简体繁体 English

在Facebook Javascript SDK中使用“应用程序访问令牌”吗？

[英]Use “app access tokens” with the Facebook Javascript SDK?

原文 2014-02-12 19:38:40 6 1 javascript/ facebook/ facebook-graph-api

I'm using the Javascript SDK for a Facebook app and a certain API call I want to make, requires an app access token . 我正在为Facebook应用程序使用Javascript SDK，并且要调用某个API ，因此需要app access token 。 However, the documentation states: 但是，文档指出：

[…] app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. […]应用程序访问令牌永远不应硬编码到客户端代码中，这样做将使每个加载您的网页或反编译您的应用程序的人都可以完全访问您的应用程序机密，从而可以修改您的应用程序。 This implies that most of the time, you will be using app access tokens only in server to server calls. 这意味着大多数时候，您只会在服务器到服务器的调用中使用应用程序访问令牌。

and: 和：

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. 请注意，由于此请求使用您的应用程序密钥，因此绝不能以客户端代码或可以反编译的应用程序二进制文件形式进行请求。 It is important that your app secret is never shared with anyone . 切勿与任何人共享您的应用程序机密，这一点很重要 。 Therefore, this API call should only be made using server-side code. 因此，此API调用仅应使用服务器端代码进行。

Emphasis not even mine! 重点甚至不是我的！
So how the heck am I supposed to make API calls that require app access tokens using the JS SDK if I should only do those calls server-side? 那么，如果我只在服务器端进行那些需要使用应用程序访问令牌的API调用，我该怎么做呢？

1 个解决方案

The short answer is: You shouldn't! 简短的答案是：您不应该！ As Adam wrote, if you expose your app access token, somebody could grab it from the source code and do whatever he wants with it! 正如亚当所写的那样，如果公开您的应用程序访问令牌，则有人可以从源代码中获取它，并随心所欲！ It's a security issue... 这是一个安全问题...