验证Facebook用户服务器端 [英] Verifying Facebook users server-side
问题描述
我正在编写一个Facebook应用程序,列出用户的朋友,并与用户提供的关于它们的信息(存储在Google App Engine数据库中)进行了交叉引用。以下是我的应用程序的运作方式:
用户登录到Facebook后,会通过Facebook的Javascript SDK进行图形API调用以获取他们的朋友列表。同时,使用用户的Facebook ID将AJAX请求发送到我的Google App Engine请求处理程序,并且处理程序从数据库中发回有关用户朋友的信息的JSON对象。然后在用户的计算机上交叉引用这两个列表。
这种方法明显的安全缺陷是任何人都可以向任意人的Facebook发送请求给我的处理程序ID,而不需要以该人的身份登录到Facebook,并获取该人提供的关于他们的朋友的所有信息。毕竟,Facebook ID是公开可用的。
为了确保用户的身份服务器端,我实现自己的登录系统的唯一方法是在AJAX请求中包含用户的访问令牌,因为访问令牌证明用户已登录到Facebook。请求处理程序然后可以向Facebook Graph API发出一个虚拟请求,以验证它是否有效。但是,这看起来很不方便,我不知道如何处理访问令牌在传输到App Engine服务器时过期的可能性。我还研究了 Facebook Python SDK ,但我不确定这可能会有帮助。
App Engine服务器如何验证Facebook用户是否已登录我的Facebook应用?
<尝试使用 signed_request 代替发送普通facebookID - 然后您可以使用Facebook APP页面上给出的secret_id在服务器上解码它们。解析方案
那么没有人能够向你发送假查询,因为它们将无法在服务器端解密。
例如,我有一个允许用户对给定条目进行投票的应用程序。用户接受权限后,我使用JavaScript将他的投票发送到服务器:
$。ajax({
键入:POST,
url:base_url +'vote / send',
data:{signed_request:response.authResponse.signedRequest,vote:vote},
});
在服务器端,我正在解码signed_request以获取用户FacebookID并将其存储为合法投票。 ..这样,没有人能够给我发虚假的投票,因为signed_request是用这种方式进行加密的,只有我的应用能够解码它。
响应当然是在用户获得使用应用程序许可之后来自SDK的对象。
I'm writing a Facebook app that lists the user's friends, cross-referenced with information the user has provided about them (which is stored in a Google App Engine database). Here is how my app operates:
After the user logs into Facebook, a Graph API call is made through Facebook's Javascript SDK to obtain a list of their friends. Simultaneously, an AJAX request is sent out to my Google App Engine request handler with the user's Facebook ID, and the handler sends back a JSON object with information from the database about the user's friends. The two lists are then cross-referenced on the user's computer.
The obvious security flaw in this approach is that anyone could send a request to my handler with an arbitrary person's Facebook ID, without needing to be logged into Facebook as that person, and get all the information that person has provided about their friends. After all, Facebook IDs are publicly available.
The only way I can think of to ensure the user's identity server-side, short of implementing my own login system, is to include the user's access token in the AJAX request, since the access token is proof that the user is logged into Facebook. The request handler can then make a dummy request to the Facebook Graph API to verify that it's valid. However, this seems hacky, and I'm not sure how to deal with the possibility of the access token expiring while in transit to the App Engine server. I've also looked into the Facebook Python SDK, though I'm not sure how this might help.
How can an App Engine server verify that a Facebook user is logged into my Facebook app?
Try to use signed_request instead of sending plain facebookID's - then you can decode them on the server, using secret_id given on Facebook APP page. Then none will be able to send you "fake" queries, because they will fail to decrypt on server side.
For example, I have application which allows users vote on given entry. After user accept permissions I'm using JavaScript to send his vote to the server:
$.ajax({
type: "POST",
url: base_url + 'vote/send',
data: { signed_request: response.authResponse.signedRequest, vote:vote },
});
on the server side, i'm decoding signed_request to get user FacebookID and store it as legit vote... in that way, none is able to send me fake vote, because signed_request is encrytped with in the way, which only my app is able to decode it.
response of course is the object, which comes from SDK after user aprove permission to use app.
这篇关于验证Facebook用户服务器端的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
