facebook-signed-request 0.2.3 → 0.2.4

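--- a/[lib file; path not shown on page]
+++ b/[lib file; path not shown on page]
@@ -7,18 +7,17 @@ module Facebook
 # Creates a signed_request with correctly padded Base64 encoding.
 # Mostly useful for testing.
 def encode_and_sign options
-encoded_data = Base64.strict_encode64( options.to_json )
-
+encoded_data = Base64.urlsafe_encode64( options.to_json ).tr('=', '')
 digestor = OpenSSL::Digest::Digest.new('sha256')
 signature = OpenSSL::HMAC.digest( digestor, @secret, encoded_data )
-encoded_signature = Base64.strict_encode64( signature )
-encoded_signature = encoded_signature.tr('+/', '-_')
+encoded_signature = Base64.urlsafe_encode64( signature )
+encoded_signature = encoded_signature.tr('=', '')
 
 "#{encoded_signature}.#{encoded_data}"
 end
 end
 
-attr_reader :errors, :signature, :data
+attr_reader :errors, :signature, :data, :encoded_data
 
 def initialize( request_data, options = {} )
 @encoded_signature, @encoded_data = request_data.split(".", 2)
@@ -27,9 +26,10 @@ module Facebook
 
 check_for_invalid_arguments
 
-@signature = extract_request_signature
-@payload = extract_request_payload
-@data = parse_request_playload
+@signature = extract_request_signature
+@computed_signature = compute_signature
+@payload = extract_request_payload
+@data = parse_request_playload
 
 validate_algorithm
 validate_signature
@@ -56,10 +56,9 @@ module Facebook
 end
 end
 
-def base64_url_decode( encoded_string_orig )
-encoded_string = encoded_string_orig.dup
+def base64_url_decode( encoded_string )
 encoded_string << '=' until ( encoded_string.length % 4 == 0 )
-Base64.strict_decode64(encoded_string.tr('-_','+/'))
+Base64.urlsafe_decode64(encoded_string)
 end
 
 def extract_request_signature
@@ -95,15 +94,17 @@ module Facebook
 end
 end
 
-def validate_signature
+def compute_signature
 digestor = OpenSSL::Digest::Digest.new('sha256')
 computed_signature = OpenSSL::HMAC.digest(
 digestor, @secret, @encoded_data
 )
+end
 
-if @signature != computed_signature
+def validate_signature
+if @signature != @computed_signature
 message = "Signatures do not match. " \
-"Computed: #{computed_signature} but was #{@signature.inspect}"
+"Computed: #{@computed_signature} but was #{@signature}"
 
 @errors << message
 end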
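Review bot: Dropping `.dup` in `base64_url_decode` (third hunk) turns it into an in-place padder: `encoded_string << '='` now appends to the caller's string, so `@encoded_data` is rewritten once `extract_request_payload` runs, and `compute_signature` only HMACs the unpadded bytes Facebook actually signed because the reordered `initialize` (second hunk) happens to call it first. That ordering is undocumented, a later reorder would silently fail every signature, and the new `encoded_data` reader returns the mutated value rather than what was received; keep the decoder pure, e.g. `padded = encoded_string + ('=' * ((4 - encoded_string.length % 4) % 4))` followed by `Base64.urlsafe_decode64(padded)`. In `validate_signature` (fourth hunk) `@signature != @computed_signature` is an early-exit string compare, and the message now interpolates the raw `@computed_signature`, so wherever `@errors` is surfaced the MAC the server expected for that payload is disclosed; use a constant-time comparison (a byte-wise XOR accumulate, or `OpenSSL.fixed_length_secure_compare` where available) and report only `@signature.inspect` or a fixed message. The header comment in the first hunk, `# Creates a signed_request with correctly padded Base64 encoding.`, is now wrong because both `.tr('=', '')` calls strip padding; `# Creates an unpadded, URL-safe signed_request string (Facebook's wire format).` describes the new behavior. `OpenSSL::Digest::Digest` in the context lines is the deprecated spelling of `OpenSSL::Digest.new('sha256')`.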
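--- a/[version file; path not shown on page]
+++ b/[version file; path not shown on page]
@@ -1,5 +1,5 @@
 module Facebook
 class SignedRequest
-VERSION = "0.2.3"
+VERSION = "0.2.4"
 end
 end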
@@ -6,11 +6,11 @@ class SignedRequestTest < Test::Unit::TestCase
6
6
 
7
7
  def setup
8
8
 
9
- Facebook::SignedRequest.secret = "897a956a2f7eadcc5783a458fe3e7556"
9
+ Facebook::SignedRequest.secret = "897z956a2z7zzzzz5783z458zz3z7556"
10
10
 
11
- @valid_request = "vl0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ9"
12
- @invalid_request_1 = "l0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ9"
13
- @invalid_request_2 = "vl0p_bGyDeVZ2I21cJvLd5C9CwpMkU2mcp1eUGWdvWs.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTQ5NTIyOTg1OTM4MTN8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTMwODk4ODgwMC4xLTEwMDAwMDY1NDM0MzE5OXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjEwMDAwMDY1NDM0MzE5OSJ"
11
+ @valid_request = "53umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ9"
12
+ @invalid_request_1 = "umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ9"
13
+ @invalid_request_2 = "53umfudisP7mKhsi9nZboBg15yMZKhfQAARL9UoZtSE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDg5ODg4MDAsImlzc3VlZF9hdCI6MTMwODk4NTAxOCwib2F1dGhfdG9rZW4iOiIxMTExMTExMTExMTExMTF8Mi5BUUJBdHRSbExWbndxTlBaLjM2MDAuMTExMTExMTExMS4xLTExMTExMTExMTExMTExMXxUNDl3M0Jxb1pVZWd5cHJ1NTFHcmE3MGhFRDgiLCJ1c2VyIjp7ImNvdW50cnkiOiJkZSIsImxvY2FsZSI6ImVuX1VTIiwiYWdlIjp7Im1pbiI6MjF9fSwidXNlcl9pZCI6IjExMTExMTExMTExMTExMSJ"
14
14
 
15
15
  end
16
16
 
@@ -85,8 +85,8 @@ class SignedRequestTest < Test::Unit::TestCase
85
85
  sig_2, data_2 = reencoded_request.split(".", 2)
86
86
 
87
87
  # Simulate invalid raw Base64 from Facebook by removing padding
88
- assert_equal sig_1, sig_2.gsub(/=+$/, "")
89
- assert_equal data_1, data_2.gsub(/=+$/, "")
88
+ assert_equal sig_1, sig_2
89
+ assert_equal data_1, data_2
90
90
 
91
91
  request_2 = Facebook::SignedRequest.new( reencoded_request )
92
92
 
@@ -94,4 +94,23 @@ class SignedRequestTest < Test::Unit::TestCase
94
94
  assert_equal request_1.data, request_2.data
95
95
  end
96
96
 
97
+ test "ring encoding request with invalid base64 signature and payload" do
98
+
99
+ fake = {"algorithm"=>"HMAC-SHA256", "expires"=>1309186800, "issued_at"=>1309183033, "oauth_token"=>"111111111111111|2.AQDpIv3FOWbnCv8z.3600.1111111100.1-1111100000|0vSxxsZC1R_I6fb_Jw2I8WEXztE", "user"=>{"country"=>"en", "locale"=>"en_US", "age"=>{"min"=>21}}, "user_id"=>"1111100000"}
100
+
101
+ Facebook::SignedRequest.secret = "11ce1114e5450047acb7764c64c6ca24"
102
+
103
+ request_string = Facebook::SignedRequest.encode_and_sign( fake )
104
+ req_sig, req_data = request_string.split(".", 2)
105
+
106
+ assert req_sig !~ /\=$/
107
+ assert req_data !~ /\=$/
108
+
109
+ request = Facebook::SignedRequest.new( request_string )
110
+
111
+ assert Base64.urlsafe_encode64( request.signature ) =~ /\=$/
112
+ assert request.encoded_data =~ /\=$/
113
+
114
+ end
115
+
97
116
  end
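Review bot: The new test in the last hunk introduces another 32-hex-character `Facebook::SignedRequest.secret = "11ce1114e5450047acb7764c64c6ca24"` and an `oauth_token`-shaped string right after the setup hunk scrubbed the previous secret to `"897z956a2z7zzzzz5783z458zz3z7556"`; if that new value is a real app secret it ships in the published gem and should be rotated and replaced with an obviously fake constant, since the test only needs signing and verification to agree. The assertion `assert request.encoded_data =~ /\=$/` pins an implementation side effect: it holds only because `base64_url_decode` now pads `@encoded_data` in place after the HMAC has been computed, so it would break on a harmless refactor while saying nothing about correctness; asserting the parsed result instead, `assert_equal fake, request.data` together with `assert request.errors.empty?`, checks what callers rely on (assuming `parse_request_playload` yields string keys like the fixture). The `/\=$/` anchors would be safer as `/=\z/`, since `$` matches before any embedded newline, though these fixtures contain none. The test name `"ring encoding request ..."` reads like a truncated `"re-encoding ..."`.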
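--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: facebook-signed-request
 version: !ruby/object:Gem::Version
-version: 0.2.3
+version: 0.2.4
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-06-27 00:00:00.000000000 +02:00
+date: 2011-06-28 00:00:00.000000000 +02:00
 default_executable:
 dependencies: []
 description: Parses and validates Facebook signed requests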