After significant voodoo, I have finally got the scores API working. Turns out you have to set Enhanced Auth Dialog to disabled or Facebook ignores your publish_actions permission. Just a heads up in case anyone else is struggling.
However, I’m working entirely in the Javascript API. No server-side scripting is available.
The only way to publish a score is with an app access token. The only way to get one of them is to use the app secret, and that would have to be in the javascript code for the world to see. How bad is that exactly?
TBH I don’t care if someone spoofs the scores to my little pong-style games. Good for them, only them and their friends can see it. It’s just a bit of fun. But what exactly can go wrong if my app secret is published? Can someone hijack the entire application? Or is it just bad practice and nothing much can go wrong with a little mini game?
It’s all purely javascript SDK so it seems to work only by user access tokens, so my first instinct is it’s OK. But I thought I’d ask….!
What other permissions are you using? If you’re using “publish_stream” I’m sure you could imagine the shenanigans that could ensue! Even worse, if the user has both your public and private key (which they will) they could create an entire spoof application that identifies itself as you!
The “domain” options in facebook should prevent this, but if there’s any chance an attacker could do an XSS attack they could potentially write malicious apps that masquerade as your game.
Have you considered writing something very simple with google app engine for the sole purpose of dealing with the app authentication token?