即使从Facebook应用程序设置中删除了应用程序，用户仍然可以访问应用程序

Question

I have an app that uses both Parse and FacebookSDK. Currently running into the problem where the user is still able to access my app even when going to their Facebook account App settings and removing my app from accessing their Facebook data.

So:
1: New user does a fresh install.
2: User signs up via Facebook Login and accesses app
3: User goes to Facebook.com>App Settings>Remove my app
4: Back on iPhone, user closes app, reopens and gains access again

Here is where I check the current status of the user and let them have access if they hold a currentAccessToken

override func viewDidLoad() {
    super.viewDidLoad()

    if FBSDKAccessToken.currentAccessToken() != nil{
        moveToNextView() //Segue to next viewController
    }
}

And my AppDelegate.swift :

import UIKit
import Parse

@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?

    func application(application: UIApplication, didFinishLaunchingWithOptions launchOptions: [NSObject : AnyObject]?) -> Bool {

        Parse.setApplicationId("ID", clientKey:"KEY")
        PFFacebookUtils.initializeFacebookWithApplicationLaunchOptions(launchOptions)
        FBSDKProfile.enableUpdatesOnAccessTokenChange(true)


        return FBSDKApplicationDelegate.sharedInstance().application(application, didFinishLaunchingWithOptions: launchOptions)
    }


    func application(application: UIApplication, openURL url: NSURL, sourceApplication: String?, annotation: AnyObject?) -> Bool {
        return FBSDKApplicationDelegate.sharedInstance().application(application, openURL: url, sourceApplication: sourceApplication, annotation: annotation)
    }
}

I'm guessing the currentAccessToken is cached somewhere on the app or device, but unsure about how to clear/refresh that cache.

Answer 1

I have found the solution to this problem. It's not as straight forward as one would think. The Facebook developer console allows you to set a Deauthorize Callback URL which can be found here:

1. Select your app in the Facebook developer dashboard
2. Click Facebook Login on the side menu
3. Click Settings
4. Then uou can supply Deauthorize Callback URL

Whenever someone removes your app from facebook it generates a POST to your callback URL with a signed request parameter. You can parse the signed request to retrieve the user's facebookid. Once you have the user's facebookid you can update a record in your database that you can use to check on their next login.

Here is an example in PHP of how to handle the deauthorize callback

<?php

function parse_signed_request($signed_request) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2);

  $secret = "appsecret"; // Use your app secret here

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // confirm the signature
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}


$signed_request = $_POST['signed_request'];
$data = parse_signed_request($signed_request);
$user_id = $data['user_id'];

//now use the user_id to look up your user in your database
//update a field called deauthorized to true so that you 
//can check this value upon next login

?>

Now next time you check the your access token include a check in your database to see if the user has removed the app.

- (void)viewDidLoad
{
  [super viewDidLoad];
  if ([FBSDKAccessToken currentAccessToken]) {
     // User is logged in, but they may have
     // removed the app so we have to check our 
     // db using a REST API call to see if is deauthorized

     // If the user has deauthorized then log them out
     // send them back to the login/signup page
     // if not, carry on as usual

     //also don't forget to set the deauthorized value to 0
     //whenever a user successfully logs into facebook

  }
}

Hopefully this will help someone in the future.