I am working on a "Post with Facebook" feature for my website and I decided to go the JavaScript route (I have messed around with the PHP versions back in the day, but I am a big fan of not having to keep updating the SDK).
I followed the guide posted on Facebook Developers ( https://developers.facebook.com/docs/facebook-login/web/#example) which frankly works really well. However I am worried about security because for this to work I need to disable Require App Secret on Advanced Settings in my Facebook app setting.
This seems like an insecure way of handling logins. Here's my exact code:
function statusChangeCallback(response) { // Called with the results from FB.getLoginStatus(). console.log('statusChangeCallback'); console.log(response); // The current login status of the person. if (response.status === 'connected') { // Logged into your webpage and Facebook. testAPI(); } else { // Not logged into your webpage or we are unable to tell. console.log('Not logged in.'); } } function checkLoginState() { // Called when a person is finished with the Login Button. FB.getLoginStatus(function(response) { // See the onlogin handler statusChangeCallback(response); }); } window.fbAsyncInit = function() { FB.init({ appId: '193356002573279', cookie: false, // Enable cookies to allow the server to access the session. xfbml: true, // Parse social plugins on this webpage. version: 'v9.0' // Use this Graph API version for this call. }); FB.getLoginStatus(function(response) { // Called after the JS SDK has been initialized. statusChangeCallback(response); // Returns the login status. }); }; function testAPI() { // Testing Graph API after login. See statusChangeCallback() for when this call is made. FB.api('/me', function(response) { console.log(response); if response.name !== "undefined"{ // insert stuff into database using ajax } }); } As you can see, there's no place for a app_secret and even if there was, it would be shown in plain text on the clients machine. What is the solution for this?
没有评论:
发表评论