3

I'm using Facebook's Javascript SDK, but it's returning the error:

API calls from the server require an appsecret_proof argument

I'm familiar with why it would return this error server-side through PHP - but this is client-side JavaScript, and I can't see why it would ever return this error.

Stripped-down code as follows:

    window.fbAsyncInit = function () {
        FB.init({
            appId: 'MY_APP_ID', // placeholder for the real app id
            xfbml: true,
            version: 'v2.2'
        });
    };

    // Load the Facebook JavaScript SDK asynchronously
    (function (d, s, id) {
        var js, fjs = d.getElementsByTagName(s)[0];
        if (d.getElementById(id)) {
            return;
        }
        js = d.createElement(s);
        js.id = id;
        js.src = "//connect.facebook.net/en_US/sdk.js";
        fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));

    FB.login(function (res) {
        if (res.authResponse) {
            if (res.authResponse.grantedScopes.indexOf("manage_pages") >= 0) {
                FB.api('/me/accounts', function (res) {
                    if (res && !res.error) {
                        /*
                         * Should show pages available for
                         * the facebook user to manage ...
                         * (code removed)
                         */
                    }
                    else {
                        /*
                         * Instead, shows "API calls from the
                         * server require an appsecret_proof
                         * argument" error here
                         */
                        console.log("Error /me/accounts: " + JSON.stringify(res.error));
                    }
                });
            }
        }
    });

This works fine if I turn off the 'App Secret Proof for Server API calls' in the Facebook App settings, but for security reasons I want this on.

This shouldn't fail through a javascript call - it's a client-side API call, not a server API call that the error message describes it as.

Is this a bug with Facebook, or something I'm missing somewhere?

takanomi

1 Answer

0

As of February 2018, the issue (or a very similar one) seems to have reappeared. There's a bug report for this:

https://developers.facebook.com/bugs/1597942793626594/

That is, for an application with Require App Secret enabled, it seems that one cannot perform API calls from Javascript without passing the appsecret_proof - at the moment of writing.


Other notes:

Excerpt from docs:

When this is enabled, we will only allow API calls that either include appsecret_proof or are made from the same device the token was issued to.

However, in the application Settings > Advanced > Security > Require App Secret the description is as follows:

Only allow calls from a server and require app secret or app secret proof for all API calls.

Related bug reports: October 2016, February 2015.

Related SO post: API calls from the server require an appsecret_proof argument.

turdus-merula
  • 2
    So after July 18, 2019, when 2.09 reaches its end of life, and 2.10 will be enforced - which requires the app secret proof - the JavaScript SDK will be useless. In the bug report you linked they just said an hour ago that this is "broken as intended". I have no idea what Facebook is doing at the moment, but everything seems to be falling apart. – nickdnk Apr 19 '18 at 19:14
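
With Require App Secret left on, the usual arrangement is for the browser to hand its user token to your own backend, which adds `appsecret_proof` and makes the Graph call, so the app secret never reaches the client. The sketch below is an added example, not code from the question or the answer; it runs on Node.js 18+, and the function names and the `FB_APP_SECRET` environment variable are assumptions made for illustration.

```javascript
// Added example (server-side Node.js). Function names and FB_APP_SECRET are hypothetical.
const crypto = require('crypto');

// appsecret_proof is the hex-encoded HMAC-SHA256 of the access token,
// keyed with the app secret. The secret must only ever exist on the server.
function appSecretProof(accessToken, appSecret) {
  return crypto.createHmac('sha256', appSecret).update(accessToken).digest('hex');
}

// Build the Graph API URL the backend requests on the user's behalf.
// The version defaults to the one used in the question.
function graphUrl(path, accessToken, appSecret, version = 'v2.2') {
  if (typeof path !== 'string' || !path.startsWith('/')) {
    throw new Error('path must start with "/"');
  }
  const url = new URL(`https://graph.facebook.com/${version}${path}`);
  url.searchParams.set('access_token', accessToken);
  url.searchParams.set('appsecret_proof', appSecretProof(accessToken, appSecret));
  return url.toString();
}

// Backend replacement for the client-side FB.api('/me/accounts') call.
// userAccessToken is the token the browser obtained from FB.login and
// sent to this server over HTTPS.
async function listManagedPages(userAccessToken, appSecret = process.env.FB_APP_SECRET) {
  if (!appSecret) {
    throw new Error('FB_APP_SECRET is not configured');
  }
  const res = await fetch(graphUrl('/me/accounts', userAccessToken, appSecret));
  const body = await res.json();
  if (body.error) {
    throw new Error('Graph error: ' + body.error.message);
  }
  return body.data; // pages the user can manage
}
```

The proof is bound to one access token, so it has to be recomputed whenever the token changes.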