fix for verifying rest_graph_fbs_ within a facebook app flow #5

bruchu commented May 27, 2011

The sig verification in the rest_graph_fbs_ is failing within the facebook app flow. I ran into this specifically with the session_store.

My workaround involves verifying the sig without '"' and with.

Owner

godfat commented May 28, 2011

Can you show me which fbs is causing this fail? Thanks!

bruchu commented Jun 1, 2011

hi,

case is when a signed request comes in to a facebook app canvas:

Parameters: {"signed_request"=>"9rV-IdDFqrQ9dwBrXcIVT9hHzMDir-oTKhricvqTYz4.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDY5MTUyMDAsImlzc3VlZF9hdCI6MTMwNjkwOTEwOSwib2F1dGhfdG9rZW4iOiIxMDQ5NDMxMTk1OTcwNjh8Mi5BUUJXZnZ5RUxMdEVRSDhpLjM2MDAuMTMwNjkxNTIwMC4xLTEwMDAwMjMwMTU0MzEyMnxyUmlkX3Vnd2ZaRWs0OERGWjhZQWFsVi12Z3ciLCJ1c2VyIjp7ImNvdW50cnkiOiJ1cyIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMjMwMTU0MzEyMiJ9"}
session: {"csrf_token"=>"d7bGHDaC5mV/wIghSYnNpMM6+fDfY5AFCMGzMIuThes=",
"rest_graph_fbs
"=>"algorithm=HMAC-SHA256&issued_at=1306909091&user={"country"=>"us",
"locale"=>"en_US", "age"=>{"min"=>0,
"max"=>12}}&sig=98573caeeb88b48c83a15c9c05338323"}
DEBUG: RestGraph: detected signed_request, parsed:
{"algorithm"=>"HMAC-SHA256", "expires"=>1306915200,
"issued_at"=>1306909109,
"oauth_token"=>"104943119597068|2.AQBWfvyELLtEQH8i.3600.1306915200.1-100002301543122|rRid_ugwfZEk48DFZ8YAalV-vgw",
"user"=>{"country"=>"us", "locale"=>"en_US", "age"=>{"min"=>21}},
"user_id"=>"100002301543122",
"sig"=>"\xF6\xB5~!\xD0\xC5\xAA\xB4=w\x00k]\xC2\x15O\xD8G\xCC\xC0\xE2\xAF\xEA\x13*\x1A\xE2r\xFA\x93c>"}
DEBUG: RestGraph: wrote session: fbs =>
algorithm=HMAC-SHA256&expires=1306915200&issued_at=1306909109&oauth_token=104943119597068|2.AQBWfvyELLtEQH8i.3600.1306915200.1-100002301543122|rRid_ugwfZEk48DFZ8YAalV-vgw&user={"country"=>"us",
"locale"=>"en_US",
"age"=>{"min"=>21}}&user_id=100002301543122&sig=08dad7a68c0a5b6e011cb1f7d995d375

so the session is saved with the fbs. the next page load, the session
is loaded, but signature verification fails because of stripping out
'"' in RestGraph#parse_fbs!:

session: {"csrf_token"=>"d7bGHDaC5mV/wIghSYnNpMM6+fDfY5AFCMGzMIuThes=",
"rest_graph_fbs
"=>"algorithm=HMAC-SHA256&expires=1306915200&issued_at=1306909109&oauth_token=104943119597068|2.AQBWfvyELLtEQH8i.3600.1306915200.1-100002301543122|rRid_ugwfZEk48DFZ8YAalV-vgw&user={"country"=>"us",
"locale"=>"en_US",
"age"=>{"min"=>21}}&user_id=100002301543122&sig=08dad7a68c0a5b6e011cb1f7d995d375"}
DEBUG: RestGraph: detected rest-graph session, parsed: {}

let me know if you need more info...

-b

Owner

godfat commented Jun 1, 2011

Hi, thanks for the detailed information. I just merged your patch,
but instead, had committed another fix along with a test case:

786fd7c

Can you see if this works for you? Thanks a lot!

bruchu commented Jun 1, 2011

hi,

fix verified.

thanks!

-b

Owner

godfat commented Jun 2, 2011

Thank you for your confirmation. I'll release a new version for this soon.

@godfat godfat closed this Jun 2, 2011
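
The failure reported in this thread, reduced to a stand-alone sketch that is added here and is neither rest-graph's code nor the fix in 786fd7c: a signature computed over values that contain '"' cannot verify once the parser strips '"' before recomputing it. The helper names, the secret and the sample fields are constructed, and the signing scheme (MD5 over sorted `key=value` pairs plus the app secret, as in the old Facebook fbs cookie) is an assumption.

```ruby
require 'digest/md5'

SECRET = 'constructed-app-secret' # hypothetical secret for this example

# Constructed sample: "user" is a stringified nested hash, as in the log above.
SAMPLE = {
  'algorithm' => 'HMAC-SHA256',
  'user'      => '{"country"=>"us", "age"=>{"min"=>21}}',
  'user_id'   => '1000'
}

# Assumed scheme: MD5 over sorted "key=value" pairs followed by the secret.
def fbs_sig(fields, secret)
  Digest::MD5.hexdigest(fields.sort.map { |k, v| "#{k}=#{v}" }.join + secret)
end

# Serialize the fields and their sig into a "k=v&k=v&sig=..." session string.
def write_fbs(fields, secret)
  pairs = fields.sort.map { |k, v| "#{k}=#{v}" }
  (pairs << "sig=#{fbs_sig(fields, secret)}").join('&')
end

# Compare two strings without exiting early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the verified fields, or nil when the signature does not match.
# strip_quotes: true mimics a parser that removes '"' before verifying,
# so the recomputed digest covers different bytes than the signed ones.
def verify_fbs(fbs, secret, strip_quotes: false)
  fbs = fbs.delete('"') if strip_quotes
  fields = fbs.split('&').map { |pair| pair.split('=', 2) }.to_h
  sig = fields.delete('sig')
  return nil unless sig
  secure_equal?(fbs_sig(fields, secret), sig) ? fields : nil
end

FBS = write_fbs(SAMPLE, SECRET)
```

Verification has to run over exactly the bytes that were signed; any normalization such as quote stripping belongs after the check, or has to be applied identically on the signing side.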
