facebook-signed-request 0.2.3 → 0.2.4

data/lib/facebook-signed-request/signed_request.rb

@@ -7,18 +7,17 @@ module Facebook
       # Creates a signed_request with correctly padded Base64 encoding.
       # Mostly useful for testing.
       def encode_and_sign options
-        encoded_data      = Base64.strict_encode64( options.to_json )
-
+        encoded_data      = Base64.urlsafe_encode64( options.to_json ).tr('=', '')
         digestor          = OpenSSL::Digest::Digest.new('sha256')
         signature         = OpenSSL::HMAC.digest( digestor, @secret, encoded_data )
-        encoded_signature = Base64.strict_encode64( signature )
-        encoded_signature = encoded_signature.tr('+/', '-_')
+        encoded_signature = Base64.urlsafe_encode64( signature )
+        encoded_signature = encoded_signature.tr('=', '')
 
         "#{encoded_signature}.#{encoded_data}"
       end
     end
 
-    attr_reader :errors, :signature, :data
+    attr_reader :errors, :signature, :data, :encoded_data
 
     def initialize( request_data, options = {} )
       @encoded_signature, @encoded_data = request_data.split(".", 2)
@@ -27,9 +26,10 @@ module Facebook
 
       check_for_invalid_arguments
 
-      @signature        = extract_request_signature
-      @payload          = extract_request_payload
-      @data             = parse_request_playload
+      @signature          = extract_request_signature
+      @computed_signature = compute_signature
+      @payload            = extract_request_payload
+      @data               = parse_request_playload
 
       validate_algorithm
       validate_signature
@@ -56,10 +56,9 @@ module Facebook
       end
     end
 
-    def base64_url_decode( encoded_string_orig )
-      encoded_string = encoded_string_orig.dup
+    def base64_url_decode( encoded_string )
       encoded_string << '=' until ( encoded_string.length % 4 == 0 )
-      Base64.strict_decode64(encoded_string.tr('-_','+/'))
+      Base64.urlsafe_decode64(encoded_string)
     end
 
     def extract_request_signature
@@ -95,15 +94,17 @@ module Facebook
       end
     end
 
-    def validate_signature
+    def compute_signature
       digestor            = OpenSSL::Digest::Digest.new('sha256')
       computed_signature  = OpenSSL::HMAC.digest(
         digestor, @secret, @encoded_data
       )
+    end
 
-      if @signature != computed_signature
+    def validate_signature
+      if @signature != @computed_signature
         message = "Signatures do not match. " \
-                  "Computed: #{computed_signature} but was #{@signature.inspect}"
+                  "Computed: #{@computed_signature} but was #{@signature}"
 
         @errors << message
       end

data/lib/facebook-signed-request/version.rb

@@ -1,5 +1,5 @@
 module Facebook
   class SignedRequest
-    VERSION = "0.2.3"
+    VERSION = "0.2.4"
   end
 end

data/test/signed_request_test.rb

@@ -6,11 +6,11 @@ class SignedRequestTest < Test::Unit::TestCase
 
   def setup
 
-    Facebook::SignedRequest.secret = "897a956a2f7eadcc5783a458fe3e7556"
+    Facebook::SignedRequest.secret = "897z956a2z7zzzzz5783z458zz3z7556"
 
-    @valid_request      = "vl0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ9"
-    @invalid_request_1  = "l0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ9"
-    @invalid_request_2  = "vl0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ"
+    @valid_request      = "53umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ9"
+    @invalid_request_1  = "umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ9"
+    @invalid_request_2  = "53umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ"
 
   end
 
@@ -85,8 +85,8 @@ class SignedRequestTest < Test::Unit::TestCase
     sig_2, data_2 = reencoded_request.split(".", 2)
 
     # Simulate invalid raw Base64 from Facebook by removing padding
-    assert_equal sig_1, sig_2.gsub(/=+$/, "")
-    assert_equal data_1, data_2.gsub(/=+$/, "")
+    assert_equal sig_1, sig_2
+    assert_equal data_1, data_2
 
     request_2 = Facebook::SignedRequest.new( reencoded_request )
 
@@ -94,4 +94,23 @@ class SignedRequestTest < Test::Unit::TestCase
     assert_equal request_1.data,      request_2.data
   end
 
+  test "ring encoding request with invalid base64 signature and payload" do
+
+    fake = {"algorithm"=>"HMAC-SHA256", "expires"=>1309186800, "issued_at"=>1309183033, "oauth_token"=>"111111111111111|2.AQDpIv3FOWbnCv8z.3600.1111111100.1-1111100000|0vSxxsZC1R_I6fb_Jw2I8WEXztE", "user"=>{"country"=>"en", "locale"=>"en_US", "age"=>{"min"=>21}}, "user_id"=>"1111100000"}
+
+    Facebook::SignedRequest.secret = "11ce1114e5450047acb7764c64c6ca24"
+
+    request_string    = Facebook::SignedRequest.encode_and_sign( fake )
+    req_sig, req_data = request_string.split(".", 2)
+
+    assert req_sig  !~ /\=$/
+    assert req_data !~ /\=$/
+
+    request = Facebook::SignedRequest.new( request_string )
+
+    assert Base64.urlsafe_encode64( request.signature ) =~ /\=$/
+    assert request.encoded_data =~ /\=$/
+
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: facebook-signed-request
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.2.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-06-27 00:00:00.000000000 +02:00
+date: 2011-06-28 00:00:00.000000000 +02:00
 default_executable: 
 dependencies: []
 description: Parses and validates Facebook signed requests