I added a like button to the canvas application page that actually configured to the facebook page of the application.
I would like that whenever a user pressed like or dislike on my page, a request will be sent to my server noticing it that the user liked or disliked the application page.
I can catch these events by using the following code:
FB.Event.subscribe('edge.create', function(response) {
alert('You liked the URL: ' + response);
});
FB.Event.subscribe('edge.remove', function(response) {
alert('You disliked the URL: ' + response);
});
I can just check if the response equals to my facebook application page.
the question is.. after I catched the like or dislike, how do i forward it to the server secure enough ? how can I send the request to the server without posting the facebook id as a post/get parameter?
i want to send it to the server in a way that the server will be able to fetch the facebook session information and fetch the userid from there, or any other secure way.
example:
if i'll just call http://mysite/liked_my_app?uid=4534534543
then a user notice this request and start sending liked_my_app with fake uids.
is there a way to prevent that somehow ?
thanks
Instead of using the UID of the user, forward the signed_request. Only you can decode signed requests coming from your application because of the app_secret you have to use to decode it.
Another possible solution (depending on what exactly you want to do when you confirm a like/dislike event) is to check at intervals your page/app like count - in a cron job for example. When a user likes your page/app you can retrieve his UID (possibly other information as well), and you can cross-reference the lists from the last cron job.
Related
I'm using the following Javascript for my users to send requests to "invitable friends" from my Facebook app:
FB.ui({
method: 'apprequests',
message: 'Come play with me etc.',
to: str_ids
},
requestCallback
);
function requestCallback(response){
if(response){
console.log(response);
}
else{
//show error to user
}
}
Where str_ids is a string containing the IDs returned by the invitable friends API. This all works fine.
When I invite a single user, let's say his Facebook ID is 1593894704165626, I get the following response:
request
"1399842883640198"
to
["1593894704165626"]
So here I have a unique request ID and the invited person's Facebook ID. I can now store this data in my database along with the inviter's ID, so I have all the necessary info.
However, now I want to reward the inviter after the invitee accepts the invitation and I'm running into a problem.
If user A and user B both invited user C, then when user C joins the game, how do I know whether to reward A or B?
I see from this question that it's possible to pass another parameter along with the invitation, which should help identify the inviter:
Facebook tracking who Invited whom
The first answer here suggests that you can pass such a custom parameter, but doesn't say how. Facebook's convoluted documentation is driving me insane.
Another thing - even if I send that additional parameter, I think there's a problem - for new users the app redirects to the Facebook page that checks whether they want to allow access to the app, and by the time they're redirected back to the app, the additional parameter will be lost.
Is there any solution to this?
Perhaps I am going about this the wrong way but I have a website that allows facebook login.
If the user has already registered on my website
and is logged into facebook but not logged into my site
when visiting the login page i check for their facebook login status and get response.status === 'connected' via-
FB.Event.subscribe('auth.authResponseChange', function (response)
{
if (response.status === 'connected')
{
var s = JSON.stringify(response.authResponse);
LogMeIn(s, function(response)
{
HandleAjaxError(response, function(msg)
{
window.location = '/_/';
});
});
}
}
I then want to pass their authResponse object to the server and confirm that this userid works with this token before I log them in as this user
I have read to simply grab the json contents of -
https://graph.facebook.com/{userID}?access_token={accessToken}
and if it does not return an error then it is good! But when testing this method I noticed that the same access_token worked for two different user ids (meaning it did not return an error for the userid that was not logged in on my computer). Instead it returned the facebook user object with name , location etc.
This really surprised me, as I expected the access_token to work only with a single user id.
In an effort to prevent someone from simply changing the user id before continuing the script I need to authenticate via server side. What is a way to accomplish this?
Proof, go to these links to see profile information
My profile-
https://graph.facebook.com/1233822590?access_token=CAACCBJJZBgjABAOGmvmsou8gMYGulLHTgAr5ZCHZAU7pKEp0cMAeX8r4qHLpiVuZCOT1v0ulMZAxX5YfLJkcZBr9l6qJQoPxWS5Fs5ndohDnH6ZAPPfZCZCTQtwWgAZAg6I1PAOIpdtCc0OUaMmBZAvGiMm9gQhmNXRbocZD
Another userid with same access_token-
https://graph.facebook.com/100000116781159?access_token=CAACCBJJZBgjABAOGmvmsou8gMYGulLHTgAr5ZCHZAU7pKEp0cMAeX8r4qHLpiVuZCOT1v0ulMZAxX5YfLJkcZBr9l6qJQoPxWS5Fs5ndohDnH6ZAPPfZCZCTQtwWgAZAg6I1PAOIpdtCc0OUaMmBZAvGiMm9gQhmNXRbocZD
Nothing to be surprised. You can fetch the basic details of any user of the facebook using the access token of any user of the facebook.. So this isnt really good way to validate the token. Moreover, that confirmation of token part isnt required.
If you want the authorization through server side go through.this link
I'm using the Facebook requestdialog to show my friend list and invite,this in a Facebook Web APP, using this:
function sendRequestViaMultiFriendSelector() {
FB.ui(
{
method: 'apprequests',
message: 'Selección de amigos a los que invitar a KugaBar'
}, requestCallback);
}
function requestCallback(data) {
console.log(data);
}
It works (ok).
But I need to identify the user when enter in my APP, you see the requestCallback data and see a "request", but when the users click on the notification and enter in the APP
I don't know how identify the request to detect if the user is accessing by the notification.
EDIT: OK I found it.
The param in the GET vars are "request_ids", but one problem appear, this param only come if the user previously have accepted the permissions, if the user clicks on the notification, and accept the permissions, hitting enter: this param doesn't exist, if the user enter again (not need to accept nothing) this param exists in the URL.
Are there any method to get this param in the first time the user enter?
Thanks
When the user first clicks on a request, you should get the request_id from the URL and store it in a cookie. When the user has completed logging in, check if the cookie exists and then update your record accordingly.
Notifications and Requests are NOT the same thing on Facebook. In your case you're talking about Requests. Request ids are passed to the app as a GET parameter 'request_ids' which is a comma separated list.
To be able to access this parameter after login dialog, you want to save your GET parameters from the original launch URL before redirecting to the OAuth dialog and pass them around in the redirect URL. This way you solved this problem for all of your future GET parameters.
If you're using PHP, the function you're looking for is http_build_query. I'd highly discourage from using a cookie to store one-time and easily accessible URL parameters.
Using the Facebook API, you can get back the post ID of a Facebook share, even if the user has not authorized your app.
The post ID is prefixed by your user ID, and separated by an underscore.
FB.ui({
method: 'feed',
name: 'People Argue Just to Win',
link: 'http://www.nytimes.com/2011/...',
}, function( response ){
// Response gives you :
// { post_id: "[fbUserId]_346759642059572" }
});
To me it looks like Facebook is using this programmatically, rather than with the idea of providing us the userId out of the kindness of their hearts. But it's extremely tempting to use.
I'm a little rusty on permissions - if there is a way to get back all the users that have liked/shared a specific URL, and not just a count, then this should be okay.
But the question remains, is it acceptable to use?
EDIT:
Now that I think about it, you can access the user ID by making an anonymous call to https://graph.facebook.com/[postId] but ONLY if the post was made public.
If you get a response from FB, it means that you have already ask the user for the required permissions,
so yes you can use the data returned from Facebook as you like, but you always have to inform the users how you use those data.
You can only cache user data if you have permission or it is necessary for the function of your app. Using the like button you can subscribe to edge.create and cache the response from the like.
refer to: http://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/
II. Storing and Using Data You Receive From Us
You will only request the data you need to operate your application.
You may cache data you receive through use of the Facebook API in
order to improve your application’s user experience, but you should
try to keep the data up to date. This permission does not give you any
rights to such data.
in my app i store the id of every page or user that is viewed to speed up page load times and count page views. Seems with in the scope of Policy as long as i am not sharing the info with 3rd parties or making public what a user has set to non public.
I am sending an app generated request to a user(already authorized the app) by calling the below function
function send_app_request(){
FB.api( "/" + '<USER-ID>' + "/apprequests", "POST", {
message: "Custom Request for you!",
data: "<REDIRECT-APP-URL>",
access_token: "<APP-ACCESS-TOKEN>"
}, function(response) {
console.log(response);
});
}
When a user clicks on the pop-up that appears beneath the app icon(with a red number) at the top right corner of the canvas, he gets redirected to the index page of the canvas with 'request_ids' as one of the parameters. How do I get/decode the 'data' parameter(contains a url) which i passed during the FB.api call(in the function above), so that I can redirect the user to a specific location(url) in my application.
I have seen this functionality in many applications, and I am "unable" to figure out how they are able to redirect the users to a specific location in their app, instead of the index page when the user clicks on the pop up.
The data is specific for that request you send to the user.
When the user clicks the requests and gets to your page (with the "request_ids" parameter) you should then get the data for the requests.
The url to get the requests from:
https://graph.facebook.com/USER_ID/apprequests
You will get a list of the requests and the data for each one (if such was sent).
You then need to delete the request for the user by issuing a request to:
https://graph.facebook.com/REQUEST_ID?method=delete
You can find a php example here: Upgrade to Requests 2.0