JS SDK apprequest security
https://stackoverflow.com/questions/8213195
-
05-03-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian質問
To invite friend to my app, as far as I know, the only way is to use JS SDK, with FB.ui and apprequests dialog. Thats fine.
Lets think about scenario - my FB game allows user to invite their friends and grant them (the friends) with some item. Based of level, name, random, whatever. There is data parameter I can use while calling the dialog. It looks like the place where I can store information about what kind of item is to be given. But..what stops users from tampering with this data? Of course, I can try some cryptographic and so on, but still, its variable fully visible to user. Am I missing something? How given scenario can be solved in secure way?
解決
You could set a code as the parameter to be sent, which you save on your server/database against that specific user. Then when the request is redeemed, check that the user has that code assigned to them. If they don't, you know it has been tampered.
他のヒント
@Abby is correct - store your request data in your database - the apprequest feature of the JS SDK has a callback containing information about the invite - store this and cross-reference the data when the user accepts the invite. The user might be able to tamper with the data on the Javascript level - but (I hope) he cant tamper with the data in your database. :)
