I was implementing my own signed_request system for a project, and came across an inconsistency in how MiniFB does signature validation.
https://github.com/appoxy/mini_fb/blob/master/lib/mini_fb.rb#L320
This uses the base64 of the payload to build the signature.
Facebook's PHP example and almost every other example in other languages that I've seen uses the url-encoded base64 of the payload.
This would only cause problems if the signature happened to contain the + / (or - _) characters, which doesn't seem to be very often. However, I did encounter an instance in my application where the MiniFB code believed the signature to be invalid due to the url-encoded base64.
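The mismatch reported in this issue, as an added example (not MiniFB's code and not part of the original post): a verifier that computes the HMAC over the payload exactly as received, next to a `translate:` mode that is an assumed model of the reported behaviour. The secret, payloads and all function names are constructed for illustration.

```ruby
require 'openssl'
require 'json'

# URL-safe base64 without padding, used for both halves of signed_request.
def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0')   # raises ArgumentError on bad input
end

# Compare every byte so the check does not stop at the first difference.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed helper that produces sample input: the HMAC covers the
# URL-safe encoded payload string, not the decoded JSON.
def sign_request(json, secret)
  payload = b64url_encode(json)
  sig = OpenSSL::HMAC.digest('SHA256', secret, payload)
  "#{b64url_encode(sig)}.#{payload}"
end

# Returns the parsed payload, or nil if the request does not verify.
# translate: true is an assumed model of the report: the payload is mapped
# to the standard base64 alphabet before the HMAC is computed.
def verify_signed_request(signed_request, secret, translate: false)
  encoded_sig, payload = signed_request.split('.', 2)
  return nil if encoded_sig.nil? || payload.nil?
  signed = translate ? payload.tr('-_', '+/') : payload
  expected = OpenSSL::HMAC.digest('SHA256', secret, signed)
  return nil unless secure_equal?(b64url_decode(encoded_sig), expected)
  data = JSON.parse(b64url_decode(payload).force_encoding('UTF-8'))
  data['algorithm'] == 'HMAC-SHA256' ? data : nil
rescue ArgumentError, JSON::ParserError
  nil
end

SECRET = 'constructed-app-secret' # constructed value, not a real secret
# Encoded payload contains neither '-' nor '_': both modes accept it.
PLAIN  = sign_request('{"algorithm":"HMAC-SHA256","user_id":"1234"}', SECRET)
# The '?' sits on the third byte of a 3-byte group, so it encodes to '_'.
TRICKY = sign_request('{"algorithm":"HMAC-SHA256","q":"abc?d"}', SECRET)
```

`verify_signed_request(TRICKY, SECRET)` returns the payload, while the same call with `translate: true` returns nil for this validly signed request.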