Added code to verify that the data is from a legitimate source #1

Closed
wants to merge 1 commit into
from

4 participants
@Jamie-Landeg-Jones

No description provided.

jamiejones
Add code to verify that the callback is from a trusted source, by checking the hmac hash against the app secret.
@mawgcen

mawgcen Mar 22, 2011

hmmm, so what is the callback for again?
to handle subscriptions?

@nisc

nisc Nov 27, 2011

This commit implements a check for:

With every response, Facebook sends the X-Hub-Signature HTTP header which contains the SHA1 signature over the response payload, using the application secret as the key - for example: 'X-Hub-Signature: sha1=12345...'. The consumer can verify the signature to validate the integrity of the payload.

See: https://developers.facebook.com/docs/reference/api/realtime/

In Python (Twisted Web):

    headers = request.getAllHeaders()            # Twisted lower-cases header names
    data = request.content.read()                # raw body bytes: the HMAC is computed over exactly these
    signature = headers.get('x-hub-signature')   # e.g. 'sha1=<40 hex chars>'
    if signature:
        from hashlib import sha1
        from hmac import new as hmac_new
        # Recompute the expected header value with the app secret as HMAC key
        signature_check = "sha1=" + \
                hmac_new(FACEBOOK_API_SECRET, data, sha1).hexdigest()
        # This snippet only logs both values; the comparison itself is not performed here
        log.msg('Signatures:\nReceived: %s\nCalculated: %s' \
                % (signature, signature_check))

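A complete version of the X-Hub-Signature check described in the comment above, as an added example that is not code from this pull request or from the Facebook SDK: it recomputes the HMAC-SHA1 over the raw body with the app secret, parses the `sha1=` prefix, rejects a missing, malformed or non-matching header, and compares in constant time. The secret, payload and the `handle_realtime_update` wrapper are constructed for illustration; the wrapper lower-cases header names the way Twisted's `getAllHeaders()` does.

```python
import hmac
import hashlib

# Constructed example secret; a real deployment uses its own app secret.
APP_SECRET = b"example-app-secret-not-real"

HEX_DIGITS = frozenset("0123456789abcdef")


def compute_signature(secret: bytes, payload: bytes) -> str:
    """Return the header value Facebook documents: 'sha1=' + hex HMAC-SHA1
    of the raw request body, keyed with the application secret."""
    return "sha1=" + hmac.new(secret, payload, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, payload: bytes, header_value) -> bool:
    """Check an X-Hub-Signature header against the raw body.

    Returns False (never raises) when the header is absent, does not use the
    sha1= scheme, is not a 40-character hex digest, or does not match.
    """
    if not header_value:
        return False
    algo, sep, received_hex = header_value.strip().partition("=")
    if sep != "=" or algo.lower() != "sha1":
        return False
    received_hex = received_hex.lower()
    if len(received_hex) != 40 or not set(received_hex) <= HEX_DIGITS:
        return False
    expected_hex = hmac.new(secret, payload, hashlib.sha1).hexdigest()
    # Constant-time comparison: a plain == would leak, via timing, how many
    # leading characters of a forged digest were correct.
    return hmac.compare_digest(expected_hex, received_hex)


def handle_realtime_update(secret: bytes, headers: dict, body: bytes):
    """Decision a callback handler would make. Header names are matched
    case-insensitively, as Twisted's getAllHeaders() lower-cases them."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, lowered.get("x-hub-signature")):
        return (403, "signature check failed")
    return (200, "ok")


if __name__ == "__main__":
    # Constructed payload shaped like a realtime update notification.
    body = b'{"object":"user","entry":[{"uid":"1","changed_fields":["name"]}]}'
    good = compute_signature(APP_SECRET, body)
    print(handle_realtime_update(APP_SECRET, {"X-Hub-Signature": good}, body))
    # Any change to the body (even a trailing space) invalidates the signature.
    print(handle_realtime_update(APP_SECRET, {"X-Hub-Signature": good}, body + b" "))
    # A request without the header is rejected rather than silently accepted.
    print(handle_realtime_update(APP_SECRET, {}, body))
```

Two points differ from the Twisted snippet: the body must be read once and the same bytes handed to the HMAC (re-serialising parsed JSON changes whitespace and breaks the digest), and a request with no header is rejected instead of skipped, since an attacker who can reach the callback URL can simply omit it.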
@jamesgpearce

jamesgpearce May 14, 2014

Contributor

Facebook is no longer actively maintaining or supporting this repo, and we are closing its old and outstanding pull requests.

Many, many thanks for your support of the project. If you have any further questions, please don't hesitate to let us know.

