[英]Securing Facebook Login through Javascript and PHP SDK
What I'm trying to achieve 我正在努力实现的目标
Where I've got to 我要去的地方
1) I currently have javascript that initialises when the page loads, and assuming this particular user is logged in and authenticated in this case, I then have access to the $helper = new FacebookJavaScriptLoginHelper();
1)我目前拥有在页面加载时初始化的javascript,并且在这种情况下,假设该特定用户已登录并通过身份验证,则可以访问$helper = new FacebookJavaScriptLoginHelper();
class, where I can then get the session and make calls in PHP, I could also pass in the access token directly using $session = new FacebookSession('access token here');
类,然后可以在其中获取会话并使用PHP进行调用,也可以直接使用$session = new FacebookSession('access token here');
传递访问令牌$session = new FacebookSession('access token here');
- great! -太好了!
2) I've got this snippet of PHP that will check the signedRequest property of the JS response that checks against the app_secret - great! 2)我有这个PHP片段,它将检查JS响应的signedRequest属性,该属性针对app_secret进行检查-太好了!
$signed_request = $_POST['signedRequest'];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$secret = "mysecret"; // Use your app secret here
// decode the data
$sig = base64_url_decode($encoded_sig);
$data = json_decode(base64_url_decode($payload), true);
// confirm the signature
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {
return null;
}
//this is the oAuth code.
echo $data['code'];
Where I'm unclear 我不清楚的地方
I'm confused with point 3) in what I'm trying to achieve. 我对要实现的目标的3)感到困惑。
I want to utilise 我想利用
Secure Server-side Calls with appsecret_proof 使用appsecret_proof保护服务器端呼叫
The below snippet using the FB PHP SDK classes works great, it does not send the appsecret_proof . 以下使用FB PHP SDK类的代码片段效果很好,它不会发送appsecret_proof 。 (if the result from the check in 2) is null, I can just bum out the script there, so that's fine.) (如果2中检查的结果为空),我可以在此处将脚本烧坏,这样就可以了。)
$helper = new FacebookJavaScriptLoginHelper();
$session = $helper->getSession();
$request = new FacebookRequest($session, 'GET', '/me');
$response = $request->execute();
$graphObject = $response->getGraphObject();
I could curl that will have the appsecret_proof but is this not possible using the PHP SDK (it's cleaner through there). 我可以卷曲将具有appsecret_proof,但是使用PHP SDK是不可能的(到此为止比较干净)。
curl \
-F 'access_token=<access_token>' \
-F 'appsecret_proof=<app secret proof>' \
-F 'batch=[{"method":"GET", "relative_url":"me"},{"method":"GET", "relative_url":"me/friends?limit=50"}]' \
https://graph.facebook.com
Maybe? 也许?
Once I've completed 2) I should getLongLivedSession()
on the JS SDK short-lived access_token and then validate()
using the Facebook\\FacebookSession
namespace. 完成2)之后,我应该在JS SDK上进行短暂的access_token的getLongLivedSession()
处理,然后使用Facebook\\FacebookSession
命名空间进行validate()
。 Is the validate the same as I did in 2)?? 验证与我在2)中所做的相同吗? If I do it that way, can I still turn on the 'Require proof on all calls' in the FB App?? 如果我这样做,是否仍可以在FB App中打开“要求所有通话都提供证明”?
Note: If you down-vote my question, please explain WHY, I'm still none the wiser as to why my last question was down-voted, and thus I can't improve. 注意:如果您不赞成我的问题,请解释为什么。对于我最后一个问题为何不赞成,我仍然不明智,因此我无法改进。
Firstly, there are two security features in the app in Settings->Advanced. 首先,应用程序的“设置”->“高级”中有两个安全功能。
Secondly, code wise I run the following to help secure: 其次,在代码方面,我运行以下命令来保护安全:
I believe that this is now secure. 我相信现在是安全的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.