Verify that facebook session_key is the same as the session key being 
posted via facebook_params
redinger (author)
Thu Jul 17 12:37:21 -0700 2008
mmangino (committer)
Thu Jul 17 13:01:39 -0700 2008
commit  766fb0a63538a2b9d9c9d8a22881b959e17a9407
tree    5234038386b02575bb3a993055eff9478da30362
parent  e8e94a55b2c3459490f68b55a261719457daf2b7
...
36
37
38
39
 
 
 
 
 
40
41
42
...
36
37
38
 
39
40
41
42
43
44
45
46
0
@@ -36,7 +36,11 @@ module Facebooker
0
       private
0
       
0
       def session_already_secured?
0
- (@facebook_session = session[:facebook_session]) && session[:facebook_session].secured?
0
+ (@facebook_session = session[:facebook_session]) && session[:facebook_session].secured? if valid_session_key_in_session?
0
+ end
0
+
0
+ def valid_session_key_in_session?
0
+ !session[:facebook_session].blank? && (facebook_params[:session_key].blank? || session[:facebook_session].session_key == facebook_params[:session_key])
0
       end
0
       
0
       def secure_with_token!
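Review bot: A key mismatch in `valid_session_key_in_session?` only makes `session_already_secured?` return nil; the stale secured session is left in `session[:facebook_session]`, so unless code after this hunk overwrites it, the previous user's session object survives in the Rails session. Consider discarding it explicitly, e.g. `session[:facebook_session] = nil unless valid_session_key_in_session?` ahead of the reuse check, so a later request that carries no fb_sig parameters cannot fall back to it. The blank-key branch also deserves a comment: an absent or empty fb_sig_session_key is treated as "nothing posted" and the stored session is reused, which non-canvas requests need, but it also means a signed request that carries no session for the current user is served from whatever session was stored earlier; if facebook_params exposes the signed user id, comparing it as well would narrow that gap. Both checks are only as strong as the signature verification presumably performed inside facebook_params, which is not visible here. `secure_with_token!` begins on the last line of the hunk and continues outside it.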
...
529
530
531
532
 
533
534
535
...
529
530
531
 
532
533
534
535
0
@@ -529,7 +529,7 @@ module Facebooker
0
       end
0
       
0
       def fb_prompt_permission(permission,callback=nil)
0
- raise (ArgumentError, "Unknown value for permission: #{permission}") unless VALID_PERMISSIONS.include?(permission.to_sym)
0
+ raise(ArgumentError, "Unknown value for permission: #{permission}") unless VALID_PERMISSIONS.include?(permission.to_sym)
0
         args={:perms=>permission}
0
         args[:next_fbjs]=callback unless callback.nil?
0
         tag("fb:prompt-permission",args)
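Review bot: The validation on the raise line still calls `permission.to_sym` before the membership test, so a nil permission surfaces as NoMethodError rather than the ArgumentError the message promises, and every string handed in is interned as a symbol (symbols were not garbage-collected before Ruby 2.2). Comparing as strings avoids both: `raise ArgumentError, "Unknown value for permission: #{permission}" unless VALID_PERMISSIONS.any? { |p| p.to_s == permission.to_s }`. Whether any caller feeds request data into this helper cannot be told from the hunk, so a short comment such as `# permission is a symbol or string supplied by the view; VALID_PERMISSIONS is defined elsewhere in this module` would help the next reader judge that. The method's closing `end` lies past the end of the hunk.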
...
290
291
292
 
 
 
 
 
 
 
293
294
 
 
 
 
 
 
 
 
295
296
297
 
298
299
300
...
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
 
312
313
314
315
0
@@ -290,11 +290,26 @@ class RailsIntegrationTest < Test::Unit::TestCase
0
   
0
   def test_existing_secured_session_is_used_if_available
0
     session = Facebooker::Session.create(ENV['FACEBOOK_API_KEY'], ENV['FACEBOOK_SECRET_KEY'])
0
+ session.secure_with!("c452b5d5d60cbd0a0da82021-744961110", "1111111", Time.now.to_i + 60)
0
+ get :index, example_rails_params_including_fb, {:facebook_session => session}
0
+ assert_equal(1111111, @controller.facebook_session.user.id)
0
+ end
0
+
0
+ def test_facebook_params_used_if_existing_secured_session_key_does_not_match
0
+ session = Facebooker::Session.create(ENV['FACEBOOK_API_KEY'], ENV['FACEBOOK_SECRET_KEY'])
0
     session.secure_with!("a session key", "1111111", Time.now.to_i + 60)
0
     get :index, example_rails_params_including_fb, {:facebook_session => session}
0
+ assert_equal(744961110, @controller.facebook_session.user.id)
0
+ end
0
+
0
+ def test_existing_secured_session_is_used_if_available_and_facebook_params_session_key_is_nil
0
+ session = Facebooker::Session.create(ENV['FACEBOOK_API_KEY'], ENV['FACEBOOK_SECRET_KEY'])
0
+ session.secure_with!("a session key", "1111111", Time.now.to_i + 60)
0
+ get :index, example_rails_params_including_fb.merge("fb_sig_session_key" => ''), {:facebook_session => session}
0
+
0
     assert_equal(1111111, @controller.facebook_session.user.id)
0
   end
0
-
0
+
0
   def test_session_can_be_secured_with_auth_token
0
     auth_token = 'ohaiauthtokenhere111'
0
     modified_params = example_rails_params_including_fb
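Review bot: The first new test pins the session key as the literal `"c452b5d5d60cbd0a0da82021-744961110"`, which presumably must equal the fb_sig_session_key inside `example_rails_params_including_fb`; if that fixture ever changes, the test silently starts exercising the mismatch path and its failure message will not say why. Take the value from the fixture instead: `session.secure_with!(example_rails_params_including_fb["fb_sig_session_key"], "1111111", Time.now.to_i + 60)`. The three tests also repeat the same create/secure_with! setup, which a small helper such as `secured_session(key, uid)` would remove. The third test passes an empty `fb_sig_session_key` without adjusting `fb_sig`, so it relies on the test controller not verifying the signature, which is not visible from this hunk and is worth a comment on that line. `test_session_can_be_secured_with_auth_token` continues past the end of the hunk.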

Comments

  • fady318 Mon Jul 28 04:03:05 -0700 2008

    I think this change breaks facebooker. I’m getting the same error as this person:
    http://forum.developers.facebook.com/viewtopic.php?id=18778

    The first authentication request works fine as the fb_sig parameter is part of the request. But for all subsequent requests, that parameter is not (and, I believe, should not be) there. So the new valid_session_key_in_session? check fails.