Closed diegohaz closed 7 years ago
Currently, we are accepting any Facebook `access_token` to authenticate the user, even if the `access_token` didn't originate from our Facebook App.

This PR adds one more layer of security while authenticating through Facebook by sending an `appsecret_proof` to the Facebook Graph API.

The downside is we need to add two more environment variables: `FB_APP_SECRET` and `FB_APP_SECRET_DEV` (the last one comes from the fb test app).