FB认证的正确方法 [英] A proper approach to FB auth

问题描述

我的项目使用Node.js和Express，但问题是关于通用方法。

我们的用户都来自FB，我们没有任何其他比FB。我们需要将一些操作与特定的FB用户关联起来，并且还需要他们的令牌与FB通信。

目前我们这样做： / p>

• 用户来到页面


• 有隐形块：一个使用用户头像和名称（登录）的占位符，另一个使用FB JS SDK触发FB登录（注销）


• ，我们检查用户的登录状态。如果连接（实际上意味着：登录到FB，验证我们的应用程序并提供了我们需要的所有权限），我们获得用户名和FB ID并显示登录块。否则，注销块被显示为


• 对于某些操作，登录用户的用户的access_token将通过AJAX传递到服务器（不用担心，此处为HTTPS）并由服务器使用FB登录按钮由JS处理，并在JS上调用FB.login（）


• 来处理行为的代码，例如张贴到用户墙或任何


• authResponseChanged事件明显的操作（显示/隐藏登录/输出块）

有什么好：我们总是知道用户的状态是有效的（令牌的TTL超过正常页面的生命周期，所以我们在这里很好）。

我们不太喜欢：
*客户端令牌是短暂的（是的，我们可以交换他们，但不想，如果我们可以找到任何替代）
*通常需要多个请求到FB （1 - 加载JS SDK，2 - 获取登录状态），直到我们可以显示一些东西。直到我们网站的登录块为空。

有什么问题？

我们正在寻找一种在这里使用某些服务器端代码的最佳方法，并且至少在我们确定用户登录时可以渲染用户名和头像。

我可以想像这样的一些计划：

• 使用服务器端验证（重定向）来获取长寿命的令牌，在服务器上保存


• 如果会话具有登录状态，则在会话


• 中保存用户的状态（登录/退出，FB ID，名称） ，在服务器上处理模板时呈现名称和头像

关注：

• 如果用户从FB登录或撤消了App权限，我们应该如何知道它，何时需要检查（每隔X小时检查一次N个请求？只有当令牌在Y个小时内到期时）？如果我们另行检查用户的状态，那么


• 在呈现任何模板之前，服务器上的tatus（在官方示例）这会减慢事情吧？因为我认为FB API调用在热点时间可能相当慢。

解决方案

使用JS SDK是实时中了解用户状态的唯一可行方法。 （实时在引号中，因为FB.getLoginStatus的结果也被缓存 - 如果一直希望它在任何时候都是准确的，那么必须使用第二个参数设置为true。）

如果您将JS SDK设置为在您的域下设置Cookie，那么PHP SDK能够确定用户的登录状态，而无需通过HTTP进行任何API查找 - 只需从cookie，所以Facebook :: getUser（）会得到你的用户ID。这足以显示图片 - 但是对于用户名，仍然需要API请求。

您可以选择请求名称一次 - 然后将其保存到您的会话中。如果在下一个请求中，JS SDK表明用户没有连接，您可以从页面中删除登录信息和/或强制重新加载（并且在此清除会话），以返回到不登录状态。

My project uses Node.js and Express, but the question is about generic approach.

Our users are all from FB and we don't have any auth other than FB. We need to associate some actions with specific FB users and also need their tokens to communicate with FB.

Currently we do it like that:

• user comes to the page
• there are invisible blocks: one with placeholders for user's avatar and name ('logged-in'), the other with button triggering FB login ('logged-out')
• using FB JS SDK we check user's login status. If connected (which actually means: logged into FB, authenticated our app and provided all the permissions we need), we get user's name and FB ID and show the 'logged-in' block. Otherwise the 'logged-out' block is shown
• for logged-in user on some actions user's access_token is passed to the server via AJAX (no worries, HTTPS here) and used by the server code for actions like posting to user's wall or whatever
• the FB login button is handled by JS and calls for FB.login()
• on JS authResponseChanged event obvious actions are taken (show/hide logged in/out blocks)

What's good: we always know that user's status is effective (token's TTL is more than normal page's lifetime, so we are good here).

What we don't like much: * client-side tokens are short-lived (yes, we can exchange them, but don't want to if we can find any alternative) * it normally takes several requests to FB (1 - load JS SDK, 2 - get login status) until we can show something. Till that the 'login' block of our site is empty.

What's the question?

We are looking for an optimal way to use some server-side code here and at least render user's name and avatar when we're sure the user is logged in.

I can imagine some scheme like this:

• use server-side auth (with redirects) to get the long-living token and persist it on the server
• save user's status (logged in / out, FB ID, name) in session
• if session has the logged in state, render name and avatar when processing templates on the server

Concerns:

• if the user logged our from FB or revoked App permission, how should we know it and when should we check for it (check every N requests? every X hours? check only when token is going to expire in Y hours?)
• if we alternatively check for user's status from the server before rendering any template (which is the case in an official example) this will slow things down, right? Cause I think FB API calls can be rather slow in hot hours.

解决方案

Using the JS SDK is the only feasible way to know a user’s status in "real-time". ("real time" in quotes, because the result of FB.getLoginStatus gets cached as well – if one wants it to be accurate at all times, one must use the second parameter set to true.)

If you have the JS SDK set up to set cookies under your domain, then the PHP SDK is able to determine the login status of the user without any API lookups over HTTP – it just reads the user ID from cookie, so Facebook::getUser() will get you the user ID. That would be enough to display the picture – but for the user name, that’ll still require an API request.

Here you could opt for requesting the name once – and then saving it into your session. If, on the next request, the JS SDK indicates that the user is not connected any more, you could erase the login info from the page and/or force a reload (and on that, clear the session), to return to the not logged in state.

这篇关于FB认证的正确方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！