JS SDK apprequest security
Question
To invite friend to my app, as far as I know, the only way is to use JS SDK, with FB.ui and apprequests dialog. Thats fine.
Lets think about scenario - my FB game allows user to invite their friends and grant them (the friends) with some item. Based of level, name, random, whatever. There is data parameter I can use while calling the dialog. It looks like the place where I can store information about what kind of item is to be given. But..what stops users from tampering with this data? Of course, I can try some cryptographic and so on, but still, its variable fully visible to user. Am I missing something? How given scenario can be solved in secure way?
2 answers
solution1
1 ACCPTED 2011-11-21 15:07:36
You could set a code as the parameter to be sent, which you save on your server/database against that specific user. Then when the request is redeemed, check that the user has that code assigned to them. If they don't, you know it has been tampered.
solution2
0 2011-11-21 15:19:00
@Abby is correct - store your request data in your database - the apprequest feature of the JS SDK has a callback containing information about the invite - store this and cross-reference the data when the user accepts the invite. The user might be able to tamper with the data on the Javascript level - but (I hope) he cant tamper with the data in your database. :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.