
I'm using the Expo Facebook login on my React Native app. In my app they can create and join events, which is done via API calls to my Laravel backend. I need these API calls to be authenticated (so some random person can't submit requests on someone else's behalf), but I don't want them to have to log in twice. How can I ensure the person making API calls is who they say they are?

When they auth with Facebook they get their unique Facebook user ID, but I'm not sure if that is a secret they would only know after authenticating with FB or if anyone could get it. For my alpha version it's just sending their FB user ID with the request to ensure it's coming from the right person, but that seems really insecure because if anyone gets that ID they can forge requests.

One idea I had was to pass the auth token the React Native app got from Facebook to my API, and then on my server use that auth token to ensure it's really them. That just seems sort of complicated and it's hard to find a package that helps facilitate this, though.

It seems like this has to be a common problem. Any resources on how other apps handle this? Tinder, for example, must have this same problem.

Brynn Bateman
  • What do you _need_ to make the request from your server? Correct, the access token. So pass that. – CBroe Oct 18 '17 at 04:49
  • @CBroe, to clarify, my server doesn't *need* the access token. The React Native side of things pulls from Facebook's API to get name/email/profile photo and then sends that to my server. The access token would only be passed to my server so that my server could ensure that the person logged in on the React Native app was actually who they said they were. My question is mostly: "Is there a better way to do this than passing the access token and making a server-side check with it?" – Brynn Bateman Oct 18 '17 at 14:31
  • That is what Facebook recommends. – CBroe Oct 18 '17 at 14:58
  • Thanks @CBroe. I was having difficulty searching online for this since I don't know exactly what to call it. – Brynn Bateman Oct 18 '17 at 15:03
  • I found a [very similar question here](https://stackoverflow.com/questions/4623974/design-for-facebook-authentication-in-an-ios-app-that-also-accesses-a-secured-we?rq=1) that pretty much answers this. – Brynn Bateman Oct 18 '17 at 15:17
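The approach the comments converge on (the app sends the Facebook access token to the backend, and the backend asks Facebook whether it is genuine) as an added Laravel middleware example; this is not code from the question or from Expo/Facebook, and the middleware name, the `services.facebook.*` config keys and the use of a Bearer header are assumptions.

```php
<?php
// Added example, not part of the original question. Assumes a current Laravel
// release with the Http client, and config/services.php entries (hypothetical)
// 'facebook' => ['app_id' => env('FACEBOOK_APP_ID'), 'app_secret' => env('FACEBOOK_APP_SECRET')].

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class VerifyFacebookToken
{
    public function handle(Request $request, Closure $next)
    {
        // The app sends the token it got from Facebook login as "Authorization: Bearer <token>".
        $token = $request->bearerToken();
        if ($token === null) {
            return response()->json(['error' => 'missing token'], 401);
        }

        $appId     = (string) config('services.facebook.app_id');
        $appSecret = (string) config('services.facebook.app_secret');

        // Graph API debug_token: authenticated with the *app* token ("app-id|app-secret"),
        // it reports whether input_token is valid, unexpired, and which app and user it belongs to.
        $response = Http::get('https://graph.facebook.com/debug_token', [
            'input_token'  => $token,
            'access_token' => $appId . '|' . $appSecret,
        ]);
        $data = $response->json()['data'] ?? [];

        // Reject unless Facebook confirms the token AND it was issued for this app;
        // a valid token for some other Facebook app must not authenticate here.
        if (!$response->ok()
            || empty($data['is_valid'])
            || (string) ($data['app_id'] ?? '') !== $appId
            || empty($data['user_id'])) {
            return response()->json(['error' => 'invalid token'], 401);
        }

        // Bind the request to the user id Facebook vouched for, never to an id
        // the client put in the request body (that is what makes the alpha scheme forgeable).
        $request->attributes->set('facebook_user_id', (string) $data['user_id']);

        return $next($request);
    }
}
```

Register it on the API routes (e.g. as a route middleware alias) and have controllers read `$request->attributes->get('facebook_user_id')` to look up or create the local user; the id the React Native side sends for display purposes should not be trusted for authorization.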
