views:

645

answers:

2

I'm writing a facebook desktop application for the first time using the PyFacebook api. Up until now, since I've been experimenting, I just passed the secret key along with the api key to the Facebook constructor like so:

import facebook
fb = facebook.Facebook("my_api_key", "my_secret_key")

and then logged in (fb.login() opens a browser) without any trouble. But now, I want to distribute the code and since it's python and opensource, I want to have some way of protecting my secret key. The wiki mentions I can use a server and ask for my secret key using the server each time my app runs (as I understand), but I have no clue as to how to start doing this, and how this should be done. I have never done web programming and don't know where I can get a server, and how to get the server to do what is needed in this case, and I don't know how can I use that server. I would really appreciate some help!

Thank you.

+1  A: 

EDIT: cmb's session keys approach is better than the proxy described below. Config files and GAE are still applicable. /EDIT

You could take a couple approaches. If your code is open-source and will be used by other developers, you could allow the secret key to be set in a configuration file. When you distribute the code, place a dummy key in the file and create some instructions on how to obtain and set the key in the config file.

Alternately, if you want to do the server approach, you'll basically be creating a proxy* that will take requests, add the secret key and then forward them on to Facebook. A good, free (unless/until your app gets a lot of users) Python-based service is Google App Engine. They also have a bunch of tutorial videos to get you started.

* E.g., when myservice.appspot.com/getUserInfo?uid=12345 is called, your service will execute something like the following.

userinfo = fb.users.getInfo(self.request.get('uid')...)

Ideally, you'd want to abstract it enough that you don't have to explicitly implement every FB API call you make.

One last thing to keep in mind is that many FB API calls do not require the secret key to be passed.

steamer25
It is opensource and I expect it to be used by other developers. Thanks, I will take a look at google app engine and let you know what I got!
fengshaun
+3  A: 

The relevant page on the FB developer wiki recommends a server component that just keeps your secret key and handles auth.getSession(), then gives your desktop app a session key. See that link for details.

Chris Boyle
The wiki page talks about what to do rather than how to do it. Really, I want to know how I can do it!
fengshaun
I'm starting to make sense of it :)
fengshaun