AshleysBrain

Reputation: 22591

Why can't I post scores via the Scores API in JavaScript?

I'm writing a JavaScript game library that I want to integrate with Facebook Scores. Games made with my library typically run on static file servers (i.e. just ordinary HTML+JS, no server side scripts).

I've been looking at the scores documentation and have come across this problem: you can only submit a score with an app access token.

Why?

Correct me if I'm wrong, but it seems I can't get an app access token unless I have the app secret, and it seems obvious I should not put the app secret in javascript. For most of these games, server side scripting is out of the question. So I have no way to get an app access token, so none of these games can submit scores.

What seems especially dumb is if the user grants the app the "publish_stream" permission, you can automatically make a wall post along the lines of "I just scored 77777 in MySuperGame!". You can do that with just pure HTML+JS. But you can't post a score.

Am I missing something or is the API just a bit dumb about this?

Upvotes: 3

Views: 748

Answers (2)

RC-1290

Reputation: 595

Because the client can send any information it wants to the server, it is a good idea not to trust it. Since scores are usually a way to objectively determine the skill of a player, letting the player determine his own score would directly undermine the function of scores. So the score is determined by an independent party: the server.

If Facebook did not require an access_token, it would be very difficult for other games to secure the scores. You could ask the Facebook SDK developers to add an insecure alternative to the Facebook SDK, but adapting your games to use the secure method is probably easier.

I would recommend creating a system where choices made by players are sent to the server, where they are checked, and where the score is calculated and sent to Facebook. For a simple quiz these choices are simply the chosen answers; in a complex 3D game they might include all movement and interaction with the world.

If extensive server scripting is really out of the question, you could reduce it to one script on the server that relays the score sent by the client to Facebook.

Upvotes: 1
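
The server-side check recommended in the answer above, sketched for the simple quiz case as an added example (not code from the original answer or from any Facebook SDK). `ANSWER_KEY`, `scoreSubmission`, `handleSubmission` and the `publishScore` callback are hypothetical names; `publishScore` stands in for the server's Scores API call made with the app access token, and the sample data is constructed.

```javascript
// Server-side scoring for a quiz: the client sends its choices, never its score.
// All names and data here are hypothetical and constructed for illustration.
const POINTS_PER_QUESTION = 100;
const ANSWER_KEY = { q1: "b", q2: "d", q3: "a" }; // lives on the server only

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recompute the score from the submitted choices; reject malformed input.
function scoreSubmission(submission) {
  if (!isPlainObject(submission) || !isPlainObject(submission.answers)) {
    return { ok: false, reason: "answers missing" };
  }
  const answers = submission.answers;
  for (const id of Object.keys(answers)) {
    // Only questions the server knows about, answered with a string, are accepted.
    if (!Object.prototype.hasOwnProperty.call(ANSWER_KEY, id)) {
      return { ok: false, reason: "unknown question: " + id };
    }
    if (typeof answers[id] !== "string") {
      return { ok: false, reason: "bad answer type: " + id };
    }
  }
  let score = 0;
  for (const id of Object.keys(ANSWER_KEY)) {
    if (answers[id] === ANSWER_KEY[id]) score += POINTS_PER_QUESTION;
  }
  return { ok: true, score };
}

// publishScore(userId, score) is an injected stand-in for the server-side
// Scores API request; the app access token never leaves the server.
function handleSubmission(userId, submission, publishScore) {
  const result = scoreSubmission(submission);
  if (!result.ok) return result; // nothing is published for invalid input
  // A score field sent by the client is never used; a mismatch is only
  // reported so it can be logged as a possible forgery attempt.
  const claimed = submission.score;
  const clientClaimIgnored = claimed !== undefined && claimed !== result.score;
  publishScore(userId, result.score);
  return { ok: true, score: result.score, clientClaimIgnored };
}
```

A relay that forwards `submission.score` unchanged would skip `scoreSubmission` entirely, so the value reaching Facebook would still be whatever the client chose to send.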

Scott MacVicar

Reputation: 306

If you could do it from JavaScript then anyone could forge their scores by just running a few commands via the console.

I'm not sure if that is the reason we don't support it but it seems like a likely one.

Upvotes: 1
