RubyGems - koala - Versions diffs - 1.0.0.beta2 → 1.0.0.beta2.1 - Mend

koala 1.0.0.beta2 → 1.0.0.beta2.1

Files changed (13) hide show

data/CHANGELOG +1 -0
data/Rakefile +1 -1
data/koala.gemspec +2 -2
data/lib/koala.rb +17 -31
data/lib/koala/http_services.rb +0 -6
data/spec/facebook_data.yml +17 -19
data/spec/koala/graph_api/graph_api_no_access_token_tests.rb +1 -1
data/spec/koala/graph_api/graph_api_with_access_token_tests.rb +2 -2
data/spec/koala/http_services/net_http_service_tests.rb +2 -2
data/spec/koala/oauth/oauth_tests.rb +3 -40
data/spec/koala_spec_helper.rb +2 -2
data/spec/mock_facebook_responses.yml +2 -2
metadata +4 -3

data/CHANGELOG CHANGED

@@ -19,6 +19,7 @@ Internal improvements:
 -- Beta 2: photo and file uploads now accept symbols as well as strings overall
 -- Beta 2: APIError is now < StandardError, not Exception
 -- Beta 2: Added KoalaError for non-API errors
+-- Beta 3: Updated parse_signed_request to match Facebook's current implementation (thanks, imajes!)
 Test improvements:
 -- Expanded HTTP service tests (added Typhoeus test suite and additional Net::HTTP test cases)
 -- Live tests now verify that the access token has the necessary permissions before starting

data/Rakefile CHANGED

@@ -4,7 +4,7 @@ require 'rake'
 require 'echoe'
 # gem management
-Echoe.new('koala', '1.0.0.beta2') do |p|
+Echoe.new('koala', '1.0.0.beta2.1') do |p|
   p.summary        = "A lightweight, flexible library for Facebook with support for the Graph API, the old REST API, realtime updates, and OAuth validation."
   p.description    = "Koala is a lightweight, flexible Ruby SDK for Facebook.  It allows read/write access to the social graph via the Graph API and the older REST API, as well as support for realtime updates and OAuth and Facebook Connect authentication.  Koala is fully tested and supports Net::HTTP and Typhoeus connections out of the box and can accept custom modules for other services."
   p.url            = "http://github.com/arsduo/koala"

data/koala.gemspec CHANGED

@@ -2,11 +2,11 @@
 Gem::Specification.new do |s|
   s.name = %q{koala}
-  s.version = "1.0.0.beta2"
+  s.version = "1.0.0.beta2.1"
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Alex Koppel, Chris Baclig, Rafi Jacoby, Context Optional"]
-  s.date = %q{2011-03-10}
+  s.date = %q{2011-04-06}
   s.description = %q{Koala is a lightweight, flexible Ruby SDK for Facebook.  It allows read/write access to the social graph via the Graph API and the older REST API, as well as support for realtime updates and OAuth and Facebook Connect authentication.  Koala is fully tested and supports Net::HTTP and Typhoeus connections out of the box and can accept custom modules for other services.}
   s.email = %q{alex@alexkoppel.com}
   s.extra_rdoc_files = ["CHANGELOG", "LICENSE", "lib/koala.rb", "lib/koala/graph_api.rb", "lib/koala/http_services.rb", "lib/koala/realtime_updates.rb", "lib/koala/rest_api.rb", "lib/koala/test_users.rb", "lib/koala/uploadable_io.rb"]

data/lib/koala.rb CHANGED

@@ -211,38 +211,24 @@ module Koala
           string = info["access_token"]
         end
       end
-      # provided directly by Facebook
-      # see https://github.com/facebook/crypto-request-examples/blob/master/sample.rb
-      # and http://developers.facebook.com/docs/authentication/canvas/encryption_proposal
-      def parse_signed_request(input, max_age = 3600)
+      # Originally provided directly by Facebook, however this has changed
+      # as their concept of crypto changed. For historic purposes, this is their proposal:
+      # https://developers.facebook.com/docs/authentication/canvas/encryption_proposal/
+      # Currently see https://github.com/facebook/php-sdk/blob/master/src/facebook.php#L758
+      # for a more accurate reference implementation strategy.
+      def parse_signed_request(input)
         encoded_sig, encoded_envelope = input.split('.', 2)
+        signature = base64_url_decode(encoded_sig).unpack("H*").first
         envelope = JSON.parse(base64_url_decode(encoded_envelope))
-        algorithm = envelope['algorithm']
-        raise 'Invalid request. (Unsupported algorithm.)' \
-          if algorithm != 'AES-256-CBC HMAC-SHA256' && algorithm != 'HMAC-SHA256'
-        raise 'Invalid request. (Too old.)' \
-          if algorithm == "AES-256-CBC HMAC-SHA256" && envelope['issued_at'].to_i < Time.now.to_i - max_age
-        raise 'Invalid request. (Invalid signature.)' \
-          if base64_url_decode(encoded_sig) !=
-              OpenSSL::HMAC.hexdigest(
-                'sha256', @app_secret, encoded_envelope).split.pack('H*')
-        # for requests that are signed, but not encrypted, we're done
-        return envelope if algorithm == 'HMAC-SHA256'
-        # otherwise, decrypt the payload
-        cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
-        cipher.decrypt
-        cipher.key = @app_secret
-        cipher.iv = base64_url_decode(envelope['iv'])
-        cipher.padding = 0
-        decrypted_data = cipher.update(base64_url_decode(envelope['payload']))
-        decrypted_data << cipher.final
-        return JSON.parse(decrypted_data.strip)
+        raise "SignedRequest: Unsupported algorithm #{envelope['algorithm']}" if envelope['algorithm'] != 'HMAC-SHA256'
+        # now see if the signature is valid (digest, key, data)
+        hmac = OpenSSL::HMAC.hexdigest('sha256', @app_secret, encoded_envelope.tr("-_", "+/"))
+        raise 'SignedRequest: Invalid signature' if (signature != hmac)
+        return envelope
       end
       # from session keys
@@ -309,7 +295,7 @@ module Koala
       # directly from https://github.com/facebook/crypto-request-examples/raw/master/sample.rb
       def base64_url_decode(str)
         str += '=' * (4 - str.length.modulo(4))
-        Base64.decode64(str.gsub('-', '+').gsub('_', '/'))
+        Base64.decode64(str.tr('-_', '+/'))
       end
     end
   end

data/lib/koala/http_services.rb CHANGED

@@ -57,12 +57,6 @@ module Koala
           http = Net::HTTP.new(server(options), private_request ? 443 : nil)
           http.use_ssl = true if private_request
-          # we turn off certificate validation to avoid the
-          # "warning: peer certificate won't be verified in this SSL session" warning
-          # not sure if this is the right way to handle it
-          # see http://redcorundum.blogspot.com/2008/03/ssl-certificates-and-nethttps.html
-          http.verify_mode = OpenSSL::SSL::VERIFY_NONE
           result = http.start do |http|
             response, body = if verb == "post"
               if params_require_multipart? args

data/spec/facebook_data.yml CHANGED

@@ -5,18 +5,18 @@
 # You must supply this value yourself to test the GraphAPI class.
 # Your OAuth token should have publish_stream, read_stream, and user_photos permissions.
-oauth_token:
+oauth_token: 119908831367602|2.SzVOt20se6d7VnLzsG3USg__.3600.1302102000-2905623|Qxhc8NPxIQFKuNOaL1XdYNcztAM
 # for testing the OAuth class
 # baseline app
 oauth_test_data:
   # You must supply this value yourself, since they will expire.
-  code:
+  code: 2.SzVOt20se6d7VnLzsG3USg__.3600.1302102000-2905623|Z5x3PcJgROjfj6DOwVQpb714nkQ
   # easiest way to get session keys: use multiple test accounts with the Javascript login at http://oauth.twoalex.com
-  session_key:
+  session_key: 2.SzVOt20se6d7VnLzsG3USg__.3600.1302102000-2905623
   multiple_session_keys:
-    -
-    -
+    - 2.SzVOt20se6d7VnLzsG3USg__.3600.1302102000-2905623
+    - 2.SzVOt20se6d7VnLzsG3USg__.3600.1302102000-2905623
   # These values will work out of the box
   app_id: 119908831367602
@@ -35,23 +35,21 @@ oauth_test_data:
     # note: I've revoked the offline access for security reasons, so you can't make calls against this :)
     fbs_119908831367602: '"access_token=119908831367602|08170230801eb225068e7a70-2905623|Q3LDCYYF8CX9cstxnZLsxiR0nwg.&expires=0&secret=78abaee300b392e275072a9f2727d436&session_key=08170230801eb225068e7a70-2905623&sig=423b8aa4b6fa1f9a571955f8e929d567&uid=2905623"'
-  # These values will work out of the box
-  # They're from Facebook's example at http://developers.facebook.com/docs/authentication/canvas
+  # These values from the OAuth Playground (see above) will work out of the box
   # You can update this to live data if desired
   # request_secret is optional and will fall back to the secret above if absent
-  request_secret: "secret"
-  signed_request: "vlXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2FkIn0"
-  signed_request_result:
-      "0": payload
-      algorithm: HMAC-SHA256
-  # signed params
-  # examples from http://developers.facebook.com/docs/authentication/canvas/encryption_proposal
-  signed_params: t63pZQ4Q3ZTHJt0hOsKrY2pb28xRlduW0pg4lL_Zhl4.eyJhbGdvcml0aG0iOiJBRVMtMjU2LUNCQyBITUFDLVNIQTI1NiIsImlzc3VlZF9hdCI6MTI4NzYwMTk4OCwiaXYiOiJmRExKQ1cteWlYbXVOYTI0ZVNhckpnIiwicGF5bG9hZCI6IllHeW00cG9Rbk1UckVnaUFPa0ZUVkk4NWxsNVJ1VWlFbC1JZ3FmeFRPVEhRTkl2VlZJOFk4a1Z1T29lS2FXT2Vhc3NXRlRFdjBRZ183d0NDQkVlbjdsVUJCemxGSjFWNjNISjNBZjBTSW5nY3hXVEo3TDZZTGF0TW13WGdEQXZXbjVQc2ZxeldrNG1sOWg5RExuWXB0V0htREdMNmlCaU9oTjdXeUk3cDZvRXBWcmlGdUp3X2NoTG9QYjhhM3ZHRG5vVzhlMlN4eDA2QTJ4MnhraWFwdmcifQ
-  signed_params_secret: 13750c9911fec5865d01f3bd00bdf4db
+  signed_params: "zWRm0gd5oHW_jzXP_WA9CirO7c5CLHotn-SKRqH2NmU.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOjEzMDE5MjIwMDAsImlzc3VlZF9hdCI6MTMwMTkxNzI5OSwib2F1dGhfdG9rZW4iOiIxMTk5MDg4MzEzNjc2MDJ8Mi56VkZfNk5yTUVMSHVKYTRnSVU5dEt3X18uMzYwMC4xMzAxOTIyMDAwLTI5MDU2MjN8emdxUHNyMkJHOUxvT0s5a2VrR2dSVVJaeDBrIiwidXNlciI6eyJjb3VudHJ5IjoiZGUiLCJsb2NhbGUiOiJkZV9ERSIsImFnZSI6eyJtaW4iOjIxfX0sInVzZXJfaWQiOiIyOTA1NjIzIn0"
   signed_params_result:
-    access_token: "101244219942650|2.wdrSr7KyE_VwQ0fjwOfW9A__.3600.1287608400-499091902|XzxMQd-_4tjlC2VEgide4rmg6LI"
-    expires_in: 6412
-    user_id: "499091902"
+      expires: 1301922000
+      algorithm: HMAC-SHA256
+      user_id: "2905623"
+      oauth_token: 119908831367602|2.zVF_6NrMELHuJa4gIU9tKw__.3600.1301922000-2905623|zgqPsr2BG9LoOK9kekGgRURZx0k
+      user:
+        country: de
+        locale: de_DE
+        age:
+          min: 21
+      issued_at: 1301917299
 subscription_test_data:
   subscription_path: http://oauth.twoalex.com/subscriptions

data/spec/koala/graph_api/graph_api_no_access_token_tests.rb CHANGED

@@ -22,7 +22,7 @@ shared_examples_for "Koala GraphAPI without an access token" do
   # these are not strictly necessary as the other put methods resolve to put_object, but are here for completeness
   it "should not be able to post to a feed" do
     (lambda do
-      attachment = {:name => "Context Optional", :link => "http://www.contextoptional.com/"}
+      attachment = {:name => "OAuth Playground", :link => "http://www.oauth.twoalex.com/"}
       @result = @api.put_wall_post("Hello, world", attachment, "contextoptional")
     end).should raise_error(Koala::Facebook::APIError)
     puts "Error!  Object #{@result.inspect} somehow put onto Context Optional's wall!" if @result

data/spec/koala/graph_api/graph_api_with_access_token_tests.rb CHANGED

@@ -55,7 +55,7 @@ shared_examples_for "Koala GraphAPI with an access token" do
   end
   it "should be able to post a message with an attachment to a feed" do
-    result = @api.put_wall_post("Hello, world, from the test suite again!", {:name => "Context Optional", :link => "http://www.contextoptional.com/"})
+    result = @api.put_wall_post("Hello, world, from the test suite again!", {:name => "OAuth Playground", :link => "http://oauth.twoalex.com/"})
     @temporary_object_id = result["id"]
     @temporary_object_id.should_not be_nil
   end
@@ -93,7 +93,7 @@ shared_examples_for "Koala GraphAPI with an access token" do
   end
   it "should be able to verify a message with an attachment posted to a feed" do
-    attachment = {"name" => "Context Optional", "link" => "http://www.contextoptional.com/"}
+    attachment = {"name" => "OAuth Playground", "link" => "http://oauth.twoalex.com/"}
     result = @api.put_wall_post("Hello, world, from the test suite again!", attachment)
     @temporary_object_id = result["id"]
     get_result = @api.get_object(@temporary_object_id)

data/spec/koala/http_services/net_http_service_tests.rb CHANGED

@@ -138,8 +138,8 @@ class NetHTTPServiceTests < Test::Unit::TestCase
         Bear.make_request('anything', {}, 'anything', :rest_api => true)
       end
-      it "should turn off vertificate validaiton warnings" do
-        @http_mock.should_receive('verify_mode=').with(OpenSSL::SSL::VERIFY_NONE)
+      it "no longer turns off vertificate validaiton warnings" do
+        @http_mock.should_not_receive('verify_mode=')
         Bear.make_request('anything', {}, 'anything')
       end

data/spec/koala/oauth/oauth_tests.rb CHANGED

@@ -10,14 +10,7 @@ class FacebookOAuthTests < Test::Unit::TestCase
       @raw_token_string = @oauth_data["raw_token_string"]
       @raw_offline_access_token_string = @oauth_data["raw_offline_access_token_string"]
-      # per Facebook's example:
-      # http://developers.facebook.com/docs/authentication/canvas
-      # this allows us to use Facebook's example data while running the other live data
-      @request_secret = @oauth_data["request_secret"] || @secret
-      @signed_request = @oauth_data["signed_request"]
-      @signed_request_result = @oauth_data["signed_request_result"]
       # for signed requests (http://developers.facebook.com/docs/authentication/canvas/encryption_proposal)
-      @signed_params_secret = @oauth_data["signed_params_secret"] || @secret
       @signed_params = @oauth_data["signed_params"]
       @signed_params_result = @oauth_data["signed_params_result"]
@@ -354,12 +347,6 @@ class FacebookOAuthTests < Test::Unit::TestCase
     end
     describe "for parsing signed requests" do
-      before :each do
-        # you can test against live data by updating the YML, or you can use the default data
-        # which tests against Facebook's example on http://developers.facebook.com/docs/authentication/canvas
-        @oauth = Koala::Facebook::OAuth.new(@app_id, @request_secret || @app_secret)
-      end
       # the signed request code comes directly from Facebook
       # so we only need to test at a high level that it works
       # signed params refers to http://developers.facebook.com/docs/authentication/canvas
@@ -374,34 +361,10 @@ class FacebookOAuthTests < Test::Unit::TestCase
         lambda { @oauth.parse_signed_request(@signed_request) }.should raise_error
       end
-      describe "for signed params" do
-        it "should work" do
-          @oauth.parse_signed_request(@signed_request).should == @signed_request_result
-        end
+      it "properly parses requests" do
+        @oauth = Koala::Facebook::OAuth.new(@app_id, @secret || @app_secret)
+        @oauth.parse_signed_request(@signed_params).should == @signed_params_result
       end
-      describe "for signed requests" do
-        it "should work" do
-          @oauth = Koala::Facebook::OAuth.new(@app_id, @signed_params_secret || @app_secret)
-          @oauth.parse_signed_request(@signed_params).should == @signed_params_result
-        end
-        it "should throw an error if the params are too old" do
-          @time.stub!(:to_i).and_return(1287601988 + 4000)
-          @oauth = Koala::Facebook::OAuth.new(@app_id, @signed_params_secret || @app_secret)
-          lambda { @oauth.parse_signed_request(@signed_params) }.should raise_error
-        end
-        it "should let you specify the max age for a request" do
-          @time.stub!(:to_i).and_return(1287601988 + 4000)
-          @oauth = Koala::Facebook::OAuth.new(@app_id, @signed_params_secret || @app_secret)
-          lambda { @oauth.parse_signed_request(@signed_params, 4001) }.should_not raise_error
-        end
-      end
     end
   end # describe

data/spec/koala_spec_helper.rb CHANGED

@@ -10,10 +10,10 @@ else
   # Ruby 1.8.x
   require 'test/unit'
   require 'rubygems'
-  require 'spec/test/unit'
 end
+require 'yaml'
 # load the libraries
 require 'koala'

data/spec/mock_facebook_responses.yml CHANGED

@@ -83,7 +83,7 @@ graph_api:
     message=Hello, world, from the test suite delete method!:
       post:
         with_token: '{"id": "FEED_ITEM_DELETE"}'
-    link=http://www.contextoptional.com/&message=Hello, world, from the test suite again!&name=Context Optional:
+    link=http://oauth.twoalex.com/&message=Hello, world, from the test suite again!&name=OAuth Playground:
       post:
         with_token: '{"id": "FEED_ITEM_CONTEXT"}'
   /me/photos:
@@ -238,7 +238,7 @@ graph_api:
     no_args:
       <<: *item_deleted
       get:
-        with_token: '{"link":"http://www.contextoptional.com/", "name": "Context Optional"}'
+        with_token: '{"link":"http://oauth.twoalex.com/", "name": "OAuth Playground"}'
   /FEED_ITEM_CATS:
     no_args:

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: koala
 version: !ruby/object:Gem::Version
-  hash: 62196359
+  hash: 124392909
   prerelease: 6
   segments:
   - 1
@@ -9,7 +9,8 @@ version: !ruby/object:Gem::Version
   - 0
   - beta
   - 2
-  version: 1.0.0.beta2
+  - 1
+  version: 1.0.0.beta2.1
 platform: ruby
 authors:
 - Alex Koppel, Chris Baclig, Rafi Jacoby, Context Optional
@@ -17,7 +18,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-03-10 00:00:00 +01:00
+date: 2011-04-06 00:00:00 +02:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency