IPValverde IPValverde - 4 months ago 7
Javascript Question

Security with facebook API login

I'm with some problems implementing my first application with "Login with Facebook".
The user MUST be registered in my system, but he can associate a FB account to it. When an FB account is associated I just save the user email address from facebook.

When the user clicks on "login with facebook" (considering he is already logged in facebook) I just grab its profile email, and send it to the server to verify if there is a user with that e-mail associated. If such user exists, I create a session for that user.
This is the code for grabbing the user's e-mail and sending it to the server:

function login()
{
FB.api('/me',
function (user)
{
$.ajax(
{
url: "my_ajax_page.php",
type: "POST",
data: {controller: "MyController", action: "LinkEmail", fbmail: user.email},
success: function (response)
{
if(response == 1)
{
alert("Success!");
}
},
error: function ()
{
alert("Error");
}
}
);
}
);
}


There is a big security flaw with this approach, anyone can create a script sending an e-mail to my system and this 'wrong' e-mail will be linked to the current logged user account:

function hacking()
{
$.ajax(
{
url: "my_ajax_page.php",
type: "POST",
data: {controller: "MyController", action: "LinkEmail", fbmail: 'someonemail@mail.com'},
success:
function (response)
{
if(response == 1)
{
alert("Success!");
}
},
error: function ()
{
alert("Error");
}
}
}


What approach can I use to make it secure to login with FB?

Lix Lix
Answer

Perhaps you should send the signed__request as another parameter to the Ajax call. Only your application with its own `app_secret can decode the signed_request so if you are able to decode it - that means the call originated from a valid (logged in) Facebook user.

You can read more about signed requests at this link :
https://developers.facebook.com/docs/authentication/signed_request/