如何在Facebook上验证两个朋友

Question

I am working a mobile application based on facebook. The application creates local user by facebook login. The steps of application are below.

1. Login With Facebook
2. Backend Service Create Local User
3. Find Friends Who use The App By Facebook SDK
4. Vote Your Friends

Notes:

1. I don't want to keep user friends on my database system
2. I use JWT

Problem:

I have to verify that authenticated user and voted user are friends on facebook. The user must be voted by its friends.

I found a couple solution but they have vulnerability too.

For instance;

I authenticated and i fetched all my friends by facebook sdk. The request is to vote a user like this: /vote/user_id/vote_id The backend service checks and verifys jwt token and vote user whose id is user_id as vote_id by authenticated user.

table structure

from_user_id,vote_id,to_user_id 

So the problem is that when a user authenticate, it can vote a user from application outside taking jwt token whether it is its friend or not. This is a realy big problem for us. So I wonder how can verify two user are friends without send request to facebook for it. Or how can design the archtecture to avoid this situtation.

Answer 1

This can simply be done making a request to

/me/friends/{id_of_friend}

using the current app user's access token. If they are friends, you will get back a data structure that contains the friend's id and name – if they aren't friends, data will be an empty array.

This of course requires that both users have granted user_friends permission to your app.