如何使用通过Firebase身份验证获得的Facebook令牌？ [英] How to use Facebook token obtained through Firebase authentication appropriately?

问题描述

当这个人想通过Facebook注册时，我试图获得一个人的名字和姓氏，但想知道是否存在一些安全问题。

I am trying to get a person's first name and last name when the person would like to sign up through Facebook, but wondering if there can be some security issue.

根据来自Firebase的文档，来自Stack Overflow ，以及关于Facebook网站参数的解释，我写了以下代码：

Based on the document from Firebase, the answer from Stack Overflow, and the explanation about parameters from Facebook website, I wrote the following codes:

firebase.auth().getRedirectResult().then(function(result) {
   var token = result.credential.accessToken;
   FB.api('/me', {fields: 'last_name', access_token: token}, function(response) {
   console.log(response);
   })
})

我主要担心的是，根据Facebook，它说：

My main concern is that according to Facebook, it says:

注意的一个参数是access_token，您可以使用它来使用页面访问令牌进行API调用。 此SDK中永远不应使用应用访问令牌，因为它是客户端，并且您的应用密码会被曝光。

One parameter of note is access_token which you can use to make an API call with a Page access token. App access tokens should never be used in this SDK as it is client-side, and your app secret would be exposed."

看起来我不能用这种方法来获取用户的名字和姓氏。

It looks like I cannot use this approach to get a user's first and last name.

推荐答案

从Firebase 4.0.0，其他IdP数据将直接在UserCredential类型的结果中返回。您不需要对Facebook进行额外的API调用来获取首/姓的数据：

Starting with Firebase 4.0.0, additional IdP data will be directly returned in the result of type UserCredential. You shouldn't need to make an additional API call to Facebook to get data like first/last name:

firebase.auth().getRedirectResult().then(function(result) {
  if (result.user) {
   // Additional user info like first name, last name,
   // Facebook account url, gender, etc.
   console.log(result.additionalUserInfo.profile);
   // Facebook access token returned in the process
   // for the scopes requested.
   console.log(result.credential.accessToken);
 }

}）;

这篇关于如何使用通过Firebase身份验证获得的Facebook令牌？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！