
Is It Insecure To Expose Facebook App Token In Client Side?

My site makes JS Facebook Graph API requests like

https://graph.facebook.com/v2.2?id=http://[URL]&format=json&access_token=[FB app id]|[FB app token]

to get the number of Facebook shares for each post. The app id is my Facebook app ID number and the app token is a long-lasting access token.

Both of these values are exposed on the client side, although my app secret is private and I generate the app token server-side.

Is this way of doing things insecure? Do I need to move these requests server-side and make my own endpoint to report the share count?

Facebook's documentation is a bit confusing. It says:

Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.

I'm not hard-coding the app access token, and I'm keeping my app secret hidden. But I am using the app token in client to server calls. Do I need to change this?


Answer

I think the docs (at https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens) are quite clear, and you quoted them as well:

Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.

I wonder how you say it's not hard-coded... If so, where does the app access token come from?

source: stackoverflow.com