
Platform Updates: Operation Developer Love

May 6, 2011 By Jan Jeżabek

Test Users: New response, limit, and password reset feature

Most developers test their apps by generating test users. We recently updated the response to include the test user’s email and password along with the id, access_token, and login_url. In addition, we added the ability to reset passwords via Graph API. We recommend that you either record the password or reset it whenever you need it, as it is only returned when the test user is first created.

Here’s a simple PHP example that creates a new test user, prints out the response, and changes the test user’s password:

  <?php
  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET";

  //request an app access token
  $token_url = "" .
    "client_id=" . $app_id .
    "&client_secret=" . $app_secret;

  $app_access_token = file_get_contents($token_url);

  //create a test user with the app installed and read_stream granted
  $graph_url = "" . $app_id
    . "/accounts/test-users?installed=true"
    . "&permissions=read_stream&method=post&"
    . $app_access_token;

  $response = file_get_contents($graph_url);
  if($response) {
    $obj = json_decode($response);
    //print the response; the password is only returned on creation
    echo "<pre>";
    print_r($obj);
    echo "</pre>";

    //change the password
    $new_password = "YOUR_NEW_PASSWORD";
    $graph_url = "" . $obj->{'id'}
      . "?password=" . urlencode($new_password)
      . "&method=post&" . $app_access_token;

    $response = file_get_contents($graph_url);
    if($response) {
      echo "Password changed successfully.";
    }
  }


Based on your feedback, we have also increased the limit for the number of test users an app can create to 500.

Prompting users to re-authenticate

For many situations (e.g., before a user makes a purchase), developers wanted the ability to confirm a user’s identity by prompting the user to re-type their password. This prevents a user from purchasing something as someone else when that user is on a shared computer.

Server-side re-authentication

We have added two additional parameters that you can pass into the authentication request (at or

  • auth_type: this parameter specifies the requested authentication features (as a comma-separated list). Valid options are:
      • https - checks for the presence of the secure cookie and asks for re-authentication if it is not present
      • reauthenticate - asks the user to re-authenticate unconditionally
  • auth_nonce: specifies an app-generated alphanumeric nonce which can be used to provide replay protection. This parameter is optional, but apps are strongly encouraged to use it, especially when requesting reauthenticate as auth_type.

Here’s a PHP example of authenticating and re-authenticating a user:

  <?php
  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET";
  $my_url = "YOUR_APP_URL";
  $auth_nonce = "YOUR_AUTH_NONCE";

  $code = $_REQUEST["code"] ?? null;

  //Check to see if reauth button was clicked, 
  //if so prompt re-auth dialog
  if(!empty($_REQUEST['reauth'])) {
     $dialog_url = "" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) 
       . '&auth_type=reauthenticate&auth_nonce=' . urlencode($auth_nonce);

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
     exit;
  }

  if(!empty($_REQUEST['error'])) { 
      //user did not reauthenticate successfully
      //escape the values, they come straight from the request
      echo htmlspecialchars($_REQUEST['error']) . ": "
        . htmlspecialchars($_REQUEST['error_description'] ?? '');
      echo '<p>';
  }

  //Check if code is empty (when user first hits page). 
  //Prompt user to auth.
  if(empty($code)) {
    $dialog_url = "" 
      . $app_id . "&redirect_uri=" . urlencode($my_url);

    echo("<script> top.location.href='" . $dialog_url . "'</script>");
    exit;
  }

  //Exchange the code for an access token
  $token_url = "" .
    "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url) . 
    "&client_secret=" . $app_secret . "&code=" . urlencode($code);

  $access_token = file_get_contents($token_url);
  $params = null;
  parse_str($access_token, $params);

  //Compare the returned nonce strictly and in constant time
  if(is_string($params['auth_nonce'] ?? null)
      && hash_equals($auth_nonce, $params['auth_nonce'])) {  
      echo("Hello again! You were re-authenticated.");
      echo '<p>';
  }

  $graph_url = "" . $access_token;

  $user = json_decode(file_get_contents($graph_url));

  //escape the name before writing it into the page
  echo("Hello " . htmlspecialchars($user->name));
  echo '<p>'; 
  ?>

  <form action="YOUR_APP_URL">
    <input type="hidden" name="reauth" value="true" />
    <input type="submit" value="Re-authenticate" />
  </form>
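
The example above uses a fixed YOUR_AUTH_NONCE placeholder; for the replay protection described for auth_nonce, the nonce has to be unpredictable, generated per request, and accepted only once. The following is an added example, not code from the original post: the function names issue_auth_nonce and consume_auth_nonce, the 300-second lifetime and the sample token response are assumptions, and in an application the store passed in would be $_SESSION.

```php
<?php
// Added example: per-request auth_nonce with single-use verification.
// Function names and the 300-second lifetime are hypothetical choices.

/** Create a fresh alphanumeric nonce and remember it server-side. */
function issue_auth_nonce(array &$session): string {
    $nonce = bin2hex(random_bytes(16));        // 32 hex characters
    $session['auth_nonce'] = $nonce;
    $session['auth_nonce_issued'] = time();
    return $nonce;
}

/**
 * Check the nonce echoed back in the token response against the stored one.
 * The stored value is discarded on every attempt, so a replayed response fails.
 */
function consume_auth_nonce(array &$session, $returned, int $max_age = 300): bool {
    $expected = $session['auth_nonce'] ?? null;
    $issued   = $session['auth_nonce_issued'] ?? 0;
    unset($session['auth_nonce'], $session['auth_nonce_issued']);

    if (!is_string($expected) || !is_string($returned)) {
        return false;                          // nothing issued, or nothing usable returned
    }
    if (time() - $issued > $max_age) {
        return false;                          // stale: the dialog was left open too long
    }
    return hash_equals($expected, $returned);  // constant-time, no type juggling
}

// Demonstration with a constructed session store and a constructed token response.
$session = [];
$nonce = issue_auth_nonce($session);           // send this as auth_nonce in the dialog URL
$token_response = "access_token=CONSTRUCTED_TOKEN&auth_nonce=" . $nonce;
parse_str($token_response, $params);

var_dump(consume_auth_nonce($session, $params['auth_nonce'] ?? null)); // first use
var_dump(consume_auth_nonce($session, $params['auth_nonce'] ?? null)); // same response replayed
```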

Improving Reference Docs

Documentation activity for the past 7 days:

Fixing Bugs

Bugzilla activity for the past 7 days:

  • 194 new bugs were reported
  • 29 bugs were reproducible and accepted (after duplicates removed)
  • 12 bugs were fixed (10 previously reported bugs and 2 new bugs)
  • As of today, there are 1,222 open bugs in Bugzilla (up 16 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

  • 477 New Topics Created
  • 246 New Topics received a reply
  • Of those 246, 45 were replied to by a Facebook Employee
  • Of those 246, 43 were replied to by a community moderator

Jan Jezabek, a Platform engineer, hopes to see more e-commerce apps on Facebook use the ability to re-authenticate users.