jaredhanson / passport-facebook

Facebook authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-facebook/?utm_source=github&utm_medium=referral&utm_campaign=passport-facebook&utm_content=about
MIT License

Heads up: api v2.8 possible breaking change, authorizationURL needs updating #198

Closed chanon closed 5 years ago

chanon commented 7 years ago

I set up a new "Facebook app" for login with Facebook for my site today. The app got minimum API as v2.8. I didn't notice at first, and using my old passport code that worked perfectly in a previous project caused an error on the Facebook page.

I wasted hours trying to change a lot of options including the profileURL and tokenURL but it still didn't work.

Turns out that I had to also set authorizationURL to https://www.facebook.com/v2.8/dialog/oauth too! (I saw this URL from https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/)

This is related to: https://github.com/jaredhanson/passport-facebook/issues/180 and https://github.com/jaredhanson/passport-facebook/pull/181, but that covers only the profileURL and tokenURL.

I suggest updating the defaults to v2.8 and possibly adding a 'facebookAPIVersion' option which will select the correct URLs according to the API version specified.

And/or at least the requirement and ability of setting the profileURL, tokenURL and authorizationURL should be documented in the README.

andreassemborg commented 7 years ago

+1

fiznool commented 7 years ago

Thanks for the write-up @chanon - I added a PR which covers off most of your points.

davemaloney commented 7 years ago

+1

For current users that have v2.8 apps before this PR can be merged, this issue seems to be fixable by updating the strategy configuration to include profileURL, authorizationURL, and tokenURL, but it's not easy to find out that's what you're supposed to do.

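const passport = require('passport');
const FacebookStrategy = require('passport-facebook').Strategy;

// FACEBOOK_APP_ID, FACEBOOK_APP_SECRET and User are defined by the application.
// All three endpoint URLs are pinned to the same API version (v2.8).
passport.use(new FacebookStrategy({
    clientID: FACEBOOK_APP_ID,
    clientSecret: FACEBOOK_APP_SECRET,
    callbackURL: "http://localhost:3000/auth/facebook/callback",
    profileURL: 'https://graph.facebook.com/v2.8/me',
    authorizationURL: 'https://www.facebook.com/v2.8/dialog/oauth',
    tokenURL: 'https://graph.facebook.com/v2.8/oauth/access_token'
  },
  // Verify callback: find or create the local user for this Facebook profile.
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ facebookId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));
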
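
The single-version option suggested earlier in this thread, sketched as an added example (not code from passport-facebook or from any commenter): one helper derives all three endpoint URLs from a validated version string, and a second audits an options object for the partial fix described above. The names `facebookEndpoints` and `auditEndpoints` are hypothetical, and the sample options object is constructed.

```javascript
// Hypothetical helpers for illustration; not part of passport-facebook.
const VERSION_RE = /^v\d+\.\d+$/;
const EXPECTED_HOST = {
  authorizationURL: 'www.facebook.com',
  tokenURL: 'graph.facebook.com',
  profileURL: 'graph.facebook.com'
};

// Derive all three endpoint options from one version string so they cannot drift apart.
function facebookEndpoints(version) {
  if (typeof version !== 'string' || !VERSION_RE.test(version)) {
    throw new TypeError('API version must look like "v2.8"');
  }
  return {
    authorizationURL: `https://www.facebook.com/${version}/dialog/oauth`,
    tokenURL: `https://graph.facebook.com/${version}/oauth/access_token`,
    profileURL: `https://graph.facebook.com/${version}/me`
  };
}

// List endpoint options that are unset, not https, on an unexpected host,
// or pinned to a different version than expected.
function auditEndpoints(options, expectedVersion) {
  const problems = [];
  for (const key of Object.keys(EXPECTED_HOST)) {
    if (typeof options[key] !== 'string') {
      problems.push(`${key}: not set, library default applies`);
      continue;
    }
    let url;
    try {
      url = new URL(options[key]);
    } catch (err) {
      problems.push(`${key}: not a valid URL`);
      continue;
    }
    if (url.protocol !== 'https:') problems.push(`${key}: must use https`);
    if (url.hostname !== EXPECTED_HOST[key]) problems.push(`${key}: unexpected host ${url.hostname}`);
    const segment = url.pathname.split('/')[1];
    if (segment !== expectedVersion) problems.push(`${key}: version "${segment}", expected "${expectedVersion}"`);
  }
  return problems;
}

// Constructed sample: profileURL and tokenURL pinned, authorizationURL forgotten.
const partialFix = {
  profileURL: 'https://graph.facebook.com/v2.8/me',
  tokenURL: 'https://graph.facebook.com/v2.8/oauth/access_token'
};
console.log(auditEndpoints(partialFix, 'v2.8'));
```

The object returned by `facebookEndpoints('v2.8')` can be spread into the strategy options next to `clientID`, `clientSecret` and `callbackURL`.
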
tiblu commented 5 years ago

@chanon There is 3.0.0 out, which uses API 3.2. Can we close this?