Im using the javascript SDK of facebook in the frontend:
jQuery("#pct_fbbutton").live("click",function(){
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
console.log('Conected');
FB.api('/me/likes', function(response) { user_likes = response;
FB.api('/me', function(response) { user = response;
send_server(user, user_likes);
});
});
} else if (response.status === 'not_authorized') {
console.log('not_authorized');
login();
} else {
console.log('not_logged_in');
login();
}
});
});
As you can see, after the user is login with facebook ill send two objects via AJAX to a php script (using the function send_server).
I can access in the backend the currently generated token with $facebook->getAccessToken(), but as I know this is retrived from a cookie made by the javasript sdk, considering that all frontend data can be hacked, using the token how can ensure that the user data is valid on php?
The answer is to perform the graph calls with PHP instead of JavaScript, especially if the only purpose of your client-side script is to send it to the server;
Doing the data gathering on the server is the only practical way you can be sure that the data has not been tampered with, assuming you do proper https certificate checking.
The validity of the access token is also easy, because Facebook will return an error if the provided access_token value is invalid.
Once you retrieve the access_token in the back end, try to fetch the user's profile. If the fetch was successful, then the client provided you with the correct access_token and you should save it. Something like the below example should work, but you can find many more examples:
<?php
$facebook = new Facebook(array(
'appId' => $initMe["appId"],
'secret' => $initMe["appSecret"],
));
$facebook->setAccessToken($initMe["accessToken"]);
$user = $facebook->getUser();
if ($user) {
$user_profile = $facebook->api('/me');
print_r($user_profile);
}
?>