How to check user login using Facebook Javascript SDK

I have already gone through this question, but mine is different. I am not sure how a login can happen in JavaScript, and how someone is prevented from logging in to another user's account.

According to the getting started guide, FB.authResponse is called upon successful login, but on the client side, of course.

Then we can get the userId and accessToken out of the response, and we can also call /me to get more information. To put this user into the session, all this information about the successful login in JavaScript must be sent to the server, and this is where I get confused. After all, it is HTTP: every request is separate and can be replayed.

Perhaps I am just confused about how someone cannot tamper with the request and substitute another user's Facebook ID in order to log in to that user's account.

For example, after successful authentication I make an AJAX call to my server, passing the fb-user-id, then I look it up in the database and put the corresponding user into the session. But since this fb-user-id is not checked again on the back end (or is it checked? I did not find anything about this), there is no proof that this particular user is the one who really signed in to my application, so the same login request with someone else's fb-user-id could be submitted to get into their account.

I am sure that I am not the first to have this confusion. Please help me resolve it, as I have read the documentation many times now but still cannot understand why someone cannot log in to someone else's account.

EDIT: I found this similar question, but the person there does not explain how he verified the login, or maybe I am not able to understand it.

+6
2 answers

According to:

How to securely authorize a user through the Javascript SDK from Facebook

Send the signed_request field, which you receive in authResponse from the JavaScript SDK, to your server.

Then, on the server side, verify it by following the procedure described in the documentation:

Once you have captured the signed request, you need to complete three steps:

  • Split the signed request into two parts delimited by a '.' character (e.g. 238fsdfsd.oijdoifjsidf899)
  • Decode the first part, the encoded signature, from base64url
  • Decode the second part, the "payload", from base64url, and then decode the resulting JSON object

Here is an example in PHP:

 function parse_signed_request($signed_request) {
   list($encoded_sig, $payload) = explode('.', $signed_request, 2);

   $secret = "appsecret"; // Use your app secret here

   // decode the data
   $sig = base64_url_decode($encoded_sig);
   $data = json_decode(base64_url_decode($payload), true);

   // confirm the signature: HMAC-SHA256 over the still-encoded payload, raw binary output
   $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
   if ($sig !== $expected_sig) {
     error_log('Bad Signed JSON signature!');
     return null;
   }

   return $data;
 }

 function base64_url_decode($input) {
   return base64_decode(strtr($input, '-_', '+/'));
 }

This will create a JSON object that looks something like this:

 {
   "oauth_token": "{user-access-token}",
   "algorithm": "HMAC-SHA256",
   "expires": 1291840400,
   "issued_at": 1291836800,
   "user_id": "218471"
 }

After obtaining the user_id, that particular user can be placed in the session, although there must be other checks for proper authorization.

As a second check, you can inspect issued_at to see whether it is older than 10 minutes.

Taken from here.

However, there may be scenarios in which your app_secret is compromised. To cover this case, you should follow step No. 3, since the exchange of the code for an access_token can happen only once and within 10 minutes of its issuance. If the user does not yet have an account on your site, you will need step No. 3 anyway, in order to use the access_token to retrieve the other required user data, such as name, email address, etc., from FB.

To exchange the token, your server can make the following call:

 GET /oauth/access_token?
   grant_type=fb_exchange_token&
   client_id={app-id}&
   client_secret={app-secret}&
   fb_exchange_token={short-lived-token}

Link

+9

When making a Graph API call, you need an access_token that is unique to the user and the application. If you make a call for a user ID and simply manipulate that ID, the access token you use still belongs to the original user, and the Facebook API returns only the information that the manipulated ID is allowed to receive; this may differ depending on whether the manipulated user is a friend of the original user or not.

Simplified: your user logs in to your website and accepts your scope settings. Facebook now returns the user ID and an access_token valid only for this user and your application.

Most Graph calls now require the user ID and the access_token. If you perform an update request, for example on the user's friend lists, and the access_token belongs to a different user, the Graph API will return an error.

If you store the access_token on your server and send it to your server through a plain HTTP request / AJAX rather than over HTTPS, a man in the middle can intercept the access token and abuse it.

0
