DomingoSL

Reputation: 15504

Facebook php api giving access to users with invalid tokens

I am using the facebook php api to control the access to some parts of my webapp. Basically I am just checking if the user is logged into facebook and the user has authorized the app (basic permission) every time the page is loaded, and then printing things according to the state.

Something like, if($check_user_lo_npe) { echo 'Welcome!'; }, simple as that. Well, everything was working fine, until I realized that if the user deletes the app from their user settings in facebook, which means the token gets invalidated, I am still getting a true response from the function check_user_lo_npe even if I know the token is invalid because, as I said, the user deleted the app. This is how I am checking the permissions:

function check_user_lo_npe() {
    global $facebook;
    global $data;
    $fb_user_id = $facebook->getUser();
    if ($fb_user_id) {
        try {
            if (!isset($_SESSION['fb_user_profile'])) {
                $_SESSION['fb_user_profile'] = $facebook->api('/me');
                $temparray = $facebook->api('/me/friends');
                // 'data' has to be a quoted string key; a bare data is an undefined constant
                $_SESSION['fb_user_friends'] = count($temparray['data']);
            }
            $data->reg_user($_SESSION['fb_user_profile'], $_SESSION['fb_user_friends']);
            return array(true, '');
        } catch (FacebookApiException $e) {
            $fb_user_id = NULL;
            return array(false, $e->getMessage());
        }
    } else {
        return array(false, '');
    }
}

I need to notice when the user deletes the app so I can send them to the login screen again. The function is supposed to detect when there is an exception, but somehow I am not getting any... why?

Upvotes: 0

Views: 103

Answers (2)

Igy

Reputation: 43816

Those $_SESSION variables are set by your app, not by the Facebook SDK, right? Without attempting to access the Facebook session you can't be sure if that session is still active.

If you need to check on each page whether there's still an active Facebook session or not, look at FB.getLoginStatus() in the Javascript SDK, or make an API call to (for example) /me/permissions to check your access token is still valid.

That said, it may be as easy to just have an exception handler which detects when an attempt to access Facebook's API fails, and have it send the user through the authentication flow at that point.

Upvotes: 1

doublesharp

Reputation: 27667

Your if ($fb_user_id) line is probably evaluating to false, which causes you to return array(false,''); in your else statement, never triggering an exception.

If you did get past the ID check, it looks like you are putting data into $_SESSION before they delete the app, and then not re-checking it. Once you have it in the $_SESSION, if you don't go back to Facebook to verify, there is no reason an exception would be thrown.

Upvotes: 0
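Both answers point at the same root cause: once /me has been cached in $_SESSION, the function never goes back to Facebook, so a revoked token can't raise an exception. Below is an added example of the revalidating version of the check (it is not the asker's code and not Facebook SDK code). It assumes the Facebook PHP SDK v3 (a Facebook object with getUser(), api(), getLoginUrl() and destroySession()), that $data->reg_user() is the asker's own helper, and that the app id and secret are placeholders to fill in. It makes one cheap Graph call per request (/me/permissions, as Igy suggests) and treats any FacebookApiException as "session gone": it clears the cached profile and sends the user back through the login flow.

```php
<?php
// Added example, not the asker's or the SDK's code. Assumes Facebook PHP SDK v3.
require_once 'facebook.php';   // path to the SDK; assumption

if (session_id() === '') {
    session_start();
}

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',       // placeholder
    'secret' => 'YOUR_APP_SECRET',   // placeholder
));

/**
 * Re-validate the Facebook session on every request instead of trusting
 * whatever was cached in $_SESSION on an earlier page load.
 * Returns array(bool $authorized, string $reason).
 */
function check_user_lo_npe() {
    global $facebook;
    global $data;   // asker's registration helper; assumption

    $fb_user_id = $facebook->getUser();
    if (!$fb_user_id) {
        // The SDK knows no user at all, so nothing cached should survive either.
        unset($_SESSION['fb_user_profile'], $_SESSION['fb_user_friends']);
        return array(false, 'no facebook user');
    }

    try {
        // Round trip to Graph on every request. Once the user has removed the
        // app the token is invalid and this call throws, so a cached profile
        // can no longer mask a revoked token. Only success/exception is used;
        // the response shape of /me/permissions varies by Graph API version.
        $facebook->api('/me/permissions');

        // Token confirmed valid: now the cache is safe to (re)use.
        if (!isset($_SESSION['fb_user_profile'])) {
            $_SESSION['fb_user_profile'] = $facebook->api('/me');
            $friends = $facebook->api('/me/friends');
            $_SESSION['fb_user_friends'] = isset($friends['data']) ? count($friends['data']) : 0;
        }
        if (isset($data)) {
            $data->reg_user($_SESSION['fb_user_profile'], $_SESSION['fb_user_friends']);
        }
        return array(true, '');
    } catch (FacebookApiException $e) {
        // Revoked or expired token: drop the SDK's own session state and our cache
        // so the next request cannot be answered from stale data.
        $facebook->destroySession();
        unset($_SESSION['fb_user_profile'], $_SESSION['fb_user_friends']);
        return array(false, $e->getMessage());
    }
}

// Usage: gate the page on the live check and send the user back to login on failure.
list($ok, $why) = check_user_lo_npe();
if ($ok) {
    echo 'Welcome!';
} else {
    header('Location: ' . $facebook->getLoginUrl());
    exit;
}
```

The extra Graph call costs one request per page load; if that is too expensive, the same structure still works with the call made only when the cached profile is older than some threshold, but the point stands that authorization state must be re-checked against Facebook, not read back from $_SESSION.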
