joelind-koala 0.8.1

data/lib/koala.rb

@@ -0,0 +1,292 @@
+require 'cgi'
+require 'digest/md5'
+
+# rubygems is required to support json, how facebook returns data
+require 'rubygems'
+require 'json'
+
+# openssl is required to support signed_request
+require 'openssl'
+
+# include default http services
+require 'koala/http_services'
+
+# add Graph API methods
+require 'koala/graph_api'
+
+# add REST API methods
+require 'koala/rest_api'
+
+require 'koala/realtime_updates'
+
+module Koala
+    
+  module Facebook
+    # Ruby client library for the Facebook Platform.
+    # Copyright 2010 Facebook
+    # Adapted from the Python library by Alex Koppel, Rafi Jacoby, and the team at Context Optional
+    #
+    # Licensed under the Apache License, Version 2.0 (the "License"); you may
+    # not use this file except in compliance with the License. You may obtain
+    # a copy of the License at
+    #     http://www.apache.org/licenses/LICENSE-2.0
+    #
+    # Unless required by applicable law or agreed to in writing, software
+    # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+    # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+    # License for the specific language governing permissions and limitations
+    # under the License.
+    # 
+    # This client library is designed to support the Graph API and the official
+    # Facebook JavaScript SDK, which is the canonical way to implement
+    # Facebook authentication. Read more about the Graph API at
+    # http://developers.facebook.com/docs/api. You can download the Facebook
+    # JavaScript SDK at http://github.com/facebook/connect-js/.
+
+    class API
+      # initialize with an access token 
+      def initialize(access_token = nil)
+        @access_token = access_token
+      end
+      
+      def api(path, args = {}, verb = "get", options = {}, &error_checking_block)
+        # Fetches the given path in the Graph API.
+        args["access_token"] = @access_token || @app_access_token if @access_token || @app_access_token
+        # make the request via the provided service
+        result = Koala.make_request(path, args, verb, options)
+        
+        # Check for any 500 errors before parsing the body
+        # since we're not guaranteed that the body is valid JSON
+        # in the case of a server error
+        raise APIError.new({"type" => "HTTP #{result.status.to_s}", "message" => "Response body: #{result.body}"}) if result.status >= 500
+        
+        # Parse the body as JSON and check for errors if provided a mechanism to do so 
+        # Note: Facebook sometimes sends results like "true" and "false", which aren't strictly objects
+        # and cause JSON.parse to fail -- so we account for that by wrapping the result in []
+        body = response = JSON.parse("[#{result.body.to_s}]")[0]
+        if error_checking_block
+          yield(body)
+        end
+        
+        # now return the desired information
+        if options[:http_component]
+          result.send(options[:http_component])
+        else
+          body
+        end
+      end
+    end
+    
+    class GraphAPI < API
+      include GraphAPIMethods
+    end
+    
+    class RestAPI < API
+      include RestAPIMethods
+    end
+    
+    class GraphAndRestAPI < API
+      include GraphAPIMethods
+      include RestAPIMethods
+    end
+    
+    class RealtimeUpdates < API
+      include RealtimeUpdateMethods
+    end
+    
+    class APIError < Exception
+      attr_accessor :fb_error_type
+      def initialize(details = {})
+        self.fb_error_type = details["type"]  
+        super("#{fb_error_type}: #{details["message"]}")
+      end
+    end
+    
+    
+    class OAuth
+      attr_reader :app_id, :app_secret, :oauth_callback_url
+      def initialize(app_id, app_secret, oauth_callback_url = nil)
+        @app_id = app_id
+        @app_secret = app_secret
+        @oauth_callback_url = oauth_callback_url 
+      end
+
+      def get_user_info_from_cookie(cookie_hash)
+        # Parses the cookie set by the official Facebook JavaScript SDK.
+        # 
+        # cookies should be a Hash, like the one Rails provides
+        # 
+        # If the user is logged in via Facebook, we return a dictionary with the
+        # keys "uid" and "access_token". The former is the user's Facebook ID,
+        # and the latter can be used to make authenticated requests to the Graph API.
+        # If the user is not logged in, we return None.
+        # 
+        # Download the official Facebook JavaScript SDK at
+        # http://github.com/facebook/connect-js/. Read more about Facebook
+        # authentication at http://developers.facebook.com/docs/authentication/.
+
+        if fb_cookie = cookie_hash["fbs_" + @app_id.to_s]
+          # remove the opening/closing quote
+          fb_cookie = fb_cookie.gsub(/\"/, "")
+
+          # since we no longer get individual cookies, we have to separate out the components ourselves
+          components = {}
+          fb_cookie.split("&").map {|param| param = param.split("="); components[param[0]] = param[1]}
+
+          # generate the signature and make sure it matches what we expect
+          auth_string = components.keys.sort.collect {|a| a == "sig" ? nil : "#{a}=#{components[a]}"}.reject {|a| a.nil?}.join("")
+          sig = Digest::MD5.hexdigest(auth_string + @app_secret)          
+          sig == components["sig"] && (components["expires"] == "0" || Time.now.to_i < components["expires"].to_i) ? components : nil
+        end
+      end
+      alias_method :get_user_info_from_cookies, :get_user_info_from_cookie
+    
+      def get_user_from_cookie(cookies)
+        if info = get_user_info_from_cookies(cookies)
+          string = info["uid"]
+        end
+      end
+      alias_method :get_user_from_cookies, :get_user_from_cookie
+    
+      # URLs
+    
+      def url_for_oauth_code(options = {})
+        # for permissions, see http://developers.facebook.com/docs/authentication/permissions
+        permissions = options[:permissions]
+        scope = permissions ? "&scope=#{permissions.is_a?(Array) ? permissions.join(",") : permissions}" : ""
+
+        callback = options[:callback] || @oauth_callback_url
+        raise ArgumentError, "url_for_oauth_code must get a callback either from the OAuth object or in the options!" unless callback
+
+        # Creates the URL for oauth authorization for a given callback and optional set of permissions
+        "https://#{GRAPH_SERVER}/oauth/authorize?client_id=#{@app_id}&redirect_uri=#{callback}#{scope}"    
+      end
+        
+      def url_for_access_token(code, options = {})
+        # Creates the URL for the token corresponding to a given code generated by Facebook
+        callback = options[:callback] || @oauth_callback_url
+        raise ArgumentError, "url_for_access_token must get a callback either from the OAuth object or in the parameters!" unless callback
+        "https://#{GRAPH_SERVER}/oauth/access_token?client_id=#{@app_id}&redirect_uri=#{callback}&client_secret=#{@app_secret}&code=#{code}"
+      end
+            
+      def get_access_token_info(code)
+        # convenience method to get a parsed token from Facebook for a given code
+        # should this require an OAuth callback URL?
+        get_token_from_server(:code => code, :redirect_uri => @oauth_callback_url)
+      end
+      
+      def get_access_token(code)
+        # upstream methods will throw errors if needed
+        if info = get_access_token_info(code) 
+          string = info["access_token"]        
+        end
+      end
+      
+      def get_app_access_token_info
+        # convenience method to get a the application's sessionless access token 
+        get_token_from_server({:type => 'client_cred'}, true)
+      end
+      
+      def get_app_access_token
+        if info = get_app_access_token_info
+          string = info["access_token"] 
+        end
+      end
+      
+      # signed_request
+      def parse_signed_request(request)
+        # Facebook's signed requests come in two parts -- the signature and the data payload
+        encoded_sig, payload = request.split(".")
+        
+        sig = base64_url_decode(encoded_sig)
+
+        # if the signature matches, return the data, decoded and parsed as JSON
+        if OpenSSL::HMAC.digest("sha256", @app_secret, payload) == sig
+          JSON.parse(base64_url_decode(payload))
+        else
+          nil
+        end
+      end
+
+      # from session keys
+      def get_token_info_from_session_keys(sessions)
+        # fetch the OAuth tokens from Facebook
+        response = fetch_token_string({
+          :type => 'client_cred',
+          :sessions => sessions.join(",")
+        }, true, "exchange_sessions")
+        
+        # get_token_from_session_key should return an empty body if an empty string or nil is provided
+        # if invalid tokens are provided, it returns an array of nulls, which is a valid result
+        if response == ""
+          raise APIError.new("ArgumentError", "get_token_from_session_key received an error (empty response body) for sessions #{sessions.inspect}!")
+        end
+        
+        JSON.parse(response)
+      end
+  
+      def get_tokens_from_session_keys(sessions)
+        # get the original hash results
+        results = get_token_info_from_session_keys(sessions)
+        # now recollect them as just the access tokens
+        results.collect { |r| string = r["access_token"] }
+      end
+      
+      def get_token_from_session_key(session)
+        # convenience method for a single key
+        # gets the overlaoded strings automatically
+        get_tokens_from_session_keys([session])[0]
+      end
+      
+      protected
+      
+      def get_token_from_server(args, post = false)
+        # fetch the result from Facebook's servers
+        result = fetch_token_string(args, post)
+        
+        # if we have an error, parse the error JSON and raise an error
+        raise APIError.new((JSON.parse(result)["error"] rescue nil) || {}) if result =~ /error/
+
+        # otherwise, parse the access token
+        parse_access_token(result)       
+      end
+      
+      def parse_access_token(response_text)
+        components = response_text.split("&").inject({}) do |hash, bit|
+          key, value = bit.split("=")
+          hash.merge!(key => value)
+        end
+        components 
+      end
+
+      def fetch_token_string(args, post = false, endpoint = "access_token")
+        Koala.make_request("oauth/#{endpoint}", {
+          :client_id => @app_id, 
+          :client_secret => @app_secret
+        }.merge!(args), post ? "post" : "get").body
+      end
+      
+      # base 64
+      def base64_url_decode(string)
+        # to properly decode what Facebook provides, we need to add == to the end
+        # and translate certain characters to others before running the actual decoding
+        # see http://developers.facebook.com/docs/authentication/canvas 
+        "#{string}==".tr("-_", "+/").unpack("m")[0]
+      end
+    end
+  end
+  
+  # finally, set up the http service Koala methods used to make requests
+  # you can use your own (for HTTParty, etc.) by calling Koala.http_service = YourModule
+  def self.http_service=(service)
+    self.send(:include, service)
+  end
+
+  # by default, try requiring Typhoeus -- if that works, use it
+  begin
+    require 'typhoeus'
+    Koala.http_service = TyphoeusService
+  rescue LoadError
+    Koala.http_service = NetHTTPService
+  end
+end

data/readme.md

@@ -0,0 +1,104 @@
+Koala
+====
+Koala (<a href="http://github.com/arsduo/koala" target="_blank">http://github.com/arsduo/koala</a>) is a new Facebook library for Ruby, supporting the Graph API, the old REST API, realtime updates, and OAuth validation.  We wrote Koala with four goals: 
+
+* Lightweight: Koala should be as light and simple as Facebook’s own new libraries, providing API accessors and returning simple JSON.  (We clock in, with comments, just over 500 lines of code.)
+* Fast: Koala should, out of the box, be quick. In addition to supporting the vanilla Ruby networking libraries, it natively supports Typhoeus, our preferred gem for making fast HTTP requests. Of course, That brings us to our next topic:
+* Flexible: Koala should be useful to everyone, regardless of their current configuration.  (We have no dependencies beyond the JSON gem.  Koala also has a built-in mechanism for using whichever HTTP library you prefer to make requests against the graph.)
+* Tested: Koala should have complete test coverage, so you can rely on it.  (Our complete test coverage can be run against either mocked responses or the live Facebook servers.)
+
+Graph API
+----
+The Graph API is the simple, slick new interface to Facebook's data.  Using it with Koala is quite straightforward: 
+    graph = Koala::Facebook::GraphAPI.new(oauth_access_token)
+    profile = graph.get_object("me")
+    friends = graph.get_connection("me", "friends")
+    graph.put_object("me", "feed", :message => "I am writing on my wall!")
+
+Check out the wiki for more examples.
+
+The old-school REST API
+-----
+Where the Graph API and the old REST API overlap, you should choose the Graph API.  Unfortunately, that overlap is far from complete, and there are many important API calls -- including fql.query -- that can't yet be done via the Graph.  
+
+Koala now supports the old-school REST API using OAuth access tokens; to use this, instantiate your class using the RestAPI class:
+
+	@rest = Koala::Facebook::RestAPI.new(oauth_access_token)
+	@rest.fql_query(my_fql_query) # convenience method
+	@rest.rest_call("stream.publish", arguments_hash) # generic version
+	
+We reserve the right to expand the built-in REST API coverage to additional convenience methods in the future, depending on how fast Facebook moves to fill in the gaps.  
+
+(If you want the power of both APIs in the palm of your hand, try out the GraphAndRestAPI class.)
+
+OAuth
+-----
+You can use the Graph and REST APIs without an OAuth access token, but the real magic happens when you provide Facebook an OAuth token to prove you're authenticated.  Koala provides an OAuth class to make that process easy:
+    @oauth = Koala::Facebook::OAuth.new(app_id, code, callback_url)
+
+If your application uses Koala and the Facebook [JavaScript SDK](http://github.com/facebook/connect-js) (formerly Facebook Connect), you can use the OAuth class to parse the cookies:
+    @oauth.get_user_from_cookie(cookies)
+
+And if you have to use the more complicated [redirect-based OAuth process](http://developers.facebook.com/docs/authentication/), Koala helps out there, too:
+	# generate authenticating URL
+	@oauth.url_for_oauth_code
+	# fetch the access token once you have the code
+	@oauth.get_access_token(code)
+
+You can also get your application's own access token, which can be used without a user session for subscriptions and certain other requests:
+    @oauth.get_app_access_token
+
+That's it!  It's pretty simple once you get the hang of it.  If you're new to OAuth, though, check out the wiki and the OAuth Playground example site (see below).
+
+*Exchanging session keys:* Stuck building tab applications on Facebook?  Wishing you had an OAuth token so you could use the Graph API?  You're in luck! Koala now allows you to exchange session keys for OAuth access tokens:
+    @oauth.get_token_from_session_key(session_key)
+    @oauth.get_tokens_from_session_keys(array_of_session_keys)
+
+Real-time Updates
+-----
+The Graph API now allows your application to subscribe to real-time updates for certain objects in the graph.
+
+Currently, Facebook only supports subscribing to users, permissions and errors.  On top of that, there are limitations on what attributes and connections for each of these objects you can subscribe to updates for.  Check the [official Facebook documentation](http://developers.facebook.com/docs/api/realtime) for more details.
+
+Koala makes it easy to interact with your applications using the RealTimeUpdates class:
+
+    @updates = Koala::Facebook::RealTimeUpdates.new(:app_id => app_id, :secret => secret)
+
+You can do just about anything with your real-time update subscriptions using the RealTimeUpdates class:
+
+    # Add/modify a subscription to updates for when the first_name or last_name fields of any of your users is changed
+    @updates.subscribe("user", "first_name, last_name", callback_token, verify_token)
+
+    # Get an array of your current subscriptions (one hash for each object you've subscribed to)
+    @updates.list_subscriptions
+
+    # Unsubscribe from updates for an object
+    @updates.unsubscribe("user")
+
+And to top it all off, RealTimeUpdates provides a static method to respond to Facebook servers' verification of your callback URLs:
+
+    # Returns the hub.challenge parameter in params if the verify token in params matches verify_token
+    Koala::Facebook::RealTimeUpdates.meet_challenge(params, your_verify_token)
+
+For more information about meet_challenge and the RealTimeUpdates class, check out the Real-Time Updates page on the wiki.
+
+See examples, ask questions
+-----
+Some resources to help you as you play with Koala and the Graph API:
+
+* Complete Koala documentation <a href="http://wiki.github.com/arsduo/koala/">on the wiki</a>
+* The <a href="http://groups.google.com/group/koala-users">Koala users group</a> on Google Groups, the place for your Koala and API questions
+* The Koala-powered <a href="http://oauth.twoalex.com" target="_blank">OAuth Playground</a>, where you can easily generate OAuth access tokens and any other data needed to test out the APIs or OAuth
+
+Testing
+-----
+
+Unit tests are provided for all of Koala's methods.  By default, these tests run against mock responses and hence are ready out of the box: 
+    # From the spec directory
+    spec koala_spec.rb
+
+You can also run live tests against Facebook's servers:
+    # Again from the spec directory
+    spec koala_spec_without_mocks.rb
+
+Important Note: to run the live tests, you have to provide some of your own data: a valid OAuth access token with publish\_stream and read\_stream permissions and an OAuth code that can be used to generate an access token.  You can get these data at the OAuth Playground; if you want to use your own app, remember to swap out the app ID, secret, and other values.  (The file also provides valid values for other tests, which you're welcome to swap out for data specific to your own application.)

data/spec/facebook_data.yml

@@ -0,0 +1,44 @@
+# Check out http://oauth.twoalex.com/ to easily generate tokens, cookies, etc.
+# Those values will work with the default settings in this yaml.
+# Of course, you can change this to work with your own app.
+# Just remember to update all fields!
+ 
+# You must supply this value yourself to test the GraphAPI class.
+# Your OAuth token should have publish_stream and read_stream permissions.
+oauth_token: 
+
+# for testing the OAuth class    
+# baseline app
+oauth_test_data: 
+  # You must supply this value yourself, since they will expire.
+  code: 
+  # easiest way to get session keys: use multiple test accounts with the Javascript login at http://oauth.twoalex.com
+  session_key: 
+  multiple_session_keys:
+    - 
+    - 
+  
+  # These values will work out of the box
+  app_id: 119908831367602
+  secret: e45e55a333eec232d4206d2703de1307
+  callback_url: http://oauth.twoalex.com/
+  app_access_token: 119908831367602|o3wswWQ88LYjEC9-ukR_gjRIOMw.
+  raw_token_string: "access_token=119908831367602|2.6GneoQbnEqtSiPppZzDU4Q__.3600.1273366800-2905623|3OLa3w0x1K4C1S5cOgbs07TytAk.&expires=6621"
+  raw_offline_access_token_string: access_token=119908831367602|2.6GneoQbnEqtSiPppZzDU4Q__.3600.1273366800-2905623|3OLa3w0x1K4C1S5cOgbs07TytAk.
+  valid_cookies: 
+    # note: the tests stub the time class so these default cookies are always valid (if you're using the default app)
+    # if not you may want to remove the stubbing to test expiration
+    fbs_119908831367602: '"access_token=119908831367602|2.LKE7ksSPOx0V_8mHPr2NHQ__.3600.1273363200-2905623|CMpi0AYbn03Oukzv94AUha2qbO4.&expires=1273363200&secret=lT_9zm5r5IbJ6Aa5O54nFw__&session_key=2.LKE7ksSPOx0V_8mHPr2NHQ__.3600.1273363200-2905623&sig=9515e93113921f9476a4efbdd4a3c746&uid=2905623"'
+  expired_cookies:
+    fbs_119908831367602: '"access_token=119908831367602|2.xv9mi6QSOpr474s4n2X_pw__.3600.1273287600-2905623|yVt5WH_S6J5p3gFa5_5lBzckhws.&expires=1273287600&secret=V_E79ovQnXqxGctFuC_n5A__&session_key=2.xv9mi6QSOpr474s4n2X_pw__.3600.1273287600-2905623&sig=eeef60838c0c800258d89b7e6ddddddb&uid=2905623"'
+  offline_access_cookies: 
+    # note: I've revoked the offline access for security reasons, so you can't make calls against this :)
+    fbs_119908831367602: '"access_token=119908831367602|08170230801eb225068e7a70-2905623|Q3LDCYYF8CX9cstxnZLsxiR0nwg.&expires=0&secret=78abaee300b392e275072a9f2727d436&session_key=08170230801eb225068e7a70-2905623&sig=423b8aa4b6fa1f9a571955f8e929d567&uid=2905623"'
+    
+subscription_test_data:
+  subscription_path: http://oauth.twoalex.com/subscriptions
+  verify_token: "myverificationtoken|1f54545d5f722733e17faae15377928f"
+  challenge_data: 
+    "hub.challenge": "1290024882"
+    "hub.verify_token": "myverificationtoken|1f54545d5f722733e17faae15377928f"
+    "hub.mode": "subscribe"

data/spec/koala/api_base_tests.rb

@@ -0,0 +1,80 @@
+class ApiBaseTests < Test::Unit::TestCase
+  describe "Koala API base class" do
+    before(:each) do
+      @service = Koala::Facebook::API.new  
+    end
+    
+    it "should not include an access token if none was given" do
+      Koala.should_receive(:make_request).with(
+        anything,
+        hash_not_including('access_token' => 1),
+        anything,
+        anything
+      ).and_return(Koala::Response.new(200, "", ""))
+      
+      @service.api('anything')
+    end
+    
+    it "should include an access token if given" do
+      token = 'adfadf'
+      service = Koala::Facebook::API.new token
+      
+      Koala.should_receive(:make_request).with(
+        anything,
+        hash_including('access_token' => token),
+        anything,
+        anything
+      ).and_return(Koala::Response.new(200, "", ""))
+      
+      service.api('anything')
+    end
+    
+    it "should get the attribute of a Koala::Response given by the http_component parameter" do
+      http_component = :method_name
+      
+      response = mock('Mock KoalaResponse', :body => '', :status => 200)
+      response.should_receive(http_component).and_return('')
+      
+      Koala.stub(:make_request).and_return(response)
+      
+      @service.api('anything', 'get', {}, :http_component => http_component)
+    end
+    
+    it "should return the body of the request as JSON if no http_component is given" do
+      response = stub('response', :body => 'body', :status => 200)
+      Koala.stub(:make_request).and_return(response)
+      
+      json_body = mock('JSON body')
+      JSON.stub(:parse).and_return([json_body])
+      
+      @service.api('anything').should == json_body
+    end
+    
+    it "should execute a block with the response body if passed one" do
+      body = '{}'
+      Koala.stub(:make_request).and_return(Koala::Response.new(200, body, {}))
+      
+      yield_test = mock('Yield Tester')
+      yield_test.should_receive(:pass)
+      
+      @service.api('anything') do |arg| 
+        yield_test.pass
+        arg.should == JSON.parse(body)
+      end
+    end
+    
+    it "should raise an API error if the HTTP response code is greater than or equal to 500" do
+      Koala.stub(:make_request).and_return(Koala::Response.new(500, 'response body', {}))
+      
+      lambda { @service.api('anything') }.should raise_exception(Koala::Facebook::APIError)
+    end
+    
+    it "should handle rogue true/false as responses" do
+      Koala.should_receive(:make_request).and_return(Koala::Response.new(200, 'true', {}))
+      @service.api('anything').should be_true
+      
+      Koala.should_receive(:make_request).and_return(Koala::Response.new(200, 'false', {}))
+      @service.api('anything').should be_false
+    end
+  end
+end

data/spec/koala/graph_and_rest_api/graph_and_rest_api_no_token_tests.rb

@@ -0,0 +1,10 @@
+class GraphAndRestAPINoTokenTests < Test::Unit::TestCase
+  describe "Koala GraphAndRestAPI without an access token" do
+    before(:each) do
+      @api = Koala::Facebook::GraphAndRestAPI.new
+    end
+    
+    it_should_behave_like "Koala RestAPI without an access token"
+    it_should_behave_like "Koala GraphAPI without an access token"
+  end
+end

data/spec/koala/graph_and_rest_api/graph_and_rest_api_with_token_tests.rb

@@ -0,0 +1,11 @@
+class GraphAndRestAPIWithTokenTests < Test::Unit::TestCase
+  describe "Koala GraphAndRestAPI without an access token" do
+    it_should_behave_like "live testing examples"
+    it_should_behave_like "Koala RestAPI with an access token"
+    it_should_behave_like "Koala GraphAPI with an access token"
+    
+    before(:each) do
+      @api = Koala::Facebook::GraphAndRestAPI.new(@token)
+    end
+  end
+end

data/spec/koala/graph_api/graph_api_no_access_token_tests.rb

@@ -0,0 +1,105 @@
+shared_examples_for "Koala GraphAPI without an access token" do
+  it "should get public data about a user" do
+    result = @api.get_object("koppel")
+    # the results should have an ID and a name, among other things
+    (result["id"] && result["name"]).should
+  end
+
+  it "should not get private data about a user" do
+    result = @api.get_object("koppel")
+    # updated_time should be a pretty fixed test case
+    result["updated_time"].should be_nil
+  end
+
+  it "should get public data about a Page" do
+    result = @api.get_object("contextoptional")
+    # the results should have an ID and a name, among other things
+    (result["id"] && result["name"]).should
+  end
+
+  it "should not be able to get data about 'me'" do
+    lambda { @api.get_object("me") }.should raise_error(Koala::Facebook::APIError)
+  end
+
+  it "should be able to get multiple objects" do
+    results = @api.get_objects(["contextoptional", "naitik"])
+    results.length.should == 2
+  end
+
+  it "shouldn't be able to access connections from users" do
+    lambda { @api.get_connections("lukeshepard", "likes") }.should raise_error(Koala::Facebook::APIError)
+  end
+
+  it "should be able to access a user's picture" do
+    @api.get_picture("chris.baclig").should =~ /http\:\/\//
+  end
+
+  it "should be able to access a user's picture, given a picture type"  do
+    @api.get_picture("chris.baclig", {:type => 'large'}).should =~ /^http\:\/\//
+  end
+
+  it "should be able to access connections from public Pages" do
+    result = @api.get_connections("contextoptional", "likes")
+    result.should be_a(Array)
+  end
+
+  it "should not be able to put an object" do
+    lambda { @result = @api.put_object("lukeshepard", "feed", :message => "Hello, world") }.should raise_error(Koala::Facebook::APIError)
+    puts "Error!  Object #{@result.inspect} somehow put onto Luke Shepard's wall!" if @result
+  end
+
+  # these are not strictly necessary as the other put methods resolve to put_object, but are here for completeness
+  it "should not be able to post to a feed" do
+    (lambda do
+      attachment = {:name => "Context Optional", :link => "http://www.contextoptional.com/"}
+      @result = @api.put_wall_post("Hello, world", attachment, "contextoptional") 
+    end).should raise_error(Koala::Facebook::APIError)
+    puts "Error!  Object #{@result.inspect} somehow put onto Context Optional's wall!" if @result
+  end
+
+  it "should not be able to comment on an object" do
+    # random public post on the ContextOptional wall
+    lambda { @result = @api.put_comment("7204941866_119776748033392", "The hackathon was great!") }.should raise_error(Koala::Facebook::APIError)
+    puts "Error!  Object #{@result.inspect} somehow commented on post 7204941866_119776748033392!" if @result    
+  end
+
+  it "should not be able to like an object" do
+    lambda { @api.put_like("7204941866_119776748033392") }.should raise_error(Koala::Facebook::APIError)
+  end
+
+
+  # DELETE
+  it "should not be able to delete posts" do 
+    # test post on the Ruby SDK Test application
+    lambda { @result = @api.delete_object("115349521819193_113815981982767") }.should raise_error(Koala::Facebook::APIError)
+  end
+
+  # SEARCH
+  it "should be able to search" do
+    result = @api.search("facebook")
+    result["data"].should be_an(Array)
+  end
+
+  # API
+  it "should never use the rest api server" do
+    Koala.should_receive(:make_request).with(
+      anything,
+      anything,
+      anything,
+      hash_not_including(:rest_api => true)
+    ).and_return(Koala::Response.new(200, "", {}))      
+    
+    @api.api("anything")
+  end
+end
+
+class FacebookNoAccessTokenTests < Test::Unit::TestCase
+  describe "Koala GraphAPI without an access token" do
+    before :each do
+      @api = Koala::Facebook::GraphAPI.new
+    end  
+    
+    it_should_behave_like "Koala GraphAPI without an access token"
+  end
+end
+