Get amount of likes Facebook - javascript

I always used this URL(https://graph.facebook.com/[PAGE-ID]) via JavaScript to get the amount of likes, but now I get an error:
"An access token is required to request this resource."
Is there another possibility to get the likes without an token?
Can I set my access token directly into the request (security)? Is the token a secret token?

I've found a solution to get it without a token. I can use the following URL:
https://api.facebook.com/method/fql.query?query=select%20fan_count%20from%20page%20where%20page_id=[PAGEID]&format=json

No, you have to use a Token. But you can use an App Access Token that does not require authorization.
You should always keep any Token secret, only use it on the server.

You cannot get it without token. Read more about how to generate tokens here

Related

how can i paretoken when i use jwt token?

I have values ​​in the url like this
console.log("url:",url)
url: demo://app?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcm92aWRlciI6Imtha2FvIiwiaWF0IjoxNjE4MzIwOTg1fQ.Ver4V9lOBamkgU-DQC91LnVZLuvkLOGgytXPnkOWsFg
I want to parse the token in the url and put it in the maintoken.
how can i do that?
this is my code
useEffect(()=>{
Linking.addEventListener("url", ({url}) => {
console.log("url:",url)
const maintoken = parseToken(url);
console.log("token:",token);
})
return () => Linking.removeEventListener("url");
},[])
if the url always start with demo://app?accessToken= you can just do a substring.
const mainToken = url.subString(22);
I'm not really sure what you are trying to implement. But, if you are trying to extract values from a JWT and adding them to another signed JWT on the frontend, then it's not possible.
Tampering or trying to change the values in a hashed JWT token makes it an invalid token.
The whole objective of using a JWT token is to ensure nobody can tamper with the token and/or the data contained in it. Once a JWT is signed by whichever JWT module you are using, its signed with the purpose of making sure the data cannot be changed.
Because if you could change the values in the JWT and the JWT still passes as a valid token, then that would compromise your entire authentication process.
Also, don't append JWTs to URLs. It's bad practice. If you have a logging system in place that records all API calls, then your tokens will be recorded in the logs, because URLs are usually saved in logs. Anyone with access to the logs can decode the token and use the payload in the token for malicious reasons. Use HTTP headers instead.
What you should do
If you have to decode the URL on frontend and have no other option, use jwt_decode it will return the payload hashed in the JWT.
Send those decoded values to your server.
Sign a new access token on the server, use those values as payload in the access token.
Send back the newly signed access token to the frontend for use.
If the URL token is something that was created by you on your own server. You don't even need jwt_decode. Just use the methods that come with the JWT module you are using to verify the token. In the callback, you will get the payload that was attached to that particular token, use the payload to create a new access token and send that to the frontend.

Refresh Google API access token with Expo SDK?

I've followed the guide Google login / Expo and got both access token and refresh token.
But after access token expiring I can't get the new token.
When I try to get new one I get this error:
"error": "unauthorized_client", "error_description": "Unauthorized"
Here is the sample of the sent request for getting the new access token (Google docs):
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
client_id=<your_client_id>&
client_secret=<your_client_secret>&
refresh_token=<refresh_token>&
grant_type=refresh_token
P.S. I did not forget to replace client_id and other relevant data.
The same client ID that got the refresh token must be used to get another access token!
You are probably using this code on Android, for mobile devices Google doesn't give you a secret since it is not needed. You can remove the secret from the request and change the client ID to match your mobile client ID.

Json web tokens and token type Bearer

I'm using the JSON Web Token for Node.js in my API. In every request i have a middleware that validates the token, and return success or false. If success the page will be rendered, if not, the user will be redirect for the login page.. everything ok. My problem is: I'm using ember-simple-auth the the oauth2 authentication, which automatically catch my token and pre-concat with "Bearer". So, when i try to verify the token, i can't, because is not the same. So, how exactly should i verify?
I simple concat token = "Bearer " + access_token ?? Or i am missing some JWT helper?
Thanks.
So, based on comments, you should be able to just slice off the string that the ember-simple-auth is auto-concatenating
So:
let normalizedToken = oldToken.slice(7)
That should give you a token you can use your jwt lib to verify. Does that help? Is there something I'm missing in your question?

Comment on Facebook page posts as page owner with extended token

I'm developing a node.js app which manages a Facebook page among other functionalities.
To comment on user submitted posts, I use the following code in node.js:
FB.api(object + '/comments','post',
{ message: COMMENT_I_WANT_TO_SUBMIT, access_token: MY_PAGE_ACCESS_TOKEN },
function(res){
// deal with res
}
);
When using my short-lived Facebook page access-token (which I get from Graph API Explorer) the comment submitted is shown as a comment submitted by the page itself (what I want), but when I use my permanent token it is shown as submitted by myself (page owner).
To get this permanent token I followed these instructions:
https://stackoverflow.com/a/28418469/4713311
The token has my name associated to it since I had to grant permissions to manage the pages I own to generate the token.
I believe this token has the proper permissions since the token debugger shows the following permissions in scope: "manage_pages, publish_pages, publish_actions, public_profile"
Is there any way I can use this never expiring token to comment on posts with the page name instead of my own?
A Page Access Token should have not only "User ID" but also "Profile ID" associated, which wasn't the case for the extended page access token.
A Page Access Token isn't "extendable", to get a permanent page access token I had to request one with a permanent User Access Token, as explained here
Using as short-lived access token I got from Graph API Explorer (Select App -> Get Token -> Select permissions manage_pages, publish_pages, publish_actions and other you may need -> Grab the token that fills the "Access Token" text box) I made the following call to extend the token.
https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id={app-id}&client_secret={app-secret}& fb_exchange_token={short-lived-token}
Using the token returned, you can simply call /me/accounts and copy the page's access_token
This token is a permanent Page Access Token, to confirm you can use the token debugger and verify it has your "User ID" and your page's "Profile ID"

How to have a notification of expired Facebook user access token

I've seen a lot of examples, and read some articles to know well about the access token expiration and it was explained pretty well in this article, Access Token Expiration.
I know how to renew the expiration access token. However, the problem is that, as explained in the article, there are possibly 4 reasons for expiration of access token .
Hence, there is no certainty when the access token will be expired and it can be at anytime. The conventional solution is by using offline_permision which will be deprecated by FB soon.
Here is what I'm trying to achieve:
Once the access token expired, and while when user is using our facebook app, I want FB to notifies me.
Once receiving notification, renew the access token.
I don't think the following achieves what I want.
FB.Event.subscribe('auth.authResponseChange', function(response) {
alert('The status of the session is: ' + response.status);
});
Hence, is there any way to have notification from FB when the access token is expired ?
When you try to access the API with an expired token, Facebook will send back an error message. You just check for that error in your callback function that handles the Facebook response, and if an error exists, refresh the token and try the API call again.
From Facebook:
Facebook doesn't notify you that a previously issued access token has become invalid. Unless you have persisted the expiry time passed to your application along with the access token, often the first your application knows that a given token has become invalid is when you attempt to make a request to the API.

Categories

Resources