Home/ Questions/Q 9230031
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T05:43:14+00:00

I am developing an Phonegap based application, that uses Facebook OAuth for SSO login.

  • 0

I am developing an Phonegap based application, that uses Facebook OAuth for SSO login. How to validate the FB.login javascript response on server side? After successful redirection from Facebook mobile back to my app I get the userId and accessToken. It is enough to check the accesToken to gain access for the User on the server?

https://graph.facebook.com/me?fields=id&access_token=...

My Problem is JS & PHP mix on mobile and web:
The user uses FB.login on mobile (Javascript) and returns sucessfully (client), because the user has already connected via web. Now I can check the FB id in my database to load the user credentials via AJAX request. How to make the AJAX request secure. The prototype will login everyone that passes a valid FB, which exits in my DB too. So the system is open to get a session without revalidating on FB (server). My Idea was to check if the accessToken is valid, but not sure if this is enough… I think is is not… maybe check IP too?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Using the SignedRequest instead of accessToken seams to be the correct choice for my needs, e.g. PHP solution, using app secret.

    private function check_signed_request($signed_request) {

    $secret = Semods_Utils::getSetting('socialdna.facebook_secret','');
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    // decode the data
    $sig = $this->base64_url_decode($encoded_sig);
    $data = json_decode($this->base64_url_decode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        throw new Exception('Unknown algorithm. Expected HMAC-SHA256');
    }

    // Adding the verification of the signed_request below
    $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
    if ($sig !== $expected_sig) {
        throw new Exception('Bad Signed JSON signature!');            
    }

    return true;
}

private function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}

    see: https://developers.facebook.com/docs/howtos/login/signed-request/

    PROBLEM
    I did not receive the signed_request, these are undefined:

    response.authResponse.signed_request
response.authResponse.signedRequest

    and the this one contains only “…”

    response.authResponse.sig

    Anyone an idea?

    EDIT
    Ok .sig seam to be provided only by my plugin, hard coded: so the fix should bein there https://github.com/davejohnson/phonegap-plugin-facebook-connect

    But reported:
    https://github.com/davejohnson/phonegap-plugin-facebook-connect/issues/245

    • 0