I'm writing a webapp where users will need to login with Facebook (a Facebookless login does not make sense in the context of the app). Ideally, after their initial visit, when a user visits /index, my webapp sees a cookie it deposited earlier, and seamlessly logs the user in automatically and goes to the application (/app).
My problem arises when the user logs out of Facebook, and returns to my app. Since their cookie on my domain will still be present, and their oauth_token will still be valid (they are for 60 days now), I can still log the user in automatically, and the app will work as expected.
To me, it doesn't seem right that the app remains signed in with their Facebook account even when they are not signed in to Facebook. I played around on Stackoverflow itself; it allows this behaviour as well. Are my worries misplaced, or is there a recommended way to see if a user is signed into Facebook when they first request /index from my server.
In my opinion, I don't think your app should remain signed in while the user has already signed out of Facebook.
One scenario where this may not be desirable is: what if I am using your app from a public computer. After I logged out of Facebook, your app still "remembers" me. And now anyone who uses this computer will assume my Facebook identity inside your app.
I think the problem here is that you set your own cookie to remember the user's Facebook login status. Obviously, when user signes out of Facebook itself, your cookie is not cleared. So at this point your cookie is out of sync with Facebook status.
I recommend that you don't use your own cookie for the purpose of remembering user's Facebook login status. Always rely on Facebook itself for this purpose.
The general strategy is, whenever user comes to your app, you should check the Facebook login status by using the mechanism provided by Facebook. This way, your app will be in syn with Facebook in terms of user's login status.
I personally use this piece of code to call Facebook Javascript API for the purpose of user login:
/*
* Init code for Facebook connect
*/
window.fbAsyncInit = function() {
FB.init({
appId : FACEBOOK_APP_ID, // App ID
channelUrl : CHANNEL_URL, // Channel File
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : true, // parse XFBML
oauth : true
});
// check facebook login status
FB.getLoginStatus(function(response) {
console.log("FB login status: " + response.status);
if (response.status === 'connected') {
showWelcome(); //display welcome message
} else if (response.status === 'not_authorized') {
// the user is logged in to Facebook, but not connected to the app
showFbLogin(); //display Facebook Login button
} else {
// the user isn't even logged in to Facebook.
showFbLogin(); //display Facebook Login button
}
});
// subscribe to facebook events
FB.Event.subscribe('auth.authResponseChange', function(response) {
fbAuthResponseChanged(response);
});
};
Related
I have just implemented email/password auth. Now users need to register or sign in before they can see the rest of my site.
However I'm not clear about what to do when the client refreshes the page after they've already signed in. I want their "logged in" state to still be there, and to not require them to re-enter credentials.
It seems like an easy way to do this would be to store email/password in a client side cookie or localstorage. But I feel a little apprehensive about this. Is there a better way, or is this acceptable?
This app has no server other than firebase.com. I'm deploying the front end to github pages.
Why don't you use firebase.auth() function and only show the login page when they are not logged in?
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
} else {
// No user is signed in.
}
});
First of all: I'm aware that there's plenty of questions about the same topic, but none of them did the trick for me (I've already been like 3 days trying to get this working)...
I'm working on a Javascript mobile game which includes some FB functions (through the Javascript Facebook API). I'm having trouble while trying to really log out from Facebook to log in with another user: everytime I log out, I expect to call the log in function and prompt the FB login dialog where I can specify my e-mail and my password, but instead of this, Facebook logs in automatically with the last user without even asking me for anything... I'm using CocoonJS as the mobile platform and plain Javascript (no jQuery):
Log in function:
CocoonJS.Social.Facebook.init({
appId:<<MYAPPID>>,
channelUrl: "channel.html"
});
var socialService = CocoonJS.Social.Facebook.getSocialInterface();
socialService.login(function(loggedIn, error) {
if (error) {
console.error("login error: " + error.message);
}else if (loggedIn) {
console.log("login suceeded");
// Ask for extended permissions
CocoonJS.Social.Facebook.requestAdditionalPermissions("publish", "publish_actions",
function(response)
{
callback(response.error ? false : true);
}
);
CocoonJS.Social.Facebook.getLoginStatus(function(response) {
if (response.status === 'connected')
{
CocoonJS.Social.Facebook.api(
"/me",
function (response) {
if (response && !response.error) {
// Getting "me" returns the information of the "same" user!
console.log("User: "+response.first_name+" "+response.last_name);
}
}
);
}
});
}
});
Log out function:
CocoonJS.Social.Facebook.getLoginStatus(function(response) {
if (response.status === 'connected')
{
CocoonJS.Social.Facebook.logout(function(response) {
console.log("User logged out!");
});
}
});
The console log is thrown, so it seems that the user has actually logged out, but when I restart the game, a kind of "I'm doing something" screen appears for less than a second and the same user who logged out is logged in again (even throwing their personal information through calling "me")... I was expecting Facebook to ask me with which user I would like to log in to my app, but it doesn't...
I thing it has something to do with "session" or "cookies", but I don't know how to clear them through Javascript (and, as I'm using CocoonJS as the "browser", I have little control over it)... Any idea?
Thanks in advance for your time and effort! :)
CocoonJS uses native iOS and Android Facebook SDKs. The SDK itself takes care of the session storage, no cookies are used in CocoonJS.
Facebook SDK has two different methods to close the session:
close(): Closes the local in-memory session object, but does not clear the persisted token cache.
closeAndClearTokenInformation(): Closes the in-memory session, and clears any persisted cache related to the session
CocoonJS.Social.Facebook.logout calls internally to closeAndClearTokenInformation on Android and iOS. It erases all the cached tokens, so the next login starts from scratch.
Facebook SDK uses the Facebook Application to handle the login process if it's installed on the device, otherwise it fallbacks to a webview based login. The problem may be that you are testing on a device with the Facebook Application installed, so the SDK is able to get the logged in user from the Facebook App and doesn't need to ask for it again. If you logout from the Facebook Application or you test your app on a device with no Facebook App, Facebook will ask for a user and password.
I am trying to build a facebook page tab application using Meteor and have spent an ungodly amount of time just trying to receive a signed_request using just JS. This is incredibly easy using php but I can't use php inside of a Meteor app.
I'm loading the JS SDK within my if (Meteor.isClient) {} Section and it appears to be working. I've tried using FB.Login to get the information I need (Has User Liked Page, Is Admin, ect) but I can't seem to get it working. With page tab applications a user doesn't need to authenticate the app it just runs. The admin is the only that authenticates while installing I think... I can't find anything helpful perusing the Facebook Developer section on creating a facebook page tab application using the JS SDK. Please Help!
Some of my code...
if (Meteor.isClient) {
Template.fbconnect.connect = function () {
if (!Session.get("is Facebook JDK loaded?")) {
Session.set("is Facebook JDK loaded?", true);
// https://developers.facebook.com/docs/reference/javascript/
window.fbAsyncInit = function() {
// init the FB JS SDK
FB.init({
appId : 'Removed', // App ID, Took away for online question
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : true // parse XFBML
});
// Additional initialization code such as adding Event Listeners goes here
FB.getAuthResponse(function(response) {
if (response.status === 'connected') {
console.log(response.session.access_token);
} else {
console.log('User cancelled login or did not fully authorize.');
console.log(response.session.access_token);
}
}, {scope: 'email,user_likes'});
I am developing a Facebook app. I have a server side OAuth flow which allows me to authenticate a user without requiring him to click on any button. I hence retrieve his accessToken as long as other information and use those ones on the server side before to generate the page.
In my application, I now need to use the Javascript API which could technically share the same Oauth token.
Is it possible to instantiate the FB javascript Object with a given Oauth token ?
I know it is possible to do the contrary meaning doing the Oauth process on the client side and share the Oauth key with the server side via the cookie but this has two many drawbacks in my opinion :
_ First, it implies to have this "login" button which is to me not a good user experience for a facebook app.
_ Also, I don't get how this Oauth process is supposed to behave if my application is composed of two different pages. Going from one page to another reloads entirely the javascript. Will this Oauth process (with the popup and so forth) be done on each page reloading ?
Thanks for your help !
I had a similar problem once, Facebook has an older method called FB.getLoginStatus which you can use to check if the user has given permission without a popup -
FB.init({appId: 'XXXXXXXXXXXXXX', xfbml: true, cookie: true, oauth: true});
FB.getLoginStatus(function(response) {
if (response.authResponse) {
token = response.authResponse.accessToken;
FB.api('/me', function(response) {
console.log(response);
// do something here they are logged in and have given you perms
});
} else {
// no user session available, someone you dont know
}
});
hope that helps!
I have some troubles when using javascript code for Facebook invite friends. Details:
User Facebook A already authorized our web application, and give us the permission to offline-access their access tokens.
User A logged in into our web. The system detect that A synchronized his account (on our web) with Facebook, so it retrieve A's information from Facebook.
In the same browser, A open a new tab, and log out of Facebook.
A user B borrows A computer, and then logged in Facebook but with his account: user Facebook B.
He move to our web (the tab that A already opened), and click "Invite friends". The list show all the friends of user B, not user A.
This scenario (though very rarely happens), troubled our group testers, because it may causes un-expected behavior for our web application (a user may think he synchronize the wrong Facebook account).
To stop that case, I want to differentiate who is currently logged-in Facebook (user B), with the user has authorized our application (user A). Currently I'm checking like this:
function showInvitationDialog() {
FB.init({
appId:'${appId}',
cookie: false,
status: true,
xfbml: true
});
FB.getLoginStatus(function (response) {
if (response.session) {
if (response.session.uid != ${fbId}) {
alert("You are currently logged in to FB with another account (different to the account you registered). Please make sure that you don't accidently use others FB account to invite");
return;
}
}
var request_ids = FB.ui({ method: 'apprequests',
message: '<#spring.message code="friends.invitation.message" />',
data: 'hello'});
});
}
The above code works for most case, but it have a problem:
If user X is logged in Facebook user X', and he authorize our app already: response.session.uid = X_FacebookId -> ok, we know who he is
If user X is not logged to Facebook, response.session == undefined
If user X is logged in with Facebook user X', and he hasn't auhthorized our application yet, response.session == undefined
So I can not differentiate the case 2 vs case 3. In both case, the results from getLoginStatus is the same, but I want to solve it differently:
case 2 -> continue to call the function to let "Login dialog" popup
case 3 -> informs the user that he has logged into the wrong Facebook
account.
Is there any solution for this situation? Any idea will be greatly appreciated.
getLoginStatus() returns a Json object which is like :
{
status: one of 'not_authorized' / 'connected' / 'unknown'
authResponse: ....
}
not_authorized means they are logged into facebook but haven't authorized your app,
connected means they have authorized the app,
unknown means they are not logged into facebook.
(from memory so might not be exact)
Also, you might want to consider listening for auth events, which might make this problem easier. http://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/