I am experiencing a very odd behaviour. I built my application with CakePHP and I use Nick Baker's Facebook Plugin.
When I log in, everything works ok. When somebody else logs in, again, everything works fine. But if someone logs in in the same time I am logged in, the correct User id is remembered in Auth for that User, but the Facebook data is taken from my account.
So, if I have User id 1 and John has user id 2 and each one of us logs in the application in the same time, the correct IDs are stored in the Auth Component (1, respectively 2). But if I visit a page which shows data from the corresponding profile, I see my picture and my Facebook data, but John also sees my picture and my data, instead of his.
Why is this happening? I really need help with this as it's beyond my understanding.
Thank you very much!
Do you have caching enabled? The web server might give a cached version of the page to the other user.
I have a similar problem and i think it is due to the access_token being saved in the user session. Since Facebook and my app reside at different domains the app session isn't destroyed when the user logs out from Facebook. I resolved this temporarily by calling $this->Session->delete('FB'); in the beforeFilter of my controller, like this:
public function beforeFilter() {
parent::beforeFilter();
$this->Session->delete('FB');
}
I think this makes the plugin request a new access_token on each request which is not optimal but works. Please correct me if i'm wrong.
Related
I've spent the better part of a day researching this and thought I could figure this out on my own, but no luck.
Here's the situation, I have FB authentication in a mobile app. This is working fine. A user can log in and I can access the public profile data, etc.
The issue is that I would like to have NEW users or first time logins to create new records in my private database, because I am looking to store more than email, and FB id. For example, favorite items. I can also accomplish this easily enough with a post to (www.mywebsite.com/api/users/).
So, the REAL issue is that I don't want to have a route that simply allows people to add users to my database, willy-nilly.
Is there a way to pass the access token to an API route to ensure that a user can only add a new user-record to the db IF they have a valid FB login?
I've set up the famous "auth/facebook" route that is popular on the web which also works great, until I access it from my app. It then throws X-origin errors (I believe in part due to the callback route).
this post was similar, but still doesn't quite cover it.
Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism
Please help!
Thanks,
Wayne
After another two days of digging, I found a rather simple solution.
The facebook graph API will allow you to submit the access token to recieve basic user data.
So my solution is now this:
1. Use cordova-facebook4 plugin to authenticate within the app. (You can find details here: https://github.com/jeduan/cordova-plugin-facebook4
2. Send the FB id AND authentication token to my server route, like this: `myapiserver.com:1234/auth/facebook/<token>/<id>`
3. On the server side, send an ajax request to https://graph.facebook.com/me?access_token=<token received from the
cordova plugin>. This will return the name and FB ID as JSON.
4. On the server, compare the ID returned from facebook to the ID sent with the request. If they match, add the new user, if not, do
not add the user and return an error. Of course, the server will
not allow a new account to be added to the system if that FB id is
already in use.
At this point, it seems that the worst harm that could be done is for someone to hack another person's FB account, get their token and ID and THEN use that to create a user on my system for that person. Which seems pointless enough that I'm not going to worry about those attacks.
Please comment if you know of a better solution or I missed a security vulnerability.
Ref: How to get the Facebook user id using the access token
In work I got a task (we MUST work with ASP Classic by the way): when user posts a blog, a link to that blog should be posted automatically on user's facebook timeline and in his twitter. I made everything working, but there is one problem: user needs to be signed in to post. I've made the cheking if he's logged in, and if not he must log in.
But I need to avoid the logging-in step and make it automatic (by sending user's username and password as part of the data sent to twitter/facebook or something like that), but I can't figure out how to do that or if it's even possible at all.
Any ideas? Would greatly appreciate any help.
P.S.: for the twitter part I used http://scottdesapio.com/VBScriptOAuth/
for the facebook part I used a combination of: http://snipplr.com/view/61108/facebook-app-login--authorization-entirely-clientside/
Everything works, but is it possible to automatize the user's sign-in part?
Finally I managed to make the both things automated...
The problem with Twitter was that I didn't store request token in session, that's why I got "Could not authenticate you" error.
Can't remember what I did wrong with Facebook (some co-workers helped me out), but I guess I didn't make proper http requests...
So the answer is: yes, it is possible to automatically post to Twitter and Facebook without user sign in.
If I am not wrong then your logged in user in facebook for current browser is not authorize for your app.
I think you should try googling about "How to authorize users into app". OR
If you don't mind I am giving you the direct URL to go to that setting page for your app:
https://developers.facebook.com/apps and then go to your app then after from left side bar go to roles and then after click on test user tab from top of page and then click on add button it will opne one pop-up to add a user.
In app you have to add test user for testing purpose and have to login for that added test user, so added user will be authorize for that app and you will be able to test.
Thank you...
Is there anyway to get the Facebook ID of a user without forcing them to authenticate? I'm trying to create an app page where the user can only add an answer to a poll once, so I need to be able to identify viewers by some kind of unique identifier.
My preference would be to not force them to log in. I think it's bad UX to add 2 extra steps just so I can make sure a facebook user on a facebook page is unique. I don't need any permissions to their profile/etc.
BTW, I've seen similar questions though nothing current or close enough for me.
No possibility if you don't make your user log in, for security reasons, the user has to be aware you are collecting information about him, it's also why there is a login.
With the PHP SDK, to get the id after login:
$userId = $facebook->getUser();
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.
I have completed the facebook connect process. I need to address the following issues....
If a user has authorised my application: then on pressing F5, he must automatically be signed in...
If the user logs out of my site, he must log out of faceboook as well, and then display a dialog message.
Please help
You could try to redirect the user to Facebook's logout page. I doubt it works but it might be the only possibility.
Why do you want to log the user out of Facebook anyway? As a user I'd be pretty pissed about that, but then again I don't know what kind of app this is so it might make sense in some custom Facebook interface or something.
You could do something like
logout
However, it's rather user-hostile: unless I (the user) have asked you to do that, why the **** are you logging me out of Facebook?