Prevent signups with Facebook proxy email - facebook

Problem is, when a user clicks on FB Login button on my site, Facebook API throws him with a window which ask for access permissions(which is the usual flow). But when the user chooses the proxy mail address (anonymous), then I want to force the user to login only using his real email id.
How am I supposed to handle this ?
I can detect that user used proxy email and prevent him from registering, but then I can't remove my app from his list of authorized apps - meaning I can't get him to that initial dialog for choosing which email he will provide.

You can't force the user to go through the authorization dialog again, because as far as Facebook is concerned, the user has installed your application and nothing else needs to happen. The best thing you can do here is write your own form which informs the user that the Facebook proxy e-mail address is unacceptable and you need a real e-mail address. Unfortunately, this does not force the user to give you their Facebook account e-mail address, or even a real e-mail address. This is the best we have via Facebook though, and it's just something we have to deal with.
UPDATE 5/10/11
I was browsing around the Facebook documentation, and found a method that exists in the old Legacy REST API which actually allows you to remove extended permissions for your app from a user. I think you could use this exact API call to manage getting non-proxy addresses from your Facebook user, while still using the native install dialog.
I tested this using the FB JS SDK and it worked! The method you need to use is the auth.revokeExtendedPermission method. Here are 2 examples of calling that method via the JS SDK and the PHP SDK.
Javascript:
<script>
FB.api({
method: 'auth.revokeExtendedPermission',
perm: 'read_stream'
}, function(response)
{
console.log(response)
});
</script>
PHP:
<?php
$facebook->api(array(
'method' => 'auth.revokeExtendedPermission',
'perm' => 'email',
'uid' => $uid
));
Because these use the Legacy REST API they're not as "supported" as the new Graph API. I've not seen anything regarding migrating this feature to the Graph API. Hopefully they will.

Invoke revocation of the app through graph api (as below) with the php sdk then redirect user back through your dialog with this non-proxy requirement explained.
private function revokeAccess() {
$access_token = $this->facebook->getAccessToken();
$result = $this->facebook->api(array(
'method' => 'auth.revokeAuthorization',
'uid' => $this->{facebook id here},
'access_token' => $access_token
));
return $result;
}
This code is php.
This completely removes the app.
Returns 1 on success; 0 on failure.
$this->facebook == facebook object from the facebook php sdk.

Related

Facebook access token for post message in timeline

I am trying to do something like this. Lets say a user used FB Connect for registration in our site, so I can get the "uid" of facebook and I can store in DB. Now what I want each time that user will visit a store details page or item details page I will post that store/item image with link, photo, description etc to FB timeline.
Something like this:
$post_id = $facebook->api('/me/feed/', 'post', array(
'message' => $products_name, // item name
'link' => 'http://www.blabla.com/item/myshoes', // item url
'picture' => $fb_img_src, // item image
'caption' => $products_name, // item name for caption
'description' => $products_description // item description
));
} catch (FacebookApiException $e) {
$user = null;
}
This process works fine if user logged in to FB by using our FB app. But as I said I want to post if they not even logged in by using their facebook "uid".
Is it possible to authenticate that user depending on facebook "uid"?
Thanks in advance! Any clue/help will be appreciated!
I strongly believe that posting anything to user's Facebook without their's consent or even their action will surely and quickly encourage them to leave your site forever. Do not do this.
Anyway - to answer your question:
Yes, it is possible to get access to user's Facebook and "do stuff", especially when a user is logged in both on Facebook and on your site. You just need to obtain user's access token (read about it in the docs), and make sure the users grants your app all aproppriate permissions. There are also access tokens that can be used offline (user is not even online), but I'm not going to discuss it here.
One way to obtains user's access token is to redirect the user to FB login url providing your APP_ID (as described in FB developers docs). FB will then redirect the user to your Fb-login URL with access code/access token, which enables you to do something like posting to users timeline.
Of course actions that you can take are limited according to permissions said user has granted for your app. And I have to remind you - it's a thin ice you're stepping on.

Redirect to facebook app after login from auth dialog

I got some problem with my testing app
$params = array(
'scope' => 'read_stream, publish_stream'
);
$loginUrl = $facebook->getLoginUrl($params);
echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
This is the code I use to send user who has not logged in yet to login
via facebook auth dialog.
The problem is after login using facebook auth dialog
user will be redirected to my site which is not in facebook app.
How can I send user back to facebook app after login using auth dialog ?
Please help
You can use the redirect_uri parameter of getLoginUrl() to tell facebook where you want to send the user after authorization ends (let it be success or failure).
There's a number of restrictions on what you can use there, basically you got three options:
URL under your application's domain.
The canvas path of the application (if it has one): https://apps.facebook.com/YOUR_APP_NAMESPACE
Any page url that has your application installed: https://www.facebook.com/PAGE_USERNAME/app_YOUR_APP_ID
By default, the php sdk takes the current url as redirect_uri. The documentation about these are under the oauth dialog's documentation of the same parameter.
Was google-ing about the same issue and found a solution,so thought might as well answer her.
simply add the following code in the main page.
$config['appBaseUrl'] = "http://apps.facebook.com/your_app_name/";
if(isset($_GET['code']))
{
header("location:" . $config['appBaseUrl']);
exit;
}
$config is the array that i pass while creating the facebook object. In this context,its not necessary to create an array though.

REST web service Basic authentication + Client Facebook app authentication = double authentication?

I have built a web service based on a REST design. Of course some of the operations available on resources require authentication (delete a user for example). I use Basic authentication and so far everything is fine.
I have built a client to consume the web service : a set of Ajax function. Again, everything is fine (also for the Basic authentication).
I want now to create a whole web app that will use the set of Ajax function above to interact with the web service. But, to enhance the user experience, some of the web app functions will require Facebook authentication.
So here is my problem. The web app will require username and password to call the web service via the Basic authentication. But it will also require Facebook credentials to use Facebook API and the user will have to log in twice. Moreover, every time I will have to check if the Facebook user (currently logged in Facebook) corresponds to the user of the web service and it is quite troublesome.
Does anyone have an idea to simplify the process ?
It's a bit related to that post authentication-scheme-for-multi-tiered-web-application-utilizing-rest-api but I did not find any answer I could understand.
In such scenarios, I use only Facebook authentication. If user is logged into Facebook by JS SDK, you can simply get accessToken by FB.getAuthResponse().accessToken. Then, you can pass it into webservice and use it to authenticate on server side.
First, client side authentication with JS SDK:
/* assumed, that you alredy called FB.login() and stuff */
var accessToken = FB.getAuthResponse().accessToken;
$.ajax({
'url' : 'rest.php',
'type' : 'get',
'dataType' : 'json',
'data' : { accessToken : accessToken },
'success' : function(response) {
/* some fancy code, blah blah blah */
}
});
I use PHP SDK, so I'll show example in PHP.
<?php
require 'facebook.php';
$accessToken = $_GET['accessToken'];
$facebook = new Facebook(array(
'appId' => 'xxxxx',
'secret' => 'xxxxx'
));
$facebook->setAccessToken($accessToken);
if ($facebook->getUser()) {
// yaay, user is authenticated
echo json_encode($mySuperDuperSecretContentForLoggedUserOnly);
} else {
// authentication failed
echo json_encode(null);
}
If your main design uses basic authentication, but you want on some cases to be able to connect with facebook, then I suggest that you use an adapter/bridge on your server that will be able to take the facebook auth data and then handle the basic authentication itself.
That way the facebook users won't have to go through 2 authentication processes, and you don't break anything in your original flow.
It should not be hard to implement, when a user signs up just associate his fb account with a user in your system, then when he logs in with facebook take his id and log him into the system using the basic authentication.
One thing though, if you want to implement the facebook authentication using client side then you should send the auth data in https.

Using Phonegap's Facebook access token on the server-side

I have Phonegap's Facebook plugin working perfectly within my Android app. This plugin uses Facebook's client-side Javascript flow. However, I would like to upload photos to FB from the server-side, instead of client-side, as this is much (much) more efficient.
Is it possible to use Facebook's access token generated from client-side on the server-side? (BTW, I have Facebook's PHP SDK working perfectly on stand alone web pages.)
I am getting a "(#200) Permissions Error" trying to pull this off.
If the client-side token cannot be used on the server, any other suggestions? I do not know of a way to generate a server-side Facebook token from a Phonegap app.
Edit:
It appears that you actually can use a client side Facebook token on the server. It's simple matter of upgrading to the latest Facebook PHP SDK, and using the $facebook->setAccessToken() function with a token sent from Javascript.
An access token is valid via client or server. On facebook end it is the same thing: a request through HTTP.
If you are not able to upload photos, check that you have the appropriate user permissions for your application.
If you are trying to figure out what graph api calls you need, a good starting place is the javascript console:
https://developers.facebook.com/tools/console/
Here you can see in the javascript what calls are being made in order to read fromt he api, or make a feed story or upload. You will use the same graph URLS and variables using server side code.
Yes you can use client side token in server side.Actually when user is logged into facebook ,fb create an access token in cookies ,which you can access on both client as well as server and when user is logged out ,cookie is destroyed and access token becomes invalid.
And to upload the photos to facebook i used following code :
// $friends is an array of friend id to be tagged in photo
// $x and $y are the position of tags.
for($i=0;$i<sizeof($friends);$i++)
{
$tags[] = array(
'tag_uid'=>$friends[$i],
'x' => $x[$i],
'y' => $y[$i],
);
}
$photo_details = array(
'access_token'=>$access_token ,
'message'=> 'Any message',
'tags' => $tags
);
$file=$photo_name; //Example image file
$photo_details['image'] = '#' . realpath($file);
$upload_photo = $facebook->api('/me/photos', 'post', $photo_details);

Facebook Graph API problem

I've got some trouble with Facebook authentication. Even when I'm logged, the function getUser() returns 0
Here's my code :
$fb_params = array(
'appId' => APP_ID,
'secret' => SECRET_ID
);
$fb = new Facebook($fb_params);
echo $fb->getUser(); // UID
Someone's got an idea?
PS : 'I can no long access to $fb->api('/me'), it says it requires an access_token, I think it's linked to the authentication issue...'
Thanks
You are currently not authenticating as a user, only as an application. As a result, the Facebook API can't show you the /me page or respond to a getUser() call since it doesn't know what user you are trying to access the API on behalf of (ie. "Who is /me?"). You will also only be able to access publically-accessible information.
You need to get a user to authenticate your application through Oauth2, store the access_token you are returned, and then include it in any future calls (eg. WIRQjCey1.3600.1309525200.0-509450630|eD6SAR">https://graph.facebook.com/me?access_token=2227470867|2.AQB-_WIRQjCey1.3600.1309525200.0-509450630|eD6SAR...).
To do this using the PHP SDK you can do
$loginUrl = $fb->getLoginUrl();
echo "<a href='$loginUrl'>Login with Facebook</a>";
Clicking that link and having the user authenticate will store the access_token to the $_SESSION, and when you hit refresh the "new Facebook( $fb_params );" constructor will pick out the access token from the $_SESSION and use it for all future calls, so then calls like $fb->getUser(); will return correctly.
There's a functioning example in the examples folder of the SDK, here:
https://github.com/facebook/php-sdk.
You can use it to try calls while authenticated as an application (public data access only), and then as a user.