This library provides authentication via Facebook's OAuth2 API. To install, run the following command in your terminal: First you need to get your "App ID" and "App Secret" from Facebook:Installation
Usage
- "Add a New App" on Facebook's Apps Page
- "+ Add Product" -> "Facebook Login" -> "Set Up"
- Ignore the "Quickstart" and go to "Facebook Login" -> "Settings" in the sidebar.
- Add your callback URL to "Valid OAuth redirect URIs" (e.g. //localhost:3000/__/auth/facebook) then "Save Changes"
- Go to "Settings" -> "Basic":
- "Add Platform" -> "Website"
- Enter site URL (e.g. //localhost:3000/)
- Add "localhost" (or your domain name) to "App Domains"
- "Save Changes"
- Copy "App ID" into the FACEBOOK_APP_ID environment variable
- Copy "App Secret" into FACEBOOK_APP_SECRET environment variable
For the sign in process, the user is first directed to Facebook, where they are asked if they want to grant your website permission to see their information, then Facebook redirects them back to your website at the callbackURL - which must be one of the "Valid OAuth redirect URIs".
The __ prefix is a convention to mean "do not cache these requests in a service worker" it is supported out of the box by moped/create-react-app/etc. You can choose any URL to be the callbackURL as long as it matches the URL you gave to Facebook.
When the user posts to //localhost:3000/__/auth/facebook they will be re-directed to Facebook to complete the sign in. Facebook will then redirect them back to the callbackURL, with additional info in the query. You can check if the user decided to cancel the login by calling userCancelledLogin, otherwise calling completeAuthentication may throw an error.
Once the user has successfully logged in, calling completeAuthentication returns a profile with info about the user (e.g. their id and emails), an accessToken (for further API requests) and a refreshToken if you need to request new access tokens.
API
Constructor
import FacebookAuthentication from '@authentication/facebook'; const facebookAuthentication = new FacebookAuthentication<State>(options); const FacebookAuthentication = require('@authentication/facebook'); const facebookAuthentication = new FacebookAuthentication(options);Options:
- appID (required, string) - defaults to process.env.FACEBOOK_APP_ID. This is the App ID you get from Facebook. It is needed to tell Facebook which application is being signed into.
- appSecret (required, string) - defaults to process.env.FACEBOOK_APP_SECRET. This is the App Secret you get from Facebook. It is needed to verify the account with Facebook.
- callbackURL (required, string | URL) - a relative or absolute URL that represents the path that will handle facebook's callbacks.
- cookieKeys (optional, string[]) - Optionally sign the cookie used to store the state between the two steps of the oauth process
- cookieName (optional, string) - Optionally override the name of the cookie used to store the state between the two steps of the oauth process (defaults to 'authentication_oauth2').
- trustProxy (optional, boolean) - If callbackURL is a relative URL, it will be resolved relative to the request URL. If trustProxy is true it will trust x-forwarded headers. You can also use the BASE_URL environment varialbe to specify the base url.
isCallbackRequest
const isCallbackRequest = facebookAuthentication.isCallbackRequest(req);Returns true if the request has parameters indicating that it is a callback from facebook. If this returns false you should call redirectToProvider and redirect to the resulting URL.
userCancelledLogin
const userCancelledLogin = facebookAuthentication.userCancelledLogin(req);Returns true if the user clicked "Cancel" at some point in the login process and facebook redirected them back to your app. You should probably return the user to the login page at this point, instead of displaying an error.
redirectToProvider
facebookAuthentication.redirectToProvider(req, res, next, options);Redirect the user to Facebook with the appropriate parameters to request access to their profile.
Options:
- scope (optional, string | string[]) - defaults to DEFAULT_SCOPE, see Facebook's OAuth Docs for a full list of possible scopes.
- state (optional, State) - a JSON serializeable value that you can use once the authentication is complete. This is useful for recording where the user was before they started to log in - e.g. a URL to redirect them to after login is complete or an action that the user wanted to take as soon as they are logged in.
- display (optional, string) - use this to control the look and feel of the permissions page - see //developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- isReRequest (optional, boolean) - If a user declines your app a given permission, Facebook will not re-request that permission unless you explicilty pass {isReRequest: true}. You might want to do this after explaining in more detail why you need a given permission.
completeAuthentication
const { accessToken, refreshToken, profile, rawProfile, // the raw profile is the un-normalized data from Facebook state, } = await facebookAuthentication.completeAuthentication(req, res, options);Verifies the supplied authentication info with Facebook and returns an accessToken and a profile. It also returns the state that you passed in when calling redirectToProvider. See Profile for more info on the fields available in the profile object.
Options:
- imageSize (optional, number) - The prefered profile image size in pixels. Facebook will always return a range of a few sizes in the images array but specifying this will override the contents of the image property on the profile.
- profileFields (optional, string[]) - Request additional fields as part of the profile request. By default, fields needed for profile are fetched, providing the appropriate scope was included.
callbackPath
The callbackPath property is just a string pathname from the url you passed in as the callbackURL. This is there so you don't have to keep repeating it.