Using Twitter OAuth, I'm saving the user's data as JSON in a "twitter" field in my database. Likewise, I'm saving the user's Facebook Connect info (including persistent session_key) as JSON in a "facebook" field.
For most operations, this is great. However, I'd like to add a "Find Friends" function that will grab the user's friends from either service, compare against users on my service, and show the resulting list to suggest friends.
The initial problem: doing a DB call to compare the user's friend list against usernames that are in JSON.
First idea: if I can get a list of all users that have authenticated my application (along with their emails), I could then find users in my database with those emails. However, I'm not aware of any API call for either Twitter or Facebook that does that.
Any other idea on how to create this function?
Thanks in advance.
You could create tables for the users having their service ID in a field. (facebook or twitter user id).
Then just do a SQL search on the tables to find them. JSON isn't a good idea to store in a table for searching with.
Joe
Related
I'm experimenting with getting user data from the Facebook Graph API, but so far I can only retrieve information from my own profile. Using the Graph API Explorer, I'm sending GET requests for this information:
me?fields=id,name,birthday,picture,email
How can I change this to search for other users instead of "me"? For example, I want to search for profiles of people named "John Smith" and return pictures and birthdays for each profile of this name.
You can use the Search API to search for users by name: https://developers.facebook.com/docs/graph-api/using-graph-api#search
...but there is no way to get birthdays and emails of users if they did not authorize your App. You would not be allowed to use the emails anyway, even if you would get them.
Will exposing app specific Facebook friend user IDs in client side source code expose my app/my apps users to any exploitable security/spam risks?
Example where data is exposed:
I'm requesting the list of facebook friends using the user_friends permission with the graph API. This list returns a name and app specific user ID for each friend.
I allow a user to select a friend which will send them an in-app invite.
The best way to identify this friend is the app specific user ID which means it will appear in my client side source code.
Exploits I can think of:
Using a sending message dialog link (https://developers.facebook.com/docs/sharing/web#sendingmessages), might allow someone to use my app id (which can be easily found by logging in via facebook) and an exposed user ID to prepopulate the to field to pretend to be my app trying to spam their friends.
Workaround to exposing data:
Store the friend list in a db table and generate a new harmless ID for each relationship.
I'd rather not do this as I'll have to update this list every time as friend lists will change regularly.
It is perfectly safe to expose those App Scoped IDs on the client. You can only prepopulate the send dialog with one single ID, and the ID must be a friend of yours. So you canĀ“t really exploit it.
IDs are safe in general (App ID, User ID, ...). You only need to be careful with your App Secret and Access Tokens.
I am building a turn-based game and would like to allow players to play games against other users in the database that are not their friends. Currently I am only storing FB ids from which I am providing a mixed list of friends and non-friends to select from. I have a call to retrieve pictures and names from the FB API but only picture urls are being returned for non-friends. Is there another way to get names from FB API or do I need to store names in my database?
As outline in Graph API User Section, you can make a call to the Graph API and get the information (User's name) that you need.
This is an excerpt from that page which is relevant to your requirement:
You can choose the fields you want returned using the fields query
parameter:
https://graph.facebook.com/me?fields=id,name
Modify the above API call like this:
https://graph.facebook.com/THE_USER_ID?fields=name, picture
Also of importance is in the Fields table listed on the page linked above. To get the User's Name, No access_token required
Now, you haven't tagged the platform you are working on, so I cannot give you the actual code. I work on Android and am not familiar with other platforms. But the Graph API call will essentially remain the same.
Once you have the User's name and Profile Picture, then you can store in your Database if you so desire.
You should be able to get a JSON object with the name, username, id and photo of any user without an access_token by making a call to:
http://graph.facebook.com/USERNAME_OR_ID
We are building mobile app that uses Facebook for registration (know how to do this).
We would like to have a screen, where all your friends would be listed with indication, if they also use our app.
How should we save data (client, server) that one facebook user is also our app user?
When you're already using Facebook for authentication, you probably already have a column in the user table in your database that holds Facebook profile ids of each user. If you want to distinguish between them, just add a column modeling if that user is also using your mobile app.
By issuing a request to https://graph.facebook.com/PROFILE_ID/friends as described in the Facebook Graph API Documentation you can get the list of friends for a certain user without requiring any additional permissions.
Now just build the intersection between the friends list of the user and your (mobile app) user base and you got the list of his friends that are using your mobile app. You should of course do this comparision on the server, so you don't have to send the Facebook ids of your complete user base around.
How do you query the Facebook Graph to get all the users who have connected with your application? I am not storing their user ID, email or any other data from the user when they first connected with the app. Is there a way to get this data retroactively?
You're probably out of luck then, as you have to have at least the user ID to query the user FQL table. Your best bet is to implement something that recaptures old installs as existing users come back to your application and capture the data at that time.