
able to retrieve profile details by providing another application's clientId and clientSecret #65

Open
rakesh1988 opened this issue Dec 10, 2016 · 6 comments

Comments

@rakesh1988

Let's say I have app A and app B.
On my android app I use client id of app A and generate a token. I send it to my server for verification. In my server I use app B's client id and client secret.
In the above scenario, should the auth succeed or fail?

My understanding is, it should fail. But I am able to retrieve user's profile details.

@ghaiklor
Collaborator

@rakesh1988 we are using hmac proof as documented on Facebook documentation. It shouldn't really work 🤔

@twelve17

twelve17 commented Apr 19, 2017

I seem to be able to get the profile with an invalid client id altogether, e.g.:

```javascript
passport.use(new FacebookTokenStrategy({
  clientID: "bad",
  ...
```

Since the access token is sufficient to make calls to the Graph API, I think the library might be using it as-is, without needing an app ID and secret, to get the profile:

passport-facebook-token/lib/index.js:

```javascript
authenticate(req, options) {
  const accessToken = this.lookup(req, this._accessTokenField);
  const refreshToken = this.lookup(req, this._refreshTokenField);

  if (!accessToken) return this.fail({message: `You should provide ${this._accessTokenField}`});

  this._loadUserProfile(accessToken, (error, profile) => {
  ...
```

On my end, I am running Facebook's "debug token" endpoint to perform additional validation of the token using the client ID and secret. Might be handy if this NPM optionally does that, otherwise, I think no authentication is being done here, just a call to the graph API to get the profile given the access token.

@twelve17

twelve17 commented Apr 19, 2017

My apologies, I see now where the code is using the "enable_proof" feature with the app secret.

I think this works for me because I am using a single app (unlike the OP), and it seems the clientID param is essentially unused since the appsecret_proof only requires the secret.

However, now I am perplexed too about the OP's use case. @rakesh1988, are you by chance using the same app secret for both apps? This shouldn't be a problem, but if it were the case, and the behavior is reproducible, that would be quite interesting!

@twelve17

@rakesh1988 - On Facebook's Dev site, do you have "Require App Secret" enabled on your app? The docs make it sound like their API should perform the additional verification if the appsecret_proof query param is present, even if that switch is disabled, but I'd be curious if you can still get the profile if this switch is enabled in your apps.

@twelve17

For what it's worth, I was unable to reproduce this with the steps provided by the OP. I get an error which includes this from the Facebook API:

```json
"oauthError": {
  "statusCode": 400,
  "data": "{\"error\":{\"message\":\"Invalid appsecret_proof provided in the API argument\",\"type\":\"GraphMethodException\",\"code\":100,\"fbtrace_id\":\"XYZ\"}}"
},
```

@ravindersgh90

I am getting a similar error; can anybody suggest how I can fix it?

```json
"oauthError": {
  "statusCode": 400,
  "data": "{\"error\":{\"message\":\"Invalid appsecret_proof provided in the API argument\",\"type\":\"GraphMethodException\",\"code\":100,\"fbtrace_id\":\"XYZ\"}}"
},
```
