Using JavaScript SDK, it is possible to wall post with user's consent. Since It can be done entirely on client side, how to prevent someone to post something to their wall on behalf of my application, tampering with fields the fields like "picture", "link", "caption" and "description"?
Edit for the bounty:
Bragging is an essential part of any game, including online games. In my web game I want to enable users to brag on Facebook when they win, but I don't want them to be able to forge some post and send via my application, what would allow them to brag without actually winning. They may only publish something via my application if I actually allow them to do (I can only imagine some way to ensure this by using some authenticated server side API).
Facebook's Feed Dialog allows developers to prompt users if they want to publish something in their wall, and I well could use it to publish the user's winning story. The problem is that that API is entirely client-side, and can be used via Javascript SDK or just by forging an URL. I was able to forge a post in the name of my application by just filling the fields in an URL, like this given example:
https://www.facebook.com/dialog/feed?
app_id=123050457758183&
link=https://developers.facebook.com/docs/reference/dialogs/&
picture=http://fbrell.com/f8.jpg&
name=Facebook%20Dialogs&
caption=Reference%20Documentation&
description=Using%20Dialogs%20to%20interact%20with%20users.&
redirect_uri=http://www.example.com/response
The problem is that I was unable to forge such request for an existing application, like Robot Unicorn Attack : Evolution. Thus, either 1) I don't know how to forge a request to this application and that is still possible and there is no safety or 2) it is possible to prevent client side exploitation of the Facebook's API, and I don't know how to do this on my application.
So, for the bounty sake, I will consider a proper answer either 1) some proof that it is always possible to forge a post on behalf of some application, and by that I would require a way to post whatever I want on behalf of Robot Unicorn Attack : Evolution, or 2) a way to prevent users to forge feed posts on behalf of my application, in a way I can no longer do it without having server-side only information.
If you want to post anything on behalf of Robot Unicorn Attack : Evolution do the following:
0) Make sure you have added the app.
1) Using Chrome, go to https://s.adultswim.com/games3/fb-game-files/robotunicornattackevolution-sec/index.html (this URL was located by inspecting the action of the form tag above the iframe of the content on the canvas page)
2) Open Developer Tools
3) In the Console paste this:
FB.ui({
method: 'feed',
name: 'There is no security',
link: 'https://developers.facebook.com/docs/reference/dialogs/',
picture: 'http://fbrell.com/f8.jpg',
caption: 'I can post whatever i want',
description: 'Dialogs provide a simple, consistent interface for applications to interface with users.'
},
function(response) {
if (response && response.post_id) {
alert('Post was published.');
} else {
alert('Post was not published.');
}
});
4) Hit enter and see the dialog pop up on the page
1) some proof that it is always possible to forge a post on behalf of
some application, and by that I would require a way to post whatever I
want on behalf of Robot Unicorn Attack : Evolution,
You have already done that. Keep Self proof. Hence proved.
2) a way to prevent users to forge feed posts on behalf of my
application, in a way I can no longer do it without having server-side
only information.
feed posts need is an application id, which cannot be hidden. So as long as you have an application - anyone may post on its behalf . (according to me.)
Related
I'm tearing my hair out here.
We've got a web app that is hosted on a bunch of different domains and we have a facebook login on the page. This works just peachy. Most of them run of our root domain eg newsite.ourplatform.com and we reuse the same facebook app and add a new domain in.
We've had a request to set up a new site on a different url. In the past, this hasn't really been a problem. We set up a new facebook app, add the appid to out config and voila, facebook login working. (we don't do this so often, so I've potentially broken it)
This time around. I've set up a new app id and plugged it in, but whenever I call the facebook login, it authenticates me, but I get a useless response from facebook.
eg. On a working site I call
FB.api("/me/", function(response){console.log(JSON.stringify(response));});
and get response
"{id":"12345678910","email":"my#email.com","first_name":"My Name","gender":"male","last_name":"Myname","link":"https://www.facebook.com/app_scoped_user_id/12345678910/","locale":"en_GB","name":"My Name","timezone":10,"updated_time":"2014-01-19T10:44:20+0000","verified":true}
but on the broken site I do the same call and get a response
{"name":"MyName","id":"12345678910"}
Which is sort of good, but I need their email. As far as I can tell, I'm not asking for any permissions beyond email,public_profile and user_friends
Because of the way the app setup works, we have different apps running 2.1, 2.2 and 2.4 and this new one on 2.4 doesn't work. I'm not sure if that's a red herring or if I've got a misconfigured facebook app.
(edit - removed the sites affected to protect the innocent)
As #CBroe said you really need to checkout the v2.4 changelog for the API. In version 2.4 of the API Facebook introduced 'declarative fields'. This means that when you make a base request, like to /me you will only get a small amount of info back, e.g. 'name' and 'id'.
You have two options to get more fields:
Option One
FB.api('/me?fields=first_name,last_name,gender', function(response) {
console.log(response)
});
Option Two
FB.api('/me', function(response) {
console.log(response)
}, {'fields': 'first_name, last_name, gender'})
This will return a response that looks like the following:
{"first_name":"First", "last_name":"Last", "gender":"gender", "id":"ID"}
The key in the request above is specifying the fields URL parameter in your request and is documented in the link #CBroe linked and I have linked above.
I want to post to user time-line with their current activity with photo uploaded by them.
For example:
I voted 'xyz movie'.
..image1.. ..image2.. ..image3..
Question : Mutiple photos possible? If yes, Is there limit of photos.I need to show 3-5 photos
Similar to Candy crush saga game post:
(just for reference,not exactly like this. For curiosity I wanted to know whether this is two posts?)
Which api can we use for this?
Is this possible with FB.ui feed api?
FB.ui(
{
method: 'feed',
to:'the Facebook ID of the person you wanna send',
name: 'Facebook Dialogs',
link: 'http://emplido.com',
picture: 'http://fbrell.com/f8.jpg',
caption: 'Reference Documentation',
description: 'Dialogs provide a simple, consistent interface for applications to interface with users.'
},
function(response) {
if (response && response.post_id) {
alert('Post was published.');
} else {
alert('Post was not published.');
}
}
);
What you want is called rich stories, you can create them with open graph, here you can see what are the options available.
This is no easy deal, since you have a lot of options, so you really need to read the open graph docs to find which action fits best. In the docs you have a complete "how to", including how to post an action on a users wall with graph api https://developers.facebook.com/docs/opengraph/using-actions/
Remember that you have to two types of actions, common (docs here) and custom (docs here)
I know that documentation isn't the best answer or the one you wanted to, but in this case it's really necessary, as I said before, you have too many options, that allows you to create the best user experience for your app.
Quoting the docs here's a little example on how to create a story with open graph
To publish an action, make an HTTP POST to the following Graph API endpoint:
/{user-id}/{action-type}
This call should be signed with a user access token with
publish_actions permission or with an app access token for a user who was previously logged in.
For common actions, the {action-type} is the name of the action, such as og.likes:
/{user-id}/og.likes
For custom actions, it is a composite of the app namespace and the custom action type:
/{user-id}/{namespace}:{action-type-name}
The namespace is unique to your app, and is set in your app's dashboard on the Basic tab.
This example is the simplest one.
I try social plugin "Recommendations Bar" and it works. It has a built-in function to activate and deactivate the social reading function.
I want to enable this function in my simple app with "read" publish_actions.
I don't want to use cookies or session var to do this, it's a wrong way.
Users have to choose in which article on/off the social reading and change his preference on the fly.
User login with:
scope="publish_actions, email"
I know:
$facebook->api("/me/permissions");
$facebook->api("/me/news.reads?limit=10");
and I can post reads:
FB.api('/me/news.reads',
'post',
{ 'article': 'xxxxxx',
'access_token': 'xxxxx' },
function(response)
and delete it:
FB.api(id, 'delete', function(response)
Any idea for API call to enable/disable social reading function?
How to set publish_actions permission value to 0/1 for the users having app installed?
I dont want to use cookies or session var to do this, it's a wrong way.
Right, the user’s profile would be a better place to save this, so that he doesn’t have to make that decision again next time he visit’s your site.
How to set publish_actions permission value to 0/1 for the users having app installed?
You can’t revoke permissions via app. And I can’t see why you would want to. If a user disabled social reading on your site (which you save in their profile, preferably), then just don’t post anything on their behalf.
I am new to Facebook apps, I have an app already up and running on GAE (using python). I want to integrate it with Facebook so I can access some of the users' data to help me personalize the app (data like the liked pages, interests, where they are from etc..). And also to share the app's outputs to be seen by friends.
I thought I would go for the Facebook app option on https://developers.facebook.com/
I don't know where to start from, there are some tutorials (most of them are very old, some use scripts that are deprecated so it is a bit worrying), and there's FBML.. and I was thinking that maybe I can get the same data by only using Facebook's log in then use FQL to access these data.
And I don't know if I will get stuck with that new https restriction (Facebook says that it is required as of October 2011 to have an SSL certificate).
So bottom line.. where do I start?
Here we go:
From this link do download: https://github.com/jgorset/facepy/tree/master/facepy:
from downloads, you will have:
signed_request.py to parse signed_request that will be posted by facebook in your
canvas url: https://apps.facebook.com/myapp in POST method
and graph_api.py to make operation to graphapi https://developers.facebook.com/docs/reference/api/
note: you will be including access_token from cookies written by facebook js sdk.
for fb js sdk see this answer: https://stackoverflow.com/a/8625873/492258 of javascript part
in your index page:
fb_app_secret='abcd...'
fb_app_id = 123345
def index(request):
if request.POST:
signed_request_param = request.POST.get('signed_request)
if signed_request_param:
#signed_request.py
signed_request_dic = signed_request.parse_signed_request(signed_request_param, fb_app_secret)
if signed_request_dic:
if signed_request_dic.has_key('user_id'):
fb_uid = signed_request_dic['user_id']
#you got your man that is previously authorized your fb app : mypp
for successive calls, you'll be using cookies that I mentioned above:
def my_page(request):
my_dict = None
my_dict = signed_request.get_user_from_cookie(request.COOOKIES, fb_app_id, fb_app_secret)
if my_dict:
if my_dict.has_key('uid'):
fb_uid = my_dict['uid']
fb_uid = int(fb_uid)
#you got your registered user again.
For registration, the easiest way doing from fb js sdk, already I mentioned
#finally for SSL, in your app.ymal:
- url: .*
script: django_bootstrap.py
secure: optional
Don't forget to set P3P for internet explorer, iframre cookie issue:
def my_page(request):
....
response = render_to_response('mypage.html', view_params )
response["P3P"] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'
return response
You need to authenticate your server app (GAE) against Facebook: you need to implement server-side authentication flow.
See LeanEngine (open-source) for an example implementation: server auth classes.
Once you are past authentication and you get user FB auth token, you can use FB Graph API to get all kinds of data.
Buy a SSL cert for your web server, so you can be compliant with the new rules.
Create/Setup your app to get your app id and secret.
Study up on the Javascript SDK, it's the easiest to implement in my humble opinion.
Study up on the Graph API and learn about the objects and their properties as well as their connections.
You can play around with the JS SDK here: https://developers.facebook.com/tools/console/ and the Graph here: https://developers.facebook.com/tools/explorer
Introduce code slowly to your page on your webserver. First get authentication working, then move on to getting basic user information.
I have a Facebook app that is built as an iFrame. I am using the JavaScript client API loaded via:
http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php
In my initialization code, I use the requireLogin method to ensure that the user has authorized the app. I have found this to be necessary to be able to gather the user's name, avatar, etc. for the scoreboard. Here's a representative code snippet:
FB_RequireFeatures(["Connect","Api"], function() {
FB.Facebook.init("...API_KEY_HERE...", "xd_receiver.htm");
var api = FB.Facebook.apiClient;
api.requireLogin(function() {
api.users_getInfo(
FB.Connect.get_loggedInUser(),
["name", "pic_square", "profile_url"],
function(users, ex) {
/* use the data here */
});
});
});
This causes the iframe to redirect causing the Facebook authorization screen to load within my app's iFrame. This looks junky and is somewhat confusing to the user, e.g. there are two Facebook bars, etc.
Question 1: is there anything I can do to clean this up while still implementing as an iFrame, and still using the JavaScript APIs?
According to the FB API documentation:
FB.ApiClient.requireLogin
This method is deprecated - use
FB.Connect.requireSession instead.
My experience though when I replace api.requireLogin with FB.Connect.requireSession it never gets invoked. I'd prefer the recommended way of doing it but I struggled and was not able to find a way to get it to work. I tried adding various arguments for the other two parameters as well with seemingly no effect. My expectation is that this method will load in a dialog box inside my app iFrame with a similar authorization message.
Question 2: what am I missing with getting FB.Connect.requireSession to properly prompt the user for authorization?
Finally, at the end of the game, the app prompts the user for the ability to publish their score to their stream via FB.Connect.streamPublish. Which leads me to...
Question 3: am I loading the correct features? Do I need both "Api" and "Connect"? Am I missing any others?
Here is a summary of the changes I needed to make to clean up the authorization process. It appears that iFrames must fully redirect to properly authorize. I tried using the FBConnect authorization but it was a strange experience of popup windows and FBConnect buttons.
Ultimately this game me the expected experience that I've seen with other FB apps:
FB_RequireFeatures(["Connect","Api"], function() {
var apiKey = "...",
canvasUrl = "http://apps.facebook.com/...";
function authRedirect() {
// need to break out of iFrame
window.top.location.href = "http://www.facebook.com/login.php?v=1.0&api_key="+encodeURIComponent(apiKey)+"&next="+encodeURIComponent(canvasUrl)+"&canvas=";
}
FB.Facebook.init(apiKey, "xd_receiver.htm");
FB.ensureInit(function() {
FB.Connect.ifUserConnected(
function() {
var uid = FB.Connect.get_loggedInUser();
if (!uid) {
authRedirect();
return;
}
FB.Facebook.apiClient.users_getInfo(
uid,
["name", "pic_square", "profile_url"],
function(users, ex) {
/* user the data here */
});
},
authRedirect);
});
For iFrames, the solution was ultimately to redirect to the login URL which becomes the authorization URL if they are not already logged in.
I think that FB.requireSession only works from a FB connect site outside of
Facebook. If you're using an app hosted on apps.facebook.com use the php api
call instead,
$facebook = new Facebook($appapikey, $appsecret);
$facebook->require_login();
or link to the login page.
Of these methods to login
* Using the PHP client library
* Directing users to login.php
* Including the requirelogin attribute in a link or form
* Using FBML
only the first 2 are available to iframe apps hosted on apps.facebook.com
I think requirelogin and fbml only work with fbml canvas apps.
see
http://wiki.developers.facebook.com/index.php/Authorization_and_Authentication_for_Canvas_Page_Applications_on_Facebook
Question 1: is there anything I can do
to clean this up while still
implementing as an iFrame, and still
using the JavaScript APIs?
Question 2: what am I missing with
getting FB.Connect.requireSession to
properly prompt the user for
authorization?
Please have a look at this. This article discusses correct use of require session and provides links on how to implement that. And yes, you are right, the requireLogin has been deprecated and won't help any more.
Question 3: am I loading the correct
features? Do I need both "Api" and
"Connect"? Am I missing any others?
As far as I know, you can use both API and Connect together, basically you access Facebook's API with the help of JavaScript.
For iframe apps however, there is no great help and minimum support of API with some handful functionality available. See this for more info.
This causes the iframe to redirect
causing the Facebook authorization
screen to load within my app's iFrame.
This looks junky and is somewhat
confusing to the user, e.g. there are
two Facebook bars, etc.
Finally and personally I have not seen any iframe app requiring user to add the app first. This will create the problem of two bars you mentioned as quoted above.
The link I posted at the beginning of my answer has some useful links to get you started and decide the next-steps or possibly making changes to your apps.