Update README.'

jaredhanson · Jan 31, 2016 · e2f1f46 · e2f1f46
1 parent bfe0fbc
commit e2f1f46
Showing 1 changed file with 37 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -21,22 +21,34 @@ unobtrusively integrated into any application or framework that supports
 
 ## Usage
 
+#### Create an Application
+
+Before using `passport-facebook`, you must register an application with
+Facebook.  If you have not already done so, a new application can be created at
+[Facebook Developers](https://developers.facebook.com/).  Your application will
+be issued an app ID and app secret, which need to be provided to the strategy.
+You will also need to configure a redirect URI which matches the route in your
+application.
+
 #### Configure Strategy
 
 The Facebook authentication strategy authenticates users using a Facebook
-account and OAuth 2.0 tokens.  The strategy requires a `verify` callback, which
-accepts these credentials and calls `done` providing a user, as well as
-`options` specifying an app ID, app secret, callback URL, and optionally enabling [`appsecret_proof`] (https://developers.facebook.com/docs/graph-api/securing-requests#appsecret_proof).
+account and OAuth 2.0 tokens.  The app ID and secret obtained when creating an
+application are supplied as options when creating the strategy.  The strategy
+also requires a `verify` callback, which receives the access token and optional
+refresh token, as well as `profile` which contains the authenticated user's
+Facebook profile.  The `verify` callback must call `cb` providing a user to
+complete authentication.
 
     passport.use(new FacebookStrategy({
         clientID: FACEBOOK_APP_ID,
         clientSecret: FACEBOOK_APP_SECRET,
         callbackURL: "http://localhost:3000/auth/facebook/callback",
         enableProof: false
       },
-      function(accessToken, refreshToken, profile, done) {
+      function(accessToken, refreshToken, profile, cb) {
         User.findOrCreate({ facebookId: profile.id }, function (err, user) {
-          return done(err, user);
+          return cb(err, user);
         });
       }
     ));
@@ -119,6 +131,26 @@ Developers using the popular [Express](http://expressjs.com/) web framework can
 refer to an [example](https://github.com/passport/express-4.x-facebook-example)
 as a starting point for their own web applications.
 
+## FAQ
+
+##### How do I include app secret proof in API requests?
+
+Set the `enableProof` option when creating the strategy.
+
+```js
+new FacebookStrategy({
+  clientID: FACEBOOK_APP_ID,
+  clientSecret: FACEBOOK_APP_SECRET,
+  callbackURL: "http://localhost:3000/auth/facebook/callback",
+  enableProof: true
+}, ...)
+```
+
+As detailed in [securing graph API requests](https://developers.facebook.com/docs/graph-api/securing-requests#appsecret_proof),
+requiring the app secret for server API requests helps prevent use of tokens
+stolen by malicous software or man in the middle attacks.
+
+
 ## Issues
 
 Facebook's OAuth 2.0 implementation has a [bug][1] in which the fragment `#_=_`