Handling invalidated access tokens

Last week, we reminded you how you should handle invalid access tokens. This is an important concept to understand as there are several legitimate reasons an access token can become invalid such as:

  • its expiration time was reached
  • a user changed their password
  • a user deauthorized your application
  • a user logged out of Facebook
  • we invalidated it for security reasons

Even if you have the offline_access permission from the user, your token can still be invalidated. You should ensure your application is built to handle these scenarios.
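Handling that failure in code, as an added example that is not from the post: it assumes the PHP SDK 3.x Facebook class with getUser(), api(), getLoginUrl() and FacebookApiException, plus placeholder app credentials.

```php
<?php
// Added example, not from the original post. Assumes PHP SDK 3.x
// (facebook.php providing Facebook and FacebookApiException).
require_once 'facebook.php';

$facebook = new Facebook(array(
    'appId'  => 'YOUR_APP_ID',     // placeholder
    'secret' => 'YOUR_APP_SECRET', // placeholder
));

// getUser() only reports that a user id was found in the session or
// cookie; it does not prove the stored access token is still valid.
$user = $facebook->getUser();
$profile = null;

if ($user) {
    try {
        // Any Graph call fails with FacebookApiException once the token
        // has expired, the user changed their password, deauthorized the
        // app, logged out, or the token was invalidated for security
        // reasons. offline_access does not prevent any of these.
        $profile = $facebook->api('/me');
    } catch (FacebookApiException $e) {
        // Record why the token died for your own monitoring, then drop
        // the user so they are sent back through login instead of
        // retrying with the dead token.
        error_log('Access token no longer valid: ' . $e->getMessage());
        $user = null;
    }
}

if (!$user) {
    // Start a fresh OAuth flow rather than serving a half-broken page.
    header('Location: ' . $facebook->getLoginUrl());
    exit;
}

echo 'Hello, ' . htmlspecialchars($profile['name']);
```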

New PHP SDK

Today we upgraded the PHP SDK to version 3.0.0. Be sure to read our blog post which explains the changes as well as when you should consider upgrading. Version 2 of the PHP SDK will no longer work come September 1st as we will be requiring all apps to use the new OAuth flows.

Client-side re-authentication flow

A couple of weeks ago we introduced a server-side way for you to force a user to re-enter their password to confirm their identity (e.g. before making a purchase on a shared computer). We now have a way to perform re-authentication on the client side as well. To get started, check out the example below or see the documentation.

<html>
<head></head>
<body>
<div id="fb-root"></div>
<button id="fb-login" onclick="login()">Login</button>
<script>
  var button = document.getElementById('fb-login');

  // Posts the access token to checkNonce.php, which verifies on the
  // server that the token's auth_nonce has not been seen before.
  // For help with AJAX, see http://www.w3schools.com/Ajax/Default.Asp
  function checkNonce(access_token) {
    var xmlhttp;
    if (window.XMLHttpRequest) {
      // IE7+, Firefox, Chrome, Opera, Safari
      xmlhttp = new XMLHttpRequest();
    } else {
      // IE6, IE5
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function() {
      if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        if (xmlhttp.responseText == 1) {
          console.log('The user has been successfully ' +
                      're-authenticated.');
        } else {
          console.log('The nonce has been used before. ' +
                      'Re-authentication failed.');
        }
      }
    };
    xmlhttp.open('POST', 'checkNonce.php', true);
    xmlhttp.setRequestHeader('Content-type',
      'application/x-www-form-urlencoded');
    // Encode the token so it survives as a form field value.
    xmlhttp.send('access_token=' + encodeURIComponent(access_token));
  }

  function login() {
    FB.login(function(response) {
      // The callback always receives a response object; only a non-null
      // session means the user actually completed the dialog.
      if (response.session) {
        console.log('Login success. Checking auth_nonce...');
        checkNonce(response.session.access_token);
      } else {
        console.log('Login cancelled.');
      }
    }, { auth_type: 'reauthenticate', auth_nonce: 'abcd1234' });
    // auth_nonce is a fixed string here only to keep the example short.
    // In a real application generate a fresh, unguessable nonce on the
    // server for each re-authentication request; the server-side check
    // only protects you if every nonce is accepted at most once.
  }

  window.fbAsyncInit = function() {
    FB.init({appId: 'YOUR_APP_ID', status: true, cookie: true,
             xfbml: true});
    FB.getLoginStatus(function(response) {
      if (response.session) {
        button.innerHTML = 'Re-Authenticate';
        console.log('User is logged in.');
      } else {
        console.log('User is not logged in.');
      }
    });
  };
  (function() {
    var e = document.createElement('script'); e.async = true;
    e.src = document.location.protocol +
      '//connect.facebook.net/en_US/all.js';
    document.getElementById('fb-root').appendChild(e);
  }());
</script>
</body>
</html>

checkNonce.php

<?php

    // The access token the client posted after FB.login completed.
    $access_token = isset($_REQUEST['access_token'])
        ? $_REQUEST['access_token'] : '';

    // Ask Facebook for the token's metadata; the auth_nonce that was
    // passed to FB.login comes back in this response. URL-encode the
    // token rather than splicing it into the query string as-is.
    $graph_url = 'https://graph.facebook.com/oauth/access_token_info?'
        . 'client_id=YOUR_APP_ID&access_token=' . urlencode($access_token);
    $response = file_get_contents($graph_url);
    $access_token_info = ($response === false) ? null : json_decode($response);

    function nonceHasBeenUsed($auth_nonce) {
        // Here you would check your database to see if the nonce
        // has been used before. For the sake of this example, we'll
        // just assume the answer is "no".
        return false;
    }

    // An invalid token or a response without a nonce is a failure,
    // not a successful re-authentication.
    if ($access_token_info !== null
            && !empty($access_token_info->auth_nonce)
            && !nonceHasBeenUsed($access_token_info->auth_nonce)) {
        echo '1';
    } else {
        echo '0';
    }
?>
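The nonceHasBeenUsed() stub above is the part that actually makes the nonce a replay defence, so here is an added example (not from the post) of a single-use nonce store behind it: it assumes PDO with the SQLite driver, uses ':memory:' so it runs offline, and treats the Graph call and client_id as the placeholders the page already uses.

```php
<?php
// Added example, not from the original post. Issue a random nonce for
// FB.login's auth_nonce, then consume it exactly once when the token
// comes back. SQLite ':memory:' is for the offline run; use your real DB.

function issueNonce(PDO $db) {
    // 16 random bytes -> 32 hex chars. Never reuse a fixed value like 'abcd1234'.
    $nonce = bin2hex(openssl_random_pseudo_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO auth_nonces (nonce, used, issued_at) VALUES (?, 0, ?)');
    $stmt->execute(array($nonce, time()));
    return $nonce;   // embed this in the page as FB.login's auth_nonce option
}

function consumeNonce(PDO $db, $nonce, $maxAgeSeconds = 300) {
    // One atomic UPDATE flips used 0 -> 1, so two concurrent requests
    // carrying the same nonce cannot both succeed. Stale nonces are rejected.
    $stmt = $db->prepare('UPDATE auth_nonces SET used = 1 '
        . 'WHERE nonce = ? AND used = 0 AND issued_at >= ?');
    $stmt->execute(array($nonce, time() - $maxAgeSeconds));
    return $stmt->rowCount() === 1;
}

function fetchTokenInfo($accessToken) {
    // Same Graph call as checkNonce.php above (client_id is a placeholder).
    $url = 'https://graph.facebook.com/oauth/access_token_info?'
        . 'client_id=YOUR_APP_ID&access_token=' . urlencode($accessToken);
    $body = @file_get_contents($url);
    return ($body === false) ? null : json_decode($body);
}

function reauthSucceeded(PDO $db, $accessToken) {
    $info = fetchTokenInfo($accessToken);
    // No auth_nonce means this was not a 'reauthenticate' login (or the
    // token is invalid); that is not a successful re-authentication.
    if ($info === null || empty($info->auth_nonce)) {
        return false;
    }
    return consumeNonce($db, $info->auth_nonce);
}

// Constructed offline walk-through of the store (no Graph call needed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE auth_nonces '
    . '(nonce TEXT PRIMARY KEY, used INTEGER NOT NULL, issued_at INTEGER NOT NULL)');
$nonce = issueNonce($db);
var_dump(consumeNonce($db, $nonce));       // first use of an issued nonce
var_dump(consumeNonce($db, $nonce));       // replay of the same nonce
var_dump(consumeNonce($db, 'abcd1234'));   // a nonce the server never issued
```

Only the first consumeNonce() call should come back true; the replay and the never-issued value are the two cases the page's stub cannot distinguish.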

Old Insights Dashboard

As previously announced, we will remove the old version of the Insights dashboard on Tuesday as all the metrics that were previously available are now available in the new Insights dashboard.

Improving Docs

Documentation activity for the past 7 days:

Fixing Bugs

Bugzilla activity for the past 7 days:

  • 195 new bugs were reported
  • 67 bugs were reproducible and accepted (after duplicates removed)
  • 16 bugs were fixed (13 previously reported bugs and 3 new bugs)
  • As of today, there are 1,287 open bugs in Bugzilla (up 3 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

  • 480 New Topics Created
  • 243 New Topics received a reply
  • Of those 243, 21 were replied to by a Facebook Employee
  • Of those 243, 35 were replied to by a community moderator

Yasser Shohoud, a Partner Engineer on the Developer Relations team, is looking forward to seeing how you use the re-authentication feature to create safe, seamless user authentication flows.