4

I am implementing facebook data deletion callback but I got really lost and i can't continue on the JSON response that facebook is expecting.

  • Return a JSON response that contains a URL where the user can check the status of their deletion request and an alphanumeric confirmation code. The JSON response has the following form:

{ url: '<url>', confirmation_code: '<code>' }

that is the part that I got lost and stuck. My question is

  1. what is the URL should do or show.
  2. what is the logic between the confirmation code

so far here is what I did on my controller.

<?php

namespace App\Http\Controllers\User\Auth\Socialite;

use App\Models\User;
use Illuminate\Http\Request;

class FacebookSocialLoginController extends SocialLoginFactory
{

    public function provider(): string
    {
        return 'facebook';
    }

    public function dataDeletionCallback(Request $request)
    {
        $signed_request = $request->get('signed_request');
        $data = $this->parse_signed_request($signed_request);
        $user_id = $data['user_id'];

        // here will delete the user base on the user_id from facebook
        User::where([
            ['provider' => 'facebook'],
            ['provider_id' => $user_id]
        ])->forceDelete();

        // here will check if the user is deleted
        $isDeleted = User::withTrashed()->where([
            ['provider' => 'facebook'],
            ['provider_id' => $user_id]
        ])->find();

        if ($isDeleted ===null) {
            return response()->json([
                'url' => '', // <------ i dont know what to put on this or what should it do
                'code' => '', // <------ i dont know what is the logic of this code
            ]);
        }

        return response()->json([
            'message' => 'operation not successful'
        ], 500);
    }

    private function parse_signed_request($signed_request) {
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);

        $secret = config('service.facebook.client_secret'); // Use your app secret here

        // decode the data
        $sig = $this->base64_url_decode($encoded_sig);
        $data = json_decode($this->base64_url_decode($payload), true);

        // confirm the signature
        $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
        if ($sig !== $expected_sig) {
            error_log('Bad Signed JSON signature!');
            return null;
        }

        return $data;
    }

    private function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_', '+/'));
    }
}
KevDev
  • 541
  • 2
  • 6
  • 20
  • 5
    Good question. I think many developers are going to want to know how to make Facebook's data-deletion feature in Laravel now that Facebook requires it. – Andrew Koper Apr 10 '21 at 02:32

1 Answers1

7
  1. what is the URL should do or show.

The purpose of this URL, is what the documentation said - to provide a way for the user, to check on the status of their deletion request.

Not all apps will be able to delete all personal user data immediately, the moment the user requests it.
Some might need to keep a subset of the data for legal reasons; others might simply need some extra processing time, because the process can not be handled in a totally automated matter, and a human needs to get involved.

So the user is given this status check URL in response to their request – so that they can go visit that URL tomorrow, or two weeks or six months from now, and check on the status of their deletion request - were you able to delete all data by now, will it still take some time, is there some data that won’t be deleted for legal reasons, etc.

  1. what is the logic between the confirmation code

Just a different way to access the same information. Maybe checking the status via the URL you provided is not enough for the user, so they might want to call or send an email to your support staff, to inquire about the status of their deletion request. Then they can give your support people that code, and they can go look up the necessary information via that.

If you check the code examples in the documentation, they are using the same code value in the status check URL, and as the confirmation code. So you can use the same code for both.
Create it, store it in your database, and associate the status of a particular user’s deletion request with that code.

CBroe
  • 91,630
  • 14
  • 92
  • 150