Partial Outageshare-external
Received a warning email about required changes to support Require App Secret Proof but cannot find a case that will be impacted.
1

I received the following email:

"Action required for OfferUp by Nov 12, 2024

We’re making changes to our require App Secret proof feature via enhanced security measures when authenticating a platform application’s Graph API calls that will affect Facebook Login. Starting on November 12, 2024, apps that have this feature enabled will no longer be allowed to make client-initiated Graph API calls, for example via the Facebook iOS or Android SDKs. Upon review, we have identified that some of your app’s API calls will be rejected after our improvements take effect. As a result we will proactively disable require App Secret proof on your app on November 12, 2024 to prevent disruption to your app’s users. Please note, after this feature is disabled, your app will continue to function normally for both client- and server-initiated Graph API calls. Action required To minimize any potential disruptions to your apps, we ask that developers do one of the following based on how your app is making API calls before November 12, 2024. If you do not want to re-enable this feature on this app, no further action is required. If you do want to re-enable the require App Secret proof feature on this app, go to Settings, then Advanced on the app Dashboard. In preparation, create a new test app with Facebook Login, enable the App Secret proof setting, thoroughly test your application flows to understand the impacts and make the necessary changes to your software to be compatible with the feature before re-enabling it in your production app. As a reminder, never include your app secret in client-side or decompilable code. If you wish to re-enable this feature, client-initiated API calls must be first sent to your own web servers, where the app secret proof is calculated and added to a server-to-server Graph API call."

After exhaustive searching of my code base and historical code, I cannot find a place where we are accessing the Graph API from a client. We only access it from the backend. Is there any way I can get more data on why I received this email? Can I see which APIs Facebook is seeing being requested from the client, or how many client Graph requests are being received? I don't see any of that data available in the developer console.

Chris
Asked about 2 weeks ago