Facebook Authentication as App - javascript

To begin, I'm using the Facebook Javascript SDK within a JSP.
I'm developing a custom Facepile component. The idea is that I want to pull back a list of people attending a public Facebook event (public in that the creator of the event has set it to be "public"). I then want to be able to toggle between showing "everyone" that is going to the event and showing "friends" (as in Facebook friends) who are going to the event. I understand that the latter requires the "friends_events" permission as part of my access token.
Currently, I am able to do all of this just fine. I'm comfortable working within Graph and with using FQL. What I'm struggling with is that, in the case I'm just going to show "everyone" attending the event, I don't want to require the user to log into Facebook. In looking through the documentation, I see that to get a list of all attendees for a public event, I will still need an access token. However, I can't seem to find any good documentation about how to use this access token to forgo user authentication with Facebook.
So, in short, what I'm looking for is:
1) Is there any way I can get the list of attendees to a public Facebook event without having to get the user to log in?
2) If so, could you provide an example of how to do this? Right now I'm able to get an access token using my app for authentication but, now that I've got the token, I'm unsure how to actually use it (i.e. it doesn't look like either FB.init or FB.api takes an access token as a parameter).
Thanks much and please let me know if I can clarify anything further!

Related

Fetch posts from Facebook page using FB API

Up until this summer, I had a website (not my website) which was fetching it's responding fb page posts and was displaying it on a page.
I was doing it using the app-token, which now doesn't work since it now requires Page Public Content Access to get those data, which in turn requires it to be registered as an app, which is beyond the scope of this.
I tried creating a non-expiring user-access token, but they seem to expire after 3 months, no matter the "trick" I tried using.
Is there any suggestion of how I can get over it?
Maybe an automated api call that would refresh the token with no user interaction?
You can either use a Page Token (NOT a User Token) for the Page if you manage it - but it will expire. There is no way around that. OR you apply for Page Public Content Access so you can use an App Token.
Auto-refreshing would make the whole point of expiring Tokens pointless, you need user interaction for that.
So, I did it!
Now the how: I did it with the manage_pages access, not with Page Public Content.
I went back and forth a total of 5 times to get this to pass and a bit over a week.
First of all Page Public Content is only allowed by Facebook when you want to analyze data from other pages as well, so you better not mess with it.
What I had to do to get the request approved is specify on your application for requesting the access that there is no login, provide a copy of your code on the description and I also included a url where it was working with a user generated token through javascript, so they could review the code through a web debugger.
After that you get a manage_pages token which you can use to fetch your pages posts
I really hope some of those things were an overkill, but, like I said, I had to submit a review a total of 5 times, so on the last try I went all in...

Facebook Graph API - Get profile picture prior to authenticating

Ok so i've tried the following:
FB.api("/me", {fields: "picture"}, function(response){
console.log(response);
});
And i'm trying to work around http://graph.facebook.com/USERNAME_OR_USERID/picture since obviously i don't know the users ID prior to authenticating.
All i want is a "modern" feel within the website, so i'd like to present the user with his or her's profile picture on the "login" div presenting the facebook login button. Is this possible? I know that Facebook and their graph api prohibits most such features but i would hope that a public profile picture would be accessible through the graph API..
I've Googled around and all the solutions say "use the USERNAME in the URL and you're fine" but i'm not, so to clear out any doubts, is this possible?
Error message: An active access token must be used to query information about the current user.
You can get everyone's Facebook profile picture without authentication.
You just call http://graph.facebook.com/USERNAME_OR_USERID/picture?type=large. This URL redirects you to image URL.
Type may be normal,small or large.
I also have questions for you:
How do you want to display the picture of someone without knowing who he/she is?
How can you guess which account the visitor will use to connect?
It looks like you want to know whose Facebook account was lastly connected on the browser of your visitor. Technically, you would want to read another site's cookies, which is 1) not allowed 2) impossible.
Several additional things you need to know:
http://graph.facebook.com/USERNAME_OR_USERID/picture is a public way to retrieve someone's photo. You don't need a token for that. What else do you need?
Using FB.API("/me", ...) from the JS SDK implies that "me" represents the connected user. It cannot just be used alone.
By the way, identical questions have already been answered and accepted:
Facebook app without prompted authentication
Get Facebook user's profile picture prior to authenticating app
Why would you hope the impossible?

Creating a facebook likebox

A client of mine (a design studio) asked me to style the like-box social plugin on their site.
As far as I know this cannot be done now with the deprecation of "css" parameter on the fbml tag.
So the route I have to take is to recreate the like-box myself using the js SDK (or php SDK), but the problem is that I cannot find the users (and their photos) that like my page. I'm searching through the opengraph explorers parameters but i cannot find anything.
Does anyone know which url I must follow in the graph api to get what I want?
Do I have to have an access token for such an action? I noticed that the likebox plugin works event if you don't have a facebook account (It shows pictures).
Thank you.
You can't recreate the like box on your own. The Facebook APIs will not return a list of users who like your object. This was done to stop people from getting user lists of likers and spamming them.
Currently, you can only query to find if a specific, authenticated user or which of their friends likes your object.
You could build something similar by populating your fake like box with images of recent posters. You would need to deal with filtering out duplicates, and the page posting as itself, but this should get you started: /PAGE_ID/feed?fields=from.name,from.picture&limit=10
You will need an access_token to get this data. I'd authenticate as an app to do it.

Facebook: querying public events without requiring users to be logged in?

So I am confused on the new FB requirements for querying public events(for instance getting the start time), and it seems I am not the only one, even Facebook's own examples no longer work.....
Anyway, I would like to be able to query some public events and display the information on my site without requiring the user to be logged into facebook(since the information is public, that should be possible, since if I go directly to the Facebook page while logged out of Facebook, I can see all the information I want to query), but this doesn't seem possible to do(safely) on the client side anymore.
In order to use the graph API to query events an access token, either user, app, or page manager, is required. But if the user is not logged in then obviously I cannot use their access token, and publishing my app or page manager access tokens is a recipe for disaster, so how can I query public event data on the client-side without requiring the user to log in?
From the Facebook Event API page:
Starting July 5th, an access token will be required to access even
public events. To read an Event, you will need one of the following:
a user access token for a user who can see the event an app access
token (for non-public events, must be the app that created the event)
a page access token (for non-public events, must be the page that
created the event)
Bummer, it looks like this policy was just revised a week or two ago. :-/

JS SDK apprequest security

To invite friend to my app, as far as I know, the only way is to use JS SDK, with FB.ui and apprequests dialog. Thats fine.
Lets think about scenario - my FB game allows user to invite their friends and grant them (the friends) with some item. Based of level, name, random, whatever.
There is data parameter I can use while calling the dialog. It looks like the place where I can store information about what kind of item is to be given.
But..what stops users from tampering with this data? Of course, I can try some cryptographic and so on, but still, its variable fully visible to user.
Am I missing something? How given scenario can be solved in secure way?
You could set a code as the parameter to be sent, which you save on your server/database against that specific user. Then when the request is redeemed, check that the user has that code assigned to them. If they don't, you know it has been tampered.
#Abby is correct - store your request data in your database - the apprequest feature of the JS SDK has a callback containing information about the invite - store this and cross-reference the data when the user accepts the invite. The user might be able to tamper with the data on the Javascript level - but (I hope) he cant tamper with the data in your database. :)

Categories