使用“应用访问令牌"使用Facebook Javascript SDK? [英] Use "app access tokens" with the Facebook Javascript SDK?

问题描述

我正在将Javascript SDK用于Facebook应用程序和我要进行的某个API调用，需要app access token.但是，文档指出:

I'm using the Javascript SDK for a Facebook app and a certain API call I want to make, requires an app access token. However, the documentation states:

[…]应用访问令牌永远不应硬编码为客户端代码， 这样做会给所有加载您的网页或反编译的人 您的应用拥有对您的应用机密的完全访问权限，因此可以 修改您的应用.这意味着大多数情况下，您将使用 应用访问令牌仅在服务器到服务器的调用中存在.

[…] app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.

和:

请注意，由于此请求使用您的应用程序密码，因此绝对不能 使用客户端代码或可以反编译的应用二进制文件进行. 重要的是，永远不要与任何人共享您的应用机密. 因此，此API调用仅应使用服务器端代码进行.

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.

强调甚至不是我的！
那么，如果我只在服务器端进行那些需要使用应用程序访问令牌的API调用的话，我该怎么做呢?

Emphasis not even mine!
So how the heck am I supposed to make API calls that require app access tokens using the JS SDK if I should only do those calls server-side?

推荐答案

简短的答案是:您不应该！正如亚当所写的那样，如果公开您的应用访问令牌，那么有人可以从源代码中获取它，并随心所欲！这是一个安全问题...

The short answer is: You shouldn't! As Adam wrote, if you expose your app access token, somebody could grab it from the source code and do whatever he wants with it! It's a security issue...

这篇关于使用“应用访问令牌"使用Facebook Javascript SDK?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！