使用Facebook API进行登录 [英] Security with facebook API login

问题描述

我在使用使用Facebook登录实现我的第一个应用程序时遇到了一些问题。
用户必须在我的系统中注册，但他可以将FB帐号关联到它。当FB帐户关联时，我只需从Facebook保存用户电子邮件地址。

I'm with some problems implementing my first application with "Login with Facebook". The user MUST be registered in my system, but he can associate a FB account to it. When an FB account is associated I just save the user email address from facebook.

当用户点击用Facebook登录（考虑到他已经登录了Facebook）我只是抓住其个人资料的电子邮件，并将其发送到服务器，以验证是否有与该电子邮件关联的用户。如果这样的用户存在，我将为该用户创建一个会话。
这是用于抓取用户电子邮件并将其发送到服务器的代码：

When the user clicks on "login with facebook" (considering he is already logged in facebook) I just grab its profile email, and send it to the server to verify if there is a user with that e-mail associated. If such user exists, I create a session for that user. This is the code for grabbing the user's e-mail and sending it to the server:

function login()
{
    FB.api('/me',
    function (user)
    {            
        $.ajax(
        {
            url: "my_ajax_page.php",
            type: "POST",
            data: {controller: "MyController", action: "LinkEmail", fbmail: user.email},
            success: function (response)
            {
                if(response == 1)
                {
                    alert("Success!");
                }
            },
            error: function ()
            {
                alert("Error");
            }
        }
        );
    }
    );
}

这种方法存在很大的安全漏洞，任何人都可以创建一个脚本发送向我的系统发送电子邮件，这个错误的电子邮件将链接到当前记录的用户帐户：

There is a big security flaw with this approach, anyone can create a script sending an e-mail to my system and this 'wrong' e-mail will be linked to the current logged user account:

function hacking()
{
    $.ajax(
    {
        url: "my_ajax_page.php",
        type: "POST",
        data: {controller: "MyController", action: "LinkEmail", fbmail: 'someonemail@mail.com'},
        success:
        function (response)
        {
            if(response == 1)
            {
                alert("Success!");
            }
        },
        error: function ()
        {
            alert("Error");
        }
    }
}

可以使用什么方法使用FB登录？

What approach can I use to make it secure to login with FB?

推荐答案

也许您应该发送 signed__request as ano Ajax调用的参数。只有您的应用程序使用自己的`app_secret 可以解码 signed_request ，所以如果你能解码 - 这意味着呼叫源自有效的（登录的）Facebook用户。

Perhaps you should send the signed__request as another parameter to the Ajax call. Only your application with its own `app_secret can decode the signed_request so if you are able to decode it - that means the call originated from a valid (logged in) Facebook user.

您可以在此链接中查看有关已签名请求的更多信息：

https://developers.facebook.com/docs/authentication/signed_request/

You can read more about signed requests at this link :
https://developers.facebook.com/docs/authentication/signed_request/

这篇关于使用Facebook API进行登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！