How to delete an apprequest - facebook-graph-api

According to the documentation I must remove an apprequest when a user has accepted it. There is however a problem with this.
When I accept an apprequest, I will be redirected to my app. But in the url parameters only the apprequestid(s) are included. The userId of the current user is unavailable.
My app doesn't require authentication so I can't access the current users data.
How do I remove the apprequest for this user when I don't have acces to the userdata or accesstoken as described here:
The old method of the apprequest allowed me to extract the userid from the requestid. This is not possible anymore.

you have to have authentication to "tamper" with user data - that includes app invitations.
However with an App Access Token you might be able to delete the post without authenticating your user (you'll still have to aquire their UID - possibly from the signed_request . You can read at this link about app login and how to retrieve the correct access token.

Related

How to provide read-only access for unauthorized users to my React/Django app?

I have a social media-type web app and want to have some read-only access even when a user isn't logged in. For example, if the user votes on a poll, I want nothing to happen but the user should still be able to see it. I am using token authorization. I'm wondering, should I do a check on the front-end somehow to see if a user is logged in (perhaps checking for the existence of a token in local storage) and not perform a fetch if they're not? Or should I somehow, in the frontend, handle receiving a 401 response from the backend for trying to access a protected resource? Or should I handle it on the back end and send back a 200 response and let the front end handle receiving a different version of a 200 response?
I'm using Django and React
Question has tag django-rest-framework so I suppose you are using it.
Take a look at DRF permissions documentation. There is IsAuthenticatedOrReadOnly permission which allows read-only access for unauthenticated users (list, retrieve actions), but only allows create, update, delete to authenticated users.

Reactjs - Current User from JWT token

So, I have created a django-rest-framework backend with JWT Authentication and now, I am trying to solve the problem where when user manually provides a URL, I have to check If the user was previously logged in.
So since, I am storing the token to localStorage when the user logged in. I am doing this:
componentDidMount() {
if (localStorage.getItem('token')) {
// fetch current user
this.props.ctx.toggleLoggedIn()
// this.props.ctx.setUsername('')
}
}
If I find a token in localStorage, then I have to fetch the current User and then, toggleLoggedIn and also set the current user's username in the context.
So, I am planning to create another API end-point which provides the current user when a token is given. The problem is I don't know how to start that!
It might be that i misunderstand, but for me it seems like you're trying to solve this a bit backwards. When the user login, get token and store this in localStorage. Right after login fetch the user profile and store this as well.
If the user manually provides a url, you should now have both token and user. If you don't have a token or it's expired, redirect to login page and clear local storage.
I would create a higher order component that checks if the token is valid and use this for all "protected" pages.

Unable to access user's username using Facebook api 2.0

I am using facebook api 2.0 to allow users to use their Facebook profile data to fill up my custom form. (I don't want facebook's prefilled form). I am getting other information like first name, last name, email. But apparently Facebook api 2.0 has removed username from response object and I am unable to access it. I have observed that Response.link contains url of the person's profile and the portion after "www.facebook.com/" is identical to username. If we succeed in fetching link, we could get Username. But I am not sure this is true for all users. However when i try to access the link, I get link with app scoped id like this:
"www.facebook.com/app_scoped_user_id/XXXXXX/"
where last portion (XXXXXX) is some numerical id. Does anybody know how to access the link in the form of "https://www.facebook.com/username"?
Also, if we are not able to do that in 2.0 but we can in 1.0, then how to switch back to 1.0?
As https://developers.facebook.com/docs/apps/changelog#v2_0_api_versions is clearly stating
/me/username is no longer available
If your app is created after April 30th 2014, there's no way switching back to v1.0. If not, you can prepend /v1.0 to your request, but that will only work until April 30th, 2015.
If you only require current authorized user's username(or any other authorized user for your app), then it's possible.
First step, you call /v2.0/me?fields=third_party_id endpoint . You have to use authorized User Access Token (Authorized with basic scope, i.e. public_profile permission enough).
Or alternative way, you can use App Access Token instead. Of course you can't use me connection anymore, you have to explicitly to put User ID. For example, 12345678 shown on the folowing screenshot:
Second step, use App Access Token (User Access Token is not allow here) to call following FQL query:
SELECT username FROM standard_user_info WHERE third_party_id =
'example12345abcdef'
In which "example12345abcdef" is the third_party_id example you get from the first step.
p/s: please note that the user/app access token on first step must use the same app on second step. It's because third_party_id is tied to app.
Cheers :)
Note that username is optional on Facebook. By default a Facebook profile doesn't have a username
In any Facebook API response, you'll get the username, only if the user has set his username under his Facebook settings.
If you just need to show the user his name why not use the "name" field? It contains their first and last name both. I have changed my app to use name instead of "username".

Application Token is Different

On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.
as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.

Facebook app (NOT user) access token expiration

Do Facebook APP access tokens expire? These tokens are different than the USER tokens; they are acquired like this:
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id={0}&client_secret={1})
as described in the App Login section of the document at http://developers.facebook.com/docs/authentication/.
Are there any circumstances under which they will become invalid?
NB: This is NOT a question about USER access tokens (which are clearly documented). There was an identical question http://facebook.stackoverflow.com/questions/7322063/does-app-login-access-token-expire wrongly closed as duplicate of another question about USER access tokens.
Per the Facebook documentation:
An App Access Token is signed using your app secret and will not
expire; it will be invalidated if you re-key/reset your application
secret.
Creating an APP_ACCESS_TOKEN is really easy.
You can use your App ID/API Key and App secret
access_token = YOUR_APP_ID|YOUR_APP_SECRET
Example: 1234587968 | bghyuifjk3438483249235903502035023504305
I do know that one condition that will cause them to become invalid is if you reset the Application Secret using the Facebook developer tool.
I do not know if using the OAuth method to produce an App Token will cause it to have an expiration. However, if you scan Facebook's PHP SDK, you may notice that a non-expiring app token is made by concatenation app_id and secret:
/**
* Returns the access token that should be used for logged out
* users when no authorization code is available.
*
* #return string The application access token, useful for gathering
* public information about users and applications.
*/
protected function getApplicationAccessToken() {
return $this->appId.'|'.$this->apiSecret;
}
WARNING: I would never use this in client-code as it would publish your app secret. However, in a trust server environment, it seems like the way to go.
To test this, I went to the OpenGraph tool and erased my Access Token and typed in the concatenated value from the code sample. I then accessed my app's insights to verify that it would work:
<APP_ID>/insights/application_active_users
For me, the answer is not to find a token that doesn't expire, (since I do not trust Facebook), but to catch the expiring token and reset without taking up my users time. I found this and thought you might want to check it out.
"To ensure the best experience for your users, your app needs to be prepared to catch errors for the above scenarios. The following PHP code shows you how to handle these errors and retrieve a new access token.
When you redirect the user to the auth dialog, the user is not prompted for permissions if the user has already authorized your application. Facebook will return you a valid access token without any user facing dialog. However if the user has de-authorized your application then the user will need to re-authorize your application for you to get the access_token." Resource: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/