
ajax rpc services - how to get access to facebooknet?

Feb 1, 2008 at 7:15 AM
Hello,

My scenario is this: I have a series of aspx pages (working fine) which issue ajax calls (basically an rpc) to a .ashx handler. The handler needs to verify that the call is made by a particular authenticated user (i.e. Facebook.Service.User) as part of the checking.

So, in the .aspx file I would simply call the fbApp.Service.Users.GetUser(fbApp.UserID, null) or something like that (actually, at the moment all I need to do is ensure that fbApp.UserID = a database userid field, i.e. to ensure that the user authenticated by facebook is in fact the appropriate user) but I am not really sure how to obtain the equivalent from a .ashx handler?

I read the following threads about ajax:
http://www.codeplex.com/FacebookNET/Thread/View.aspx?ThreadId=17001
http://www.codeplex.com/FacebookNET/Thread/View.aspx?ThreadId=14910

these suggest using FacebookProxy and possibly setting the fbApp.EnableAjaxScenarios property. However I really have NO idea how to use this :) The second thread mentions some sample code and maybe a blog post but I could not see this in the sample code of the install files or in the example application.

I took a look at the FacebookProxy source code but do not fully understand it. So, it looks like you pass it the fbMethod/fbContext headers, and it adds on the secret & apikey and then invokes on the Facebook REST server. Is this right?

So I guess the core of it is the invocation:
FacebookService service = new FacebookService(appSettings.ApiKey, appSettings.Secret, sessionKey, userID, pageUserID);

Where the apikey/secret are hard-coded (or come from the web.config) and the sessionKey, userID and pageUserID come from the client.

So I was also thinking that a malicious client could fake the userID to pretend to be another user, but the sessionKey should be user-specific and basically a user&facebook secret, correct?

Anyway, using it in this way will mean that I must remap the ajax calls to include a sessionKey, userID, pageUserID and then construct a fb service? Will I need to do this for every single call? Or is it safe to store these variables (or the FacebookService) in the handler's HttpSessionState?

I am trying to figure this out as I go anyway, please let me know if any of this makes sense, cheers!


Feb 5, 2008 at 2:57 AM
I personally don't rely on session state - I'd just send these variables to the client, and have the client send them to the server. If you can do this in one (the 1st) call, why not do it every time?

One of the options/thoughts is to encrypt the information sent to the client, so it can't be faked. However, since the session is scoped to a user, only a malicious user can fake a request for an app he/she uses... not for any other app for any other user. So it's a fairly slim scenario... hence the current implementation where it is not encrypted.

The other requirements around POST requests, requiring headers etc. make sure some script in the browser cannot do this. Only a full trust client app could fake a request in the first place.
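The question asks whether a client could fake the userID it sends with each ajax call, and the reply suggests protecting the values sent to the client so they can't be faked. Below is an added example of one way to do that; it is not code from this thread or from FacebookNET. The server issues a token containing userID, sessionKey and pageUserID, signed with the application secret using HMAC-SHA256 (a message authentication code rather than encryption, since the browser already sees these values and the point is that it cannot change them); the client echoes the token on every call, and the .ashx handler verifies it before constructing the FacebookService as in the post. The class name, the '|'-separated payload layout, the expiry field and the sample values are all assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not FacebookNET code). Hypothetical helper that issues and
// verifies a tamper-evident token carrying the Facebook session values an AJAX
// client must echo back to the .ashx handler. The token is signed with the
// application secret using HMAC-SHA256; it is not encrypted, because the
// browser already sees these values. What matters is that the user cannot
// change them (e.g. swap in another userID) without knowing the secret.
public static class SignedFacebookContext
{
    // Assumed payload layout: userID|sessionKey|pageUserID|expiresUtcTicks.
    // '|' is assumed never to occur inside a Facebook session key.
    private const char Separator = '|';

    public static string Issue(string appSecret, long userId, string sessionKey,
                               long pageUserId, DateTime expiresUtc)
    {
        string payload = string.Join(Separator.ToString(), new string[] {
            userId.ToString(), sessionKey, pageUserId.ToString(),
            expiresUtc.Ticks.ToString() });
        string encoded = ToBase64Url(Encoding.UTF8.GetBytes(payload));
        return encoded + "." + ToBase64Url(Mac(appSecret, encoded));
    }

    // Returns true only if the MAC matches and the token has not expired.
    public static bool TryVerify(string appSecret, string token, DateTime nowUtc,
                                 out long userId, out string sessionKey, out long pageUserId)
    {
        userId = 0; sessionKey = null; pageUserId = 0;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        string[] fields = null;
        try
        {
            byte[] expected = Mac(appSecret, parts[0]);
            byte[] actual = FromBase64Url(parts[1]);
            if (!ConstantTimeEquals(expected, actual)) return false; // forged or tampered
            fields = Encoding.UTF8.GetString(FromBase64Url(parts[0])).Split(Separator);
        }
        catch (FormatException) { return false; }                    // not valid base64url

        if (fields.Length != 4) return false;
        long expiresTicks;
        if (!long.TryParse(fields[3], out expiresTicks) || nowUtc.Ticks > expiresTicks)
            return false;                                            // old token replayed
        if (!long.TryParse(fields[0], out userId) || !long.TryParse(fields[2], out pageUserId))
            return false;
        sessionKey = fields[1];
        return true;
    }

    private static byte[] Mac(string appSecret, string data)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSecret)))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Compare every byte so timing does not leak how much of the MAC matched.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }

    public static void Main()
    {
        const string secret = "app-secret-from-web.config"; // constructed value for the demo
        DateTime now = DateTime.UtcNow;
        string token = Issue(secret, 12345, "session-key-xyz", 12345, now.AddMinutes(30));
        long uid; string sk; long puid;

        Console.WriteLine("genuine token accepted: " + TryVerify(secret, token, now, out uid, out sk, out puid));

        // A malicious client rewrites the userID field but cannot recompute the MAC.
        string sig = token.Substring(token.IndexOf('.'));
        string forged = ToBase64Url(Encoding.UTF8.GetBytes(
            "99999|session-key-xyz|12345|" + now.AddMinutes(30).Ticks)) + sig;
        Console.WriteLine("forged userID accepted: " + TryVerify(secret, forged, now, out uid, out sk, out puid));

        // The same genuine token presented after its expiry is rejected too.
        Console.WriteLine("expired token accepted: " + TryVerify(secret, token, now.AddHours(1), out uid, out sk, out puid));
    }
}
```

In the handler, the verified userId is what gets compared against the database user id that the question wants to check, and the verified sessionKey is what goes into the FacebookService constructor; a token that fails TryVerify should be answered with an error before any Facebook call is made. Because the token is self-verifying, nothing needs to be kept in HttpSessionState, which matches the reply's preference for sending the values with every call.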