A site I'm working for is having significant problems with fake users through facebook openID. Is there an API call which reports on the internal facebook calculations of the "humanness" of a user and/or indications that the account has been compromised?
If there were internal Facebook calculations of the "humanness" of a user, then there wouldn't fake users using openId to your client's website. Facebook would have already removed them.
You can check the verified field of the user Graph API object.
A user is considered verified if she takes any of the following
actions:
Registers for mobile
Confirms her account via SMS
Enters a valid credit card
You may want to play politics like some sites have done saying, you need X nbr of friends, have a profile pic, etc.
Related
I'm implementing a Log In With Facebook button on my website, and will be using the email field for two purposes:
create a new account if I don't have this email in my user database
match an existing account if I have a user with this email address
Does Facebook guarantee that they verified the user owns this email address when they return the field in their API?
Otherwise, in the (unlikely) event that a user of my website does not have a Facebook account, someone could create a Facebook account with this email, without validating it, to log in to my website with their account.
They are supposed to be but Facebook has had issues in the past of unverified emails being allowed to pass through the API Is it possible to check if an email is confirmed on Facebook?.
If you implicitly allow Facebook accounts to link up via email, then the next time Facebook has an issue they can effectively take control of all your users accounts.
The secure way to link users up is to either:
Ask a normal user to link their facebook account by logging into it.
Ask a Facebook-user to login with your sites normal account.
I have a website where users can log in with the Facebook oAuth API.
Once the user logs in or registers via Facebook it is stored in my database.
But what I'd like to achieve is, once the user goes to his Facebook application settings page and removes my website app permissions, the used should also be deleted from my database.
Is there any work around to this problem, if this is not possible via the Facebook oAuth API?
You can add Deauthorise Callback URL by Navigating to Settings > Advanced section of your application. Whenever a User Deauthorises your Facebook app, Facebook performs a HTTP POST of signed request to your URL. You may use the field user_id to determine which User has deauthorised your app.
Actually, I would do the following:
Add a date to his last log in to your site.
Have cron job check for old, unused accounts.
Send an email to the user's email address (or Facebook message mail) telling him his account is due to expire soon.
Delete account from database.
I'm developing a website where the user can either sign up creating his own profile or can sign in with FB or Twitter.
The thing is I don't really know how to manage it, for example: let's say my user signs up through the website and creates content, what happens if the user later decides to sign in with FB or Twitter? How can I keep it all unified?
I know I could just do the Twitter sign in, get the data from twitter and create a profile in my DB for the user with his Twitter handle, don't know how I'd deal with later if he wants to just log in through the site.
Anyone have any ideas?
So he later signs in with Twitter or Facebook. I think you have a couple of options in this case. Allow the ability to link accounts together once the user signs in with any one method. Say they sign in with your sites registration, let them hit a page where they can add in other linked accounts like Twitter and Facebook once they are in their logged in state on your site. See the friendfeed model for inspiration. Or, like we did with ucubd.com/index.aspx - let the user sign in with facebook and regsister an account on their behalf and ask for their email as the login credential. If it's found - great. If it's not ask for a password. This will allow the user to either login with your sites registration method or through facebook. You will have the information in your database to link both of them together.
Every account on your system will have an e-mail address. Every account with FB, Google, Twitter is also linked to an e-mail address. What you will need to do is link the accounts based on e-mail address. That way you will never get duplicate accounts.
My website has accounts that are often accessed by multiple users. For example, a company might create an account under a generic company email address, and have different interns, etc update it.
We also have normal users that are the only people accessing their account.
We know we could make registering / signing in so much easier and more effective by utilizing various third party services like Facebook, Twitter, OpenID, etc, but we can't think of how to handle those services when multiple people want to create / sign into a single account.
How do we know which users authenticated with FB/Twitter should be allowed to access the company account on our website?
Facebook doesn't let you sign in as a Page yet, right?
You can let the users log in with their normal company account, and then give them a facebook Connect button. The only important thing you need to keep for facebook connect is their facebook id. I would add a new table, or a new entry in the users table with all the ids that have connected to that account. There would be no difference between single user and multiple user accounts, only in the number of ids connected to that account.
I use a sql table with two values, user_id and remote_id, and every time a user connects you add an entry. The same can be done with other open ids and twitter, the same able can be used.
Technically, no you can not log in as a page. But, once you get an install from a user, you can easily tell which page they are administrators of. If you create your company organizational unit around the entity of a page (or allow users to do this) then you could allow your users to log in with their Facebook accounts and once you have their Facebook session, you can access the /me/accounts graph endpoint and look at the pages they're administrators of and cross reference that with your company->Facebook Page definitions.
You could allow Facebook Page Administrators to invite users who do not have access to their Facebook Page. Once the lesser-privileged (intern) user gets to their invite URL endpoint, they could click a Facebook connect button to link their FB account with the Company/Page that the Administrator invited them to. This way, the Administrator wouldn't have to add a bunch of users to their Facebook Page as Administrators (thereby keeping their page more secure).
We have users that logged in to our website through Facebook Connect. Now we'd like to contact those users about changes as we indicated in the signup process, but we don't have their email addresses. Only their Facebook ids.
How can we contact them? I understand Facebook removed 3rd parties' ability to send notifications through Facebook's API. We can send them a message through the API either.
So I guess we're left with posting to their wall from a user account of ours. I assume there's a low limit to how often we're allowed to do that and is that even permitted? Or we can make an application request from this designated facebook user account which would show up in their notifications.
Finally, we could manually go to the user's profile page and then click the "send a message" button from our facebook user account... A lot of manual work and I assume this is frowned upon as well. Is there an easy way to find out the profile page URL from a Facebook id?
What's the best approach here where we don't break any rules?
If you are getting stream_publish extended permission in your profile then you can simply post on there wall see this http://developers.facebook.com/docs/reference/rest/stream.publish/
Alternatively this can be a better solution if the user do not granted any extended permission
http://developers.facebook.com/docs/reference/rest/livemessage.send/
you should get "offline_access" from the facebook user requests to post at anytime.