Assume a Facebook game that rewards users with virtual-currency usable in the game for posting events from the game on their wall.
Using the IFrame method, I get on the client a JavaScript callback with the { post_id: 'some id' } when the user completes the post successfully, and life is good.
While the post takes place on the client, I have to address the server and commit the reward for the user, providing the server with the post-id, and that is done using some form of JSONP HTTP request.
Stripping away the defense mechanisms against abuse that make sure that users will not overdo with posts and annoy all their friends with the game, let's focus on the problem:
curl or fiddler, after signing the request and all, I still need to make sure that the post-id that came in this request is indeed a real post_id that came from Facebook, and that this post is indeed visible on the user's wall - at least for his friends... (because, no, post as private post that only you can see should not reward you with virtual-currency)
What's the best way to do that?
@CBroe is absolutely right: Facebook Policies (specifically Section IV, Item 1) prohibit the functionality you describe.
Breaking a policy and circumventing restrictions (which is another item against the policy...) is never the "best way" to do anything. But... what you describe is possible. I'd explain how but it's probably also against Stack Exchange policy to do so:
3 Subscriber Content
[...]
Subscriber represents, warrants and agrees that it will not contribute any Subscriber content that [...] (c) infringes any intellectual property right of another or the privacy or publicity rights of another[.]
Just know it's possible, maybe figure out how to do it for the satisfaction, and then move on without implementing what you ask.