404 error trying to use Facebook test user login_url

Question

If I programmatically create a Facebook test user, the login_url for the new user doesn't work. Fetching the login_url returns a 404 error.

Pared-down example (in Python). The last two lines are where the problem shows up:

import requests
from urlparse import parse_qs
APP_ID = "<Facebook App ID>"
APP_SECRET = "<Facebook Client Secret>"

# Get app access token - this works
response = requests.get('https://graph.facebook.com/oauth/access_token',
                        params={'grant_type': "client_credentials",
                                'client_id': APP_ID, 'client_secret': APP_SECRET})
app_access_token = parse_qs(response.content)['access_token'][0]

# Create test user - this works
response = requests.post('https://graph.facebook.com/%s/accounts/test-users' % APP_ID,
                         data={'access_token': app_access_token, 'installed': "true"})
test_user = response.json()
login_url = test_user['login_url']
print login_url  # http://developers.facebook.com/checkpoint/test-user-login/...

# Get cookied for login - see https://stackoverflow.com/a/5370869/647002
session = requests.Session()
session.get("https://www.facebook.com/", allow_redirects=True)

# Login test user - THIS FAILS
response = session.get(login_url)
print response.status_code  # 404

Others have noted that you must first fetch the Facebook homepage before test user's login_url will work. We ran into that same problem, and I've included that workaround above without any luck. [Edit: added the _fb_noscript=1 query param, required starting mid-2015 for non-JavaScript test clients.] [Edit 8/2017: now removed _fb_noscript=1; no longer required, and sets a noscript cookie that makes some later FB auth requests return 500.]

I also tried opening the login_url directly in a browser:

• If I'm not already logged into Facebook, I get a generic Facebook 404 page.
• If I'm already logged into my developer account, Facebook warns that I'll be logged in as a platform test user, and then allows me into the test user's account.

That last point seems to confirm that the test user is being created properly and that I have the correct login_url. But of course, that's no help for automated testing. (We don't want to run tests logged into my developer account.)

Is there some other way the test user's login_url is meant to be used for automated testing?

Answer 1

A Facebook developer support engineer has confirmed that the test-user login_url can no longer be used for automated login of a test user, due to security changes. Apparently it's meant for manual testing.

I am, however, able to achieve automated login of a programmatically-created Facebook test user by posting to Facebook's normal login form. It seems like all you need are the email and password returned from the create-test-user API. (No other login form fields seem to be needed, though you'll still need to pick up the cookies first.)

The code below is working for me now (replacing the last two "this fails" lines of code from the original question):

# Login test user - THIS WORKS
response = session.post("https://www.facebook.com/login.php",
                        data={'email': test_user["email"],
                              'pass': test_user["password"]})
print response.status_code  # 200

I haven't found this documented anywhere, and Facebook may change their login form in the future, so YMMV.