mini_fb 0.2.4 → 0.2.5

data/README.markdown

@@ -67,8 +67,12 @@ Define an fb_connect method in your login/sessions controller like so:
         @fb_session = cookies[FB_API_KEY + "_session_key"]
         puts "uid=#{@fb_uid}"
         puts "session=#{@fb_session}"
-
-        # And here you would create the user if it doesn't already exist, then redirect them to wherever you want.
+        
+        if MiniFB.verify_connect_signature(FB_API_KEY, FB_SECRET, cookies)
+          # And here you would create the user if it doesn't already exist, then redirect them to wherever you want.
+        else
+          # The cookies may have been modified as the signature does not match
+        end
 
     end
 

data/lib/mini_fb.rb

@@ -114,7 +114,11 @@ module MiniFB
     end
 
     BAD_JSON_METHODS = ["users.getloggedinuser", "auth.promotesession", "users.hasapppermission",
-                        "Auth.revokeExtendedPermission", "pages.isAdmin", "pages.isFan"].collect { |x| x.downcase }
+                        "Auth.revokeExtendedPermission", "pages.isAdmin", "pages.isFan",
+                        "stream.publish",
+                        "dashboard.addNews", "dashboard.addGlobalNews", "dashboard.publishActivity",
+                        "dashboard.incrementcount", "dashboard.setcount"
+    ].collect { |x| x.downcase }
 
     # Call facebook server with a method request. Most keyword arguments
     # are passed directly to the server with a few exceptions.
@@ -157,11 +161,7 @@ module MiniFB
 
         file_name = kwargs.delete("filename")
 
-        # Hash with secret
-        arg_string = String.new
-        # todo: convert symbols to strings, symbols break the next line
-        kwargs.sort.each { |kv| arg_string << kv[0] << "=" << kv[1].to_s }
-        kwargs["sig"] = Digest::MD5.hexdigest( arg_string + secret.value.call )
+        kwargs["sig"] = signature_for(kwargs, secret.value.call)
 
         fb_method = kwargs["method"].downcase
         if fb_method == "photos.upload"
@@ -170,7 +170,7 @@ module MiniFB
         else
 
             begin
-                response = Net::HTTP.post_form( URI.parse(FB_URL), kwargs )
+                response = Net::HTTP.post_form( URI.parse(FB_URL), post_params(kwargs))
             rescue SocketError => err
                 # why are we catching this and throwing as different error?  hmmm..
 #                raise IOError.new( "Cannot connect to the facebook server: " + err )
@@ -205,31 +205,31 @@ module MiniFB
         return data
     end
 
-     def MiniFB.post_upload(filename, kwargs)
-      content = File.open(filename, 'rb') { |f| f.read }
-      boundary = Digest::MD5.hexdigest(content)
-      header = {'Content-type' => "multipart/form-data, boundary=#{boundary}"}
-
-      # Build query
-      query = ''
-      kwargs.each { |a, v|
+    def MiniFB.post_upload(filename, kwargs)
+        content = File.open(filename, 'rb') { |f| f.read }
+        boundary = Digest::MD5.hexdigest(content)
+        header = {'Content-type' => "multipart/form-data, boundary=#{boundary}"}
+
+        # Build query
+        query = ''
+        kwargs.each { |a, v|
+            query <<
+                    "--#{boundary}\r\n" <<
+                    "Content-Disposition: form-data; name=\"#{a}\"\r\n\r\n" <<
+                    "#{v}\r\n"
+        }
         query <<
-          "--#{boundary}\r\n" <<
-          "Content-Disposition: form-data; name=\"#{a}\"\r\n\r\n" <<
-          "#{v}\r\n"
-      }
-      query <<
-        "--#{boundary}\r\n" <<
-        "Content-Disposition: form-data; filename=\"#{File.basename(filename)}\"\r\n" <<
-        "Content-Transfer-Encoding: binary\r\n" <<
-        "Content-Type: image/jpeg\r\n\r\n" <<
-        content <<
-        "\r\n" <<
-        "--#{boundary}--"
-
-      # Call Facebook with POST multipart/form-data request
-      uri = URI.parse(FB_URL)
-      Net::HTTP.start(uri.host) {|http| http.post uri.path, query, header}
+                "--#{boundary}\r\n" <<
+                "Content-Disposition: form-data; filename=\"#{File.basename(filename)}\"\r\n" <<
+                "Content-Transfer-Encoding: binary\r\n" <<
+                "Content-Type: image/jpeg\r\n\r\n" <<
+                content <<
+                "\r\n" <<
+                "--#{boundary}--"
+
+        # Call Facebook with POST multipart/form-data request
+        uri = URI.parse(FB_URL)
+        Net::HTTP.start(uri.host) {|http| http.post uri.path, query, header}
     end
 
     # Returns true is signature is valid, false otherwise.
@@ -256,6 +256,36 @@ module MiniFB
         return false
     end
 
+    # Validates that the cookies sent by the user are those that were set by facebook. Since your
+    # secret is only known by you and facebook it is used to sign all of the cookies set.
+    #
+    # options:
+    # * api_key - the connect applications facebook API key
+    # * secret - the connect application secret
+    # * cookies - the cookies given by facebook - it is ok to just pass all of the cookies, the method will do the filtering for you.
+    def MiniFB.verify_connect_signature(api_key, secret, cookies)
+        signature = cookies[api_key]
+        return false if signature.nil?
+
+        unsigned = Hash.new
+        signed = Hash.new
+
+        cookies.each do |k, v|
+            if k =~ /^#{api_key}_(.*)/ then
+                signed[$1] = v
+            else
+                unsigned[k] = v
+            end
+        end
+
+        arg_string = String.new
+        signed.sort.each {|kv| arg_string << kv[0] << "=" << kv[1] }
+        if Digest::MD5.hexdigest(arg_string + secret) == signature
+            return true
+        end
+        return false
+    end
+
     # Returns the login/add app url for your application.
     #
     # options:
@@ -320,4 +350,30 @@ module MiniFB
             @value = Proc.new { value }
         end
     end
+
+    private
+    def self.post_params(params)
+        post_params = {}
+        params.each do |k, v|
+            k = k.to_s unless k.is_a?(String)
+            if Array === v || Hash === v
+                post_params[k] = JSON.dump(v)
+            else
+                post_params[k] = v
+            end
+        end
+        puts post_params.inspect
+        post_params
+    end
+
+    def self.signature_for(params, secret)
+        params.delete_if { |k, v| v.nil? }
+        raw_string = params.inject([]) do |collection, pair|
+            collection << pair.map { |x|
+                Array === x ? JSON.dump(x) : x
+            }.join("=")
+            collection
+        end.sort.join
+        Digest::MD5.hexdigest([raw_string, secret].join)
+    end
 end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 2
-  - 4
-  version: 0.2.4
+  - 5
+  version: 0.2.5
 platform: ruby
 authors: 
 - Travis Reeder
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-04-06 00:00:00 -07:00
+date: 2010-04-20 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency