通过Javascript和PHP SDK保护Facebook登录的安全

Question

What I'm trying to achieve

1. Javascript checks if the user is logged in or not, if so, send a code (either access_token or signedRequest) to PHP to securely deal with the logging in.
2. PHP will take the code from javascript and using the app_secret, will make sure the code given from javascript is valid.
3. Using the PHP SDK I would like to make all my Graph API calls with a appsecret_proof so I can turn on "require proof on all calls" in the FB App.

Where I've got to

1) I currently have javascript that initialises when the page loads, and assuming this particular user is logged in and authenticated in this case, I then have access to the $helper = new FacebookJavaScriptLoginHelper(); class, where I can then get the session and make calls in PHP, I could also pass in the access token directly using $session = new FacebookSession('access token here'); - great!

2) I've got this snippet of PHP that will check the signedRequest property of the JS response that checks against the app_secret - great!

$signed_request = $_POST['signedRequest'];
list($encoded_sig, $payload) = explode('.', $signed_request, 2); 
$secret = "mysecret"; // Use your app secret here

// decode the data
$sig = base64_url_decode($encoded_sig);
$data = json_decode(base64_url_decode($payload), true);
// confirm the signature
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {
  return null;
}

//this is the oAuth code.
echo $data['code'];

Where I'm unclear

I'm confused with point 3) in what I'm trying to achieve.

I want to utilise

Secure Server-side Calls with appsecret_proof

The below snippet using the FB PHP SDK classes works great, it does not send the appsecret_proof . (if the result from the check in 2) is null, I can just bum out the script there, so that's fine.)

$helper = new FacebookJavaScriptLoginHelper();
$session = $helper->getSession();
$request = new FacebookRequest($session, 'GET', '/me');
$response = $request->execute();
$graphObject = $response->getGraphObject();

I could curl that will have the appsecret_proof but is this not possible using the PHP SDK (it's cleaner through there).

curl \
  -F 'access_token=<access_token>' \
  -F 'appsecret_proof=<app secret proof>' \
  -F 'batch=[{"method":"GET", "relative_url":"me"},{"method":"GET", "relative_url":"me/friends?limit=50"}]' \
  https://graph.facebook.com

Maybe?

Once I've completed 2) I should getLongLivedSession() on the JS SDK short-lived access_token and then validate() using the Facebook\\FacebookSession namespace. Is the validate the same as I did in 2)?? If I do it that way, can I still turn on the 'Require proof on all calls' in the FB App??

Note: If you down-vote my question, please explain WHY, I'm still none the wiser as to why my last question was down-voted, and thus I can't improve.

Answer 1

Firstly, there are two security features in the app in Settings->Advanced.

1. Require app secret for server API calls. Although this isn't done explicitly, you enter the app secret here FacebookSession::setDefaultApplication(Appid, AppSecret), so your app secret is sent through all the server api calls.
2. Server IP Whitelist - this will ensure that if your app secret is compromised, someone would still need to send the calls through your server (tricky!).

Secondly, code wise I run the following to help secure:

1. I run the check in 2) that I mentioned in my question.
2. I also use the $session->validate() method.
3. I then $session->extend the access token.

I believe that this is now secure.