通过PHP SDK验证Facebook API访问令牌和用户ID？

Question

I'm using the Facebook PHP SDK (v3.2.3, not v4.0)( https://developers.facebook.com/docs/reference/php/3.2.3 ) on my server, and the Phonegap Facebook Plugin (Master)( https://github.com/phonegap/phonegap-facebook-plugin ) manually installed in my Phonegap v3.3.0 iOS app.

I've got everything set up nicely, the app displays a Facebook access token and the "userID" of the authenticating user. Problem is, Facebook tokens only last about 2 months. To fix this, I created a table which houses every FB Access Token that Facebook has given for all of my FB-based users. This works great with my website's "Log in with Facebook" button!

...But because this Phonegap plugin leaves the device as a middleman between Facebook and my database, I need my server to double check with Facebook directly to verify the user ID and access token supplied by the user are genuine. I've seen that I could query https://graph.facebook.com/app?access_token=TOKEN or do something like:

GET /debug_token?
     input_token={input-token}&
     access_token={access-token}

... and apparently get back everything I need, but I get the feeling an attacker could just keep hitting my PHP script that checks with Facebook over and over again until they find success - then they would have the credentials necessary to access my app on behalf of that user whose token they guessed.

If the idea of an attacker guessing any Facebook access token over the period of a few weeks is ridiculous, let me know. But I was hoping to narrow it down and force the attacker to also know which user they're guessing the access token of - THAT should be near impossible to crack. So how can I verify a user using BOTH the user access token & the user's numerical ID?

Answer 1

Get the users Facebook ID from Facebook anytime you get a token and use the user's ID from Facebook to look up your user.

Even if your app requires offline access and you use a saved token, validate the token before you use it.

If you do not validate the token, your app may still function if the user logged out of Facebook or perhaps unauthorized your app.

$facebook = new Facebook(array(
    'appId'  => <FACEBOOK_ID>,
    'secret' => <FACEBOOK_SECRET>,
));

$facebook->setAccessToken($_REQUEST['access_token']);

if (($userId = $facebook->getUser())) {
    // $_REQUEST['access_token'] is valid token for user with id $userId
}

Answer 2

You shouldn't worry about attacker guessing the access token. Access token is 211 characters long consisting about 62 kind of characters(based on my token). That's 62^211 unique access token. There's only 7 billion human in the world, so it's practically impossible to brute force an access token. Nevertheless this kind of attack is FB responsibility to generate a better access_token.

Let say the access token is leaked to a criminal: If you are suggesting to compare to the user's FB numerical id -- dont! The id is accessible with the access token. Instead, assign your own unique id/username to a user when they sign up for the first time or something.