javascript - A proper approach to FB auth

Question

My project uses Node.js and Express, but the question is about generic approach.

Our users are all from FB and we don't have any auth other than FB. We need to associate some actions with specific FB users and also need their tokens to communicate with FB.

Currently we do it like that:

• user comes to the page
• there are invisible blocks: one with placeholders for user's avatar and name ('logged-in'), the other with button triggering FB login ('logged-out')
• using FB JS SDK we check user's login status. If connected (which actually means: logged into FB, authenticated our app and provided all the permissions we need), we get user's name and FB ID and show the 'logged-in' block. Otherwise the 'logged-out' block is shown
• for logged-in user on some actions user's access_token is passed to the server via AJAX (no worries, HTTPS here) and used by the server code for actions like posting to user's wall or whatever
• the FB login button is handled by JS and calls for FB.login()
• on JS authResponseChanged event obvious actions are taken (show/hide logged in/out blocks)

What's good: we always know that user's status is effective (token's TTL is more than normal page's lifetime, so we are good here).

What we don't like much: * client-side tokens are short-lived (yes, we can exchange them, but don't want to if we can find any alternative) * it normally takes several requests to FB (1 - load JS SDK, 2 - get login status) until we can show something. Till that the 'login' block of our site is empty.

What's the question?

We are looking for an optimal way to use some server-side code here and at least render user's name and avatar when we're sure the user is logged in.

I can imagine some scheme like this:

• use server-side auth (with redirects) to get the long-living token and persist it on the server
• save user's status (logged in / out, FB ID, name) in session
• if session has the logged in state, render name and avatar when processing templates on the server

Concerns:

• if the user logged our from FB or revoked App permission, how should we know it and when should we check for it (check every N requests? every X hours? check only when token is going to expire in Y hours?)
• if we alternatively check for user's status from the server before rendering any template (which is the case in an official example) this will slow things down, right? Cause I think FB API calls can be rather slow in hot hours.

Answer 1

Using the JS SDK is the only feasible way to know a user’s status in “real-time”. (“real time” in quotes, because the result of FB.getLoginStatus gets cached as well – if one wants it to be accurate at all times, one must use the second parameter set to true.)

If you have the JS SDK set up to set cookies under your domain, then the PHP SDK is able to determine the login status of the user without any API lookups over HTTP – it just reads the user ID from cookie, so Facebook::getUser() will get you the user ID. That would be enough to display the picture – but for the user name, that’ll still require an API request.

Here you could opt for requesting the name once – and then saving it into your session. If, on the next request, the JS SDK indicates that the user is not connected any more, you could erase the login info from the page and/or force a reload (and on that, clear the session), to return to the not logged in state.