Restful API - Check if Facebook access token is valid and authorized to use APP

Question

I am building a restful API (PHP) to serve iOS and Android applications and I would like to implement facebook login on both apps.

The flaw is like the following :

• Clients ( ios or Android ) login with facebook and send an access_token to the restful api
• verify if the access_token is authorized to use the application
• If token is valid, get user data from graph.
• Merge accounts and generate token for different queries.

For security purpose to avoid getting random tokens thatthey don't belong to my APP, I would like to make a test call to check if a token is authorized and valid or not ?

I know many similar questions might be already answered but none of them really give me the right answer and I don't really have experience with facebook graph.

I found this solution :

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=SECRET_APP_ID&grant_type=fb_exchange_token&fb_exchange_token=ACCESS_TOKEN

This works somehow .. it whether give me an error, or an access token (string format not JSON) and I am not sure if this is the best way to test or not.

Note: I am still in early stage of development, if you have any suggestion on my flow please let me know, I might be doing things the wrong way ?

Answer 1

What works for my application (code with explanation below)...

$fb = new Facebook\Facebook([
'app_id' => 'XXXXXXX',
  'app_secret' => 'XXXXXXX',
  'default_graph_version' => 'v2.5',
]);

// My app pulls users' access tokens & page ID from a database here and stores in $fb_access_token & $fb_page_id variables
$fb_access_token = 'YOU OR YOUR USERS ACCESS TOKEN GOES HERE';
$fb_page_id = 'ID OF FACEBOOK PAGE OR USER'; 

$fb->setDefaultAccessToken($fb_access_token);

// CHECK IF ACCESS TOKEN SITLL WORKS
try{
$page = $fb->get('/'.$fb_page_id.'?fields=id', $fb_access_token);
} catch(Facebook\Exceptions\FacebookResponseException $e) {
echo 'Graph returned an error: ' . $e->getMessage();
$graphError = 'Yes';
} catch(Facebook\Exceptions\FacebookSDKException $e) {
echo 'Facebook SDK returned an error: ' . $e->getMessage();
$sdkError = 'Yes';
}

// IF ACCESS TOKEN STILL WORKS...CONTINUE WITH SCRIPT. THIS PREVENTS ACCESS TOKEN FAILURE FROM BREAKING SCRIPT.
if(!isset($graphError) && !isset($sdkError)){
// CONTINUE WITH SCRIPT
}

Explanation: you are taking the access token in question, and attempting to make a GET Request to the Facebook API. Only continue with the rest of your script IF there are NO ERRORS.

You could also add an ELSE statement at the end to maybe redirect the user to a page where they can re-authenticate their account/access token, depending on what your app is doing.

My app uses a couple of WHILE Loops to go through my database of users, and depending on certain column/cell values, it POSTS to their Facebook page for them...

Before this solution...when the Loop came across an invalid Access Token, it "broke" and did not execute the script for the rows following the "unauthenticated user" because it was making a failed request.

Hope this helps someone!

Answer 2

“Random” tokens would not work anyway. (Tokens issued by Facebook are encrypted, so the API can tell whether a token is genuine, or just "random". At most you'd need to worry about what a user possible could using a token for a different app, or one they themselves granted more permissions than you asked them for.)

Just request the user details using the access token you got - if it is not valid because someone tried to “fake” it, then the API response will tell you so.

The docs have a chapter about securing API requests, go check that out as well: https://developers.facebook.com/docs/graph-api/securing-requests