
FB.login Javascript changes needed by October?

Developer https://www.devze.com 2023-03-31 19:30 Source: web
So, we switched from Facebook Connect to the new Javascript SDK and OpenGraph when it first came out.

Back in May, some of our customers got an email telling them that they might have security holes and might need to upgrade to Oauth 2.0. I looked at our new code compared with the docs for FB.login at the time and ended up with the impression that customers using our new stuff would be OK, so customers on the old Facebook Connect version of our product would have to upgrade to the latest version.

Today it came to my attention that the Javascript SDK was changed so that to use OAuth 2.0, code changes would need to be made after all. (i.e. this blog post, which was made over a month after that email went out), and that I'd need to upgrade by October 1st.

So, today I tried just setting my app's "Oauth 2.0 Migration" flag to true and running it with our same code. It worked, which I didn't expect. So my question is, do I need to make code changes outlined in the linked blog post or not? If the app works today with the "Oauth 2.0 Migration" checkbox checked, is that valid cause to assume that it will continue to work after October 1st?

Here's my code:

// call to FBinit does not include oauth: true
FB.init({appId: opts.ApiKey, status: true, cookie: true, xfbml: true});

// call to login expects response.session on response. not response.authResponse. 
// Shame on Facebook for arbitrarily renaming that so I can't do a clean swap.
FB.login(function(response){
    if(response.session){
        var access_token = response.session.access_token;
        // blah blah blah
    }
});


Yes, you do need to make the code changes to the JS SDK (http://developers.facebook.com/docs/oauth2-https-migration/) to include oauth:true in the FB.init function and the other changes mentioned in the blog post.

The migration setting in the Dev App just indicates that you will receive an encrypted access token (see the tooltip).


I would change all the code over. Also, enabling O-2.0 and using old auth methods could break a session, causing users to not be able to log out through the application, or leaving a session in the app when the user logs out of Facebook.


With new O-2.0 enabled and old auth disabled, I use the sample below, integrated with php-sdk 3.1.1, without any error or issue.

<div id="FBauth"></div>
<div id="fb-root"></div>
<script>
  window.fbAsyncInit = function() {
    FB.init({
      appId  : '112104298812138',
      status : true, // check login status
      cookie : true, // enable cookies to allow the server to access the session
      xfbml  : true, // parse XFBML
      //channelUrl : 'http://WWW.MYDOMAIN.COM/channel.html', // channel.html file
      oauth  : true // enable OAuth 2.0
    });
    FB.Canvas.EarlyFlush.addResource("http://shawnsspace.com/index.php");
    FB.Canvas.setAutoResize();

    FB.getLoginStatus(function(response) {
      var authbox = document.getElementById('FBauth');
      if (response.authResponse) {
        // logged in and connected user, someone you know
        //authbox.innerHTML="Hey" +authResponse.name+ "";
        authbox.innerHTML = "<fb:login-button autologoutlink='true'></fb:login-button><fb:login-button show-faces='true' width='250' max-rows='1'></fb:login-button>";
        FB.XFBML.parse(authbox);
      } else {
        // no user session available, someone you dont know
        authbox.innerHTML = "";
        var a = document.createElement('a');
        // void needs an operand; "javascript:void();" is a syntax error
        a.setAttribute("href", "javascript:void(0);");
        a.setAttribute("onclick", "FBlogin();");
        a.innerHTML = "Please Login";
        authbox.appendChild(a);
        //alert('not logged in'+response+'');

        // login handler used by the link created above
        window.FBlogin = function() {
          FB.login(function(response) {
            if (response.authResponse) {
              FB.api('/me', function(response) {
              });
            } else {
              // user canceled login.
              top.location.href = "http://apps.facebook.com/shawnsspace/";
            }
          }, {scope: 'manage_pages'});
        };
      }
    });

    FB.Event.subscribe('auth.login', function(response) {
      top.location.href = 'http://apps.facebook.com/shawnsspace/';
    });
    FB.Event.subscribe('auth.logout', function(response) {
      //top.location.href = "http://facebook.com/designbyshawn";
    });
  };

  // load the SDK asynchronously
  (function() {
    var e = document.createElement('script'); e.async = true;
    e.src = document.location.protocol +
      '//connect.facebook.net/en_US/all.js';
    document.getElementById('fb-root').appendChild(e);
  }());
</script>


The code above is not using Oauth2. It will still work as is until they decide to force you to use Oauth2.

To switch over, you need to add oauth: true to the FB.init call as mentioned in the blog post you referenced. The main change is that response.session becomes response.authResponse.

There are a lot of other changes as well, so I recommend testing it out now. It took me a few hours to transition our site, but most of that was getting the cookies to work because w/ Oauth2 they are totally different and we wanted to generate an access_token from the cookie.

You can check out the Rails plugin I updated for Oauth2 - https://github.com/imme5150/fgraph - the cookie code is here: https://github.com/imme5150/fgraph/blob/master/lib/fgraph/rails/fgraph_helper.rb (at the bottom). Another trick is to get an access token from the "code" parameter stored in the cookie: you make a call to FB graph, but you have to include the "redirect_uri" parameter, but you want it to be blank.

Good luck!
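
The cookie change mentioned in the answer above matters on the server: with oauth: true the SDK sets a signed cookie, and the server should verify its signature before trusting the user id or exchanging the "code" for an access token. The Node.js sketch below is an added example, not code from the post or from fgraph. It assumes the signed_request layout (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with the app secret) and the payload fields algorithm, code, issued_at and user_id; the function names, the max-age policy and the sample values are constructed for illustration.

```javascript
// Added example: server-side check of the OAuth 2.0 signed cookie value.
const nodeCrypto = require('crypto');

// base64url helpers (no padding, '-' and '_' instead of '+' and '/').
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function b64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the decoded payload when the cookie is authentic and fresh, else null.
// maxAgeSec is a local policy choice (assumption), nowSec is the current Unix time.
function parseSignedRequest(cookieValue, appSecret, maxAgeSec, nowSec) {
  if (typeof cookieValue !== 'string') return null;
  const parts = cookieValue.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const sigB64 = parts[0];
  const payloadB64 = parts[1];

  // The HMAC covers the still-encoded payload, so verify before parsing JSON.
  const expected = nodeCrypto.createHmac('sha256', appSecret).update(payloadB64).digest();
  const given = b64urlDecode(sigB64);
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;

  let data;
  try {
    data = JSON.parse(b64urlDecode(payloadB64).toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!data || String(data.algorithm).toUpperCase() !== 'HMAC-SHA256') return null;
  // Reject stale cookies so a captured value cannot be replayed indefinitely.
  if (typeof data.issued_at !== 'number' || nowSec - data.issued_at > maxAgeSec) return null;
  return data;
}

// Constructed sample: build a cookie value signed with a placeholder secret.
function makeSampleCookie(payload, secret) {
  const p = b64urlEncode(Buffer.from(JSON.stringify(payload), 'utf8'));
  const sig = nodeCrypto.createHmac('sha256', secret).update(p).digest();
  return b64urlEncode(sig) + '.' + p;
}

const demo = makeSampleCookie(
  { algorithm: 'HMAC-SHA256', code: 'SAMPLE_CODE', issued_at: 1000, user_id: '42' },
  'PLACEHOLDER_APP_SECRET');
console.log(parseSignedRequest(demo, 'PLACEHOLDER_APP_SECRET', 3600, 1500));
```

Only after this check passes should the code value be sent to the Graph API token endpoint; a cookie that fails it is treated as an unauthenticated request.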
