Adding Facebook Auth as an Afterthought

I found a way to ramble for an hour about how easy it is to add Facebook auth to a PHP app.

Bob Majdak Jr

August 08, 2017

Transcript

  1. Use Case

    Locally housed user management system. Willing to trust an outside party as an authority on user identity. Desires easy/social login for a smoother experience.
  2. Process Overview

    (diagram: Your Site! and Facebook! exchanging "I SO HAVE THAT BOB", "WHOA ADDING NEW BOB", "WELCOME, BOB")
  3. Process Overview

    User initiates a request to log into your site. Site sends the user to Facebook Authentication, with instructions on how to return after they accept. Facebook sends them back to your app. App uses the authorisation to request solid identification. App makes a judgement on what to do with the identification (Login, or Create+Login).
  4. /auth/fb-init

        // the redirect helper builds the login URL and remembers the
        // anti-CSRF state it will check when the user comes back
        $Helper = $FB->GetRedirectLoginHelper();

        $CallbackURL = GetURL('/auth/fb-confirm');
        $Permissions = [ 'email' ];

        $FacebookURL = $Helper->GetLoginURL(
            $CallbackURL,
            $Permissions
        );

        // send the browser off to Facebook
        Redirect($FacebookURL);
  5. /auth/fb-confirm <1>

        // check if we got an oauth token from facebook's flow
        try {
            $Token = $Helper->GetAccessToken();
        } catch(Throwable $Err) {
            /* refused, error, etc */
            return;
        }

        if(!$Token) {
            return;
        }
  6. /auth/fb-confirm <1> Exceptions

    Primary Causes:
    • Invalid tokens, expired tokens.
    • Some sort of foolery where the token was changed en route.
    • User took too long to say OK.
    • The user just said no.

    You NEED to know:
    • It just didn't work. Bail out on attempting ID.
  7. /auth/fb-confirm <2>

        // try to trade the token for a longer lasting one
        try {
            $Token = $FB->GetOAuth2Client()
                ->GetLongLivedAccessToken($Token->GetValue());
            $FB->SetDefaultAccessToken($Token->GetValue());
        } catch(Throwable $Error) {
            return;
        }
  8. /auth/fb-confirm <2> Exceptions

    Primary Causes:
    • Invalid tokens, expired tokens.
    • For some reason Facebook has revoked the token.

    You NEED to know:
    • It just didn't work. Bail out on attempting ID.
  9. /auth/fb-confirm <3>

        // use the authorisation to get the user data we need to id the user.
        try {
            $About = $FB->Get('/me?fields=id,name,email')->GetGraphUser();
        } catch(Throwable $Error) {
            return;
        }

        $Info = [
            'FBID'  => $About->GetID(),
            'Name'  => $About->GetName(),
            'Email' => $About->GetEmail(),
            'Token' => $Token->GetValue()
        ];

        if(!$Info['Email']) {
            return; /*?*/
        }
  10. /auth/fb-confirm <3> Exceptions

    Primary Causes:
    • Invalid tokens, expired tokens. (How slow is your server lol)
    • For some reason Facebook has revoked the token.

    You NEED to know:
    • It just didn't work. Bail out on attempting ID.
    • It worked but I cannot ID them (no email address):
      ◦ Bail out
      ◦ "{$Info['FBID']}@facebook.com"
  11. /auth/fb-confirm <4>

        // find id or generate id for user.
        $User = User::GetByEmail($Info['Email']);

        if(!$User) {
            try {
                $User = User::Create($Info);
            } catch(Throwable $Err) {
                return;
            }
        }

        $User->BeginSession();
        Redirect('/');
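The four /auth/fb-confirm steps above, plus the "catch every call, check every piece of data" rule from the later slides, assembled into one handler. This is an added example and not code from the deck or its demo project; it assumes facebook/graph-sdk v5 and the deck's own User class (GetByEmail, Create, BeginSession), while Redirect() is defined here as a stand-in and $FBConfig is the app's own SDK config array:

```php
<?php
// Added example (not from the deck): one /auth/fb-confirm handler with every
// bail-out in place. Assumes facebook/graph-sdk v5 and the deck's User class;
// Redirect() is a placeholder helper, $FBConfig the app's own config.
declare(strict_types=1);

use Facebook\Facebook;

function Redirect(string $To): void {
    header("Location: {$To}", true, 302);
}

function ConfirmFacebookLogin(array $FBConfig): void {
    // the redirect helper keeps its anti-CSRF "state" value in $_SESSION,
    // so a session has to exist on both /auth/fb-init and here
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $FB = new Facebook($FBConfig);
    $Helper = $FB->getRedirectLoginHelper();

    // <1> turn the code Facebook sent back into a short-lived token. The helper
    // compares the returned state with the stored one; a mismatch or an error
    // from Facebook is an exception, a user who declined is a null token.
    try {
        $Token = $Helper->getAccessToken();
    } catch (\Throwable $Err) {
        error_log('fb-confirm <1>: ' . $Err->getMessage());
        Redirect('/login?error=facebook');
        return;
    }
    if (!$Token) {
        Redirect('/login?error=facebook');
        return;
    }

    // <2> exchange for a long-lived token and make it the default for
    // every Graph call that follows
    try {
        $Token = $FB->getOAuth2Client()->getLongLivedAccessToken($Token->getValue());
        $FB->setDefaultAccessToken($Token->getValue());
    } catch (\Throwable $Err) {
        error_log('fb-confirm <2>: ' . $Err->getMessage());
        Redirect('/login?error=facebook');
        return;
    }

    // <3> ask Graph who this token belongs to
    try {
        $About = $FB->get('/me?fields=id,name,email')->getGraphUser();
    } catch (\Throwable $Err) {
        error_log('fb-confirm <3>: ' . $Err->getMessage());
        Redirect('/login?error=facebook');
        return;
    }

    $Info = [
        'FBID'  => (string)$About->getId(),
        'Name'  => (string)$About->getName(),
        'Email' => (string)$About->getEmail(),
        'Token' => $Token->getValue(),
    ];

    // "make sure it makes sense": an id to key on is mandatory; an email is
    // not (no email permission, or none on the account), so fall back to the
    // synthetic address from the slides instead of failing the login
    if ($Info['FBID'] === '') {
        Redirect('/login?error=facebook');
        return;
    }
    if (filter_var($Info['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $Info['Email'] = "{$Info['FBID']}@facebook.com";
    }

    // <4> existing account, or create one, then start the session
    $User = User::GetByEmail($Info['Email']);
    if (!$User) {
        try {
            $User = User::Create($Info);
        } catch (\Throwable $Err) {
            error_log('fb-confirm <4>: ' . $Err->getMessage());
            Redirect('/login?error=facebook');
            return;
        }
    }

    $User->BeginSession();
    Redirect('/');
}
```

Two things follow from the design the deck chose. Keying the local account on the email address means the site is trusting Facebook to have verified that address, which is exactly the "outside party as an authority on user identity" trade-off of slide 1; if that trust is not wanted, key on FBID and treat the email as display data only. The synthetic `<id>@facebook.com` fallback is a lookup key, not a mailbox, so nothing else in the app (password reset, notifications) should ever send to it.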
  12. Bool IsTokenValid(User $Who)

        // $FBConfig: the app's SDK config, passed in so the function stands alone
        function IsTokenValid(User $Who, array $FBConfig): bool {
            try {
                $FB = new Facebook\Facebook($FBConfig);
                $FB->SetDefaultAccessToken($Who->Token);
                $TokenInfo = $FB
                    ->Get("/debug_token?input_token={$Who->Token}")
                    ->GetGraphObject();
            } catch(Throwable $Error) {
                return FALSE;
            }

            return (bool)$TokenInfo->GetField('is_valid');
        }
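A stricter form of the token check from the slide above, added here as an example rather than taken from the deck. Facebook's debug_token endpoint also reports which app and which user the token was issued to and when it expires, so the check can refuse a token that is valid but belongs to a different app or a different user than the one it is stored against. It assumes facebook/graph-sdk v5, a User object carrying the same Token and FBID values as the deck's, and $AppID/$AppSecret placeholders for the app's own credentials (the app access token is formed as `app_id|app_secret`):

```php
<?php
// Added example (not from the deck): IsTokenValid() with app, user and expiry
// checks. Assumes facebook/graph-sdk v5; $AppID/$AppSecret are placeholders.
declare(strict_types=1);

use Facebook\Facebook;
use Facebook\GraphNodes\GraphNode;

function IsTokenValidStrict(Facebook $FB, User $Who, string $AppID, string $AppSecret): bool {
    // debug_token is queried with the app access token, not with the user
    // token that is being inspected
    $AppToken = "{$AppID}|{$AppSecret}";

    try {
        $TokenInfo = $FB
            ->get('/debug_token?input_token=' . rawurlencode($Who->Token), $AppToken)
            ->getGraphNode();
    } catch (\Throwable $Error) {
        // anything the SDK could not do counts as "not valid"
        return false;
    }

    return DebugTokenLooksGood($TokenInfo, $AppID, (string)$Who->FBID);
}

// The decision is kept separate so it can be exercised against a GraphNode
// built from a canned payload, without talking to Facebook.
function DebugTokenLooksGood(GraphNode $Info, string $AppID, string $FBID, ?int $Now = null): bool {
    $Now = $Now ?? time();

    if (!$Info->getField('is_valid')) {
        return false;
    }
    // the token must have been issued to this app, not merely to some app
    if ((string)$Info->getField('app_id') !== $AppID) {
        return false;
    }
    // and to the user we stored it against
    if ((string)$Info->getField('user_id') !== $FBID) {
        return false;
    }
    // expires_at is 0 for tokens that never expire; the SDK may already have
    // cast a non-zero value to DateTime
    $Exp = $Info->getField('expires_at');
    if ($Exp instanceof \DateTimeInterface) {
        $Exp = $Exp->getTimestamp();
    }
    if ($Exp && (int)$Exp <= $Now) {
        return false;
    }

    return true;
}

// Constructed debug_token payload (not a real response) to show the decision
// logic: accepted for the matching app and user, refused for any other app.
$Sample = new GraphNode([
    'app_id'     => '123456',
    'user_id'    => '9876',
    'is_valid'   => true,
    'expires_at' => time() + 3600,
    'scopes'     => ['email', 'public_profile'],
]);
var_dump(DebugTokenLooksGood($Sample, '123456', '9876'));
var_dump(DebugTokenLooksGood($Sample, '654321', '9876'));
```

The app_id comparison is the one that matters most: a token that is "valid" for Facebook but was issued to a different app must not be accepted as proof of identity by yours.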
  13. Facebook API: Get()

        try {
            $About = $FB->Get("/me?fields=id,first_name,last_name")
                ->GetGraphObject();
        } catch(Throwable $Err) {
            return;
        }

        echo $About->GetField('first_name');
  14. Facebook API: Post()

        try {
            $Post = $FB->Post(
                "/me/feed",   // requires publish_actions
                [
                    "link"    => $WebsiteURL,
                    "message" => $Message
                ]
            )->GetGraphObject();
        } catch(Throwable $Err) {
            return;
        }

        echo "Posted Post #{$Post->GetField('id')}";
  15. Some Things you can do...

    • Get information
    • Post status updates
    • Upload photos
    • Respond to event invites
    • Check friendship status
    • Schedule page posts
    • Tag places
    • Get payment status
  16. All Calls Must Be Caught

    Any time you make a call that depends on a valid auth token, make sure the library was able to do its job.

        try { ... } catch(Throwable $Error) { /* bail out */ }

    Any time you consume data, make sure it makes sense and contains all the data you need.

        if(...data seems invalid...) { /* bail out */ }
  17. Dallas PHP, August 2017. Bob Majdak Jr, @bobmagicii

    Graph SDK Documentation: developers.facebook.com/docs/reference/php
    Graph SDK: github.com/facebook/php-graph-sdk
    Graph API: developers.facebook.com/docs/graph-api
    Demo Project: github.com/bobs-archive-of-stuff/dallasphp-201708-fbauth