Securing Facebook Login through Javascript and PHP SDK -

what i'm trying achieve

1. javascript checks if user logged in or not, if so, send code (either access_token or signedrequest) php securely deal logging in.
2. php take code javascript , using app_secret, make sure code given javascript valid.
3. using php sdk make graph api calls appsecret_proof can turn on "require proof on calls" in fb app.

where i've got to

1) have javascript initialises when page loads, , assuming particular user logged in , authenticated in case, have access $helper = new facebookjavascriptloginhelper(); class, can session , make calls in php, pass in access token directly using $session = new facebooksession('access token here'); - great!

2) i've got snippet of php check signedrequest property of js response checks against app_secret - great!

$signed_request = $_post['signedrequest']; list($encoded_sig, $payload) = explode('.', $signed_request, 2);  $secret = "mysecret"; // use app secret here  // decode data $sig = base64_url_decode($encoded_sig); $data = json_decode(base64_url_decode($payload), true); // confirm signature $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true); if ($sig !== $expected_sig) {   return null; }  //this oauth code. echo $data['code']; 

where i'm unclear

i'm confused point 3) in i'm trying achieve.

i want utilise

secure server-side calls appsecret_proof

the below snippet using fb php sdk classes works great, does not send appsecret_proof. (if result check in 2) null, can bum out script there, that's fine.)

$helper = new facebookjavascriptloginhelper(); $session = $helper->getsession(); $request = new facebookrequest($session, 'get', '/me'); $response = $request->execute(); $graphobject = $response->getgraphobject(); 

i curl have appsecret_proof not possible using php sdk (it's cleaner through there).

curl \   -f 'access_token=<access_token>' \   -f 'appsecret_proof=<app secret proof>' \   -f 'batch=[{"method":"get", "relative_url":"me"},{"method":"get", "relative_url":"me/friends?limit=50"}]' \   https://graph.facebook.com 

maybe?

once i've completed 2) should getlonglivedsession() on js sdk short-lived access_token , validate() using facebook\facebooksession namespace. validate same did in 2)?? if way, can still turn on 'require proof on calls' in fb app??

note: if down-vote question, please explain why, i'm still none wiser why last question down-voted, , can't improve.

firstly, there 2 security features in app in settings->advanced.

1. require app secret server api calls. although isn't done explicitly, enter app secret here facebooksession::setdefaultapplication(appid, appsecret), app secret sent through server api calls.
2. server ip whitelist - ensure if app secret compromised, still need send calls through server (tricky!).

secondly, code wise run following secure:

1. i run check in 2) mentioned in question.
2. i use $session->validate() method.
3. i $session->extend access token.

i believe secure.