User can still access the app after removing it from their Facebook app settings

Time: 2015-08-01 01:41:33

Tags: ios swift facebook-login facebook-sdk-4.0

I have an app that uses both Parse and the FacebookSDK. The problem I am running into is that users can still get into my app even after they go into the app settings of their Facebook account and remove my app's access to their Facebook data.

So:
1: A new user does a fresh install
2: The user signs up through Facebook login and gets into the app
3: The user goes to Facebook.com > App Settings > removes my app
4: Back on the iPhone, the user closes the app, reopens it and is let in again

This is where I check the user's current state; if they hold a currentAccessToken they are let in:

override func viewDidLoad() {
    super.viewDidLoad()

    // A cached token is treated as "logged in"
    if FBSDKAccessToken.currentAccessToken() != nil{
        moveToNextView() //Segue to next viewController
    }
}

My AppDelegate.swift

import UIKit
import Parse
import ParseFacebookUtilsV4 // PFFacebookUtils
import FBSDKCoreKit         // FBSDKProfile, FBSDKApplicationDelegate

@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?

    func application(application: UIApplication, didFinishLaunchingWithOptions launchOptions: [NSObject : AnyObject]?) -> Bool {

        Parse.setApplicationId("ID", clientKey:"KEY")
        PFFacebookUtils.initializeFacebookWithApplicationLaunchOptions(launchOptions)
        FBSDKProfile.enableUpdatesOnAccessTokenChange(true)


        return FBSDKApplicationDelegate.sharedInstance().application(application, didFinishLaunchingWithOptions: launchOptions)
    }


    func application(application: UIApplication, openURL url: NSURL, sourceApplication: String?, annotation: AnyObject?) -> Bool {
        return FBSDKApplicationDelegate.sharedInstance().application(application, openURL: url, sourceApplication: sourceApplication, annotation: annotation)
    }
}

I am guessing the currentAccessToken is cached somewhere in the app or on the device, but I am not sure how to clear/refresh that cache.

1 Answer:

Answer 0: (score: 0)

I found a way to solve this. It is not as straightforward as one might think. Through the Facebook developer console you can set a Deauthorize Callback URL, which can be found here

  1. Select your app in the Facebook developer dashboard
  2. Click Facebook Login in the side menu
  3. Click Settings
  4. There you can provide a Deauthorize Callback URL

Whenever someone removes your app from Facebook, it generates a POST to your callback URL with a signed_request parameter. You can parse the signed request to retrieve the user's Facebook id. Once you have the user's Facebook id you can update their record in your database, which you can check on their next login.

Here is an example in PHP of how to handle the deauthorize callback

<?php

// Facebook strips the '=' padding from its base64url strings; restore it.
function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
}

function parse_signed_request($signed_request) {
  $secret = "appsecret"; // Use your app secret here

  $parts = explode('.', $signed_request, 2);
  if (count($parts) !== 2) {
    error_log('Malformed signed_request');
    return null;
  }
  list($encoded_sig, $payload) = $parts;

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // only accept the algorithm we are about to compute
  if (!is_array($data) || !isset($data['algorithm'])
      || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
    error_log('Unknown algorithm. Expected HMAC-SHA256');
    return null;
  }

  // confirm the signature (constant-time comparison, PHP >= 5.6)
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if (!hash_equals($expected_sig, $sig)) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

if (!isset($_POST['signed_request'])) {
  http_response_code(400);
  exit;
}

$data = parse_signed_request($_POST['signed_request']);
if ($data === null || empty($data['user_id'])) {
  http_response_code(400); // forged, tampered or malformed: change nothing
  exit;
}
$user_id = $data['user_id'];

//now use the user_id to look up your user in your database
//update a field called deauthorized to true so that you
//can check this value upon next login

?>

Now, the next time you check the access token, add a check against your database to see whether the user has removed the app.

- (void)viewDidLoad
{
  [super viewDidLoad];
  if ([FBSDKAccessToken currentAccessToken]) {
     // User is logged in, but they may have
     // removed the app so we have to check our 
     // db using a REST API call to see if is deauthorized

     // If the user has deauthorized then log them out
     // send them back to the login/signup page
     // if not, carry on as usual

     //also don't forget to set the deauthorized value to 0
     //whenever a user successfully logs into facebook

  }
}

Hope this helps someone down the road.
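The mechanism the answer describes, as an added example that is not part of the original question or answer: a server-side verifier for the deauthorize-callback signed_request (base64url signature and payload, HMAC-SHA256 over the encoded payload, algorithm field checked, constant-time comparison), plus the "deauthorized" flag that the app must consult before trusting a cached FBSDKAccessToken. The app secret, user ids, the in-memory USERS store and make_signed_request (which builds a request the way Facebook's server would, so the verifier can be exercised offline) are all constructed placeholders, not Facebook's code.

```python
"""Added example: verify a Facebook deauthorize callback and gate cached logins on it."""
import base64
import hashlib
import hmac
import json

APP_SECRET = b"example-app-secret"  # constructed placeholder; load a real secret from config


def _b64url_decode(s: str) -> bytes:
    # Facebook strips the '=' padding; restore it before decoding.
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, secret: bytes = APP_SECRET):
    """Return the decoded payload dict, or None if the request is malformed or forged."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON, or no '.' separator
        return None
    # Only accept the algorithm we compute; the payload must not pick a weaker one.
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the *encoded* payload string, exactly as received.
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak the expected MAC.
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_signed_request(payload: dict, secret: bytes = APP_SECRET) -> str:
    """Constructed stand-in for Facebook's server: sign a payload the same way it would."""
    encoded_payload = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{encoded_payload}"


# Stand-in for the users table (constructed): facebook user_id -> {"deauthorized": bool}
USERS: dict = {}


def handle_deauthorize_callback(form: dict) -> bool:
    """Handle the POST Facebook sends on app removal. Returns True if a user was flagged."""
    data = parse_signed_request(form.get("signed_request", ""))
    if data is None or not data.get("user_id"):
        return False  # forged, tampered or malformed: change nothing
    USERS.setdefault(str(data["user_id"]), {})["deauthorized"] = True
    return True


def may_enter_with_cached_token(user_id: str) -> bool:
    """The server-side check the app performs when it finds a cached FBSDKAccessToken."""
    return not USERS.get(user_id, {}).get("deauthorized", False)


def record_fresh_login(user_id: str) -> None:
    """Clear the flag after a successful fresh Facebook login."""
    USERS.setdefault(user_id, {})["deauthorized"] = False


if __name__ == "__main__":
    record_fresh_login("10001")
    req = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "10001"})
    print("before callback:", may_enter_with_cached_token("10001"))
    print("callback accepted:", handle_deauthorize_callback({"signed_request": req}))
    print("after callback:", may_enter_with_cached_token("10001"))
```

The client-side check in the answer's viewDidLoad maps onto may_enter_with_cached_token: a cached token only gets the user in if the server has not flagged the account since. Anyone who can reach the callback URL can POST to it, so the signature check, not the URL's obscurity, is what stops a third party from locking users out or unflagging them.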