Definitely understand the concern—I set the minimum permissions, but obviously friends list is among them. All the code looks for is user_id; I'm not even storing the access_token generated.
This will be clearer as the readme shapes up, but it's for a private messaging repository, accessible only to folks whose user ID you save in a Redis hash.
For example, assume authed_user_ids = {1: '', 2: ''}. If, after authenticating with Facebook, we determine your user_id is 1, today's date gets stored as your value (authed_user_ids = {1: 'DATE', 2: ''}). The card will then open with Day 0's message, and will display a new one for every subsequent day until the sequence has expired (you will need to auth every time, as the only session variable stored is the OAuth nonce).
If Facebook returns with user_id = 3, the card will open and display some generic "no message for you" content.
This will be clearer as the readme shapes up, but it's for a private messaging repository, accessible only to folks whose user ID you save in a Redis hash.
For example, assume authed_user_ids = {1: '', 2: ''}. If, after authenticating with Facebook, we determine your user_id is 1, today's date gets stored as your value (authed_user_ids = {1: 'DATE', 2: ''}). The card will then open with Day 0's message, and will display a new one for every subsequent day until the sequence has expired (you will need to auth every time, as the only session variable stored is the OAuth nonce).
If Facebook returns with user_id = 3, the card will open and display some generic "no message for you" content.