I've already gone through this question, but my question is different. I am unsure of how JavaScript login can be secure and how someone else cannot log into another user's account.
According to the getting started guide, FB.authResponse is called when the login is successful, but on the client's side of course. Then we can get the userId and accessToken out of the response, and we can also make a call to /me to get more information. In order to put that user into the session, all this info about the successful JavaScript login has to be sent to the server, and this is where I get confused.
After all it's HTTP; every other request is different and can be replicated.
Maybe it's just that I'm confused about how someone can't hack and imitate any other user's Facebook id to log into his account.
E.g. after the authentication is successful, I make an ajax call to my server providing the fb-user-id and then I match it with the database and put the appropriate user in the session; but since this fb-user-id is not verified again in the back-end (or is it verified? I didn't find anything about it though) that this particular user is the one who actually signed up in my application, then the same login request with someone else's fb-user-id can be made to log into his account.
I'm sure I'm not the first one to have this confusion. Please help to clear this confusion, as I've read the docs many times now, but I am still unable to figure out why someone can't log into someone else's account.
EDIT
I found this similar question, but the guy there doesn't answer how he verified the login on the backend, or maybe I was unable to understand.
You can simply request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx. If you get an error, the token is invalid. If you get a JSON object with an id property then it is valid. Unfortunately this will only tell you if your token is valid, not if it came from your app.
According to "How to securely authorize a user via Facebook's Javascript SDK":
Send the signed_request field to your server, which is received in the authResponse when using the JavaScript SDK.
Then on the server side, the following procedure as stated in the documentation has to be followed for verification:
Once you have captured the signed request, you need to perform three steps:
Here is an example in PHP:
function parse_signed_request($signed_request) {
    // The value has the form "<base64url signature>.<base64url JSON payload>"
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
    $secret = "appsecret"; // Use your app secret here

    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);

    // confirm the signature: HMAC-SHA256 over the still-encoded payload,
    // compared in constant time so the check does not leak timing information
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected_sig, $sig)) {
        error_log('Bad Signed JSON signature!');
        return null;
    }
    return $data;
}

function base64_url_decode($input) {
    // Facebook uses the URL-safe alphabet ('-' and '_'); map it back to standard base64
    return base64_decode(strtr($input, '-_', '+/'));
}
This will produce a JSON object that looks something like this:
{
    "oauth_token": "{user-access-token}",
    "algorithm": "HMAC-SHA256",
    "expires": 1291840400,
    "issued_at": 1291836800,
    "user_id": "218471"
}
After getting the user_id, that particular user can be put in the session, although there need to be other checks for proper authorization.
As a second check, the issued_at field can be checked to see that it's not more than 10 mins old. (Taken from here.)
However, there may be scenarios where your app_secret may be compromised. To take care of this case, you should follow step #3, as the exchange of code for access_token can happen only once and within 10 mins of its issue. If the user doesn't have an account with your site, then you anyway need step #3 to use the access_token for retrieving other necessary user data, like name, email, etc. from FB.
In order to refresh the token, the following call can be made from your server:
    GET /oauth/access_token?
        grant_type=fb_exchange_token&
        client_id={app-id}&
        client_secret={app-secret}&
        fb_exchange_token={short-lived-token}
Reference
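The answer above shows the PHP verifier; the following is an added Python example (not code from the answer, the question, or Facebook) that carries out the same server-side checks and also demonstrates why the question's feared attack fails: a request carrying someone else's user_id but no valid HMAC is rejected. The app secret, the payload and the make_signed_request helper are constructed here purely to build sample input; in production the signed_request arrives from the SDK and only parse_signed_request is needed. It also applies the "issued_at not older than 10 minutes" check the answer mentions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret; a real deployment loads its own app secret from config.
APP_SECRET = b"example-app-secret"
MAX_AGE_SECONDS = 600  # the answer's "not more than 10 mins old"


def base64_url_decode(data: str) -> bytes:
    # Facebook uses the URL-safe alphabet without '=' padding; restore it before decoding.
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def base64_url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_signed_request(payload: dict, secret: bytes) -> str:
    # Test helper only: builds a signed_request in the documented shape
    # "<base64url(HMAC-SHA256)>.<base64url(JSON)>" so the verifier can be exercised offline.
    encoded_payload = base64_url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return base64_url_encode(sig) + "." + encoded_payload


def parse_signed_request(signed_request: str, secret: bytes,
                         now: Optional[float] = None) -> Optional[dict]:
    """Return the verified payload, or None if any check fails."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = base64_url_decode(encoded_sig)
        data = json.loads(base64_url_decode(payload))
    except ValueError:  # malformed base64, bad JSON, or no '.' separator
        return None
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The HMAC covers the still-encoded payload string, exactly as in the PHP version.
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered: the client does not know the app secret
    # Second check from the answer: reject stale signed requests.
    issued_at = data.get("issued_at")
    current = time.time() if now is None else now
    if not isinstance(issued_at, (int, float)) or current - issued_at > MAX_AGE_SECONDS:
        return None
    return data


if __name__ == "__main__":
    genuine = {"oauth_token": "token", "algorithm": "HMAC-SHA256",
               "expires": 1291840400, "issued_at": 1291836800, "user_id": "218471"}
    sr = make_signed_request(genuine, APP_SECRET)
    print("genuine:", parse_signed_request(sr, APP_SECRET, now=1291836800 + 60))
    # The scenario from the question: same signature, but the payload names another user.
    forged_payload = base64_url_encode(json.dumps(dict(genuine, user_id="1")).encode())
    forged = sr.split(".")[0] + "." + forged_payload
    print("forged:", parse_signed_request(forged, APP_SECRET, now=1291836800 + 60))
```

Only the user_id that survives parse_signed_request should be used to look up and log in the account; a bare fb-user-id sent by the browser, as in the question, carries no proof and must never be trusted on its own.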