Platform Update: Re-Authentication, Raised App Tester Capp

Today’s Platform Update from the Facebook Developers Blog explains a new security function for apps that allows them to ask users to re-authenticate by re-entering their password, which can be especially helpful for commerce apps. Facebook has also raised the API-created application tester limit to 500 and now allows developers to reset a tester’s password via the API. These changes make Facebook applications a safer place to transmit sensitive data, and make development on the Platform simpler.

In some cases, developers may want verify a user’s identity before they take an important action, such as making a purchase or changing their settings. This helps developers avoid customer service or billing issues stemming from unauthorized actions that may have occurred because a user’s session was hijacked either in person by someone on a shared computer, or by a hacker. It can also ensure parents aren’t charged because their kids sat down at the computer and started randomly clicking.

Now developers can add additional re-authentication parameters to an authentication request through the dialogs or Graph API OAuth system. Under auth_type the can include https to require a password to be reentered if a secure cookie isn’t detected, or reauthenticate to unconditionally require a password to be entered. Facebook encourages developers taking advantage of the re-authentication feature to protect themselves from replay attacks by adding auth_nonce, which “specifies an app-generated alphanumeric nonce” or cryptographic cookie.

In November 2010, Facebook implemented an API-controlled application tester system so developers wouldn’t have to create fake accounts that violated the site’s terms of service in order to test their apps. Developers could only create 50 testers per app, through. Facebook has now raised this cap to 500.

Facebook recently added a test user’s email and password to the response sent when they’re created to augment the  id, access_token, and login_url already included in the response. In case developers need a tester’s password, or need to change it, they can now reset the password via the Graph API. This will alleviate the need to meticulously copy down the passwords received when testers are created.

To change a tester’s password, developers can follow the sample code provided by Facebook:

  $new_password = "YOUR_NEW_PASSWORD";

  $graph_url = "https://graph.facebook.com/" . $obj->{'id'}
    . "?password=" . $new_password . "&method=post&" . $app_access_token;

  $response = file_get_contents($graph_url);
  if($response) {
    echo "Password changed successfully.";
  }