I am using JS to fetch a page feed using the facebook graph API, but in order to fetch the page's feed I need an access token. My current access token is set to expire in an hour, but I can use AppID|AppSecret
as a permanent access token.
My question is: since viewing the page source will show the access token, is using the appID|appSecret combination a safe approach to having a permanent access_token?
// Module-level array that nothing else in the visible source reads or writes:
// writePosts() below takes a parameter of the same name, which shadows this
// global inside that function.
var facebookFeed = [];
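// Called by the Facebook JS SDK once it has loaded: initialises the SDK and
// requests the page feed, handing the returned posts to writePosts().
window.fbAsyncInit = function () {
  FB.init({
    appId: '173668203065748',
    xfbml: true,
    version: 'v2.7',
  });

  FB.api(
    '/officialstackoverflow/feed',
    'GET',
    {
      // SECURITY: this token is delivered to every visitor in the page source.
      // Anyone who reads it can call the Graph API with the same rights, and
      // an AppID|AppSecret "permanent" token would expose the App Secret
      // itself. A token with this scope belongs on a server that proxies
      // (and caches) the feed request, not in client-side JavaScript.
      "access_token": "EAACEdEose0cBACP92ZBJexyw6OhDqs7SbBIme4CSisaI4UDgbJHDOa0NVjoXOXSJB7SD6549CB6M3KAdV11ySAn6wlJAMI4YEFEdfw2cM9JpovUG4NZC3VsCWcajbXfXWSWMmQQDR1fM9bzk6YPxMUYOiqBQnWrEm0IzbaCQZDZD",
      "fields": "full_picture,message,created_time,type,link,id"
    },
    function (response) {
      // The Graph API reports failures (expired token, rate limit, ...) as
      // { error: {...} } with no `data`; without this check writePosts()
      // would be handed `undefined`.
      if (!response || response.error) {
        console.error('Facebook feed request failed', response && response.error);
        return;
      }
      writePosts(response.data);
    }
  );
};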
// Facebook SDK bootstrap: injects connect.facebook.net/en_US/sdk.js once,
// placed before the document's first <script>, and does nothing if an
// element with id "facebook-jssdk" is already present. The loaded SDK is
// what invokes window.fbAsyncInit.
(function (doc, tagName, scriptId) {
  if (doc.getElementById(scriptId)) {
    return; // already injected on an earlier run
  }
  const firstScript = doc.getElementsByTagName(tagName)[0];
  const sdkScript = doc.createElement(tagName);
  sdkScript.id = scriptId;
  // Protocol-relative URL: the SDK is fetched over whatever scheme the page
  // itself uses.
  sdkScript.src = "//connect.facebook.net/en_US/sdk.js";
  firstScript.parentNode.insertBefore(sdkScript, firstScript);
}(document, 'script', 'facebook-jssdk'));
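/**
 * Filters a Graph API feed down to photo and status posts, fills in a
 * permalink for posts that have none, and logs each remaining post.
 *
 * @param {Array<object>|undefined} facebookFeed - the `data` array of a
 *   /{page}/feed response; each item is expected to carry `id`, `type` and
 *   optionally `link`. Items are mutated in place (`link` may be set).
 *   Non-array input (e.g. the API returned an error and `data` is absent)
 *   is ignored instead of throwing.
 * @returns {void}
 */
function writePosts(facebookFeed) {
  if (!Array.isArray(facebookFeed)) {
    return;
  }
  // for...of replaces an index loop whose counter `i` was never declared
  // and therefore leaked as an implicit global.
  for (const currentPost of facebookFeed) {
    if (currentPost.type !== "photo" && currentPost.type !== "status") {
      continue;
    }
    // Photo/status posts do not always carry a link; fall back to the post id.
    // The double slash in the URL is kept from the original code — verify the
    // resulting permalink resolves as intended.
    if (!currentPost.link) {
      currentPost.link = "http://facebook.com//" + currentPost.id;
    }
    console.log(currentPost);
  }
}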
/* Post body text. */
.facebookText {
  font-family: sans-serif;
  font-size: 16px;
  font-weight: 600;
}

/* Post image: spans the card width with a faint outline. */
.facebookImage {
  border: 1px solid rgba(0, 0, 0, 0.1);
  width: 100%;
}

/* One feed entry; the shadow animates on hover (see below). */
.facebookPost {
  border-bottom: 1px solid rgba(0, 0, 0, 0.3);
  box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);
  margin-bottom: 20px;
  padding: 10px 5px 3px 5px;
  transition: 0.3s ease all;
  width: 400px;
}

.facebookPost:hover {
  box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
  cursor: pointer;
}

/* Timestamp line under a post. */
.facebookTime {
  font-size: 12px;
  font-style: italic;
  padding: 5px 0;
}
It is called "App Secret" for a reason: you should not expose it on the client. You should not expose any token to other users anyway. You need to do that server side, and you should implement some caching, just in case you get many users and hit an API limit.