Facebook Application: How can I deny direct access on my server? - facebook

Is there a way to deny direct access to the application server for a facebook application?
Facebook loads the application via an iFrame src=http://app-domain/, but you can clearly view the page source and find out that domain and copy paste the URL into a browser and view the application directly.
There is this signed_request and oauth_token in the API, I was wondering how to use that or if I can use that to limit direct access to the application.
So if a user inputs in the browser your application's URL he gets redirected to Facebook.
Thank you.
EDIT:
I found a way that also works with form submission.
// Signed request
$signed_request = $facebook->getSignedRequest();
if(!$signed_request) header("Location: " . $settings['appBaseUrl']);
This redirects the browser while accessing the application directly and not through facebook.


It will not work if javascript is disabled.
<script type="text/javascript">
var isInIFrame = (window.location != window.parent.location) ? true : false;
if(!isInIFrame){
window.location = 'link-of-application-page';
}
</script>


You'll need some Javascript to detect whether you're in Facebook's frame and if you're not, redirect to it.


I found a way that also works with form submission. (Works for me, it might not work for you. Test it first.)
// Signed request
$signed_request = $facebook->getSignedRequest();
if(!$signed_request) header("Location: " . $settings['appBaseUrl']);
This redirects the browser while accessing the application directly and not through facebook.

Related

How to force Facebook to use https into a tab url

My server use only https with an htaccess redirect at root level, when my tab app is called from a FB page if the user use an http connection I lost the signed request.
Everyone knows a solution?
How to force Facebook to use https when call a tab?
thanks
luc

How to force Facebook to use https when call a tab?
In theory, HTTP status codes 307 (Temporary Redirect) and 308 (Permanent Redirect) should be used for this, since they require the method to stay the same, so the client would have to fetch the resource that’s been redirected to using POST with the same data again.
However, I have no experience how well this works with the browsers that are out there.
Probably better to “redirect” client-side, using JavaScript. Of course, that requires a resource that is available using HTTP only, and is not redirected server-side to it’s HTTPS counterpart.
In the future, this “problem” will go away on it’s own, I assume – since Facebook announced end of last year that they will move all users to HTTPS; so I think some time from now we won’t be required to give a HTTP URL for canvas/page tab apps any more, and use just one HTTPS version.

I resolved in this way:
In the FBapp manager I used as http url a page created on a different server that accept http.
In this page I used the following code .
$signed_request = $facebook->getSignedRequest();
$page_id = $signed_request["page"]["id"];
$fql_query_url = "https://graph.facebook.com"
."/$page_id?fields=link"
."";
try {
$fql_query_result = #file_get_contents($fql_query_url);
$fql_query_obj = json_decode($fql_query_result, true);
} catch(Exception $o){ }
$pageinfo = $fql_query_obj[link];
$pageinfo = str_replace("http://","https://",$pageinfo);
$tabpage = "$pageinfo"."?sk=app_$appId";
echo "
<!-- force tab iframe -->
<script type=\"text/javascript\">
top.location.replace('$tabpage');
</script>
";
?>
that's all

Redirect to facebook app after login from auth dialog

I got some problem with my testing app
$params = array(
'scope' => 'read_stream, publish_stream'
);
$loginUrl = $facebook->getLoginUrl($params);
echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
This is the code I use to send user who has not logged in yet to login
via facebook auth dialog.
The problem is after login using facebook auth dialog
user will be redirected to my site which is not in facebook app.
How can I send user back to facebook app after login using auth dialog ?
Please help

You can use the redirect_uri parameter of getLoginUrl() to tell facebook where you want to send the user after authorization ends (let it be success or failure).
There's a number of restrictions on what you can use there, basically you got three options:
URL under your application's domain.
The canvas path of the application (if it has one): https://apps.facebook.com/YOUR_APP_NAMESPACE
Any page url that has your application installed: https://www.facebook.com/PAGE_USERNAME/app_YOUR_APP_ID
By default, the php sdk takes the current url as redirect_uri. The documentation about these are under the oauth dialog's documentation of the same parameter.

Was google-ing about the same issue and found a solution,so thought might as well answer her.
simply add the following code in the main page.
$config['appBaseUrl'] = "http://apps.facebook.com/your_app_name/";
if(isset($_GET['code']))
{
header("location:" . $config['appBaseUrl']);
exit;
}
$config is the array that i pass while creating the facebook object. In this context,its not necessary to create an array though.

How to change HTTPS to HTTP in Facebook via an Application

I want to develop an App in FB which should make HTTPS browsing impossible for fb users. Or, the app must run in HTTP without SSL. Can anyone here help me? please?

Shouldn't you do exactly the opposite? Why? Never mind...
In PHP:
// Enforce http
if (substr(AppInfo::appURL(), 0, 7) != 'http://') {
header('Location: http://'. $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
exit();
}

You app inside iframe and you know what url of parent page with your app without https.
Do this js in iframe on onload or onclick
window.top('http://needed_url');

Facebook Signed Request empty after reload

I have a probleme with my Signed Request on my facebook application. The first time is good, and i know if the user like or not my app. But when I reload the application (link, form, like) i loose the Signed Request, (only refresh [F5], and unlike works)..
I realy don't understand why ??
Links don't work anymore :(
This is my test page : https://www.facebook.com/pages/TestCactOos/255835411190164
And the test app : https://www.facebook.com/pages/TestCactOos/255835411190164?sk=app_335457189856398
On app, you can see $facebook, $_REQUEST and $_SERVER informations.
Thank you all for your time and help.

The signed request is in the header of the referral from Facebook. It's not maintained from link to link, since the subsequent referrals will be from your own pages. Use the signed_request to get some info and keep that in your session between pages.

You are just one time able to get the signed_request. That is exactly when Facebook loads your App in an iframe. Then you must have to save the signed_request for further usage (subpages). There you have to check for the data via $_REQUEST or fall back to your stored signed_request values.
Here is an small example of the fbHelper component. I hope this might give you some ideas how to handle the issue:
Source: http://www.facebook.com/HelperComponentlCommunity/app_412923142052609
if(array_key_exists('signed_request', $_REQUEST))
$signed_request = $_REQUEST['signed_request'];
elseif(array_key_exists('signed_request' . $this->pageId, $_SESSION))
$signed_request = $_SESSION['signed_request' . $this->pageId];
else
return false;
$facebook_data= $this->parse_signed_request($signed_request);

Facebook canvas authentication: No signed_request parameter after redirect

In my canvas page, I try to authenticate the user the way it is described in http://developers.facebook.com/docs/guides/canvas/, by using essentially this code (example code from developers.facebook.com):
<?php
$app_id = "YOUR_APP_ID";
$canvas_page = "YOUR_CANVAS_PAGE_URL";
$auth_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($canvas_page);
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
if (empty($data["user_id"])) {
echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
echo ("Welcome User: " . $data["user_id"]);
}
?>
The problem is, the first time the user authorizes my canvas application, Facebook doesn't pass a signed_request parameter when redirecting back (as described in the example code), but a code parameter. When accessing the application the second time (already having confirmed the rights), it passes a signed_request parameter as expected.
Why does it pass a code parameter the first time? The documentation doesn't explain when Facebook passes a code / signed_request parameter.

The problem was that for $canvas_page, I used the canvas URL (e.g. mysite.com/canvas) instead of the canvas page URL (e.g. apps.facebook.com/myapp).

I think you need to append "&response_type=token" to your authentication url:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&response_type=token
Then you get back something that looks like:
http://apps.facebook.com/APP_NAME/#access_token=YOUR_APP_ID%YADA_YADA_YADA0&expires_in=3948
And you can extract it with some Javascript:
if (window.location.hash.length == 1)
{
var accessToken = window.location.hash.substring(1);
}

Facebook uses the code parameter to authenticate your application. In the documentation, it states:
*If the user presses Allow, your app is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code*
To complete the authorization, you must now take the code parameter and your app secret and pass it to the Graph API token endpoint (paraphrasing the documentation). This will grant you access to the access token. From this point onward, your application will not require the code parameter for this user because they are already authenticated.
Facebook uses the signed_request to share information with your application. The documentation states three scenarios in which it will pass the signed request. These are:
A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
So to conclude, the code parameter is only sent to authenticate the application, while the signed_request is utilized to pass information once the application has been authorized.

Saj-and is very correct.
I too struggeled with this alot.
When setting the redirect_uri to my domain name, I got an infinate redirect loop.
When setting the redirect_uri to the facebook app url, I got an error saying the url is not on my domain and so cannot be accessed.
It took the "/" at the end to solve this

I had the same problem with my canvas app, I fixed it by simply redirecting to my application's canvas url in the case that there is a code GET request parameter. After that Facebook sends me POST request that contains the signed_request parameter as expected. Here is the Python Django snippet:
if 'code' in request.GET.keys():
return HttpResponseRedirect(FACEBOOK_CANVAS_URL)
# ...rest of your canvas handling code here

I struggled with this issue (not getting oauth ID in the signed_request and instead get the "code" after user approves the app) for over a week, and this post (and few others posts) helped me get very close to resolving the issue (I was using my apps canvas URL instead of the canvas page url in the redirect URI, and I didn't specify the namespace in the settings).
After making these corrections, I faced a different issue where the app approval page won't show up for a new user and instead facebook throws the message" application has an error etc.. and finally I figured I was missing a / at the end of the canvas page url in my redirect url.. I had it as https://apps.facebook.com/myappname instead of https://apps.facebook.com/myappname/ in the redirect uri. Adding the / at the end resolved the issue and when a new user access my app using https://apps.facebook.com/myappname (if the user is already logged in ) facebook shows the approval page (upon receiving the response from my server) and once the user approves the app, facebook sends the signed-request with the required auth code to my application. Hope this will be useful for anyone else who might encounter the same issue.

Just to clear the confusion about the code parameter.. Facebook will always send this parameter when user allows the application.. however the signed_request parameter is sent using post or some other method.. it is not sent in the url.. You can access it using $_REQUEST['signed_request']

I had a similar problem that was solved when I assigned a namespace to my app, so it would look like apps.facebook.com/myapp and not apps.facebook.com/1234.

I was experiencing the problem you describe with firefox and with third-party cookies disabled.
I enabled third-party cookies and then the signed_request was suddenly available.