
Situation: I am developing a Facebook canvas app. Facebook is sending my server a POST request with the signed_request each time that a page is rendered. Inside my app I have all my links with target="_top" because if I don't, Facebook sends my server a common GET without the signed request, so I can't check the user info.

Problem: It is too slow! Even when I am testing it locally, each click that I press takes 1 sec to render, and my canvas becomes completely white before the info is shown. It will be a bad user experience.

My tests: If I remove the target=_top and point all my links' href to my server without the app.facebook.com/whatever, it loads very quickly.

My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I cannot check the signed request; I will only check it in the main page.

Any advice? Any tutorial? Do I have any misunderstanding of this? (It is my first Facebook app.)

JDL

2 Answers

Have you read the Server-Side Authentication tutorial? You're doing it wrong.

Once the user lands in your app you should keep all links in the same frame; loading the entire window along with facebook is completely redundant.

What you should do:

When you get the POST with the signed request, decode it and check if the user is authenticated. If he is, persist the data (token and such) somewhere (session, db, cache). If he is not authenticated, send him to the auth dialog as noted in the tutorial; when he gets back, exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you'll be posted with the authenticated signed request, save it, etc.

Since you persist the data, in every request that is not POST or doesn't include the signed_request, check your persistence choice for the data, and use it.

There should be only two times when facebook sends you the request: once it is the POST when your canvas is loaded; the second is when the user returns from the authentication dialog, in which you either get the code parameter or an error in case the user declined the authentication. Other requests should be from your app (inside the iframe) to the app servers.

Nitzan Tomer
  • Hi Nitzan, sincerely I've read lots of docs but none about links between pages inside an iframe (not even a clear example). I'm using fandjango+facetools. I've "Read The Docs", and in the example of facetools they put the target=_top in all links of the app... it goes slow too. (And it is different from what you are saying.) Doubt: http(s)://apps.facebook.com/YOUR_APP -> server/main/; other pages: server/main/polls/, server/main/polls/1/results/. I check signed_request and do all the logic that you say in server/main/. What will happen if I go directly to apps.facebook.com/YOUR_APP/polls/? – JDL Mar 22 '12 at 00:25
  • I'm not familiar with either fandjango or facetools, but when inside an iframe your app should act as usual with no interaction with the parent facebook frame; the only ways you interact with facebook are using the js sdk or through server side api calls. – Nitzan Tomer Mar 22 '12 at 07:38

JDL,

I believe you are querying the Graph API at each request (and that's why you always need the signed_request). Is this right?

The Graph API is pretty slow (~1 second/query) and you should use it only when necessary. For example, when you first receive the access_token you should save it in your session and query the Graph API to retrieve the respective facebook user info. But then you should put the info you need about this user in your session and only refresh it (using the Graph API) when the signed_request access token is different from the one you have saved in your session.

The behavior of adding _top to the target of your links is ok and a good practice within facebook canvas.

barbolo
  • Hi barbolo, I'm only asking the Graph the first time that the user lands in my canvas (basic user info at the moment; in the future it'll change, I'll ask for more things). I'm using an app that abstracts all these things away from me. The main problem is that when I put target=_top all of facebook is reloaded and it takes time. I've a lot of links in my app (lots), BUT if I use normal links it goes really fast (I can still access the signed_request and user info in a cookie). Is it mandatory to do target=_top? Is there any security issue if I only process the POST signed_request in the main canvas access? – JDL Mar 22 '12 at 00:40
  • Ok, now it became clearer. The behavior you're seeing is completely normal. You can check several other apps that work exactly the same way (test, for example, Shopping Mall by Payvment). The main problem of not using target=_top is that the user will not be able to use the browser back button or to copy the current url of navigation. If this is not a problem for you, then you can avoid using target=_top – barbolo Mar 22 '12 at 14:58
  • Hi Barbolo! Thanks for your answer. Well... benefits in terms of speed are much bigger than back button + url, so I will use internal iframe references. Again Thanks! – JDL Mar 22 '12 at 16:02
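Here is an added Python example (not from either answer, nor from fandjango or facetools) of the flow both answers describe: verify the HMAC-SHA256 signature of the POSTed signed_request with the app secret before trusting its user_id, persist the token in the server-side session, serve later in-frame GETs (no signed_request) from that session, and hit the Graph API only when the token changes. The app secret and payload values are constructed for the demo, and make_signed_request is a test helper that mimics Facebook's encoding so the block runs offline.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(data):
    # Facebook strips '=' padding from its base64url strings; restore it.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_signed_request(signed_request, app_secret):
    """Verify a canvas signed_request; return its payload dict, or None on failure."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed base64 / JSON / missing separator
    if not isinstance(payload, dict) or payload.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    # Signature is over the raw (still-encoded) payload; compare in constant time.
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


def handle_canvas_request(signed_request, session, app_secret):
    """Decide what the server should do for one request, given the server-side session."""
    if signed_request is None:
        # In-frame navigation: no signed_request, so rely only on what we persisted.
        return "use_session" if "oauth_token" in session else "redirect_to_auth"
    payload = parse_signed_request(signed_request, app_secret)
    if payload is None:
        return "reject"  # forged or malformed: never trust a user_id from it
    if "oauth_token" not in payload:
        return "redirect_to_auth"  # user has not authorized the app yet
    if session.get("oauth_token") != payload["oauth_token"]:
        session["oauth_token"] = payload["oauth_token"]
        session["user_id"] = payload["user_id"]
        return "refresh_from_graph"  # token changed: query the Graph API once
    return "use_session"


def make_signed_request(payload, app_secret):
    """Constructed test helper that encodes a payload the way Facebook does."""
    payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
    sig = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode().rstrip("=") + "." + payload_b64
```

The session dict stands in for whatever server-side store the framework gives you; the point is that in-frame requests are tied to that store via the session cookie, never to a user_id carried in the URL.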