Reputation: 1180
I'm using the Facebook PHP SDK (v3.2.3, not v4.0)(https://developers.facebook.com/docs/reference/php/3.2.3) on my server, and the Phonegap Facebook Plugin (Master)(https://github.com/phonegap/phonegap-facebook-plugin) manually installed in my Phonegap v3.3.0 iOS app.
I've got everything set up nicely, the app displays a Facebook access token and the "userID" of the authenticating user. Problem is, Facebook tokens only last about 2 months. To fix this, I created a table which houses every FB Access Token that Facebook has given for all of my FB-based users. This works great with my website's "Log in with Facebook" button!
...But because this Phonegap plugin leaves the device as a middleman between Facebook and my database, I need my server to double check with Facebook directly to verify the user ID and access token supplied by the user are genuine. I've seen that I could query https://graph.facebook.com/app?access_token=TOKEN
or do something like:
GET /debug_token?
input_token={input-token}&
access_token={access-token}
... and apparently get back everything I need, but I get the feeling an attacker could just keep hitting my PHP script that checks with Facebook over and over again until they find success - then they would have the credentials necessary to access my app on behalf of that user whose token they guessed.
If the idea of an attacker guessing any Facebook access token over the period of a few weeks is ridiculous, let me know. But I was hoping to narrow it down and force the attacker to also know which user they're guessing the access token of - THAT should be near impossible to crack. So how can I verify a user using BOTH the user access token & the user's numerical ID?
Upvotes: 5
Views: 8874
Reputation: 2921
Get the user's Facebook ID from Facebook any time you get a token, and use the user's ID from Facebook to look up your user.
Even if your app requires offline access and you use a saved token, validate the token before you use it.
If you do not validate the token, your app may still function if the user logged out of Facebook or perhaps unauthorized your app.
<?php
// Facebook PHP SDK v3.2.3: load the SDK before constructing the client.
require_once 'src/facebook.php';

$facebook = new Facebook(array(
    'appId'  => '<FACEBOOK_ID>',     // your app ID
    'secret' => '<FACEBOOK_SECRET>', // your app secret, server-side only
));

// Reject the request outright if no token was supplied.
if (empty($_REQUEST['access_token'])) {
    http_response_code(400);
    exit('missing access_token');
}

// Ask Facebook who this token belongs to; getUser() returns 0 when the
// token is invalid, expired, or was issued for a different app.
$facebook->setAccessToken($_REQUEST['access_token']);
if (($userId = $facebook->getUser())) {
    // $_REQUEST['access_token'] is a valid token for the user with id $userId;
    // look that ID up in your own user table rather than trusting any ID the client sent.
}
Upvotes: 5
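The check the answer above describes, done against the JSON that Facebook's GET /debug_token endpoint returns instead of through the PHP SDK, as an added example that is not code from the question or either answer. The network call is left out so the block runs offline; the sample response, app ID, user ID and secret are constructed placeholders, and the field names follow the documented debug_token reply.

```python
import json
import time
from urllib.parse import urlencode


def debug_token_url(input_token, app_id, app_secret,
                    base="https://graph.facebook.com"):
    """Build the /debug_token request. The app access token is the string
    APP_ID|APP_SECRET, so this URL must only ever be built on the server."""
    query = urlencode({"input_token": input_token,
                       "access_token": f"{app_id}|{app_secret}"})
    return f"{base}/debug_token?{query}"


def verify_token(debug_response, expected_app_id, claimed_user_id, now=None):
    """Return (ok, reason). Accept the token only if Facebook says it is
    valid, it was issued to our own app, it has not expired, and the user
    it belongs to is the user the client claims to be."""
    now = time.time() if now is None else now
    data = json.loads(debug_response).get("data", {})
    if not data.get("is_valid"):
        # Invalid tokens carry an "error" object alongside is_valid=false.
        return False, "token is not valid: " + str(data.get("error", ""))
    if str(data.get("app_id")) != str(expected_app_id):
        # A valid token for some other app must not log anyone into ours.
        return False, "token was issued for a different app"
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # 0 means a non-expiring token
        return False, "token has expired"
    if str(data.get("user_id")) != str(claimed_user_id):
        # The token is real, but not for the account the client claimed.
        return False, "token belongs to a different user"
    return True, "ok"


# Constructed sample of a /debug_token reply; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({"data": {
    "app_id": "123456789012345", "type": "USER", "application": "Example App",
    "expires_at": 1700000000, "is_valid": True,
    "scopes": ["public_profile", "email"], "user_id": "100000000000001"}})
```

Because the app secret is in the URL, the lookup belongs behind the same rate limiting and logging as any other login endpoint, so repeated failures from one client are visible.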
Reputation: 848
You shouldn't worry about an attacker guessing the access token. The access token is 211 characters long, consisting of about 62 kinds of characters (based on my token). That's 62^211 unique access tokens. There are only 7 billion humans in the world, so it's practically impossible to brute-force an access token. Nevertheless, this kind of attack is FB's responsibility: to generate a better access_token.
Let's say the access token is leaked to a criminal: if you are suggesting comparing it to the user's FB numerical id -- don't! The id is accessible with the access token. Instead, assign your own unique id/username to a user when they sign up for the first time or something.
Upvotes: 2