$facebook->getUser(); STILL returning 0 - facebook

I see this has been asked a lot here but I still have yet to come up with a solution. I need to get the user's ID to determine if they have already filled out a form in my app. Here is my code..
require_once('facebook.php');
$facebook = new Facebook(array(
'appId' => 'xxxxxxxxxx',
'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'cookie' => false,
));
$signed_request = $facebook->getSignedRequest();
$page_id = "fb" . $signed_request['page']['id'];
$user_id = $facebook->getUser();
I don't know if this is related or not but I can grab the page id just fine. But $user_id keeps returning as 0 for all users except me. I'm guessing that's because I'm an admin of my page.
Does anybody know what the problem is here?


My guess is that most of the reported problems with $facebook->getUser() are related to CSRF (Cross Site Request Forgery) protection that is built into Facebook's PHP SDK and is implemented somewhat awkwardly.
What CSRF protection does is to make sure that a request to get user's data needs to originate from the same server. It does it by storing a random hash in the session. If you call to getUser() without this value set, getUser() will always return 0.
So the user needs to visit your site first, a CSRF token will be generated and stored in the session and only on the following requests you can successfully call getUser()
If you look at the PHP SDK source code you'll notice that the way to generate this CSRF token is to call a protected method called establishCSRFTokenState(). You can't call this method from outside and the only way it gets called is when calling $facebook->getLoginUrl(...)
So, either modify the SDK source to change this behavior (or to make establishCSRFTokenState() public) or just call getLoginUrl(...) when the user first visits your site. Make sure that you have session support enabled.
I think this isn't designed very well and documented even worse. And it doesn't help to protect the site against CSRF attacks in most cases unless people understand how to properly use it.


i has this problem too, the only solution was to use oauth before with permission request
"user_about_me". Since FB uses oauth 2.0, most user values are hidden and you have to request
all this sh*t :(

Related

Facebook PHP SDK misbehaving after December '12 updates

I'm using the PHP (with js) SDK for authentication around my website.
Until now I've never had a problem with access tokens and everything has run smoothly.
Since the latest updates have been pushed I'm receiving a lot of:
Fatal error: Uncaught OAuthException: An active access token must be used to query information about the current user. thrown in /home/content/54/9505854/html/src/fb/base_facebook.php on line 1106
The access tokens seem to be invalidated (or irretrievable) whenever there is a PHP call to the API. I made a simple page that uses and this has always simply returned the current access token as expected:
//Facebook PHP SDK
require_once 'src/fb/facebook.php';
//Config
$facebook = new Facebook(array(
'appId' => '...id...',
'secret' => '...secret...',
));
$accessToken = $facebook->getAccessToken();
die($accessToken);
This page still works if loaded immediately after javascript authentication but any navigation away from this page (or indeed a refresh) this script will return the appID and secret as a string in the form [appID]|[secret]
Basically any call to the Facebook object makes the next page navigation unauthenticated.
Also I am not currently storing the retrieved access token as a cookie or in mySQL. Should I?
Any insight into the problem or solution would be really helpful! Thanks

It's a Facebook bug. Description can be found here: https://developers.facebook.com/bugs/404450666302585

This has now been fixed. Update to the latest version of the PHP-SDK (v3.2.2).

I am using php-sdk "3.2.0" got same error..
As per new PHD-sdk mention above https://github.com/facebook/facebook-php-sdk/commit/ca9472b3312dab3fdcfbffb4e45eb091f582dcb7
I have added following code-snippet which fetch saved access token from cache instead giving call to new access token using same code.
if ($code && $code == $this->getPersistentData('code')) {
// short-circuit if the code we have is the same as the one presented
return $this->getPersistentData('access_token');
}
Now, it is returning cache access token instead of [appID]|[secret] one.
It work for me.

PHP Session with GET having problem with IE8 and Facebook application

I am developing a facebook app. I was using Sessions with cookies and it was all working fine. Suddenly IE8 has some errors with cookies. It was blocking my site because it was in iframe. So I came to know about P3P Header. I used that correctly and problem solved. But client now want me to use GET if cookies are not available. I am doing it but now I am facing problem that facebook PHP Sdk has problem in its session. Its getSession method is not getting session and redirecting to authenticate the user and then redirect back to the app. but in all this it loses the GET variable PHPSESSID. Following is a thread of stackoverflow that has some thing similar so may be for you guys following is helpful.
Facebook PHP SDK getSession() fails to get session. Cookie problem?
This is the code used to have Sessions with GET if Cookies are not available:
ini_set( 'session.use_cookies_only', false );
ini_set( 'session.use_trans_sid', true );
session_start();
This is the code for accessing fb. session with PHP Sdk.:
$facebook = new Facebook(array(
'appId' => FACEBOOK_APPID,
'secret' => FACEBOOK_SECRET,
'cookie' => true,
));
$this->facebook=$facebook;
// We may or may not have this data based on a $_GET or $_COOKIE based session.
// If we get a session here, it means we found a correctly signed session using
// the Application Secret only Facebook and the Application know. We dont know
// if it is still valid until we make an API call using the session. A session
// can become invalid if it has already expired (should not be getting the
// session back in this case) or if the user logged out of Facebook.
$this->session = $facebook->getSession();
Please tell if you can give me any clue.
thanks to all of you

This seems to be a never ending issue with facebook API. There session functionality breaks randomly and you can do much about it. What I usually do in my applications is to disable cookies and store facebook session in my own application SESSION. There is a parent controller which is called on each request which is responsable for checking SESSION. If a valid SESSION is found, it is set to facebook's session object. This ensures that a valid session will be returned on calling getSession().

Facebook Graph API problem

I've got some trouble with Facebook authentication. Even when I'm logged, the function getUser() returns 0
Here's my code :
$fb_params = array(
'appId' => APP_ID,
'secret' => SECRET_ID
);
$fb = new Facebook($fb_params);
echo $fb->getUser(); // UID
Someone's got an idea?
PS : 'I can no long access to $fb->api('/me'), it says it requires an access_token, I think it's linked to the authentication issue...'
Thanks

You are currently not authenticating as a user, only as an application. As a result, the Facebook API can't show you the /me page or respond to a getUser() call since it doesn't know what user you are trying to access the API on behalf of (ie. "Who is /me?"). You will also only be able to access publically-accessible information.
You need to get a user to authenticate your application through Oauth2, store the access_token you are returned, and then include it in any future calls (eg. WIRQjCey1.3600.1309525200.0-509450630|eD6SAR">https://graph.facebook.com/me?access_token=2227470867|2.AQB-_WIRQjCey1.3600.1309525200.0-509450630|eD6SAR...).
To do this using the PHP SDK you can do
$loginUrl = $fb->getLoginUrl();
echo "<a href='$loginUrl'>Login with Facebook</a>";
Clicking that link and having the user authenticate will store the access_token to the $_SESSION, and when you hit refresh the "new Facebook( $fb_params );" constructor will pick out the access token from the $_SESSION and use it for all future calls, so then calls like $fb->getUser(); will return correctly.
There's a functioning example in the examples folder of the SDK, here:
https://github.com/facebook/php-sdk.
You can use it to try calls while authenticated as an application (public data access only), and then as a user.

More settings for the facebook php API

Maybe I searched completely in the wrong way, and the facebook documentation pretty much sucks in my opinion.
I was wondering, I'm connecting to facebook with the settings below and that works (I'm able to retrieve the profile information of the logged in user allows my application to access his profile.) Are there other options I can set, like the callback url and the expiration (which I want to set to never, so I can save the token in my db and re-use it)?
This is the config now:
$facebook = new Facebook(array(
'appId' => 'xxxxxxxxxxxx',
'secret' => 'xxxxxxxxxxxx',
'cookie' => true
));
I'm also connection to twitter and there I'm able to this:
$this->configTwitter = array(
'callbackUrl' => 'xxxxxxxxxxxx',
'siteUrl' => 'http://twitter.com/oauth',
'consumerKey' => 'xxxxxxxxxxxx',
'consumerSecret' => 'xxxxxxxxxxxx'
);
Thanks in advance!
Facebook should take a look at Twitter

After trying a few days, spitting the documentation of the Graph OAuth 2.0 (which doesn't work as good as expected and searching the internet I found a solution which I used to create the following script:
// Config
$this->redirectUrl = 'http://www.mywebsite.com/facebook'
$this->clientId = 'APPLICATION_ID';
$this->permissions = 'publish_stream,offline_access';
// Check if a sessions is present
if(!$_GET['session'])
{
// Authorize application
header('Location: http://www.facebook.com/connect/uiserver.php?app_id='.$this->clientId.'&next='.$this->redirectUrl.'&perms='.$this->permissions.'&return_session=1&session_version=3&fbconnect=0&canvas=1&legacy_return=1&method=permissions.request');
}
else
{
$token = json_decode($_GET['session']);
echo $token->access_token; // This is the access_token you'll need!
// Insert token in the database or whatever you want
}
This piece of code works great and performs the following actions:
Log in if the user isn't logged in to facebook
Asks if the user wants to add the application and grants the requested permissions (in my case: publish_stream and offline_access) in one dialog
returns to the page you specified under redirectUrl with an access_token (and because we requested for offline access this one doesn't expire)
I then store the token in the database so I won't have to request it again
Now you can, if you wish use the facebook code, or you're own code to get the users data, or other information from facebook (be sure you requested the right permissions)
Don't now if this is facebook-valid code, but it works great and I can easily define the 'config' like I wanted....

There are many settings you can set at the point of authenticating. Extended permissions let you set the offline_access so that you can authenticate and store your session in a db. More info on extended permissions are at developers.facebook.com/docs/authentication/permissions and you can read my blog post for more info on how to use them at http://www.joeyrivera.com/2010/facebook-graph-api-app-easy-w-php-sdk/

Facebook access_token invalid?

I'm attempting to use the new Graph API Facebook recently released, but I can't seem to get it to work correctly.
I've gone through the steps, and after the /authorize call, I receive an access_token:
access_token=109002049121898|nhKwSTJVPbUZ5JYyIH3opCBQMf8.
When I attempt to use that token I get:
{
"error": {
"type": "QueryParseException",
"message": "An active access token must be used to query information about the current user."
}
}
I'm stumped as too why...
-AC

When using your Facebook Application's token
If you're using the me alias as in https://graph.facebook.com/me/ but your token is acquired for a Facebook Application, then "me" isn't you anymore - it's the app or maybe nothing. Anyway, that's not your intention for the app to interact with itself.
In this case you will want to interact with your personal user account from an app. What you need to do (after giving the app the permissions it requests in the UI when it asks) is find your facebook userid # and put it in place of "me" to access your own info. e.g. Mark Zuckerberg's facebook userid is 4 so he is https://graph.facebook.com/4/
The alias me only works if you're you! Sometimes it's hard to remember who the current user is when programming facebook (i.e. you, the Page, the App, etc) because we're accustomed to using the facebook UI as ourselves most of the time. From a programming standpoint it depends on what the acquired token represents.
A great blog post that always helps correct me is Ben Biddington | Facebook Graph API — getting access tokens.

same thing here. I followed Ben Biddington's blog to get the access token. Same error when trying to use it. Facebook's OAuth implementation doesn't follow the spec completely, i am fine with it as long as the doc is clear, which obviously is not the case here. Aslo, it would be nice if the userid and username are returned with the access token.

Just to clarify -- after you call
https://graph.facebook.com/oauth/authorize?
you should receive a CODE which, in conjunction with your CLIENT_ID and CLIENT_SECRET (assuming you have registered your application) can be exchanged for an access_token at
https://graph.facebook.com/oauth/access_token?
If this is indeed how you came by your ACCESS_TOKEN, you should then be able to request
https://graph.facebook.com/me/

Adding type parameter returns the auth_token for the application level, so it is better to OMIT it. What worked for me, after countless attempts and combinations, is using the same redirect_url parameter in the call to /oath/access_token as was used in the call to /oath/authorize.
So the full sequence to authorize your app on someone's behalf is:
1. call or redirect to:
"https://graph.facebook.com/oauth/authorize?client_id=" + my_clientId + "&scope=publish_stream,offline_access,manage_pages" + "&redirect_uri=" + "http://my_redirect_url?blah"
2. in the page located at the return_url above, issue a request or what ever else to this url:
"https://graph.facebook.com/oauth/access_token?client_id=" + client_id + "&client_secret=" + secret + "&code=" + Request.QueryString["code"] + "&redirect_uri=" + "http://my_redirect_url?blah"

I've been having the exact same problem. A couple of things I've done to resolve it:
Try it all out in the browser first to make sure the urls are correct at each stage
Ensure the redirect url is identical, not just equivalent. Parameters in the same order, encoding the same
Don't use the type=client_cred, or anything else for that matter
Encode any ampersands in the redirect_url (but not the rest of the url) e.g. http://example.com/fb?foo=234%26bar=567. This one caused me the most issues. When the callback page was run, only the url before the first ampersand was included, as the ampersand was assumed to be part of the url for graph.facebook.com, not part of the redirect_url. I was then getting the values from the querystring to put in the redirect_url for the second call, but they weren't there. Once I encoded the ampersands they appeared correctly.
Don't have any empty values in you encoded querystring parameters (e.g. ?foo=%26bar=123)

I want to point out what has sort of been said on Ben Biddington's blog, and what I noticed from looking at the "malformed" access_token in the initial question. Others have said similar things in this thread, but I want to be explicit.
The token is not actually malformed, but rather a token that allows you to do actions on behalf of the APP, not the user. This is the token you'd use if you wanted to get all of the users of the app, or view insights for your app, etc, with the requests typically coming from your server, not the client. This type of token is gained by using the type=client_cred parameter. If you want to do things on behalf of the user, do not specify type=client_cred, and make sure you specify the following parameters in your call to http://graph.facebook.com/oauth/access_token:
'client_id' => APP_ID
'redirect_uri' => REDIRECT_URI
'client_secret' => APP_SECRET
'code' => $_GET['code']
I've written this as key-value pairs of a PHP array, but I think you get the point. The code GET value is gained after making the initial call to http://graph.facebook.com/oauth/authorize with the following parameters:
'client_id' => APP_ID
'redirect_uri' => "http://your.connect.url/some/endpoint"
I hope this helps! What the Facebook docs say, but don't say well, is that getting an access_token is a two-request process.

I actually noticed that if your return uri doesn't have a slash on the end you have issues. I'm currently testing in the browser and return_uri=https://mydomain.com doesn't work but return_uri=https://mydomain.com/ does work. If I use the first I get "Error validating verification code."
This seems a bit odd, but I prolly just missed a word in the spec/instructions some where. Did lose two hours of my life to it though.

I had the same problem, but getting rid of type=client_cred and making sure that the redirect_uri parameter is the same when making the authorize and the access_token call fixed the issue.

I had the same issue in IE8 only.
The solution for me was sending the access_token in the API request.
Something like this:
FB.api('/me/friends?access_token=<YOUR TOKEN>
I obtained my token through PHP like this:
// Create our Application instance.
$facebook = new Facebook(array(
'appId' => '<API_ID>',
'secret' => '<SECRET>',
'cookie' => false,
));
$session = $facebook->getSession();
$token = $session['access_token'];