I’m with some problems implementing my first application with “Login with Facebook”.
The user MUST be registered in my system, but he can associate a FB account to it. When an FB account is associated I just save the user email address from facebook.

When the user clicks on “login with facebook” (considering he is already logged in facebook) I just grab its profile email, and send it to the server to verify if there is a user with that e-mail associated. If such user exists, I create a session for that user.
This is the code for grabbing the user’s e-mail and sending it to the server:

function login()
{
    FB.api('/me',
    function (user)
    {            
        $.ajax(
        {
            url: "my_ajax_page.php",
            type: "POST",
            data: {controller: "MyController", action: "LinkEmail", fbmail: user.email},
            success: function (response)
            {
                if(response == 1)
                {
                    alert("Success!");
                }
            },
            error: function ()
            {
                alert("Error");
            }
        }
        );
    }
    );
}

There is a big security flaw with this approach, anyone can create a script sending an e-mail to my system and this ‘wrong’ e-mail will be linked to the current logged user account:

function hacking()
{
    $.ajax(
    {
        url: "my_ajax_page.php",
        type: "POST",
        data: {controller: "MyController", action: "LinkEmail", fbmail: 'someonemail@mail.com'},
        success:
        function (response)
        {
            if(response == 1)
            {
                alert("Success!");
            }
        },
        error: function ()
        {
            alert("Error");
        }
    }
}

What approach can I use to make it secure to login with FB?