User:Google Web Toolkit
From Facebook Developer Wiki
Creating a Facebook Application Using Google Web Toolkit
Google Web Toolkit (GWT) is a great tool to develop rich and effective Web-based software. It's especially useful if you don't want to code in JavaScript and don't want to deal with HTML. However, it can be a little complicated to integrate it with other tools and libraries, or with writing a Facebook application. But it can be done.
This article describes the steps you need to follow to develop a Facebook application using GWT. These steps also apply to similar libraries like GWT-ext or GXT, which are built on top of GWT.
Render Canvas Pages in IFrames
Facebook applications developed in GWT must have their canvas pages rendered in an iframe. When configuring your application, choose IFrame as the Render Method on the Canvas tab. If you want to render XFBML in an iframe canvas, see Using HTML to Imitate XFBML.
Security and Authentication
When a user accesses your application through Facebook, Facebook (not the user) actually makes the request to your application. Facebook adds some POST parameters to that request. These parameters are described in Authorizing Applications. These parameters tell you which user is trying to connect and also give you some additional information. If these parameters don't exist in a request, then the request is not coming from Facebook servers. In this case, you should show that requester some other content, such as a redirect to a Facebook login page.
Important: A malicious user can try to attack your application by putting these parameters manually into their request, hoping to fool your application and make it believe that the request is coming from Facebook. Thus, you have to be very careful and check whether the parameters are valid. The parameters Facebook sends to you include a special parameter called fb_sig. This parameter carries an MD5 value so you can make a validity check. If this value is valid, you can be sure the request is coming from Facebook servers and is also valid. Thus, you can determine whether someone is trying to attack your application. See Validating Users and Their Login State for more information.
Getting Facebook Parameters
To get the values of the parameters Facebook sends to your application, use GWT's Window.Location class. For example:
Note: The values of these parameters are undefined if a user tries to access your application through Facebook, but is not logged into Facebook.
Validating Users and Their Login State
As described earlier, you need to verify whether a user request comes through Facebook. You can do this by using the part of your application's back-end that implements business logic. If you are using PHP on the back end, the following code shows you how to do it. Let's assume the name of the PHP file you're calling is fb.php.
- Get the query string that comes from a Facebook server.

    import com.google.gwt.user.client.Window.Location;

    String queryString = Location.getQueryString();
    // Strip the leading '?'; startsWith() is also safe when the query string is empty.
    if (queryString.startsWith("?")) {
        queryString = queryString.substring(1);
    }
    String url = "php/fb.php?action=validate&" + queryString;

- Make an AJAX call to the URL you just created. If you aren't familiar with how to make an AJAX call using GWT, please refer to the GWT documentation.
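- Take the request from your PHP file and validate it. Your PHP file should have content similar to the following:

    <?php
    $appsecret = '{YOUR APPLICATION SECRET KEY HERE}';

    if (isset($_REQUEST['action']) && $_REQUEST['action'] == "validate") {
        // Rebuild the signature base string from the sorted fb_sig_* parameters.
        $sig = '';
        ksort($_REQUEST);
        foreach ($_REQUEST as $key => $val) {
            if (substr($key, 0, 7) == 'fb_sig_') {
                $sig .= substr($key, 7) . "=" . $val;
            }
        }
        $sig .= $appsecret;
        $verify = md5($sig);

        // A missing fb_sig is invalid; hash_equals() avoids loose "0e..." matches and timing leaks.
        $received = isset($_REQUEST['fb_sig']) ? $_REQUEST['fb_sig'] : '';
        if (!is_string($received) || !hash_equals($verify, $received)) {
            // Request is not valid;
        } else {
            // Request is valid;
        }
    }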
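To see why this check stops the hand-crafted parameters described under Security and Authentication, the following added example (not part of the original wiki page) signs a constructed parameter set the way the validation code above expects, then verifies the genuine request, a copy with an altered user ID, and a copy with no signature. The function names fb_sig_compute() and fb_sig_verify(), the secret and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the original wiki page. The function names,
// the secret and every sample value below are constructed for this example.

// MD5 over the sorted fb_sig_* parameters (prefix stripped) followed by the secret.
function fb_sig_compute(array $params, string $secret): string {
    ksort($params);
    $base = '';
    foreach ($params as $key => $val) {
        if (is_string($val) && strncmp((string)$key, 'fb_sig_', 7) === 0) {
            $base .= substr($key, 7) . '=' . $val;
        }
    }
    return md5($base . $secret);
}

// True only when fb_sig is present, is a string and matches the recomputed value.
function fb_sig_verify(array $params, string $secret): bool {
    if (!isset($params['fb_sig']) || !is_string($params['fb_sig'])) {
        return false; // no usable signature: do not treat as a Facebook request
    }
    // hash_equals() is constant-time and never type-juggles "0e..." hex strings.
    return hash_equals(fb_sig_compute($params, $secret), $params['fb_sig']);
}

$secret = 'example-secret-not-a-real-key'; // constructed placeholder

$genuine = [
    'action'       => 'validate',         // own parameter: NOT covered by fb_sig
    'fb_sig_user'  => '1234567',
    'fb_sig_time'  => '1250000000.1234',
    'fb_sig_added' => '1',
];
$genuine['fb_sig'] = fb_sig_compute($genuine, $secret); // stands in for Facebook's signing

$tampered = $genuine;
$tampered['fb_sig_user'] = '7654321';     // requester swaps in another user ID

$unsigned = $genuine;
unset($unsigned['fb_sig']);               // parameters typed in by hand, no signature

foreach (['genuine' => $genuine, 'tampered' => $tampered, 'unsigned' => $unsigned] as $name => $req) {
    printf("%-9s %s\n", $name, fb_sig_verify($req, $secret) ? 'accepted' : 'rejected');
}
```

Only parameters with the fb_sig_ prefix are covered by the signature, so your own parameters such as action must still be validated separately.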
Making a Request to Facebook (Using PHP)
Once you obtain the necessary URLParameter values from Facebook and validate them, you can make queries, as in the following example.
Send your own parameters to your PHP files, in addition to the parameters Facebook sent, by making an AJAX call. Let's say your PHP file is called fb.php. To get the user's name, make a call to fb.php as in the following example.
In fb.php you need to have content similar to the following:
Accessing User Data
To access user data for your application, use FQL, specifically the user (FQL) table.
