iszwnc - 7 months ago 21
Javascript Question

Implementing Facebook's Graph API without user authentication

I'm a newbie to the Facebook Graph API and Facebook JavaScript SDK, but I'd like to know some things:


  • Is there any way to put my Access Token in an Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.

  • Can I show my user information without asking the users to Authenticate themselves?

  • Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...



These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them, right?

Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.

I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.

If you'd like to see my repository and have a better understanding of the project, you can access https://github.com/iszwnc/rye

Answer

If I recap:

  • you don't want to share your app access token (good!),
  • you don't want your users to authenticate.

Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:

  • do the API calls from a server using server-side code (i.e. Node.js),
  • save the information you want in a database. This is optional, but better, to avoid the same information being retrieved multiple times, thus preventing your future 100 users from (voluntarily or not) reaching your app API limit.
  • let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).

About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:

  • Add your token to an environment variable which you can set just before launching the app,
  • Add your token to a file:

    1. Create a credentials.js file that contains an empty token:

      // Please use your own token
      var APP_TOKEN = '';
      
    2. Commit the file to Github,

    3. Have a .gitignore file that contains the credentials.js,
    4. var APP_TOKEN = 'now-you-can-put-your-token-here';

Good luck with your project, it looks exciting :-)
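The server-side interface the answer describes (token read from an environment variable, one machine talking to Facebook, a cache so visitors don't burn the app's API limit), as an added example that is not code from the original post or from the rye repository. It assumes the token is supplied in the `APP_TOKEN` environment variable and that `fetchImpl` is injected (Node's global `fetch` in production, a stub when testing offline); the resource names `profile` and `posts` are made up for the example.

```javascript
// Added example (not from the original post or the rye repo): a tiny Node.js
// proxy that keeps the Facebook token on the server, as the answer recommends.
// Assumptions: the token comes from the APP_TOKEN environment variable and
// `fetchImpl` is injected (Node's global fetch in production, a stub in tests).
const GRAPH_BASE = 'https://graph.facebook.com';

// Allowlist: the browser may only ask for these named resources. Without it,
// anyone could use your token to query arbitrary Graph API paths via the proxy.
const ALLOWED = {
  profile: 'me?fields=name,about',
  posts: 'me/posts?fields=message,created_time',
};

function createProxy({ token, fetchImpl, ttlMs = 60000, now = Date.now }) {
  if (!token) throw new Error('APP_TOKEN is not set');
  const cache = new Map(); // name -> { body, expires }

  // Resolve one allowlisted name to a Graph API response, served from the
  // cache while fresh so 100 visitors do not become 100 calls against the limit.
  async function query(name) {
    const path = ALLOWED[name];
    if (!path) return { status: 404, body: { error: 'unknown resource' } };
    const hit = cache.get(name);
    if (hit && hit.expires > now()) return { status: 200, body: hit.body, cached: true };
    const sep = path.includes('?') ? '&' : '?';
    const url = `${GRAPH_BASE}/${path}${sep}access_token=${encodeURIComponent(token)}`;
    try {
      const res = await fetchImpl(url);
      if (!res.ok) throw new Error(`upstream status ${res.status}`);
      const body = await res.json();
      cache.set(name, { body, expires: now() + ttlMs });
      return { status: 200, body, cached: false };
    } catch (err) {
      // Log server-side only; never echo the URL (it carries the token) to the browser.
      console.error('graph request failed:', err.message);
      return { status: 502, body: { error: 'upstream request failed' } };
    }
  }
  return { query };
}

// Handler shape for http.createServer: GET /api/<name> -> { status, body } as JSON.
async function handle(proxy, method, urlPath) {
  if (method !== 'GET') return { status: 405, body: { error: 'method not allowed' } };
  const m = /^\/api\/([a-z]+)$/.exec(urlPath);
  if (!m) return { status: 404, body: { error: 'not found' } };
  return proxy.query(m[1]);
}

if (typeof module !== 'undefined') module.exports = { createProxy, handle, ALLOWED };
```

To run it, wire `handle` into `http.createServer` and start with `APP_TOKEN=... node server.js`; the gh-pages client then calls `/api/profile` on your server and never sees the token.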