I have been making web applications for around 4 years now, and I have always had troubles setting up the Facebook web SDK.
But for my new application I really wanted to make the Facebook integration.
The problem I am facing now, is that I am using the JS SDK witch was fairly easy to set up, but now I want to build my backend to support it all. The flow I came up with was like this:
The user logs in
The user giving me their FB-id
A call from the back end create the new profile or logs if its a older user
The api gives back a api key for the other requestes.
The problem I see with this flow is, that if another person haves another users facebook id, they can obtain a api key for that user, just by sending the request with that id to the server.
How can I make this secure. I don't really thing that the docs on facebook are great, and the other tutorials on the web dos not cover this topic.
Thanks for the help guys!
Related
I'm trying to create a webpage that can incorporate LinkedIn info's (profile,people,company, etc...).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following
*Name, Company, Email
*List of LinkedIn messages that are waiting for reply
The same process goes on everytime the user adds a profile, I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieved this? Opinions and Suggestions are highly appreciated tnx
This is far to broad a question for me to invest the necessary time in to figure the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the linkedin API not all the data you wish to access is available (do double check this though, I used the API quite awhile back and stuff might have changed in the meantime). As this data is not available through the API the only alternative would be to somehow bypass the cross domain policy, which in conclusion would require the user to install a chrome extension/firefox plugin which will function as a proxy for your application or even 'better', make you entire application a browser plugin based web app. Not that I am a fan of those whatsoever but if you application is meant in any way whatsoever as a linkedin (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long winded and requires a large amount of development time. Alot of the data is not accessible directly or indirectly too. You cannot get email address's out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for oAuth2 connections with the linkedin API service. People will log onto your website, click to join their linkedin account with your website and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The linkedin API documentation (http://developer.linkedin.com/) isn't greatly indepth but it gives you a good understand and points you where you need to go. There are also a couple of pre-done php API's around such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many API's from twitters, facebooks and LinkedIn's and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.
I know we can get online users, but this online is not what I want, I want to know the online users who are currently on my web page, but not facebook. I want to get the user list who is now using my web page after log in using their facebook account, and then I don't care whether they are still active on their facebook.
Is there any methods that I can get this information? Please help! I am using Javascript!
There isn't anything in the API that lets you know whether one user is active/online on your app.
You would need to record connections by yourself. But you are using Javascript, which is a client-side language. It means that it is executed on the client's browser and that you won't be able to manage incoming connections.
Are you using PHP (server-side) in the background? That would make it possible for you to display the connected people for the last 5 minutes!
I have a client who would like the most recent post displayed on their site (along with like and comment counts) plus a link to the actual post. Their page is public, so I can view it in a browser without being logged in. Let's just say it's Nike.
http://www.facebook.com/nike (public)
http://graph.facebook.com/nike/feed (wait, i need to authenticate to see this?)
I went through the trouble of setting up a dummy app on a dummy account, got an access_token an was able to pull what I needed using javascript(Jquery). The reason I'm doing it this way is because the client has sensitive data and other apps/sites on this server and does not want to involve their IT department to QA my code.
Before final handoff, they'll likely set up their own facebook app on their account. This would significantly raise the stakes if someone decided they wanted to play with that access_token.
I'm mostly a front-end guy who's done some small php sites/apps, so what would you recommend I do?
Thanks for your time!
I don't know about facebook in particular, but typically if you want to protect api access credentials you would proxy the request through your server, and just send the results to the client (so the access key only exists on the server). Alternately, and I'm not sure that facebook provides this, some APIs will give you a user token, which does not expose your access key, but allows the client to call the api.
I'm developing a standalone website application that makes use of Facebook Connect and the new Javascript SDK that was released in June.
I've been trying to get friend invites working. I'm able to send an invite using a request dialog (http://developers.facebook.com/docs/reference/dialogs/requests/), but the URL that the user clicks through to when they accept the invite is the internal Facebook app page (http://apps.facebook.com/APP_ID/?request_ids=REQUEST_ID&ref=notif), not my site URL.
Is there any way to fix this so invites work with FB Connected web applications?
It seems this was possible with previous versions of the SDK.
I have seen some posts recommending a redirect from the canvas page, but I have also read that this can lead to the application being suspended by Facebook:
http://forum.developers.facebook.net/viewtopic.php?pid=343257#p343257
Many thanks for assistance on this matter.
I would never expect Facebook to lead me to an external URL by accepting an invite via the request system - especially when most invites/requests tend to be spam.
Have you thought of distributing your invites via the Facebook Message system or sending them via email instead?
This would make the whole process a lot less misleading to a user.
This might sound super crazy but I really want to know if this can be done.
Assume a multi-user site that gives users some tools to build web apps from the site itself (using only HTML/CSS/JS) and share them. Now, if each of the apps were to be assigned a datastore, say just a table for convenience, is it possible to make secure query/insert requests from the app to the backend to write to the assigned table.
Take an example - the app is a small game. The developer wants to record the scores of the users who play the game and wants to use his assigned datastore (see above) for it. Is it possible for the site to ensure that no other app/user can access this datastore? If so, how can it be done?
Edit: Please do note that there are three parties involved - the developer of the app who is a registered user, the app itself which has been granted the datastore and an app user (registered/unregistered) who is viewing the app.
I think this is the same as using any type of backend datastore for any web app. You could assign the user a unique ID (which they have to validate by logging in) and then manage access to the datastore through AJAX post backs.