I'm using the Facebook PHP SDK (v3.2.3, not v4.0)(https://developers.facebook.com/docs/reference/php/3.2.3) on my server, and the Phonegap Facebook Plugin (Master)(https://github.com/phonegap/phonegap-facebook-plugin) manually installed in my Phonegap v3.3.0 iOS app.
I've got everything set up nicely: the app displays a Facebook access token and the "userID" of the authenticating user. Problem is, Facebook tokens only last about 2 months. To fix this, I created a table which houses every FB Access Token that Facebook has given for all of my FB-based users. This works great with my website's "Log in with Facebook" button!
...But because this Phonegap plugin leaves the device as a middleman between Facebook and my database, I need my server to double check with Facebook directly to verify the user ID and access token supplied by the user are genuine. I've seen that I could query https://graph.facebook.com/app?access_token=TOKEN
or do something like:
```
GET /debug_token?
  input_token={input-token}&
  access_token={access-token}
```
... and apparently get back everything I need, but I get the feeling an attacker could just keep hitting my PHP script that checks with Facebook over and over again until they find success - then they would have the credentials necessary to access my app on behalf of that user whose token they guessed.
If the idea of an attacker guessing any Facebook access token over the period of a few weeks is ridiculous, let me know. But I was hoping to narrow it down and force the attacker to also know which user they're guessing the access token of - THAT should be near impossible to crack. So how can I verify a user using BOTH the user access token & the user's numerical ID?
An access token is an opaque string that identifies a user, app, or Page and can be used by the app to make graph API calls. When someone connects with an app using Facebook Login and approves the request for permissions, the app obtains an access token that provides temporary, secure access to Facebook APIs.
When your app uses Facebook Login to authenticate someone, it receives a User access token. If your app uses one of the Facebook SDKs, this token lasts for about 60 days. However, the SDKs automatically refresh the token whenever the person uses your app, so the tokens expire 60 days after last use.
Get the user's Facebook ID from Facebook any time you get a token, and use the user's ID from Facebook to look up your user.
Even if your app requires offline access and you use a saved token, validate the token before you use it.
If you do not validate the token, your app may still function if the user logged out of Facebook or perhaps unauthorized your app.
```php
require_once 'src/facebook.php'; // Facebook PHP SDK v3.2.3; adjust the path to where the SDK lives

$facebook = new Facebook(array(
    'appId'  => '<FACEBOOK_ID>',
    'secret' => '<FACEBOOK_SECRET>',
));
// Use the token the device sent instead of one from the SDK's cookie/session store.
$facebook->setAccessToken($_REQUEST['access_token']);
// getUser() calls /me with that token and returns 0 if Facebook rejects it.
if (($userId = $facebook->getUser())) {
    // $_REQUEST['access_token'] is a valid token for the user with id $userId
}
```
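The question's `/debug_token` approach and this answer's advice (validate the token every time, and take the user ID from Facebook rather than from the client) can be combined into one server-side check. The following is an added example, not code from the question or from either answer: it calls `/debug_token` with the app access token (`app_id|app_secret`), then accepts the token only if Facebook reports it valid, issued to this app, belonging to the user ID the device claimed, and not yet expired. The `app_id` comparison matters because a valid token issued to some other app is still a valid token; without that check, it would be accepted here. The app credentials, the posted field names and the sample response are placeholders and constructed values.

```php
<?php
// Added example: server-side verification of a user access token handed over by
// the Phonegap app. Credentials, field names and the sample response below are
// placeholders / constructed values, not taken from the original page.

const FB_APP_ID     = '<FACEBOOK_ID>';      // placeholder
const FB_APP_SECRET = '<FACEBOOK_SECRET>';  // placeholder

/**
 * Ask Facebook about $inputToken using the app access token ("app_id|app_secret").
 * Returns the decoded JSON array, or null on transport or JSON failure.
 */
function fetchDebugToken($inputToken)
{
    $url = 'https://graph.facebook.com/debug_token?' . http_build_query(array(
        'input_token'  => $inputToken,
        'access_token' => FB_APP_ID . '|' . FB_APP_SECRET,
    ));
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the answer is only trustworthy over verified TLS
        CURLOPT_TIMEOUT        => 10,
    ));
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return null;
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : null;
}

/**
 * Decide whether a debug_token response vouches for ($claimedUserId, token).
 * Returns array(bool $ok, string $reason); the reason is for server-side logs,
 * not for the client.
 */
function checkDebugTokenResponse(array $resp, $claimedUserId, $now)
{
    if (isset($resp['error'])) {
        return array(false, 'graph-error');   // malformed, revoked or unknown token
    }
    $d = isset($resp['data']) ? $resp['data'] : array();
    if (empty($d['is_valid'])) {
        return array(false, 'token-invalid');
    }
    // The token must have been issued to THIS app; a valid token from another
    // app's user must not be accepted here.
    if (!isset($d['app_id']) || (string)$d['app_id'] !== (string)FB_APP_ID) {
        return array(false, 'wrong-app');
    }
    // The user id the device sent must match what Facebook says the token is for.
    if (!isset($d['user_id']) || (string)$d['user_id'] !== (string)$claimedUserId) {
        return array(false, 'user-mismatch');
    }
    // expires_at is a Unix timestamp; 0 means the token does not expire.
    if (!empty($d['expires_at']) && (int)$d['expires_at'] <= $now) {
        return array(false, 'expired');
    }
    return array(true, 'ok');
}

// Wiring for the script the app posts to (field names are assumptions). Use POST
// rather than GET so the token stays out of access logs, and rate-limit this
// endpoint per client so it cannot be used as a free token oracle.
if (php_sapi_name() !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = isset($_POST['access_token']) ? $_POST['access_token'] : '';
    $uid   = isset($_POST['user_id'])      ? $_POST['user_id']      : '';
    $resp  = fetchDebugToken($token);
    list($ok, $why) = $resp
        ? checkDebugTokenResponse($resp, $uid, time())
        : array(false, 'fetch-failed');
    error_log("fb token check for uid=$uid: $why");   // reason stays server-side
    http_response_code($ok ? 200 : 401);
    exit;
}

// Offline demonstration against a constructed debug_token response.
$sample = array('data' => array(
    'app_id'     => FB_APP_ID,
    'is_valid'   => true,
    'user_id'    => '1234567890',      // constructed
    'expires_at' => 1400000000,        // constructed
    'scopes'     => array('public_profile', 'email'),
));
list($ok, $why) = checkDebugTokenResponse($sample, '1234567890', 1399999999);
echo "claimed id matches, before expiry: $why\n";
list($ok, $why) = checkDebugTokenResponse($sample, '999', 1399999999);
echo "claimed id belongs to someone else: $why\n";
list($ok, $why) = checkDebugTokenResponse($sample, '1234567890', 1400000001);
echo "same token after expires_at: $why\n";
```

The check is split into a fetch step and a pure decision step so the decision logic can be exercised offline, as the demonstration at the bottom does. Returning a reason code to the log but only a 200/401 to the client keeps the endpoint from telling a caller which part of the check failed.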
You shouldn't worry about an attacker guessing the access token. An access token is 211 characters long, consisting of about 62 kinds of characters (based on my token). That's 62^211 unique access tokens. There are only 7 billion humans in the world, so it's practically impossible to brute force an access token. Nevertheless, this kind of attack is FB's responsibility: to generate a better access_token.
Let's say the access token is leaked to a criminal: if you are suggesting comparing it to the user's FB numerical id -- don't! The id is accessible with the access token. Instead, assign your own unique id/username to a user when they sign up for the first time or something.