Question

I'm implementing Facebook login in my web project, using jQuery. Everything is fine, yet I'm worried about the possible hacks people can try, as everything is visible in Firebug. I mean, anyone can see what URLs are being accessed in response to Facebook requests; data is readily available, the app_id being embedded in the JS file itself. So I assume I might have been doing things wrongly, and so here I am, to get clear about that. As per my knowledge, the process of Facebook login works as below:

-> User clicks on 'FB Login'
-> Request goes to FB with App ID
-> FB cross-checks the app credentials
-> Once authorised, it checks the user's credentials
-> Asks the user to log in if he/she isn't logged in
-> Returns the data requested by the app for the user
-> Calls the callback function, and that's where we come back into the scene.

In the above procedure, what's confusing me is: if a user can see what data is being passed to what URL in the last step, couldn't he simply call a fake script to that URL and log in maliciously? I know there is an access_token, but I'm confused about how to use that access token (or anything else, out of my knowledge) at the backend to ensure that the incoming request is coming only from the callback function on success of Facebook login. Thanks in advance.

No correct solution

OTHER TIPS

My personal approach is to use the PHP SDK to check again if the user is logged in: https://github.com/facebook/facebook-php-sdk

You can just add the Facebook ID of the user to an AJAX call and check server-side, at the beginning of your script, that the user is the correct one:

require 'facebook-php-sdk/src/facebook.php';

$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_ID',
  'secret' => 'YOUR_APP_SECRET',
));

// Get the User ID the SDK derives from the signed request / fbsr_ cookie
// (0 when nobody is logged in)
$user = $facebook->getUser();

// Cast both sides before comparing: getUser() may return an int while
// $_GET['fbid'] is always a string, so a bare === would never match
if ($user && isset($_GET['fbid']) && (string) $user === (string) $_GET['fbid']) {
  ...
}
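The check above is only as trustworthy as getUser() itself, which takes the user id from a signed_request that Facebook signs with the app secret (the JS SDK stores it in the fbsr_<app_id> cookie). As an added example, not part of the answer or of the PHP SDK, here is that verification done by hand; the secret and the request are constructed values:

```php
<?php
// Added example: verify a Facebook signed_request server-side before trusting
// its user_id. $appSecret and the sample request below are constructed.

function base64UrlDecode(string $input): string {
    // Facebook uses the URL-safe alphabet without padding
    return base64_decode(strtr($input, '-_', '+/'));
}

function base64UrlEncode(string $input): string {
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

// Returns the decoded payload, or null when the signature does not verify.
function parseSignedRequest(string $signedRequest, string $appSecret): ?array {
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $payload] = $parts;
    $sig  = base64UrlDecode($encodedSig);
    $data = json_decode(base64UrlDecode($payload), true);
    if (!is_array($data) || ($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The HMAC covers the still-encoded payload string, keyed with the app secret
    $expected = hash_hmac('sha256', $payload, $appSecret, true);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    // A production check would also reject stale issued_at values here
    return $data;
}

// Constructed demo: build a request the way Facebook would, then check it
$appSecret = 'EXAMPLE_APP_SECRET'; // placeholder; the real secret stays server-side
$claims  = ['algorithm' => 'HMAC-SHA256', 'user_id' => '100001234', 'issued_at' => 1400000000];
$payload = base64UrlEncode(json_encode($claims));
$good    = base64UrlEncode(hash_hmac('sha256', $payload, $appSecret, true)) . '.' . $payload;

// The same signature attached to a payload with a swapped user_id must fail
$forged  = ['algorithm' => 'HMAC-SHA256', 'user_id' => '999', 'issued_at' => 1400000000];
$tampered = explode('.', $good)[0] . '.' . base64UrlEncode(json_encode($forged));

echo parseSignedRequest($good, $appSecret)     ? "genuine request\n" : "rejected\n";
echo parseSignedRequest($tampered, $appSecret) ? "genuine request\n" : "rejected\n";
```

Only the id recovered this way should be compared against the fbid sent with the AJAX call; an id that arrives unsigned from the browser proves nothing.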
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow