their knowledge and/or consent, there's a word for that: "stalking"; in some places, there's even a penalty of law to go with it. In such case, I would recommend talking to a lawyer first - just out of curiosity ;)

Outside access to Facebook events

Let's say I own/control a Facebook page where events are posted. I'd like to display these events on another website (In my case, a WordPress blog, but that's not the important part) on an "Upcoming events" page.
What I'm unsure about is: Is the Facebook API usable "externally" like this? I've downloaded the PHP library and have a demo app running that works from within Facebook (i.e. emitting FBML that facebook.com interprets and displays to the logged-in user), but in my case I want a third party (my web server) to query Facebook every so often, rather than the site visitors directly requesting data (HTML/JSON/etc.) from Facebook itself.
Is this sort of thing possible with the Facebook API? How will my web server authenticate itself? What information do I have to store?
Note: I'm looking for information more at a "sequence diagram" conceptual level, not just asking for code. That part I can figure out myself. ;) Unfortunately, Google and the FB developer wiki have not been entirely forthcoming. What do I need to know so I can start coding?
This is a basic overview of how I've done it for a few of my clients who wanted similar functionality:
Create a pretty basic app that prompts for Extended permissions, specifically "offline_access" and whatever else you need
Store the resulting Session Key in your database with the UID
Create a secure, authenticated webservice for your app which allows you to get the info you need for a UID that you supply, using the session that you've stored in your database
On the website make requests to your app's webservice, being sure to cache the results for a certain period of time and only make a new request to your webservice once the cache has expired (I use 5-10 minutes for most of mine)
So basically your Facebook app acts sort of like a proxy between the website and the user, doing all of the authenticating and requesting using legitimate means.
I've used a webservice because I only wanted to maintain one Facebook app for multiple client's needs. It works like this (in a not-very-awesome ASCII art diagram):
Facebook User 1 \ / Client Website 1
Facebook User 2 --- Facebook App --- Client Website 2
Facebook User 3 / \ Client Website 3
Note: I've only done this for users, not pages, so your mileage may vary.
You can do Events.get with the Facebook API then supply the page/profile ID you'd like to get the events for. Depending on how your page is setup you may have to authenticate, simply use your Facebook account, since you should have access to all the events. oh and make sure you do plenty of caching so your not hitting Facebook on every page load.
AFAIK other than user info, you can't fetch any other data from facebook.
But you can try it other way - say create an app that stores events and other relevant information on a webserver and then your other website can easily access that info.