Search code examples
facebookfacebook-php-sdkaccess-token

Can I use the Facebook SDK to login automatically (using cron) and save the access token?

I want to store the full access token in my site. Is it possible to use the Facebook API and login with crontab every hour? If I can, can you point me to the documentation that talks about this?

require '../src/facebook.php';
$facebook = new Facebook(array(
  'appId'  => '13XXXXXXXXXX',
  'secret' => 'fbXXXXXXXXXXXXXXXXXXXXXXXXX',
));
$user = $facebook->getUser();
if ($user) {
  $logoutUrl = $facebook->getLogoutUrl();
  $access_token = $facebook->getAccessToken();
} else {
  $loginUrl = $facebook->getLoginUrl();
}
echo $access_token;

UPDATE:

My purpose is to provide a search box for the public so that everyone can search facebook without requiring a login.

I have tried 

https://graph.facebook.com/search?q=mark&type=user&access_token=1xxxxxxxxxxxxxx‌​|xxxxxxxxxxxxxxx&scope=publish_stream,offline_access,user_status,read_stream

But it returns an error "message": "A user access token is required to request this resource."

And I see someone has developed a site that does facebook search at http://www.fbsearch.us/q/mark/5

How does that work?

Solution

  • As an answer to your third revision...

    I've accomplished saving the user state by

    a) saving the last url into the user session context

    b) directing the login success form to a server script that will save the credentials into the same session context and then redirects the browser to the last url or default welcome page.

    The redirect url is attached to the oauth login dialog:

    $params = array(
  'scope' => 'read_stream, friends_likes',
  'redirect_uri' => 'https://www.myapp.com/post_login_page'
);

$loginUrl = $facebook->getLoginUrl($params);

    After the user authorizes your app, FB redirects the user back to the redirect_uri with the access token in the URI fragment:

    https://www.myapp.com/post_login_page?access_token=...

    excerpts from facebook-getLoginUrl and Authentication

    You may have to append YOUR_URL with the session id if it doesn't translate directly (likely because of crossing http/https/http).

    This way the user sees the least transition from the facebook login form an authenticated app page and can ignore the actual credentials.

    Be careful, methods like this may be compromised by XSS and other OWASP Top 10 Vulnerabilities