Facebook development and integration is nothing new. Come on, man, everybody's doing it. Don't you want to be cool? Indeed, while I'm sure that a lot of people/companies are doing this, and while it's evident that a lot of them meet with a great deal of success in the matter, my experience as of late seems to indicate that many people/companies toy with the idea but have no clue as to how to actually implement it. Well, product folks can undoubtedly come up with all the marketable and sellable ideas they want in this matter, but success or failure may hinge on the simple idea of knowing how the Facebook platform actually works. It's one thing to say "we need more Facebook on our site!" and it's another thing entirely to come up with an actual workable solution.
To that end, let's take a look at some very basic Facebook integration. You may or may not have heard of their Graph API, which is basically a JSON service for getting information out of their "social graph" (the various data objects they track and the relationships between them). Getting that data, once you have permission that is, is actually very simple.
First, you need to create your application on Facebook. (This step is a lot easier than it sounds.) Basically, give Facebook some simple information about your website and how it'll be integrating. Start out with something simple:
Facebook Graph API from your website. You know, visitors come to your site, they use their Facebook account (since they're most likely logged into Facebook in another tab) to "Like" your site, you harvest their data and spam their friends, etc.
So now you need to add some Facebook stuff to your site. Note the sample code in the preceding screen shot. This code does a couple of things:
- Initialize your page with your Facebook app.
- Present the user with a Facebook login button.
- Present the user with a Facebook "like" button.
This is where the user grants or denies your site access to their Facebook data. If they deny you, then your work ends here. But if they allow you to access the data, then this is where you'll be able to send requests to Facebook on their behalf. You can go so far as to, if permitted, post stuff to their wall or send messages to their friends, etc. But, again, we're sticking with the basics here. We want to see the Graph API data.
Once permission is granted, Facebook writes a cookie to the user's computer which you can use. Remember that "application secret" value from before? You use that to decrypt the cookie. Take a look at this PHP code (which can still be found here, though they change their documentation a lot):
(Note: You must never share your application secret with anybody. Don't render it to the page, don't use it anywhere but your protected server-side code. Anybody who has this value can pretend to be your application and can spoof users and Facebook as you. The access token you pull from a user's cookie should also be treated with this level of secrecy, with one exception. You can render that to the page, since you're pulling it from the user's cookie and just showing it back to the user. However, proper use of SSL is, as always, recommended.)
Note how the PHP code then makes a simple Graph API request to get the user's name. In this case, the "me" in the Graph API URL is being interpreted by Facebook as the user who owns the access token. There are a number of ways to access a particular user's node on the graph; this is just one of the shortcuts. But basically, this is what you're looking for.
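The server-side cookie check described above, as an added example rather than the PHP sample the post refers to. It assumes the legacy fbs_<app id> cookie layout (URL-encoded key=value pairs plus an MD5 "sig" over the sorted pairs and the application secret); verify_fb_cookie, the "expires" handling and all sample values are hypothetical.

```php
<?php
// Added example, not Facebook's sample code. Assumed legacy cookie layout:
// URL-encoded key=value pairs plus sig = md5(sorted "key=value" pairs . app secret).

function verify_fb_cookie(string $raw, string $appSecret): ?array
{
    $args = [];
    parse_str(trim($raw, '\\"'), $args);
    if (!isset($args['sig']) || !is_string($args['sig'])) {
        return null;                      // unsigned cookie: never trust its fields
    }
    ksort($args, SORT_STRING);
    $payload = '';
    foreach ($args as $key => $value) {
        if (!is_string($value)) {
            return null;                  // reject nested values such as uid[]=1
        }
        if ($key !== 'sig') {
            $payload .= $key . '=' . $value;
        }
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how much of a guessed signature was correct.
    if (!hash_equals(md5($payload . $appSecret), $args['sig'])) {
        return null;
    }
    // 'expires' is an assumed field: Unix time, with 0 meaning no expiry.
    $expires = (int) ($args['expires'] ?? 0);
    if ($expires !== 0 && $expires < time()) {
        return null;
    }
    return $args;                         // access_token is usable only after this point
}

// Constructed sample data: no real application secret, token or user id.
$secret = 'constructed-app-secret';
$fields = ['access_token' => 'constructed-token', 'expires' => '0', 'uid' => '1000'];
ksort($fields, SORT_STRING);
$payload = '';
foreach ($fields as $k => $v) {
    $payload .= $k . '=' . $v;
}
$cookie = '"' . http_build_query($fields + ['sig' => md5($payload . $secret)]) . '"';

// Genuine cookie, then the same cookie with the uid edited by the client.
var_dump(verify_fb_cookie($cookie, $secret) !== null);
var_dump(verify_fb_cookie(str_replace('uid=1000', 'uid=1001', $cookie), $secret) !== null);
```

The secret appears only in server-side code here, and any field read from the cookie before the signature check passes is attacker-controlled input.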
- Server-Side: Once you have that access token, you can continue to make requests for data on their behalf. So in an offline process you can start harvesting. (Yes, it pains me to say that. Let me explain...) You can, say, loop through their friends list and grab email addresses (assuming their friends allow that, they have privacy settings too) to compare with your local data store. Then you can prompt the user with such gems as "I see your friends are already members of this site, would you like to say hello?" or "Your friends haven't signed up for this site, click here to invite them." And so on. Act responsibly, of course. The user trusts you with their data, don't betray that.