facebook graph api node.js invalid appsecret_proof

Question

this is my first post so please go easy on me!

I am a beginning developer working with javascript and node.js. I am trying to make a basic request from a node js file to facebook's graph API. I have signed up for their developer service using my facebook account, and I have installed the node package for FB found here (https://www.npmjs.com/package/fb). It looks official enough.

Everything seems to be working, except I am getting a response to my GET request with a message saying my appsecret_proof is invalid.

Here is the code I am using (be advised the sensitive info is just keyboard mashing).

let https = require("https");
var FB = require('fb');

FB.options({
    version: 'v2.11',
    appId: 484592542348233,
    appSecret: '389fa3ha3fukzf83a3r8a3f3aa3a3'
});


FB.setAccessToken('f8af89a3f98a3f89a3f87af8afnafmdasfasedfaskjefzev8zv9z390fz39fznabacbkcbalanaa3fla398fa3lfa3flka3flina3fk3anflka3fnalifn3laifnka3fnaelfafi3eifafnaifla3nfia3nfa3ifla');

console.log(FB.options());

FB.api('/me',
    'GET',
    {
        "fields": "id,name"
    },
    function (res) {
        if(!res || res.error) {
            console.log(!res ? 'error occurred' : res.error);
            return;
        }
        console.log(res);
        console.log(res.id);
        console.log(res.name);
    }
);

The error I am getting reads:

{ message: 'Invalid appsecret_proof provided in the API argument',
  type: 'GraphMethodException',
  code: 100,
  fbtrace_id: 'H3pDC0OPZdK' }

I have reset my appSecret and accessToken on the developer page and tried them immediately after resetting them. I get the same error, so I don't think that stale credentials are the issue. My

 console.log(FB.options()) 

returns an appropriate looking object that also contains a long hash for appSecretProof as expected. I have also tried this code with a number of version numbers in the options (v2.4, v2.5, v2.11, and without any version key). Facebook's documentation on this strikes me as somewhat unclear. I think I should be using v2.5 of the SDK (which the node package is meant to mimic) and making requests to v2.11 of the graph API, but ??? In any case, that wouldn't seem to explain the issue I'm having. I get a perfectly good response that says my appSecretProof is invalid when I don't specify any version number at all.

The node package for fb should be generating this appSecretProof for me, and it looks like it is doing that. My other info and syntax all seem correct according to the package documentation. What am I missing here? Thank you all so much in advance.

Answer 1

looks like you have required the appsecret_proof for 2 factor authorization in the advance setting in your app.

Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client. An access token can also be stolen by malicious software on a person's computer or a man in the middle attack. Then that access token can be used from an entirely different system that's not the client and not your server, generating spam or stealing data.

You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers. If you're using the official PHP SDK, the appsecret_proof parameter is automatically added.

Please refer the below url to generate the valid appsecret_proof,and add it to each api call

https://developers.facebook.com/docs/graph-api/securing-requests

Answer 2

I had to deal with the same issue while working with passport-facebook-token, I finally released that the problem had nothing to have with the logic of my codebase or the app configuration.

I had this error just because I was adding intentionally an authorization Header to the request. so if you are using postman or some other http client just make sure that the request does not contain any authorization Header.