omniauth-facebook 1.0.0 → 1.1.0

data/Gemfile

@@ -1,3 +1,5 @@
 source :rubygems
 
 gemspec
+
+gem 'jruby-openssl', :platform => :jruby

data/README.md

@@ -2,7 +2,7 @@
 
 This gem contains the Facebook strategy for OmniAuth 1.0.
 
-Supports the OAuth 2.0 server-side flow. Read the Facebook docs for more details: http://developers.facebook.com/docs/authentication
+Supports the OAuth 2.0 server-side and client-side flows. Read the Facebook docs for more details: http://developers.facebook.com/docs/authentication
 
 ## Installing
 
@@ -26,6 +26,8 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+See a full example of both server and client-side flows in the example Sinatra app in the `example/` folder above.
+
 ## Configuring
 
 You can configure several options, which you pass in to the `provider` method via a `Hash`:
@@ -88,6 +90,12 @@ Here's an example *Authentication Hash* available in `request.env['omniauth.auth
 
 The precise information available may depend on the permissions which you request.
 
+## Client-side Flow
+
+The client-side flow supports parsing the authorization code from the signed request which Facebook puts into a cookie. This means you can to use the Facebook Javascript SDK as you would normally, and you just hit the callback endpoint (`/auth/facebook/callback` by default) once the user has authenticated in the `FB.login` success callback.
+
+See the example Sinatra app under `example/` for more details.
+
 ## Supported Rubies
 
 Actively tested with the following Ruby versions:
@@ -97,6 +105,12 @@ Actively tested with the following Ruby versions:
 - MRI 1.8.7
 - JRuby 1.6.5
 
+*NB.* For JRuby, you'll need to install the `jruby-openssl` gem. There's no way to automatically specify this in a Rubygem gemspec, so you need to manually add it your project's own Gemfile:
+
+```ruby
+gem 'jruby-openssl', :platform => :jruby
+```
+
 ## License
 
 Copyright (c) 2011 by Mark Dodwell

data/example/config.ru

@@ -2,10 +2,73 @@ require 'bundler/setup'
 require 'sinatra/base'
 require 'omniauth-facebook'
 
+SCOPE = 'email,read_stream'
+
 class App < Sinatra::Base
+  # server-side flow
   get '/' do
+    # NOTE: you would just hit this endpoint directly from the browser
+    #       in a real app. the redirect is just here to setup the root 
+    #       path in this example sinatra app.
     redirect '/auth/facebook'
   end
+  
+  # client-side flow
+  get '/client-side' do
+    content_type 'text/html'
+    # NOTE: when you enable cookie below in the FB.init call
+    #       the GET request in the FB.login callback will send
+    #       a signed request in a cookie back the OmniAuth callback
+    #       which will parse out the authorization code and obtain
+    #       the access_token. This will be the exact same access_token
+    #       returned to the client in response.authResponse.accessToken.
+    <<-END
+      <html>
+      <head>
+        <title>Client-side Flow Example</title>
+        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
+      </head>
+      <body>
+        <div id="fb-root"></div>
+
+        <script type="text/javascript">
+          window.fbAsyncInit = function() {
+            FB.init({
+              appId  : '#{ENV['APP_ID']}',
+              status : true, // check login status
+              cookie : true, // enable cookies to allow the server to access the session
+              oauth  : true, // enable OAuth 2.0
+              xfbml  : true  // parse XFBML
+            });
+          };
+
+          (function(d) {
+            var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
+            js = d.createElement('script'); js.id = id; js.async = true;
+            js.src = "//connect.facebook.net/en_US/all.js";
+            d.getElementsByTagName('head')[0].appendChild(js);
+          }(document));
+          
+          $(function() {
+            $('a').click(function(e) {
+              e.preventDefault();
+              
+              FB.login(function(response) {
+                if (response.authResponse) {
+                  $.get('/auth/facebook/callback');
+                }
+              }, { scope: '#{SCOPE}' });
+            });
+          });
+        </script>
+        
+        <p>
+          <a href="#">Connect to FB</a>
+        </p>
+      </body>
+      </html>
+    END
+  end
 
   get '/auth/:provider/callback' do
     content_type 'application/json'
@@ -21,7 +84,7 @@ end
 use Rack::Session::Cookie
 
 use OmniAuth::Builder do
-  provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => 'email,read_stream', :display => 'popup'
+  provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => SCOPE
 end
 
 run App.new

data/lib/omniauth/facebook/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Facebook
-    VERSION = "1.0.0"
+    VERSION = "1.1.0"
   end
 end

data/lib/omniauth/strategies/facebook.rb

@@ -1,4 +1,6 @@
 require 'omniauth/strategies/oauth2'
+require 'base64'
+require 'openssl'
 
 module OmniAuth
   module Strategies
@@ -58,10 +60,26 @@ module OmniAuth
       end
 
       def build_access_token
-        super.tap do |token|
+        with_authorization_code { super }.tap do |token|
           token.options.merge!(access_token_options)
         end
       end
+      
+      # NOTE if we're using code from the signed request cookie
+      # then FB sets the redirect_uri to '' during the authorize
+      # phase + it must match during the access_token phase:
+      # https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
+      def callback_url
+        if @authorization_code_from_cookie
+          ''
+        else
+          if options.authorize_options.respond_to?(:callback_url)
+            options.authorize_options.callback_url
+          else
+            super
+          end
+        end
+      end
 
       def access_token_options
         options.access_token_options.inject({}) { |h,(k,v)| h[k.to_sym] = v; h }
@@ -73,15 +91,64 @@ module OmniAuth
           params[:scope] ||= DEFAULT_SCOPE
         end
       end
+
+      def signed_request
+        @signed_request ||= begin
+          cookie = request.cookies["fbsr_#{client.id}"] and
+          parse_signed_request(cookie)
+        end
+      end
       
       private
       
+      # picks the authorization code in order, from:
+      # 1. the request param
+      # 2. a signed cookie
+      def with_authorization_code
+        if request.params.key?('code')
+          yield
+        else code_from_cookie = signed_request && signed_request['code']
+          request.params['code'] = code_from_cookie
+          @authorization_code_from_cookie = true
+          begin
+            yield
+          ensure
+            request.params.delete('code')
+            @authorization_code_from_cookie = false
+          end
+        end
+      end
+      
       def prune!(hash)
         hash.delete_if do |_, value| 
           prune!(value) if value.is_a?(Hash)
           value.nil? || (value.respond_to?(:empty?) && value.empty?)
         end
       end
+      
+      def parse_signed_request(value)
+        signature, encoded_payload = value.split('.')
+
+        decoded_hex_signature = base64_decode_url(signature)#.unpack('H*')
+        decoded_payload = MultiJson.decode(base64_decode_url(encoded_payload))
+
+        unless decoded_payload['algorithm'] == 'HMAC-SHA256'
+          raise NotImplementedError, "unkown algorithm: #{decoded_payload['algorithm']}"
+        end
+
+        if valid_signature?(client.secret, decoded_hex_signature, encoded_payload)
+          decoded_payload
+        end
+      end
+
+      def valid_signature?(secret, signature, payload, algorithm = OpenSSL::Digest::SHA256.new)
+        OpenSSL::HMAC.digest(algorithm, secret, payload) == signature
+      end
+
+      def base64_decode_url(value)
+        value += '=' * (4 - value.size.modulo(4))
+        Base64.decode64(value.tr('-_', '+/'))
+      end
     end
   end
 end

data/spec/omniauth/strategies/facebook_spec.rb

@@ -1,14 +1,21 @@
 require 'spec_helper'
 require 'omniauth-facebook'
+require 'openssl'
+require 'base64'
 
 describe OmniAuth::Strategies::Facebook do
   before :each do
     @request = double('Request')
     @request.stub(:params) { {} }
+    @request.stub(:cookies) { {} }
+    
+    @client_id = '123'
+    @client_secret = '53cr3tz'
   end
   
   subject do
-    OmniAuth::Strategies::Facebook.new(nil, @options || {}).tap do |strategy|
+    args = [@client_id, @client_secret, @options].compact
+    OmniAuth::Strategies::Facebook.new(nil, *args).tap do |strategy|
       strategy.stub(:request) { @request }
     end
   end
@@ -29,6 +36,21 @@ describe OmniAuth::Strategies::Facebook do
     end
   end
 
+  describe '#callback_url' do
+    it "returns value from #authorize_options" do
+      url = 'http://auth.myapp.com/auth/fb/callback'
+      @options = { :authorize_options => { :callback_url => url } }
+      subject.callback_url.should eq(url)
+    end
+
+    it "callback_url from request" do
+      url_base = 'http://auth.request.com'
+      @request.stub(:url) { "#{url_base}/page/path" }
+      subject.stub(:script_name) { "" } # to not depend from Rack env
+      subject.callback_url.should eq("#{url_base}/auth/facebook/callback")
+    end
+  end
+
   describe '#authorize_params' do
     it 'includes default scope for email and offline access' do
       subject.authorize_params.should be_a(Hash)
@@ -256,4 +278,47 @@ describe OmniAuth::Strategies::Facebook do
       subject.extra.should eq({ 'raw_info' => @raw_info })
     end
   end
+
+  describe '#signed_request' do
+    context 'cookie not present' do
+      it 'is nil' do
+        subject.send(:signed_request).should be_nil
+      end
+    end
+    
+    context 'cookie present' do
+      before :each do
+        @payload = {
+          'algorithm' => 'HMAC-SHA256',
+          'code' => 'm4c0d3z',
+          'issued_at' => Time.now.to_i,
+          'user_id' => '123456'
+        }
+
+        @request.stub(:cookies) do
+          { "fbsr_#{@client_id}" => signed_request(@payload, @client_secret) }
+        end
+      end
+
+      it 'parses the access code out from the cookie' do
+        subject.send(:signed_request).should eq(@payload)
+      end
+    end
+  end
+
+private
+
+  def signed_request(payload, secret)
+    encoded_payload = base64_encode_url(MultiJson.encode(payload))
+    encoded_signature = base64_encode_url(signature(encoded_payload, secret))
+    [encoded_signature, encoded_payload].join('.')
+  end
+
+  def base64_encode_url(value)
+    Base64.encode64(value).tr('+/', '-_').gsub(/\n/, '')
+  end
+
+  def signature(payload, secret, algorithm = OpenSSL::Digest::SHA256.new)	
+    OpenSSL::HMAC.digest(algorithm, secret, payload)
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-facebook
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-19 00:00:00.000000000 Z
+date: 2011-12-10 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
-  requirement: &70230182116160 !ruby/object:Gem::Requirement
+  requirement: &70284008423900 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *70230182116160
+  version_requirements: *70284008423900
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70230182114320 !ruby/object:Gem::Requirement
+  requirement: &70284008422620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 2.7.0
   type: :development
   prerelease: false
-  version_requirements: *70230182114320
+  version_requirements: *70284008422620
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70230182112600 !ruby/object:Gem::Requirement
+  requirement: &70284008421960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,7 +43,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70230182112600
+  version_requirements: *70284008421960
 description: 
 email:
 - mark@mkdynamic.co.uk
@@ -80,7 +80,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -728790844477512045
+      hash: -3067911989244546828
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -89,7 +89,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -728790844477512045
+      hash: -3067911989244546828
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.10