I'm currently building an app and an API for that app to communicate with.
My API gathers information from the Facebook Graph API, processes/enrichs them with some data in my database and returns them to my app.
Users login to my app using the Facebook SDK. So at each request they append their Facebook user token (using https for security) so that my API/Server can query the Facebook API and also gets the user ID from it so that I can find data to that user in my database.
This works fine so far.
But getting the ID requires me to query Facebook for every request to my API. Maybe I should store the Facebook access tokens on the first request to my API and for further requests just check if they match? But is it a good idea to store (encrypted) Facebook access tokens? I think I read something about that being a bad idea.
Also I thought about what would happen if someone else is running a Facebook application as well and thus knows other user tokens.
If this person sends that token to my API it would think that this is a legitimate user, right? Is there a way to tell the Facebook Api to only accept tokens generated from my Facebook app?
I found out about querying "/app?access_token={token_to_check}" to get some information (app name, app id, ...) about a token. But querying this with each Facebook API request would slow the overall request down, I guess.
TL;DR:
Is it a good idea to store (encrypted) Facebook access tokens?
Can I tell the Facebook API to only accept access tokens generated by my (Facebook) app?
Or do you know any other way on how to reject foreign Facebook Tokens?
Found the answer myself:
Seems like Facebook only accepts access tokens generated by your application.
So you only have to check if the result of an FB api query is this kind of error to see if an access token is valid.