GraphAPIError: Code was invalid or expired. about facebook-sdk HOT 11 CLOSED

According to the error message, the session expired over 3 hours before the request was made. Can you confirm that the user's access token has not expired in this case?

from facebook-sdk.

Yes I can. It's happened to me in fact. Interestingly it works after refreshing a couple of times.

Edit: in some cases it seems we have to restart the app for it work.

from facebook-sdk.

This is the JavaScript we're using which should be giving us our cookie I believe.

<script>
    window.fbAsyncInit = function() {
        FB.init({
            appId: '{{ config.FACEBOOK_APP_ID }}', 
            status: true, 
            cookie: true,
            xfbml: true,
        });

        $('#facebook-login').bind('click', function() {
            FB.login(response);
        });
    };
    (function() {
        var e = document.createElement('script');
        e.type = 'text/javascript';
        e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
        e.async = true;
        document.getElementById('fb-root').appendChild(e);
    }());
 </script>

from facebook-sdk.

Can you check the issued_at parameter in the parsed signed request from the cookie data and see whether it is the same as the expiration date in the error message? Also, is there anything in your implementation that might be causing expired cookies to be used (e.g. your application storing cookie data, users staying on a page without refreshing and having their access_tokens expire)?

from facebook-sdk.

Can you check the issued_at parameter in the parsed signed request from the cookie data and see whether it is the same as the expiration date in the error message?

I'm not quite sure how to do that.

Also, is there anything in your implementation that might be causing expired cookies to be used (e.g. your application storing cookie data, users staying on a page without refreshing and having their access_tokens expire)?

As far as I can tell, no. The application doesn't store the cookie and a new cookie should be generated upon login (running the JS), right?

from facebook-sdk.

+1

from facebook-sdk.

I'm not quite sure how to do that.

I am not sure how reproducible this error is, so you might want to put the below code in the "except" part of a try..except block around the line where the error is occurring:

parsed_request = parse_signed_request(cookie, app_secret)
print parsed_request["issued_at"]
raise

from facebook-sdk.

Here's the end of the traceback, there's a problem using split on an immutable type it looks like:

File "/srv/http/blueprint/trekseat/frontend/views.py", line 914, in facebook_login
parsed_request = facebook.parse_signed_request(request.cookies, FACEBOOK_APP_SECRET)
File "/srv/http/blueprint/trekseat/src/facebook-sdk/facebook.py", line 380, in parse_signed_request
l = signed_request.split('.', 2)
AttributeError: 'ImmutableTypeConversionDict' object has no attribute 'split'

This happens when trying to pass the cookie back to the parse_signed_request method.

from facebook-sdk.

Okay another update, by getting the cookie manually, instead of use get_user_from cookie, I was able to parse it and get the UNIX time which is 1325618477. This is what the debug code looks like:

#cookie = facebook.get_user_from_cookie(request.cookies, 
#                                       FACEBOOK_APP_ID, 
#                                       FACEBOOK_APP_SECRET)

cookie = request.cookies.get('fbsr_' + FACEBOOK_APP_ID, '')
parsed_request = facebook.parse_signed_request(cookie, FACEBOOK_APP_SECRET)
print parsed_request['issued_at']

Then without the debug code and using the bit that's commented out above, we get this error: GraphAPIError: Code was invalid or expired. Session has expired at unix time 1325624400. The current unix time is 1325871218.

from facebook-sdk.

Since this seems to be the result of the JavaScript SDK not updating its cookie (since issued_at is well before the session expiration date or the current time in the GraphAPIError message), I would argue that this is not an error in our implementation. I am closing the issue, but you should definitely reopen it and berate me if you have found anything that suggests otherwise.

I looked on Facebook's bugtracker, but could not find a similar bug, so it would probably be worth filing one. If you do, please post the URL here.

In my experience, the JavaScript SDK works best when used in combination with Facebook Canvas applications, but external websites should use the server-side OAuth workflow (which looks harder but is more consistent). Feel free to ping me if you have questions about this.

from facebook-sdk.

One thing you might consider is issuing better exceptions. I can only catch exceptions by doing some nasty string matching based on the GraphAPI error message as it is currently. This at least means I can put the user through the proper flow again, but it's messy and prone to errors.

from facebook-sdk.