Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass appsecret_proof as a query string parameter as it maybe be ignored if passed in as a body parameter #1070

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Pass appsecret_proof as a query string parameter as it maybe be ignored if passed in as a body parameter #1070

wants to merge 1 commit into from

Conversation

artie-shevchenko
Copy link

@artie-shevchenko artie-shevchenko commented Apr 16, 2024
edited

Specifically for some POST requests in current implementation we get API calls from the server require an appsecret_proof argument response. Some POST endpoints will send the HTTP body with form encoded data, which would mean the body parameters are ignored.

Tangibly related it may be worth also implementing it following https://developers.facebook.com/docs/facebook-login/security/#proof (using timestamp in proof computation is not enforced but recommended by FB)

      // See https://developers.facebook.com/docs/facebook-login/security/#proof
      var appsecretTime = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
      final String appsecretProofPlain = accessToken + "|" + appsecretTime;
      for (byte b : mac.doFinal(appsecretProofPlain.getBytes())) {
        appsecretProof.format("%02x", b);
      }
      request.addQuerystringParameter("appsecret_proof", appsecretProof.toString());
      request.addQuerystringParameter("appsecret_time", String.valueOf(appsecretTime));

@artie-shevchenko artie-shevchenko changed the title Facebook doesn't accept appsecret_proof passed in as a body parameter Pass appsecret_proof as body param as Facebook doesn't accept it passed in as a body parameter Apr 16, 2024
@artie-shevchenko artie-shevchenko changed the title Pass appsecret_proof as body param as Facebook doesn't accept it passed in as a body parameter Pass appsecret_proof as a body param as Facebook doesn't accept it passed in as a body parameter Apr 16, 2024
@artie-shevchenko artie-shevchenko changed the title Pass appsecret_proof as a body param as Facebook doesn't accept it passed in as a body parameter Pass appsecret_proof as a body parameter as Facebook doesn't accept it passed in as a body parameter Apr 16, 2024
@artie-shevchenko artie-shevchenko changed the title Pass appsecret_proof as a body parameter as Facebook doesn't accept it passed in as a body parameter Pass appsecret_proof as a query string parameter as Facebook doesn't accept it passed in as a body parameter Apr 16, 2024
@artie-shevchenko artie-shevchenko changed the title Pass appsecret_proof as a query string parameter as Facebook doesn't accept it passed in as a body parameter Pass appsecret_proof as a query string parameter as Facebook ignores it if passed in as a body parameter Apr 16, 2024
@artie-shevchenko artie-shevchenko changed the title Pass appsecret_proof as a query string parameter as Facebook ignores it if passed in as a body parameter Pass appsecret_proof as a query string parameter as it maybe be ignored if passed in as a body parameter Apr 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@artie-shevchenko