
After significant voodoo, I have finally got the scores API working. Turns out you have to set Enhanced Auth Dialog to disabled or Facebook ignores your publish_actions permission. Just a heads up in case anyone else is struggling.

However, I'm working entirely in the JavaScript API. No server-side scripting is available.

The only way to publish a score is with an app access token. The only way to get one of them is to use the app secret, and that would have to be in the JavaScript code for the world to see. How bad is that exactly?

TBH I don't care if someone spoofs the scores to my little pong-style games. Good for them, only them and their friends can see it. It's just a bit of fun. But what exactly can go wrong if my app secret is published? Can someone hijack the entire application? Or is it just bad practice and nothing much can go wrong with a little mini game?

It's all purely javascript SDK so it seems to work only by user access tokens, so my first instinct is it's OK. But I thought I'd ask....!

AshleysBrain

  • As far as I know, the worst that happens is spoofing scores or posting stuff on a wall associated with your app, and similar things. But I'm not 100% certain, so this is a comment. – thedaian Oct 21 '11 at 14:32
  • I don't believe there are any risks associated with exposing the app secret in your source, but I'm not sure why you need to use the secret to retrieve the access token. Won't the following work as a means of retrieving the access token? `` – Chaney Blu Oct 21 '11 at 16:19
  • @Chaney Blu: I think that's just the user access token. You can't post a score to the scores API with a user access token, you need an app access token which is different. – AshleysBrain Oct 21 '11 at 17:49
  • That would explain it. Thanks for the clarification! – Chaney Blu Oct 21 '11 at 18:20
  • I'm having this *exact* same issue. This was quite a pain huh? – Ralphleon Oct 27 '11 at 20:00

1 Answer

What other permissions are you using? If you're using "publish_stream" I'm sure you could imagine the shenanigans that could ensue! Even worse, if the user has both your public and private key (which they will), they could create an entire spoof application that identifies itself as you!

The "domain" options in facebook should prevent this, but if there's any chance an attacker could do an XSS attack they could potentially write malicious apps that masquerade as your game.

Have you considered writing something very simple with google app engine for the sole purpose of dealing with the app authentication token?

Ralphleon
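The server-side component the answer suggests, as an added example (not code from this thread, from Facebook's SDK or from any App Engine project): a small Node "score proxy" that is the only place the app secret exists. The browser sends just the user's access token and the score; the server builds the app access token, asks Facebook whether the user token is genuine and issued to this app, and only then publishes the score under the user id Facebook reports. The Graph API paths and fields used (`/debug_token` with `input_token`, `POST /{user-id}/scores` with `score`, and the `app_id|app_secret` token form) are as Facebook documented them at the time of the thread; the app id, secret, tokens and the `httpJson`/`fakeGraphApi` helpers are placeholders constructed for this example so it runs offline.

```javascript
// Added example: server-side score proxy that keeps the Facebook app secret
// off the client. APP_ID / APP_SECRET are placeholders (assumption), and the
// HTTP layer is injected so the module can be exercised without network access.

const APP_ID = '123456789';                 // assumption: placeholder app id
const APP_SECRET = 'keep-me-on-the-server'; // assumption: placeholder secret

// Facebook documents the app access token as "app_id|app_secret".
function appAccessToken(appId, appSecret) {
  return `${appId}|${appSecret}`;
}

// httpJson(method, url, params) -> Promise<parsed JSON body>. Injected so the
// proxy can run offline; a real deployment would wrap fetch() or https.request.
function createScoreProxy({ appId, appSecret, httpJson,
                            graphBase = 'https://graph.facebook.com' }) {
  const appToken = appAccessToken(appId, appSecret);

  // Ask Facebook whether the user token is valid, which app it was issued to
  // and which user it belongs to. The user id comes from Facebook, never from
  // the request body, so a client cannot post a score on someone else's behalf.
  async function verifyUserToken(userToken) {
    const res = await httpJson('GET', `${graphBase}/debug_token`, {
      input_token: userToken,
      access_token: appToken,
    });
    const d = res && res.data;
    if (!d || d.is_valid !== true) throw new Error('user token is not valid');
    if (String(d.app_id) !== String(appId)) throw new Error('token was issued to a different app');
    if (d.user_id === undefined) throw new Error('token carries no user id');
    return String(d.user_id);
  }

  // The one call that needs the app token; the token never reaches the browser.
  async function publishScore(userToken, score) {
    if (!Number.isInteger(score) || score < 0) {
      throw new Error('score must be a non-negative integer');
    }
    const userId = await verifyUserToken(userToken);
    const res = await httpJson('POST', `${graphBase}/${userId}/scores`, {
      score,
      access_token: appToken,
    });
    return { userId, published: res === true || (res && res.success === true) };
  }

  return { publishScore };
}

// Constructed stand-in for the Graph API so the file runs offline. The tokens
// are made up: "good-token" belongs to user 42 of our app, "other-app-token"
// is a valid token for some other app, anything else is invalid.
function fakeGraphApi(calls) {
  return async (method, url, params) => {
    calls.push({ method, url, params });
    if (url.endsWith('/debug_token')) {
      const known = {
        'good-token': { is_valid: true, app_id: APP_ID, user_id: 42 },
        'other-app-token': { is_valid: true, app_id: '999', user_id: 7 },
      };
      return { data: known[params.input_token] || { is_valid: false } };
    }
    if (method === 'POST' && url.endsWith('/scores')) return true;
    throw new Error(`unexpected call ${method} ${url}`);
  };
}

// Exercise the proxy: one accepted publish, three rejected ones. Returns a
// summary so the outcome can be checked programmatically.
async function runOfflineDemo() {
  const calls = [];
  const proxy = createScoreProxy({ appId: APP_ID, appSecret: APP_SECRET,
                                   httpJson: fakeGraphApi(calls) });
  const ok = await proxy.publishScore('good-token', 1500);
  const failures = [];
  for (const [token, score] of [['other-app-token', 10], ['forged', 10], ['good-token', -1]]) {
    try { await proxy.publishScore(token, score); failures.push(null); }
    catch (e) { failures.push(e.message); }
  }
  const post = calls.find(c => c.method === 'POST');
  return { ok, failures, postedScore: post.params.score, postAccessToken: post.params.access_token };
}

runOfflineDemo().then(r => console.log(JSON.stringify(r, null, 2)));
```

The important property is in `verifyUserToken`: the proxy does not trust anything the client says about who it is. It also checks `app_id`, because a user token that is valid for some other application would otherwise let that application's users (or its operator) write scores into your game. What remains possible, as the comments note, is a legitimate user of your own game submitting any score they like; the proxy only stops people from acting as you or as another user.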