
Deekshith

Suggestion for facebook login security

I have been using the JavaScript Facebook login SDK for Facebook login in my Laravel application for 3 years now, and I have not used Socialite for this,

and in the controller I have written code like the below:

```php
///////////////////////////////////////
// prep Facebook verification
///////////////////////////////////////

// sanitize login data
// (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
$facebook_access_token = filter_var($accesstoken, FILTER_SANITIZE_STRING);

// set variables
$facebook_user_access_token = $facebook_access_token;
$my_facebook_app_id = config('constants.fb.facebook_app_id');
$my_facebook_app_secret = config('constants.fb.facebook_secret_key');
$facebook_application = 'My Portal'; // in my case 'domain.com', as set up in Facebook

///////////////////////////////////////
// get facebook app access token
///////////////////////////////////////
$curl_facebook1 = curl_init(); // start curl
$url = "https://graph.facebook.com/oauth/access_token?client_id=" . $my_facebook_app_id . "&client_secret=" . $my_facebook_app_secret . "&grant_type=client_credentials"; // set url and parameters
curl_setopt($curl_facebook1, CURLOPT_URL, $url); // set the url variable to curl
curl_setopt($curl_facebook1, CURLOPT_RETURNTRANSFER, true); // return output as string
$output = curl_exec($curl_facebook1); // execute curl call
curl_close($curl_facebook1); // close curl
$decode_output = json_decode($output, true); // decode the response as an array (the array access below needs the `true`)

// store app access_token
$facebook_access_token = $decode_output['access_token'];

///////////////////////////////////////
// verify my access was legitimate
///////////////////////////////////////
$curl_facebook2 = curl_init(); // start curl
$url = "https://graph.facebook.com/debug_token?input_token=" . $facebook_user_access_token . "&access_token=" . $facebook_access_token; // set url and parameters
curl_setopt($curl_facebook2, CURLOPT_URL, $url); // set the url variable to curl
curl_setopt($curl_facebook2, CURLOPT_RETURNTRANSFER, true); // return output as string
$output2 = curl_exec($curl_facebook2); // execute curl call
curl_close($curl_facebook2); // close curl
$decode_output2 = json_decode($output2, true); // decode the response as an array

// test browser and Facebook variables match for security
if ($my_facebook_app_id == $decode_output2['data']['app_id'] && $decode_output2['data']['application'] == $facebook_application && $decode_output2['data']['is_valid'] == true) {
    // success
    $check_for_email = User::where('email', $email)->first();

    // if email exists then login or create new account

} else {
    // show email not found and error message
}
```

Here I am checking only the email, because I was not storing the user id or auth id of the Facebook login; instead I was just checking whether the email exists or not. Is this the correct way, or do I need to rewrite this?

And if a user registered using Facebook and then uses Google sign-in with the same email, he is allowed to log in after verifying the Gmail token. Does this cause any security issue?

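The following is an added example, not the poster's code. It keeps the same `debug_token` verification step but compares the response fields strictly, keys the local account on Facebook's stable `user_id` instead of the e-mail alone, and allows a cross-provider match on e-mail (the Facebook-then-Google case from the question) only when the provider asserts the address as verified. The app id, the user store and the two provider responses are constructed stand-ins; nothing here talks to Facebook or Google.

```php
<?php
declare(strict_types=1);

// In-memory stand-in for the User model: one row per account, with the
// provider user ids it has been linked to ('facebook' => '10001', ...).
final class InMemoryUsers
{
    /** @var array<int, array{id:int, email:string, identities:array<string,string>}> */
    private array $rows = [];

    public function findByIdentity(string $provider, string $providerUserId): ?array
    {
        foreach ($this->rows as $row) {
            if (($row['identities'][$provider] ?? null) === $providerUserId) {
                return $row;
            }
        }
        return null;
    }

    public function findByEmail(string $email): ?array
    {
        foreach ($this->rows as $row) {
            if (strcasecmp($row['email'], $email) === 0) {
                return $row;
            }
        }
        return null;
    }

    public function create(string $email, string $provider, string $providerUserId): array
    {
        $id = count($this->rows) + 1;
        $this->rows[$id] = ['id' => $id, 'email' => $email, 'identities' => [$provider => $providerUserId]];
        return $this->rows[$id];
    }

    public function link(int $userId, string $provider, string $providerUserId): array
    {
        $this->rows[$userId]['identities'][$provider] = $providerUserId;
        return $this->rows[$userId];
    }
}

final class SocialLoginVerifier
{
    public function __construct(private string $facebookAppId, private InMemoryUsers $users) {}

    /** Takes the decoded JSON of GET /debug_token; returns the Facebook user id or null. */
    public function facebookUserIdFromDebugToken(array $decoded): ?string
    {
        $d = $decoded['data'] ?? null;                                 // error responses have no 'data'
        if (!is_array($d) || ($d['is_valid'] ?? false) !== true) return null;
        if ((string)($d['app_id'] ?? '') !== $this->facebookAppId) return null; // issued for our app
        if (($d['type'] ?? '') !== 'USER') return null;                // not an app or page token
        $exp = $d['expires_at'] ?? 0;                                  // 0 means non-expiring
        if ($exp !== 0 && $exp < time()) return null;
        if (!in_array('email', $d['scopes'] ?? [], true)) return null; // e-mail permission was granted
        $uid = $d['user_id'] ?? null;
        return is_string($uid) && $uid !== '' ? $uid : null;
    }

    /** Picks or creates the local account for a login whose token already passed verification. */
    public function resolveAccount(string $provider, string $providerUserId, string $email, bool $emailVerified): array
    {
        if ($row = $this->users->findByIdentity($provider, $providerUserId)) {
            return ['action' => 'login', 'user' => $row];              // stable id match: normal login
        }
        $byEmail = $this->users->findByEmail($email);
        if ($byEmail !== null && $emailVerified) {                     // same verified address, new provider
            return ['action' => 'link', 'user' => $this->users->link($byEmail['id'], $provider, $providerUserId)];
        }
        if ($byEmail !== null) {                                       // provider did not vouch for the address
            return ['action' => 'reject', 'user' => null];
        }
        return ['action' => 'register', 'user' => $this->users->create($email, $provider, $providerUserId)];
    }
}

$users = new InMemoryUsers();
$verifier = new SocialLoginVerifier('123456789012345', $users);      // constructed app id

// Constructed debug_token response in the shape the Graph API returns.
$debug = ['data' => [
    'app_id' => '123456789012345', 'type' => 'USER', 'application' => 'My Portal',
    'expires_at' => time() + 3600, 'is_valid' => true,
    'scopes' => ['email', 'public_profile'], 'user_id' => '10001',
]];
$fbId = $verifier->facebookUserIdFromDebugToken($debug);
if ($fbId === null) {
    exit("facebook token rejected\n");
}
// The address would come from GET /me?fields=email with the same user token; constructed here.
$first = $verifier->resolveAccount('facebook', $fbId, 'alice@example.com', true);
echo $first['action'], "\n";                                          // register

// Later Google sign-in with the same address. The claims must come from a
// signature-checked ID token (e.g. google/apiclient's verifyIdToken); constructed here.
$google = ['sub' => '98765', 'email' => 'alice@example.com', 'email_verified' => true];
$second = $verifier->resolveAccount('google', $google['sub'], $google['email'], $google['email_verified']);
echo $second['action'], "\n";                                         // link
```

Two design notes. Storing the provider's `user_id` (and Google's `sub`) next to the account means a later e-mail change on the provider side, or two providers disagreeing about who owns an address, cannot silently hand the session to the wrong local account; the e-mail fallback only runs when the provider's own `email_verified`-style assertion is present, and a stricter policy would require the existing account holder to confirm the link. On the Facebook side, the first cURL call in the original can be dropped entirely: the Graph API accepts `app_id|app_secret` as the app access token for `debug_token`, and that secret must only ever be used from the server, never from the JavaScript SDK side.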