Facebook login - using together with a custom backend API

Hi all,

I’ll try to be as brief as possible.

I’m looking into creating an app that will require its own backend (REST API and a database) to store some user data that can be shared across all the app’s users.

I’m looking into using Facebook login to ease the sign-up process as much as possible.

What I’m still missing is the link between the Facebook login and my own API.

I can write the API any way I want, but how would you go about connecting the Facebook login in the app with an account on your own server/API/database?

Looking through the documentation, I understand that when I do a facebook.login call in Corona, a token comes back from the listener. I’m thinking I could use that token as an ID for the user, and use this to save that user’s info into my database.

However two questions arise:

  1. if the token changes the next time I log in, how do I connect the user to his already existing profile, instead of creating a new, empty profile for him?

  2. if the token did not change, then it would be a security issue - if someone guessed/retrieved your token, he could access my API using your token, as it is the only identifier I have about the user… so he would be able to maliciously change the user data on my API, as the token is the only credential he needs.

Has anybody built anything of this sort, and if so, can you point me to how to make the connection between my server and the app’s facebook.login? I can make the server connect to the Facebook API too if I need to (I will probably be building the API in PHP); I just don’t see how to put it all together.

Cheers!

Joe

Hi joedavinci,

Facebook Access Tokens come in several flavors and have different properties attached to them. You can also get at the user’s current access token via facebook.getCurrentAccessToken().

There may be some combination of all the info within a Facebook Access Token you can use to ensure information is accessed safely. In particular, you could use the user-Id that’s returned as a key for your database. That would at least answer your first question.

Thanks Ajay, that link explained most of what I need…
If Facebook really generates the “long-term token” when Corona’s facebook module asks for it, then I should be fine.

The way to do what I was looking for will then be:

  1. User opens the app, which will ask for Facebook login.

  2. On successful Facebook login, the app retrieves the user ID and the long-term token.

  3. The app sends the user ID and token to my server.

  4. My server uses the received ID and token to call Facebook and confirm that the ID/token combination is valid.

  5. The server does whatever it needs to do and talks to the app as the authenticated user…

If step 4 fails, the server will just return an error to the app, and require the user to log in to Facebook again.

The app will store the ID and the token on the device, so next time the user comes in, he won’t have to call Facebook again… if in the meantime the token expires, the server will respond with failure, and force the app to go back to Facebook login to get a new token.

I think this should generally do it, and a 30-60 day expiry for the token seems just fine.

If you think I went wrong anywhere, let me know… in the meantime I’ll start studying the Facebook Graph API :)
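Server side of steps 3-5 as an added example; this is not code from the thread, from Corona, or from Facebook, and it is written in Python rather than the PHP the poster plans to use, because the logic is the same in any language. It assumes the Graph API `/debug_token` endpoint (which, called with the app access token `app_id|app_secret`, returns `app_id`, `user_id`, `is_valid` and `expires_at` for the inspected token) and the optional `appsecret_proof` parameter; the app id, secret, token strings and Facebook replies below are constructed for the example. The HTTPS call is injected as `fetch_json` so the check runs offline. The point of step 4 is that the server trusts only Facebook’s answer, not the user ID the client sent: the token must be valid, issued to this app, bound to the claimed user, and unexpired. Profiles are keyed by the verified Facebook user id (Ajay’s suggestion), so a fresh token after expiry still lands on the existing profile.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed app identity for the example; a real deployment reads these from config,
# and the secret never ships inside the mobile app.
APP_ID = "123456789012345"
APP_SECRET = "constructed-example-app-secret"
GRAPH = "https://graph.facebook.com"


class TokenRejected(Exception):
    """Step 4 failed; the server returns an error and the app sends the user back to facebook.login."""


def appsecret_proof(access_token: str) -> str:
    """Graph API appsecret_proof: hex SHA-256 HMAC of the access token, keyed with the app secret."""
    return hmac.new(APP_SECRET.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def debug_token_url(user_token: str) -> str:
    """The /debug_token request the server makes, authenticated with the app access token."""
    app_token = f"{APP_ID}|{APP_SECRET}"
    return (f"{GRAPH}/debug_token?input_token={user_token}"
            f"&access_token={app_token}&appsecret_proof={appsecret_proof(app_token)}")


def verify_login(claimed_user_id, user_token, fetch_json, now=None):
    """Step 4: confirm the ID/token pair the app sent is a live token for THIS app and THAT user.

    fetch_json(url) performs the HTTPS GET and returns the decoded JSON body (injected so the
    check can be exercised offline). Returns the Facebook user id, or raises TokenRejected.
    """
    now = int(time.time()) if now is None else now
    data = fetch_json(debug_token_url(user_token)).get("data") or {}
    if "error" in data or not data.get("is_valid"):
        raise TokenRejected("token is invalid or revoked")
    if str(data.get("app_id")) != APP_ID:
        # A perfectly valid token minted for some other app must not log anyone in here.
        raise TokenRejected("token was not issued to this app")
    if str(data.get("user_id")) != str(claimed_user_id):
        # The client-supplied ID is untrusted; the binding comes from Facebook's answer only.
        raise TokenRejected("token belongs to a different user")
    expires_at = int(data.get("expires_at") or 0)  # 0 = token without an expiry
    if expires_at and expires_at <= now:
        raise TokenRejected("token has expired")
    return str(data["user_id"])


# Constructed stand-in for Facebook's replies, keyed by input_token (not real API data).
FAKE_DEBUG = {
    "tok-good":     {"app_id": APP_ID, "is_valid": True, "user_id": "1001", "expires_at": 1_705_000_000},
    "tok-otherapp": {"app_id": "999",  "is_valid": True, "user_id": "1001", "expires_at": 1_705_000_000},
    "tok-expired":  {"app_id": APP_ID, "is_valid": False, "user_id": "1001", "expires_at": 1_600_000_000,
                     "error": {"code": 190, "message": "Error validating access token"}},
}


def fake_fetch_json(url):
    """Offline replacement for the HTTPS GET: looks the inspected token up in FAKE_DEBUG."""
    token = parse_qs(urlparse(url).query)["input_token"][0]
    unknown = {"error": {"code": 190, "message": "Invalid OAuth access token"}, "is_valid": False}
    return {"data": FAKE_DEBUG.get(token, unknown)}


# Profiles keyed by the verified Facebook user id, never by the token, so a new token
# after expiry still finds the same profile (question 1 in the thread).
PROFILES = {}


def login(claimed_user_id, user_token, fetch_json=fake_fetch_json, now=1_700_000_000):
    """Steps 3-5 on the server: verify with Facebook, then load-or-create the profile."""
    user_id = verify_login(claimed_user_id, user_token, fetch_json, now)
    profile = PROFILES.setdefault(user_id, {"fb_user_id": user_id, "logins": 0, "data": {}})
    profile["logins"] += 1
    return profile


if __name__ == "__main__":
    print(login("1001", "tok-good"))          # existing or newly created profile for user 1001
    try:
        login("1002", "tok-good")             # someone replaying user 1001's token under another ID
    except TokenRejected as e:
        print("rejected:", e)
```

In a real deployment `fetch_json` is an HTTPS GET with the returned body parsed as JSON, `now` is the real clock, and `PROFILES` is the database table; everything the check depends on comes from Facebook’s reply, so a client can neither pick its own user ID nor reuse a token from another app.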
