验证Facebook API访问令牌和UserID通过PHP SDK？ [英] Verify Facebook API Access Token & UserID via PHP SDK?

问题描述

我正在使用Facebook的PHP SDK（v3.2.3，而不是v4.0）（ https://developers.facebook.com/docs/reference/php/3.2.3 ）和Phonegap的Facebook插件（Master）（ https://github.com/phonegap/phonegap-facebook-plugin ）手动安装在我的Phonegap v3.3.0 iOS应用程序中。 p>

我已经很好地设置了一切，该应用显示了Facebook访问令牌和验证用户的userID。问题是，Facebook令牌最多只能持续2个月。为了解决这个问题，我创建了一个表，其中包含了Facebook为所有基于FB的用户提供的每个FB访问令牌。这对我的网站的使用Facebook登录按钮非常有用！

...但是由于这个Phonegap插件将设备当作Facebook和我的数据库之间的中间人，我需要我的服务器直接与Facebook进行双重检查，以验证用户提供的用户ID和访问令牌是否正确。我看到我可以查询 https://graph.facebook.com/app?access_token=TOKEN 或执行以下操作：

  GET / debug_token？ 
 input_token = {input-token}& 
 access_token = {access-token} 
  

...并显然收回了我需要的一切，但是我感到一个攻击者可能会继续击中我的PHP脚本，一遍又一遍地检查它们，直到找到成功 - 那么他们将拥有访问我的应用程序所需的凭据，代表该用户他们猜到的令牌。 / p>

如果攻击者在几周内猜到任何Facebook访问令牌的想法是荒谬的，让我知道。但是我希望将其缩小，并强制攻击者也知道他们在猜测访问令牌的用户 - 这几乎不可能破解。那么如何验证用户使用BOTH的用户访问令牌&用户的数字ID？

解决方案

从Facebook获取用户Facebook ID，随时获取令牌，并使用Facebook的用户ID查看您的用户。

即使您的应用程序需要离线访问，并且使用保存的令牌，请在使用该令牌之前验证该令牌。

如果您不验证令牌，如果用户注销了Facebook或可能未经授权的应用程序，您的应用程序可能仍然可以运行。

  $ facebook = new Facebook（array（
'appId'=>< FACEBOOK_ID>，
'secret'=>< FACEBOOK_SECRET> 
） ）; 
 
 $ facebook-> setAccessToken（$ _ REQUEST ['access_token']）; 
 
 if（（$ userId = $ facebook-> getUser（）））{
 // $ _REQUEST ['access_token']是ID为$ userId $ b $的用户的有效标记b} 
  

I'm using the Facebook PHP SDK (v3.2.3, not v4.0)(https://developers.facebook.com/docs/reference/php/3.2.3) on my server, and the Phonegap Facebook Plugin (Master)(https://github.com/phonegap/phonegap-facebook-plugin) manually installed in my Phonegap v3.3.0 iOS app.

I've got everything set up nicely, the app displays a Facebook access token and the "userID" of the authenticating user. Problem is, Facebook tokens only last about 2 months. To fix this, I created a table which houses every FB Access Token that Facebook has given for all of my FB-based users. This works great with my website's "Log in with Facebook" button!

...But because this Phonegap plugin leaves the device as a middleman between Facebook and my database, I need my server to double check with Facebook directly to verify the user ID and access token supplied by the user are genuine. I've seen that I could query https://graph.facebook.com/app?access_token=TOKEN or do something like:

GET /debug_token?
     input_token={input-token}&
     access_token={access-token}

... and apparently get back everything I need, but I get the feeling an attacker could just keep hitting my PHP script that checks with Facebook over and over again until they find success - then they would have the credentials necessary to access my app on behalf of that user whose token they guessed.

If the idea of an attacker guessing any Facebook access token over the period of a few weeks is ridiculous, let me know. But I was hoping to narrow it down and force the attacker to also know which user they're guessing the access token of - THAT should be near impossible to crack. So how can I verify a user using BOTH the user access token & the user's numerical ID?

解决方案

Get the users Facebook ID from Facebook anytime you get a token and use the user's ID from Facebook to look up your user.

Even if your app requires offline access and you use a saved token, validate the token before you use it.

If you do not validate the token, your app may still function if the user logged out of Facebook or perhaps unauthorized your app.

$facebook = new Facebook(array(
    'appId'  => <FACEBOOK_ID>,
    'secret' => <FACEBOOK_SECRET>,
));

$facebook->setAccessToken($_REQUEST['access_token']);

if (($userId = $facebook->getUser())) {
    // $_REQUEST['access_token'] is valid token for user with id $userId
}

这篇关于验证Facebook API访问令牌和UserID通过PHP SDK？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！