I'm using the following Javascript for my users to send requests to "invitable friends" from my Facebook app:
FB.ui({
method: 'apprequests',
message: 'Come play with me etc.',
to: str_ids
},
requestCallback
);
function requestCallback(response){
if(response){
console.log(response);
}
else{
//show error to user
}
}
Where str_ids is a string containing the IDs returned by the invitable friends API. This all works fine.
When I invite a single user, let's say his Facebook ID is 1593894704165626, I get the following response:
request
"1399842883640198"
to
["1593894704165626"]
So here I have a unique request ID and the invited person's Facebook ID. I can now store this data in my database along with the inviter's ID, so I have all the necessary info.
However, now I want to reward the inviter after the invitee accepts the invitation and I'm running into a problem.
If user A and user B both invited user C, then when user C joins the game, how do I know whether to reward A or B?
I see from this question that it's possible to pass another parameter along with the invitation, which should help identify the inviter:
Facebook tracking who Invited whom
The first answer here suggests that you can pass such a custom parameter, but doesn't say how. Facebook's convoluted documentation is driving me insane.
Another thing - even if I send that additional parameter, I think there's a problem - for new users the app redirects to the Facebook page that checks whether they want to allow access to the app, and by the time they're redirected back to the app, the additional parameter will be lost.
Is there any solution to this?
I have a web page which asks the user to log in and then proceeds to get JSon via Graph for a particular Facebook group. It builds the Uri dynamically by taking the access_token that is returned after login. It works fine when I do this, but if I try to log in with a different account, no data for the feed is returned.
One hint in this problem is when the facebook dialog screen appears, it only asks for my username/password. It doesn't ask go to the usual screen where Facebook asks for you to give permissions for "Basic Information" etc. It's just a username/password screen and then I go straight in.
This is the login code:
function login()
{
FB.login(function (response)
{
if (response.authResponse)
{
// connected
var authResponse = response.authResponse;
access_token = authResponse.accessToken;
refresh();
} else
{
// cancelled
}
});
}
One hint in this problem is when the facebook dialog screen appears,
it only asks for my username/password. It doesn't ask go to the usual
screen where Facebook asks for you to give permissions for "Basic
Information" etc. It's just a username/password screen and then I go
straight in.
This is because you've already authorized the app, so once you login it will take you straight to the app.
It works fine when I do this, but if I try to log in with a different
account, no data for the feed is returned.
Well the limited view of code you posted is fine, so something else is the problem. First debug step is to get the access token for that different account, and check the debugger to see if its tied to the appropriate user and scope.
I have implemented FB Multi Friend Selector as explained on this page https://developers.facebook.com/docs/reference/dialogs/requests/
function sendRequestViaMultiFriendSelector() {
FB.ui({method: 'apprequests',
message: 'My Great Request'
}, requestCallback);
}
However I want to send the custom Url to the User, since my Facebook App has some parameters at the end like below
http://apps.facebook.com/MY_APP_NAME/MY_PARAMETERS
However with the above method, the user is getting the following link with the MY_PARAMETERS Omitted
I cann't see any "url" parameter in the "apprequests" method. However, this is something that Sweepstakes does successfully. They are able to pass all their parameters in the Message and I want to copy the same functionality.
Thanks in Advance.
The request will point the accepting user to your canvas URL – there is nothing you can change about that.
However, if you need to pass custom data along “with” the request – there’s the data parameter of the dialog for that. You will get the info you put in there back, after reading the details of the request object from the API.
I added a like button to the canvas application page that actually configured to the facebook page of the application.
I would like that whenever a user pressed like or dislike on my page, a request will be sent to my server noticing it that the user liked or disliked the application page.
I can catch these events by using the following code:
FB.Event.subscribe('edge.create', function(response) {
alert('You liked the URL: ' + response);
});
FB.Event.subscribe('edge.remove', function(response) {
alert('You disliked the URL: ' + response);
});
I can just check if the response equals to my facebook application page.
the question is.. after I catched the like or dislike, how do i forward it to the server secure enough ? how can I send the request to the server without posting the facebook id as a post/get parameter?
i want to send it to the server in a way that the server will be able to fetch the facebook session information and fetch the userid from there, or any other secure way.
example:
if i'll just call http://mysite/liked_my_app?uid=4534534543
then a user notice this request and start sending liked_my_app with fake uids.
is there a way to prevent that somehow ?
thanks
Instead of using the UID of the user, forward the signed_request. Only you can decode signed requests coming from your application because of the app_secret you have to use to decode it.
Another possible solution (depending on what exactly you want to do when you confirm a like/dislike event) is to check at intervals your page/app like count - in a cron job for example. When a user likes your page/app you can retrieve his UID (possibly other information as well), and you can cross-reference the lists from the last cron job.
Users want to use my facebook app for many hours without refreshing the browser.
But token expires in 2 hours. Now I ask users to refresh the page but that's annoying.
I don't want to ask offline access permissions because it will scare some users.
The best solution will be somehow "relogin" and get new token without refreshing the page.
Is it possible?
I would subscribe to the expiry trigger (I think this is authResponseChange), then automate another login check. It won't be a perfect solution as it could trigger a pop up (if they have logged out for example) automatically, which a lot of browsers may block. You could instead, when the token expires, check if they will need to complete a pop up, and display a notification on your page somewhere saying 'Facebook needs your attention to continue', then only launch the pop up from their response, which would stop the pop up being blocked.
FB.Event.subscribe('auth.authResponseChange', function(response) {
// do something with response
FB.login(){
// refresh their session - or use JS to display a notification they can
// click to prevent pop up issues
}
});
An algorithm to workout on this
Ask for permission from the user
Save the token
Periodically check for an access token is near to expire or not
If its in verse of expiry, embed some dummy iframe, which redirects to the facebook homepage. - Extend auth token without refreshing the page
This should refresh the token. You might need to generate another token or continue with the same. Whatever be required, can be done without refreshing the page.
Have you thought of using ajax? After two hours you will check, if user is still active. If so, you send axax request to URL, where his session details will be updated. example:
$(document).ready(function(){
setInterval('update_session()', 5500000);
})
update_session(){
$.post({
URL: ..., // script to update session on server
data:{ /* username, password */ },
})
}
and the server-side just takes username and password from post or and runs relogin.
Try acquiring tokens with the offline_access permission.
I presume, guess this is not possible,FB architecture would not allow it. And why is offline_access such a problem!!!!!!...anyway offline_access is the best optimal solution I guess....
Unfortunately I believe this is impossible by design (if you mean for it to happen without user intervention). If the user is still logged in to Facebook you can redirect the top-level page to Facebook and it will bounce you right back with a new code (as it sounds like you are doing already), but that is only possible because of the Facebook cookie that it can check. If you try to do anything from your server, it will be rejected because that cookie will not accompany the request. Same goes for trying to make a call to facebook from javascript -- since your code is running in a different domain, the cookie will not accompany the call and Facebook will reject it. The only way that Facebook can even know who the user is, and that they are still logged in, is to see that cookie. And the only way that can happen is if the browser itself is redirected to the facebook.com domain.
It's worth mentioning also that Facebook has blocked the only logical workaround, i.e. loading the oauth url in an iframe. If you try it you will see that they detect the page is being loaded in an iframe and output a page with a link on it which does a top-level redirect to break out of the frame. So not only does this approach not work, it's clear that Facebook has specifically made it impossible as part of their architecture.
Edit: If what you mean to do is not avoid the refresh altogether but just have it happen automatically when a new token is needed, you can do something like this:
$status=0;
$data=#file_get_contents("https://graph.facebook.com/me?access_token=$token");
foreach ($http_response_header as $rh) if (substr($rh, 0, 4)=='HTTP') list(,$status,)=explode(' ', $rh, 3);
if ($status==200)
{
//token is good, proceed
}
else
{
//token is expired, get new one
$fburl="http://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=".urlencode('http://apps.facebook.com/yourapp/thispage.php');
echo "<html>\n<body>\n<script>top.location='$fburl';</script>\n</body>\n</html>\n";
exit;
}
This is assuming you have something before this code that will process a signed_request parameter if it is present and assign a value to $token (either explicit code of your own or the appropriate SDK entries). The shown code can then be used anywhere you need to check if $token is still valid before proceeding.
If you get the access_token without specifying any expiry to them they will not expire ..
atleast not till the time user either changes his Fb credentials or de registers your application ..
I presume you are using the iframe signed_request parameter to get your access token. One method of achieving what you require is to use the oAuth 2.0 method of aquiring an access token. This is more prolonged in the first instance; your server and Facebook's have to exchange credentials which can be slow, but it means that you will be given a code that can be exchanged for an access token regularly, meaning your server can maintain the session periodically (probably from an ajax call from the client). You would then pass this new access_token to the client, and use it in your dialog call for your requests (gifts).
Hope that helps.
Spabby
Have a look at https://developers.facebook.com/docs/offline-access-deprecation/#extend_token
basically you extend the token with
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
that will give you new token with new expiry time (it should be 60d but I'm noticing similar bug like described here https://developers.facebook.com/bugs/347831145255847/?browse=search_4f5b6e51b18170786854060 )