RubyGems - mini_fb - Versions diffs - 0.2.4 → 0.2.5 - Mend

mini_fb 0.2.4 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

data/README.markdown CHANGED Viewed

@@ -67,8 +67,12 @@ Define an fb_connect method in your login/sessions controller like so:
         @fb_session = cookies[FB_API_KEY + "_session_key"]
         puts "uid=#{@fb_uid}"
         puts "session=#{@fb_session}"
-        # And here you would create the user if it doesn't already exist, then redirect them to wherever you want.
+        if MiniFB.verify_connect_signature(FB_API_KEY, FB_SECRET, cookies)
+          # And here you would create the user if it doesn't already exist, then redirect them to wherever you want.
+        else
+          # The cookies may have been modified as the signature does not match
+        end
     end

data/lib/mini_fb.rb CHANGED Viewed

@@ -114,7 +114,11 @@ module MiniFB
     end
     BAD_JSON_METHODS = ["users.getloggedinuser", "auth.promotesession", "users.hasapppermission",
-                        "Auth.revokeExtendedPermission", "pages.isAdmin", "pages.isFan"].collect { |x| x.downcase }
+                        "Auth.revokeExtendedPermission", "pages.isAdmin", "pages.isFan",
+                        "stream.publish",
+                        "dashboard.addNews", "dashboard.addGlobalNews", "dashboard.publishActivity",
+                        "dashboard.incrementcount", "dashboard.setcount"
+    ].collect { |x| x.downcase }
     # Call facebook server with a method request. Most keyword arguments
     # are passed directly to the server with a few exceptions.
@@ -157,11 +161,7 @@ module MiniFB
         file_name = kwargs.delete("filename")
-        # Hash with secret
-        arg_string = String.new
-        # todo: convert symbols to strings, symbols break the next line
-        kwargs.sort.each { |kv| arg_string << kv[0] << "=" << kv[1].to_s }
-        kwargs["sig"] = Digest::MD5.hexdigest( arg_string + secret.value.call )
+        kwargs["sig"] = signature_for(kwargs, secret.value.call)
         fb_method = kwargs["method"].downcase
         if fb_method == "photos.upload"
@@ -170,7 +170,7 @@ module MiniFB
         else
             begin
-                response = Net::HTTP.post_form( URI.parse(FB_URL), kwargs )
+                response = Net::HTTP.post_form( URI.parse(FB_URL), post_params(kwargs))
             rescue SocketError => err
                 # why are we catching this and throwing as different error?  hmmm..
 #                raise IOError.new( "Cannot connect to the facebook server: " + err )
@@ -205,31 +205,31 @@ module MiniFB
         return data
     end
-     def MiniFB.post_upload(filename, kwargs)
-      content = File.open(filename, 'rb') { |f| f.read }
-      boundary = Digest::MD5.hexdigest(content)
-      header = {'Content-type' => "multipart/form-data, boundary=#{boundary}"}
-      # Build query
-      query = ''
-      kwargs.each { |a, v|
+    def MiniFB.post_upload(filename, kwargs)
+        content = File.open(filename, 'rb') { |f| f.read }
+        boundary = Digest::MD5.hexdigest(content)
+        header = {'Content-type' => "multipart/form-data, boundary=#{boundary}"}
+        # Build query
+        query = ''
+        kwargs.each { |a, v|
+            query <<
+                    "--#{boundary}\r\n" <<
+                    "Content-Disposition: form-data; name=\"#{a}\"\r\n\r\n" <<
+                    "#{v}\r\n"
+        }
         query <<
-          "--#{boundary}\r\n" <<
-          "Content-Disposition: form-data; name=\"#{a}\"\r\n\r\n" <<
-          "#{v}\r\n"
-      }
-      query <<
-        "--#{boundary}\r\n" <<
-        "Content-Disposition: form-data; filename=\"#{File.basename(filename)}\"\r\n" <<
-        "Content-Transfer-Encoding: binary\r\n" <<
-        "Content-Type: image/jpeg\r\n\r\n" <<
-        content <<
-        "\r\n" <<
-        "--#{boundary}--"
-      # Call Facebook with POST multipart/form-data request
-      uri = URI.parse(FB_URL)
-      Net::HTTP.start(uri.host) {|http| http.post uri.path, query, header}
+                "--#{boundary}\r\n" <<
+                "Content-Disposition: form-data; filename=\"#{File.basename(filename)}\"\r\n" <<
+                "Content-Transfer-Encoding: binary\r\n" <<
+                "Content-Type: image/jpeg\r\n\r\n" <<
+                content <<
+                "\r\n" <<
+                "--#{boundary}--"
+        # Call Facebook with POST multipart/form-data request
+        uri = URI.parse(FB_URL)
+        Net::HTTP.start(uri.host) {|http| http.post uri.path, query, header}
     end
     # Returns true is signature is valid, false otherwise.
@@ -256,6 +256,36 @@ module MiniFB
         return false
     end
+    # Validates that the cookies sent by the user are those that were set by facebook. Since your
+    # secret is only known by you and facebook it is used to sign all of the cookies set.
+    #
+    # options:
+    # * api_key - the connect applications facebook API key
+    # * secret - the connect application secret
+    # * cookies - the cookies given by facebook - it is ok to just pass all of the cookies, the method will do the filtering for you.
+    def MiniFB.verify_connect_signature(api_key, secret, cookies)
+        signature = cookies[api_key]
+        return false if signature.nil?
+        unsigned = Hash.new
+        signed = Hash.new
+        cookies.each do |k, v|
+            if k =~ /^#{api_key}_(.*)/ then
+                signed[$1] = v
+            else
+                unsigned[k] = v
+            end
+        end
+        arg_string = String.new
+        signed.sort.each {|kv| arg_string << kv[0] << "=" << kv[1] }
+        if Digest::MD5.hexdigest(arg_string + secret) == signature
+            return true
+        end
+        return false
+    end
     # Returns the login/add app url for your application.
     #
     # options:
@@ -320,4 +350,30 @@ module MiniFB
             @value = Proc.new { value }
         end
     end
+    private
+    def self.post_params(params)
+        post_params = {}
+        params.each do |k, v|
+            k = k.to_s unless k.is_a?(String)
+            if Array === v || Hash === v
+                post_params[k] = JSON.dump(v)
+            else
+                post_params[k] = v
+            end
+        end
+        puts post_params.inspect
+        post_params
+    end
+    def self.signature_for(params, secret)
+        params.delete_if { |k, v| v.nil? }
+        raw_string = params.inject([]) do |collection, pair|
+            collection << pair.map { |x|
+                Array === x ? JSON.dump(x) : x
+            }.join("=")
+            collection
+        end.sort.join
+        Digest::MD5.hexdigest([raw_string, secret].join)
+    end
 end

metadata CHANGED Viewed

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments:
   - 0
   - 2
-  - 4
-  version: 0.2.4
+  - 5
+  version: 0.2.5
 platform: ruby
 authors:
 - Travis Reeder
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-04-06 00:00:00 -07:00
+date: 2010-04-20 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency