I have two Facebook apps, 'A' and 'B', associated with domain_A and domain_B respectively; 'A' has activated the 'Stream post URL security' flag.

I need to post content to fanpage X using "facebook sdk 4.0 for php" from app 'B'. The problem is that the post only succeeds when A's 'Stream post URL security' flag is disabled; otherwise FacebookRequest throws an exception:

One or more of the given URLs is not allowed by the Stream post URL security app setting. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.

It makes no sense. Why does the Facebook API check this flag in app A?

I have double-checked the IDs and secret keys. Maybe A has a permanently open session, like Facebook users in browsers?

This is the code:

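use Facebook\FacebookSession;
use Facebook\FacebookRequest;
use Facebook\FacebookRequestException;

FacebookSession::setDefaultApplication($api_id_B, $api_secret_key_B);
FacebookSession::enableAppSecretProof(false);

// App session created with B's app id and secret
$session = FacebookSession::newAppSession($api_id_B, $api_secret_key_B);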

try {
    $post_id = (new FacebookRequest(
        $session,
        'POST',
        '/' . $fanpage_id_X . '/feed',
        array(
            'access_token'  => $fanpage_token_X,
            'message'       => $message_post,
            'link'          => $link_inside_domain_B,
            'caption'       => $caption_post,
            'name'          => $link_inside_domain_B,
            'description'   => $description_post,
            'published'     => true )
        )
    )->execute()->getGraphObject()->asArray();
    echo 'post shared!';
} catch (FacebookRequestException $e) {
    echo 'ERROR! ' . $e->getMessage();
} catch (Exception $e) {
    echo 'ERROR! ' . $e->getMessage();
}

Any help will be appreciated, thanks.

vladiastudillo
  • What app is $fanpage_token_X from? May I guess app A? – WizKid Jan 15 '16 at 21:48
  • If you’re not sure, paste it into https://developers.facebook.com/tools/debug – CBroe Jan 15 '16 at 22:39
  • @WizKid you're right, man... $fanpage_token_X was generated for A (suicide emoticon here <---)... but that makes even less sense to me: why does the FB API let me post from an unauthorized app? Thanks bro. – vladiastudillo Jan 15 '16 at 22:46
  • What do you mean post from an unauthorized app? – WizKid Jan 15 '16 at 23:20
  • I used the access token debugger as @CBroe suggested with $fanpage_token_X, and this was the result: App ID: 123 A; Profile ID: 456 $fanpage_X; User ID: 789 C (user FB admin who creates A, B); Issued: 987 (about n months ago); Expires: Never ... so, it could be: (a) some kind of impersonation inside session B to use A's token because both share the same User ID? (b) any app could use any token and the FB SDK will apply the token's app policies? (c) or ...? – vladiastudillo Jan 16 '16 at 05:42

1 Answer

@WizKid was right: the real problem turned out to be that $fanpage_token_X was actually generated for A, so its policies were applied, even though B initiated the session.

vladiastudillo
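The answer above comes down to the page token being bound to the app that issued it. As an added example (not part of the original post or of the SDK), the check below compares the `app_id` and `profile_id` fields of a Graph API `/debug_token` response with the app and page you intend to post as, before any request is sent. The function name `checkTokenBinding`, the app id `999` used for B, and the embedded response are assumptions constructed from the debugger values quoted in the comments.

```php
<?php
// Added example: hypothetical helper and constructed sample data.

/**
 * Check that a token belongs to the app and page we are about to post with.
 * $debug is the "data" object of a /debug_token response.
 * Returns a list of problems; an empty list means the binding matches.
 */
function checkTokenBinding(array $debug, string $expectedAppId, string $expectedPageId): array
{
    $problems = [];

    if (empty($debug['is_valid'])) {
        $problems[] = 'token is not valid';
    }

    // The token carries the policies of the app that issued it,
    // regardless of which app opened the session.
    $appId = (string) ($debug['app_id'] ?? '');
    if ($appId !== $expectedAppId) {
        $problems[] = "token was issued to app '$appId', expected '$expectedAppId'";
    }

    // Page tokens report the page they act for in profile_id.
    $pageId = (string) ($debug['profile_id'] ?? '');
    if ($pageId !== $expectedPageId) {
        $problems[] = "token acts for profile '$pageId', expected '$expectedPageId'";
    }

    return $problems;
}

// Constructed response mirroring the debugger output quoted in the comments:
// App ID 123 (app A), Profile ID 456 (fanpage X), User ID 789, never expires.
$response = json_decode(
    '{"data":{"app_id":"123","profile_id":"456","user_id":"789","is_valid":true,"expires_at":0}}',
    true
);

// '999' stands in for app B's id (constructed; the page does not give it).
$problems = checkTokenBinding($response['data'], '999', '456');

foreach ($problems as $problem) {
    echo 'Refusing to post: ' . $problem . PHP_EOL;
}
```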