I am working on an open source web-based application that communicates with Facebook. One of the files contains the Facebook API id and secret key. Is it fine to share this information with the rest of the world?
It is extremely important that you never share your app secret. Your app ID is completely unimportant and available to anyone who goes to your Facebook apps profile page, but the app secret is a completely different story. It could compromise any data stored within your application and allow third parties to call specific APIs on your behalf without your knowledge. This is bad for you and for your users.
If you have accidentally shared your app secret (this can happen when it's embedded in client binaries or code) then you can reset it really quickly through the Facebook developer app: https://developers.facebook.com/apps. Go to Settings -> Edit and then click Reset beside the app secret. This will have the effect of invalidating any access tokens that have previously been granted by your app.
It is not safe to share the secret key, you shouldn't share this with anyone. When you open source the code put in some dummy values instead, or nothing at all.
No, it isn't. Why do you think they named it "Secret"?
It's true that there is probably no way to abuse it (because Facebook always checks the origin URL, too); however, you should not share it...
The secret key is, well, secret. You shouldn't share it with anyone.
I have an app with SwiftyDropbox that functions correctly, but I need to enter my email and password for Dropbox every time I use the app.
The app is only for my use, so it's not a security problem if the app auto-logs in to my account.
I can't find examples or documentation for making an auto-login with SwiftyDropbox. Is it possible?
While the Dropbox API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files, it is technically possible to connect to just one account. We generally don't recommend doing so, for various technical and security reasons, but those won't apply if you're the only user anyway.
So, there are two ways to go about this:
1) Implement the normal app authorization flow as documented, and log in and authorize the app once per app installation. The SwiftyDropbox SDK will store the resulting access token for you, which you can programmatically re-use after that point each time using authorizedClient.
2) Manually retrieve an access token for your account and hard-code it into the app, using the DropboxClient constructor shown here under "Initialize with manually retrieved auth token".
So we've developed a Facebook App (and similar apps on Twitter and Instagram) that allow users to post and read content using an external system. We'll sell this integration directly to our clients, so it's a private application.
Basically the user will see a very simple page with a button "Log in to Facebook" and a disclaimer regarding the authorization (we'll use some query params fixed in the URL, depending on the client). The client authorizes us and we capture the access tokens.
To submit the app review, though, we have to explicitly give a test user to the reviewers, but that's not really possible because the real "action" happens within the integrated systems, NOT within the app itself. And those systems are not public (they shouldn't be).
So just to be clear: our app is basically a very simple "Facebook login" that we use to get tokens, generated by specific clients authorization. It's not going to be published anywhere.
Until we have around 5 to 10 clients we can add the specific users in our app as Testers/Admins/etc, but what if we scale up? Say we have 20 clients. How are we supposed to get our app to be "live"?
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
(btw I'm asking this because our app review was rejected twice and I want to make sure I'm submitting everything they ask this time).
Thanks :)
I think the Login Review FAQ answers most of your questions. The key point:
Our review team will actually test how your app uses each permission on every platform you have listed in the settings section of your app.... You'll need to explain exactly how to test each permission or feature in your app so that we can make sure it works and follows our policies. We can't approve your app if we can't fully test how it integrates with Facebook.
In other words, it's not enough to just allow them to log in to your app, you have to expose all Facebook-related features to the reviewer.
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
Yes, though I'm not sure what you mean by "open them to the internet". You should be able to create a test user on your local system and link that account to a test Facebook user. Then you can have the Facebook reviewer use that test account for their review. (From the FAQ: "In the Items in Review section, you'll see a Test User (optional) section that allows you to type the name of the user you wish to be used in your review.")
I have more than a few clients that would like to add Facebook Connect to their landing pages (managed by me). They are too many and not tech-savvy enough to manually create an appid for each of them.
So my only solution is to use my own appid to add Facebook Connect to all my clients' websites, but as far as I know, Facebook doesn't allow you to simply use the same appid on any domain.
How can I solve this? I can't find any documentation to solve my issue. Does anyone have a direction for me?
This has been discussed a couple o’ times before already – but I mostly commented on earlier questions, so let me write the whole thing up as a proper answer, for future reference.
[paraphrased] Multiple-client Facebook login via one single app id
Does anyone have a direction for me?
You probably rather don’t want to do that.
It is not really possible to run one single app on multiple different domains.
As a workaround for only a few domains, people used to specify different domains for the different platforms – Website, Page Tab or Canvas App, plus Mobile alternative for Canvas – without actually using any of those platforms besides Website, which made the app usable on multiple domains as a website app. But since Facebook introduced their login/permission review process¹, you can’t do that any more – they expect you to present actual functionality on all platforms you have configured in your app.
You can kind of use one single app for login on multiple domains – if you are willing to use only the server-side login flow, and to redirect users to one “main” domain (that gets specified as the app domain in the app settings) to log in, and then from there back to the origin domain.
But this has several drawbacks:
It’s not what you’d call a “white label” solution. If your clients expect it to look as if users were logging in via “their” app, it should stay on their domain. Individual branding, in regard to stuff such as app name, app logo that shows in the login dialog, etc., would also not be possible. Additionally, app attribution – the link that shows up under content shared/posted via the app – would only link users back to the main domain, and not to your customer’s.
You would not be able to use the JS SDK for client-side API requests, or even just to embed it to render any of the FB social plugins that require an app id – the SDK checks what domain it is “running on”, and can not be tricked to accept a domain that is not specified in the app settings.
There could be privacy issues. An over-exaggerated example: Just because I as the app user decided to share my photos or videos I have on Facebook with your customer Our-Holy-Mother-of-Christ-Bakery.com, does not necessarily mean I want to share them with your other customer, amateurs-doing-all-kinds-of-nasty-stuff.xxx as well – but if they shared an app id for login purposes, I automatically would. Have fun writin’ the Privacy Policy (which is mandatory if you use FB login functionality, and FB also automatically checks if your app has got one) for that scenario ;-)
Finally, and most importantly: All your customers would be “sitting in the same boat.” If one of them, or in turn their website users, would publish spam via your app id, so that Facebook blocks it, login would not work any more for all of your customer’s websites. And if you decide only then, that setting up an individual app for each of your customers would be the better way to go, they would not be able to recognize their existing users any more, because of user ids being app-scoped since API v2.0 was introduced – so if users logged into this new app, that app would see a totally different user id. (And to rely on an email address as an identifier is risky, too, because you will not get one from the API for every user; for example if they registered using their mobile device.)
Edit: Plus, app/domain insights, as luschn mentioned in his answer.
¹ Yes, the review process has made it more laborious to set up multiple apps for multiple clients. But for apps that do the same stuff/use the same permissions in the same manner, you can refer to an earlier successfully reviewed app id to speed up the process a little. Also, screenshots of how, e.g., posts made via the app look on the timeline, and what UI components are used, as well as screencasts that you include in your submission could probably be used with little to no alteration.
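The answer above describes the one workaround that does work: a single "main" (hub) domain configured as the app domain, with the server-side login flow and a redirect back to the customer's origin domain. The following is an added example of the hub side of that redirect, written for this page and not code from the answer's author or from Facebook's SDKs. Everything except the dialog URL shape is an assumption for illustration: the app id, the hub host `login.example.com`, the customer allowlist, the state-signing key and the `/fb/callback` and `/fb/done` paths are all constructed. The security point it adds is that the `state` parameter carrying the return domain must be signed and checked against an allowlist, otherwise the hub becomes an open redirector that sends freshly logged-in users wherever an attacker's link says.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; real ones live in the app dashboard and the hub's config.
APP_ID = "CONSTRUCTED_APP_ID"
STATE_KEY = b"constructed-state-signing-key"   # hypothetical key held only by the hub server
HUB_DOMAIN = "login.example.com"               # the single "app domain" from the app settings
RETURN_ALLOWLIST = {"bakery.example", "shop.example"}  # every customer site the hub may send users to
STATE_TTL = 600                                # seconds a state value stays valid


def _sign(msg: str) -> str:
    """HMAC-SHA256 over the state body, keyed with the hub-only key."""
    return hmac.new(STATE_KEY, msg.encode(), hashlib.sha256).hexdigest()


def make_state(return_domain: str, now: Optional[int] = None) -> str:
    """Bind the customer's return domain and a timestamp into a signed state value."""
    if return_domain not in RETURN_ALLOWLIST:
        raise ValueError(f"{return_domain!r} is not an allowed return domain")
    body = f"{return_domain}|{int(now if now is not None else time.time())}"
    return f"{body}|{_sign(body)}"


def parse_state(state: str, now: Optional[int] = None) -> Optional[str]:
    """Return the return domain if the state is authentic, fresh and allowlisted; else None."""
    body, _, sig = state.rpartition("|")
    if not body or not hmac.compare_digest(sig, _sign(body)):
        return None                       # tampered or forged
    domain, _, ts = body.partition("|")
    try:
        age = int(now if now is not None else time.time()) - int(ts)
    except ValueError:
        return None
    if age < 0 or age > STATE_TTL or domain not in RETURN_ALLOWLIST:
        return None
    return domain


def login_url(return_domain: str) -> str:
    """URL the customer's site sends the browser to; redirect_uri stays on the hub domain."""
    params = {
        "client_id": APP_ID,
        "redirect_uri": f"https://{HUB_DOMAIN}/fb/callback",
        "state": make_state(return_domain),
    }
    return "https://www.facebook.com/dialog/oauth?" + urlencode(params)


def callback_redirect(callback_url: str) -> Optional[str]:
    """Hub callback handler: after the server-side code exchange (not shown here),
    decide where the user may be sent back to, based solely on the verified state."""
    query = parse_qs(urlparse(callback_url).query)
    domain = parse_state(query.get("state", [""])[0])
    if domain is None:
        return None                       # refuse rather than redirect to an unverified host
    return f"https://{domain}/fb/done"


if __name__ == "__main__":
    url = login_url("bakery.example")
    print(url)
    state = url.split("state=")[1]
    print(callback_redirect(f"https://{HUB_DOMAIN}/fb/callback?code=CODE&state={state}"))
```

The access-token exchange itself happens on the hub with the app secret and is deliberately left out; the point of the block is that the only thing deciding where the user lands afterwards is a value the hub signed itself and can still find in its allowlist.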
Apps are not meant to be used on several different domains; you will have to create a new App for each domain, I'm afraid. You can use the different platforms in the App settings to use different domains, but there are only a few so it's pointless. Just create some screenshots and a tutorial for your clients, that's how it is usually done.
Btw, it would be weird to authorize an App on a website, and the same App would allow you to be authorized on all other client websites. Also, insights are per App, so your clients may want to see their own insights and not the global insights of all domains together.
"Many" is not defined, but I think, to be a smart developer, you need to create new app_ids for every project in which you need to use Facebook Connect. Just my opinion. It also allows you to monitor a lot of stuff.
OK, here is my situation. We had two developers create a Social Networking program for us. They created a feature that allows it to link to your Facebook account. They said they used the standard Facebook API and that it uses a token for authorization. The feature worked great when the code was on our dev site, dev.maizing.com, but now that it is on www.maizing.com we are having a problem.
I searched and found one PHP file that had several references to dev.maizing.com and I changed them to www.maizing.com. In our app now, when I try to link to my Facebook account, I get a long error URL. I noticed it includes ....
https://www.facebook.com/dialog/oauth?client_id=____________
I won't include the whole client_id here.
What I was told is that my original client ID was hardcoded to work with dev and not www. My original developers are gone and are unreachable. I think they have the client_id under another account and I don't have access to it. How can I get access to now make our client_id point to the right server?
Your AppID shown on your app dashboard page is the client_id.
Sounds like you need access to the app's settings, found here:
https://developers.facebook.com/apps/[client_id]/summary/
As this page says, "The URL you specify must be a URL with the same base domain specified in your app's settings..."
So unless you get access to your app settings, you have to stay with "dev.maizing.com"
Sorry.
There is a silver lining though: if you change your app domain to "maizing.com" instead of "dev.maizing.com" then you can use this app from "*.maizing.com", as stated in the tooltip for app domain.
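The "*.maizing.com" remark above is the rule that the redirect URL's host must share the app's base domain, subdomains included. The following is an added example, not code from the answer or from Facebook, showing how a server enforcing that rule on its own side (say, when validating where it will send a user after login) should match hosts against the configured app domain. It uses the page's own `maizing.com` hosts; the check for an `https` scheme is an assumption added for illustration, not something the answer states.

```python
from urllib.parse import urlparse


def naive_suffix_match(host: str, app_domain: str) -> bool:
    """The tempting one-liner. It accepts 'evilmaizing.com' for app domain 'maizing.com',
    because a plain suffix test ignores the label boundary."""
    return host.endswith(app_domain)


def host_matches_app_domain(host: str, app_domain: str) -> bool:
    """True only for app_domain itself or a proper subdomain of it (the '*.maizing.com' rule).
    Comparison is case-insensitive and tolerates a trailing dot on either side."""
    host = host.lower().rstrip(".")
    app_domain = app_domain.lower().rstrip(".")
    if not host or not app_domain:
        return False
    return host == app_domain or host.endswith("." + app_domain)


def redirect_uri_allowed(redirect_uri: str, app_domain: str) -> bool:
    """Accept a redirect URI only if it is https (assumption for this demo) and its host
    sits under the configured app domain."""
    parts = urlparse(redirect_uri)
    if parts.scheme != "https":
        return False
    return host_matches_app_domain(parts.hostname or "", app_domain)


if __name__ == "__main__":
    for host in ("www.maizing.com", "dev.maizing.com", "evilmaizing.com"):
        print(host, naive_suffix_match(host, "maizing.com"), host_matches_app_domain(host, "maizing.com"))
```

With the app domain set to `dev.maizing.com`, `www.maizing.com` fails the proper check (as the asker experienced); with it set to `maizing.com`, both dev and www pass while a look-alike domain ending in the same letters does not.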
I'm currently making a CMS and I would like to use some Facebook functionalities.
The problem is that I need an API Key for that. So I'm wondering, if I have an API Key, can I share it with my open source CMS project to anyone? And can anyone use it with my CMS?
You have two options.
Create an app for each installation of the CMS, then set app secret and ID in the CMS configuration file.
If you want all installations to use the same app securely you will need a loop back server (i.e. the CMS installation makes a call to your server, which in turn makes a call to Facebook and returns the results).
Do not share your App Secret with anyone. The App Secret is used to sign the signed_request that is passed to you after Facebook authentication. With the App Secret, a hacker can impersonate anyone to use your app because he can pass anything and sign it as if it is from Facebook.
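The answers at the top of the page (never share the app secret; reset it if it leaks) and the one just above (the secret signs the `signed_request`, so whoever holds it can forge one) describe the same mechanism. The following is an added example, written for this page and not code from any of the answerers or from Facebook's SDKs, that verifies a `signed_request` the way the format requires: a URL-safe base64 HMAC-SHA256 signature, a dot, then the URL-safe base64 JSON payload, with the HMAC keyed by the app secret and computed over the encoded payload string. The `make_signed_request` helper and the secret value are constructed here only to produce test input; it exists to make the point concrete that anyone with the secret can produce a payload the verifier accepts, and anyone without it cannot.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real App Secret comes from the app dashboard and belongs
# in server-side configuration, never in a public repository or a client binary.
APP_SECRET = "constructed-demo-secret-do-not-ship"


def _b64url_decode(data: str) -> bytes:
    # The platform strips base64 padding; restore it before decoding.
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str) -> Optional[dict]:
    """Return the payload dict if the signature checks out, otherwise None.

    Layout: <b64url(HMAC-SHA256 signature)>.<b64url(JSON payload)>
    The MAC is keyed with the app secret and covers the encoded payload string,
    which is exactly why a leaked secret lets a third party mint payloads that pass.
    """
    try:
        encoded_sig, payload_b64 = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None                       # malformed input is rejected, not guessed at
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    # Constant-time comparison; never compare MACs with ==.
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Produce a signed_request the way the platform would. Only a test-input builder here;
    note that nothing but possession of app_secret separates a genuine one from a forgery."""
    payload = dict(payload, algorithm="HMAC-SHA256")
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"


if __name__ == "__main__":
    genuine = make_signed_request({"user_id": "1234567890"}, APP_SECRET)
    print("genuine ->", parse_signed_request(genuine, APP_SECRET))
    forged = make_signed_request({"user_id": "1234567890"}, "some-other-secret")
    print("forged  ->", parse_signed_request(forged, APP_SECRET))
```

If the secret has been exposed, the reset described at the top of the page is the fix: verification on the server then uses the new secret, and anything signed with the old one fails the comparison.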