I'm currently making a CMS and I would like to use some Facebook functionnalities.
The problem is that I need an API Key for that. So I'm wondering that if I have an API Key can I share it with my open source cms project to anyone? And can anyone use it with my CMS?
You have two options.
Create an app for each installation of the CMS, then set app secret and ID in the CMS configuration file.
If you want all installations to use the same app securely you will need a loop back server (i.e. the CMS installation makes a call to your server, which in turn makes a call to Facebook and returns the results).
Do not share your App Secret with anyone. The App Secret is used to sign the signed_request that is passed to you after Facebook authentication. With the App Secret, a hacker can impersonate anyone to use your app because he can pass anything and sign it as if it is from Facebook.
Related
I have an app with SwiftyDropbox that function correctly, but I need to insert email and password for Dropbox every time that I use the app.
The app it's only for my use, it's not a security problem if the app auto-login in my account.
I don't find examples or documentation to make an auto-login with SwiftyDropbox. It's possible?
While the Dropbox API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files, it is technically possible to connect to just one account. We generally don't recommend doing so, for various technical and security reasons, but those won't apply if you're the only user anyway.
So, there are two ways to go about this:
1) Implement the normal app authorization flow as documented, and log in and authorize the app once per app installation. The SwiftyDropbox SDK will store the resulting access token for you, which you can programmatically re-use after that point each time using authorizedClient.
2) Manually retrieve an access token for your account and hard code it in to the app, using the DropboxClient constructor shown here under "Initialize with manually retrieved auth token".
This is a first time I am trying to make a facebook application/game, and I have couple of questions.
Let's say canvas url is http://mysite/first_app/ and facebook app url is https://apps.facebook.com/first_app
I wonder if visited both url-s should a functionality be the same? I mean does facebook give you more tools and freedom if navigated from https://apps.facebook.com/first_app? Or should both url-s look and do the same thing? Is it possible?
I wonder if visited both urls should a functionality be the same
Of course yes. The difference is just that one is deployed at the facebook's app center and the other at your domain.
Yes, you have more tools available in the canvas ("apps.facebook.com.."), as it will send you the user-id without any user consent. Has the user previously used your app, you will also be able to get their accesstoken and fetch more info about them.
It requires some backend code to decode the signed request parameter, which provides you this stuff.
This example is how php handles signed request:
https://developers.facebook.com/docs/facebook-login/using-login-with-games/
If you're using C#, download the Facebook C# (available through NuGet, the package from Outercurve Foundation) and use this example:
How do I parse a signed request in Facebook C# SDK?
I try to handle the user in Facebook context whenever possible. It adds trust and more tools. Although since the Facebook phone/tablet app (App Store/Google Play) doesn't support Facebook apps at all, I often optimize the app for mobile web use also. I read somewhere that over 50% of daily Facebook visists are done using the phone app, so it might be something to think into your app while developing.
UPDATE:
I can see I have misunderstood part of signed request, as commented by Shadowfax and CBroe. In my app, I use the user id from signed request but of course only when the user has already logged on to the app beforehand. My apologies.
I am building a mobile app for my web application. I have decided to use cordova , So basically it will be single page web app. I have also made a REST API server which uses key and secret to verify each request. In web app I can use key and secret to make request to my api server, But how do I do it with in mobile app? It would be bad idea to store key and secret in mobile app (May be it is bad idea for web app aswell). I am thinking of changing Authentication process in api server aswell. What should be the best way to call this rest api server from mobile app and authenticate these requests. Should I generate tokens for each user request and verify with key and secret? I think I will not need oauth as this service will be for my webapp and mobile apps only, we don't have need to allow others third party service to access our api.
Should I generate tokens for each user request and verify with key and secret?
Yes.
It might be worth using OAuth if you can use an existing implementation from somewhere. It's a standard protocol, so is more likely to be secure than something you invent yourself.
It also means that if you ever want to let third party apps log in in future, you can. You might not think you will ever need it, but you never know. It's also a good idea so that if you ever work on another project that needs oauth, you have had practise.
I like to distribute content from within our Content Management System to several online channels like the website, twitter, linkedin and, last but not least, Facebook. Editors can create items and, eventually after a worfklow process, distriute them amongst the different channels.
Off course the website is no problem (it's still a CMS, isn't it). Twitter integration was rather simple. But now I like to create a connector with Facebook.
The approach is like this.
Create a Facebook app: TheCMSFacebookConnector
Give it permissions to write on a wall, create events, add photo
collections, etc. A customer buys the CMS
Within the CMS Manager there is an action to connect the
TheCMSFacebookConnector app to the customers' (corporate) facebook
account
The OAuth dance is performed and the accesstoken en accesstoken secret are stored
From now we use the REST API to add content to the customer's corporate wall. This is exactly the way i did it for the Twitter integration.
But.........
choosing the right integration type
When I create the Facebook app, the Facebook asks me to tell how the app integrates with Facebook. The integration types that seems to fit the best are Native iOS App or Native Android App. In fact the CMS acts as a Native App as well. Has anyone a clue which App Integration type i have to choose?. And are there other parameters that are important to set in a, maybe, different way?
Choosing the authentication flow
A second question is about the OAuth dance. If we distribute the CMS amongst our customers, they host the CMS Manager environment in their DMZ with their own (mostly) corporate URL or, better, they host the CMS Server within the LAN and the Publication Server in the DMZ (we provide some tools to synchronize those servers)
When I do the OAuth dance, the CMS Manager (which is a webapplication) has is own URL. So in the definition of the app i cannot name an unique value for App Domains. From within the "OAuth dance"" code the redirect URL seems to have a connection with the App Domain and cannot be set in a dynamic way. So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Hope that someone can help me with, especially, the first question. Thanks in advance
E.
So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Not necessarily – you could always have an address from your app domain set as redirect_uri, and have that redirect to the CMS users web address afterwards (via a GET parameter in redirect_uri or something like that).
I am working on an open source web-based application that communicates with Facebook. One of the files contains the Facebook API id and secret key. Is it fine to share this information with the rest of the world?
It is extremely important that you never share your app secret. Your app ID is completely unimportant and available to anyone who goes to your Facebook apps profile page, but the app secret is a completely different story. It could compromise any data stored within your application and allow third parties to call specific APIs on your behalf without your knowledge. This is bad for you and for your users.
If you have accidentally shared your app secret (this can happen when it's embedded in client binaries or code) then you can reset it really quickly through the Facebook developer app: https://developers.facebook.com/apps goto Settings -> Edit and then click reset beside the app secret. This will have the effect of invalidating any access tokens that have been previously been granted by your app.
It is not safe to share the secret key, you shouldn't share this with anyone. When you open source the code put in some dummy values instead, or nothing at all.
No it isn't. Why do you think they named it "Secret" ?
It's the truth that there is probably no way to abuse it (because Facebook always checks origin URL, too) however you should not share it...
The secret key, is, well secret. You shouldn't share it with anyone.