I have a Node.js web application that uses Facebook OAuth 2.0 to register/login/logout users using everyauth.
I enabled the deprecation of offline access on my Facebook application so now I receive tokens that expire after ~two months, or when the user changes her password, or when she removes the application, BUT not when she logs out of Facebook
My application is embedded in an iframe into multiple websites and is used to push updates to the user's Facebook timeline.
Say I have my application installed on site A and site B. If the user X logs in my application on A, he is logged into my application on B as well because the iframe preserves the session.
Problem
If the user X logs out of Facebook, anyone else using the same computer on sites that have my application installed is going to push updates on behalf of X.
Is there a way to determine if X is still logged into Facebook before pushing an update?
In other words, I need something similar to Facebook's JavaScript SDK FB.getLoginStatus but on the server side in Node.js. The best thing would be a Graph API call, but I can't find an appropriate URL for it.
IMPERFECT SOLUTION:
In the end, I went with #NitzanTomer's solution described in the comments. I used the JavaScript SDK and its FB.getLoginStatus method to check if the current user of my application is still logged in on Facebook. This is far from ideal: it works in my case because I'm running JavaScript code in an iframe, thus being relatively protected from attacks by the same-origin policy.
You can you use FB.getLoginStatus to check whether the user is connected to Facebook or not:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
getLoginStaus function is not there in facebook-node-sdk by amachang but what you can use is the getLoginStatusUrl function: facebook-node-sdk
The user is logged in if returned value is the url you assign to ok_session property. You cannot be sure of the permissions granted to your app though
Related
I am implementing Facebook Login (for the web) for the first time and I had some questions regarding the users session and and the best practices for handling logout. Right now, I am using a combination of the JS SDK (only for login flow if js is enabled) and PHP SDK.
Question 1: Should I save the Facebook access token in a PHP session or use the built in "cookies: true" feature in the SDK.
Question 2: If a user that signed up via Facebook returns to the site after a few days, should they be auto logged in, or have to click a login via Facebook button, then just be logged in?
Question 3: If a FB logged in user logs out of my site, should I log them out of Facebook or just my site?
Question 4: If a FB logged in user logs out of Facebook while also on my site (different tab) should I automatically log them out of my site?
1) You can save the access token in a database (but be wary of the expiry date) or save it in a session. Cookies would be the easiest way to manage this and takes care of (2).
2) Depending on how your handle the sessions and the SDK you use, the use would automatically be logged in (e.g. JavaScript method FB.getLoginStatus() to detect if the app has already been authed). You should have a "Login with Facebook" button on your app in any case, for new users.
3) If you use the logout methods in the SDK (e.g. FB.logout() in JavaScript SDK), the user will be logged out of both your site and Facebook. This really depends on how you want to handle this. You can log them out if your site by deleting the session / cookie.
4) You should alway check to see if the user is logged in whenever an action is taken on your site. If the user logs out of Facebook while on your site, eventually, your site should pick it up (using FB.getLoginStatus()) and ask them to login again.
3) Facebook will decide if a user should be logged out of Facebook also or only your site/app, at least when using the JS SDK. From their docs, see link for some case examples:
"The method FB.logout() logs the user out of your site and, in some
cases, Facebook." - Facebook docs
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy, looking at the PHP SDK’s method getLogoutUrl, that creates an URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can i log out from facebook.
2. How can i clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from facebook by using
facebook=>getLogoutUrl();
2) clearing the session by using :
$facebook->destroySession();
example:
Log Out
logout.php page codes as follow:
<?php
require 'facebook.php';
$facebook->destroySession();
header( "location:index.php" );
?>
there is an facebook application, you can see it there:
http://www.facebook.com/tdmtravelclub?v=app_197602066931325&app_data=wlbb%3D1
You have to like it and than you can play a game (you don't have to i just explain the functionality of it).
This application isn't forcing you to login (i think the authorization is automated), but they can query the user data (they see if you liked the site).
I lookd for a similar authenthication method for fb apps but i didn't found one.
The only thing you know about a user (who has not authorised your application) within a tab application is if he is a fan or not. Facebook sends this information via the signed request.
PHP SDK Demystified – What is Signed Request?
Authentication within a Page Tab
SO Question including signed request
well i have used the facebook api couple of times. But last day i just came across a site which was really new to me. Heres the scenario
If a user is logged in at facebook and comes to my site, he will
automatically be logged in without asking him and also if user logs
out of my site he gets logged out of facebook. But the site i saw
yesterday, they had handled it perfectly, user dose not logs in their
site automatically and even if user logs out from their site, he does
not gets logged out of facebook.
So any help? what is this technique called? or any relevant help?
Best Regards
most site handled the login/authenication by using the login status of the user at facebook ends.
to do what u wants, simply add an additional layer of authentication / login status checking at your own site.
The site level login status is to be retained only for the current session. In other words, once the user went away from the site, the site level login status is gone. With this, when the user returns, you know that he needs to login again.
when the user logged out from your site, you only log him out of your site and do nothing about facebook login
Using the Facebook SDK it will likely tell you the user is logged out when not logged into Facebook, which in theory is the correct behaviour of the whole system, as Facebook want user's to always be connected to Facebook, I quote facebook:
As long as the user is signed into Facebook, they are automatically signed into your site as well.
So if they aren't connected to Facebook, you aren't connected to other sites. In a way it's a deterrant and increases Facebooks market.
But anyhow, it's likely the site you are describing are implementing their own authentican system rather than using Facebook's own SDK, or if they are using the SDK they are using it in moderation and understand about cookies/the above.
The flow to allow the user to be logged into Facebook but out of your site is as so:
When a user logs out of their site, it will unset session data for the site's own application, and also unset Facebook cookies, etc. That way the user is still logged into Facebook but out of your site.
When they try to log in again, Facebook will detect no cookies are available and hence will re-authenticate and pass you onto the url as passed during the authentication process. Your site will then login the user to the site's own application, setting any session variables, etc.
you need to check how you are handling the FB logins and sessions at your end..
my guess is you check the is login at your site and there are some access_tokens which are as per your app id in the cookies of your browser which are helping you to log in ..
and when logging out from your site you are explicitly logging out the user from FB as well
( thats what you are describing atleast )
you seem to be explicitly calling logout or clearing the cookies for fb app id ..