[英]How to verify two user who are friends on facebook
I am working a mobile application based on facebook. 我正在基于Facebook的移动应用程序。 The application creates local user by facebook login.
该应用程序通过Facebook登录创建本地用户。 The steps of application are below.
应用步骤如下。
Notes: 笔记:
Problem: 问题:
I have to verify that authenticated user and voted user are friends on facebook. 我必须验证通过身份验证的用户和投票的用户是Facebook上的朋友。 The user must be voted by its friends.
用户必须由其朋友投票。
I found a couple solution but they have vulnerability too. 我找到了几个解决方案,但它们也存在漏洞。
For instance; 例如;
I authenticated and i fetched all my friends by facebook sdk. 我进行了身份验证,并通过Facebook SDK获取了所有朋友。 The request is to vote a user like this: /vote/user_id/vote_id The backend service checks and verifys jwt token and vote user whose id is user_id as vote_id by authenticated user.
请求是对这样的用户进行投票:/ vote / user_id / vote_id后端服务检查并验证jwt令牌,并将ID为user_id的id投票的用户投票给经过身份验证的用户。
table structure
from_user_id,vote_id,to_user_id
So the problem is that when a user authenticate, it can vote a user from application outside taking jwt token whether it is its friend or not. 因此,问题在于,当用户进行身份验证时,它可以从使用jwt令牌的外部应用程序投票给用户,而不管它是否是它的朋友。 This is a realy big problem for us.
对我们来说,这是一个很大的问题。 So I wonder how can verify two user are friends without send request to facebook for it.
因此,我想知道如何在不向Facebook发送请求的情况下验证两个用户是否是朋友。 Or how can design the archtecture to avoid this situtation.
或者如何设计架构来避免这种情况。
This can simply be done making a request to 可以简单地通过向
/me/friends/{id_of_friend}
using the current app user's access token. 使用当前应用程序用户的访问令牌。 If they are friends, you will get back a
data
structure that contains the friend's id and name – if they aren't friends, data
will be an empty array. 如果他们是朋友,您将返回一个包含朋友的ID和名称的
data
结构–如果他们不是朋友,则data
将为空数组。
This of course requires that both users have granted user_friends
permission to your app. 当然,这需要两个用户都向
user_friends
授予您的应用权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.