omniauth-facebook 1.2.0 → 1.3.0

data/.gitignore

@@ -5,3 +5,4 @@
 pkg/*
 .powenv
 tmp
+bin

data/README.md

@@ -26,28 +26,39 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
-See a full example of both server and client-side flows in the example Sinatra app in the `example/` folder above.
+[See the example Sinatra app for full examples](https://github.com/mkdynamic/omniauth-facebook/blob/master/example/config.ru) of both the server and client-side flows (including using the Facebook Javascript SDK).
 
 ## Configuring
 
 You can configure several options, which you pass in to the `provider` method via a `Hash`:
 
-* `scope`: A comma-separated list of permissions you want to request from the user. See the Facebook docs for a full list of available permissions: http://developers.facebook.com/docs/reference/api/permissions. Default: `email,offline_access`
-* `display`: The display context to show the authentication page. Options are: `page`, `popup`, `iframe`, `touch` and `wap`. Read the Facebook docs for more details: http://developers.facebook.com/docs/reference/dialogs#display. Default: `page`
+* `scope`: A comma-separated list of permissions you want to request from the user. See the Facebook docs for a full list of available permissions: http://developers.facebook.com/docs/reference/api/permissions. Default: `email`
+* `display`: The display context to show the authentication page. Options are: `page`, `popup` and `touch`. Read the Facebook docs for more details: https://developers.facebook.com/docs/reference/dialogs/oauth/. Default: `page`
+* `secure_image_url`: Set to `true` to use https for the avatar image url returned in the auth hash. Default is `false`.
+* `image_size`: Set the size for the returned image url in the auth hash. Valid options are `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Default is `square` (50x50).
+
+For example, to request `email`, `user_birthday` and `read_stream` permissions and display the authentication page in a popup window:
 
-For example, to request `email`, `offline_access` and `read_stream` permissions and display the authentication page in a popup window:
- 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'], :scope => 'email,offline_access,read_stream', :display => 'popup'
+  provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'],
+           :scope => 'email,user_birthday,read_stream', :display => 'popup'
 end
 ```
 
-*NB.* If you want to set the `display` format on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup`.
+### Per-Request Options
+
+If you want to set the `display` format or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`.
+
+You can also pass through a `state` param which will be passed along to the callback url.
+
+### Custom Callback URL/Path
 
-## Authentication Hash
+You can set a custom `callback_url` or `callback_path` option to override the default value. See [OmniAuth::Strategy#callback_url](https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L387) for more details on the default.
 
-Here's an example *Authentication Hash* available in `request.env['omniauth.auth']`:
+## Auth Hash
+
+Here's an example *Auth Hash* available in `request.env['omniauth.auth']`:
 
 ```ruby
 {
@@ -61,12 +72,13 @@ Here's an example *Authentication Hash* available in `request.env['omniauth.auth
     :last_name => 'Bloggs',
     :image => 'http://graph.facebook.com/1234567/picture?type=square',
     :urls => { :Facebook => 'http://www.facebook.com/jbloggs' },
-    :location => 'Palo Alto, California'
+    :location => 'Palo Alto, California',
+    :verified => true
   },
   :credentials => {
     :token => 'ABCDEF...', # OAuth 2.0 access_token, which you may wish to store
-    :expires_at => 1321747205, # when the access token expires (if it expires)
-    :expires => true # if you request `offline_access` this will be false
+    :expires_at => 1321747205, # when the access token expires (it always will)
+    :expires => true # this will always be true
   },
   :extra => {
     :raw_info => {
@@ -92,9 +104,53 @@ The precise information available may depend on the permissions which you reques
 
 ## Client-side Flow
 
-The client-side flow supports parsing the authorization code from the signed request which Facebook puts into a cookie. This means you can to use the Facebook Javascript SDK as you would normally, and you just hit the callback endpoint (`/auth/facebook/callback` by default) once the user has authenticated in the `FB.login` success callback.
+You can use the Facebook Javascript SDK with `FB.login`, and just hit the callback endpoint (`/auth/facebook/callback` by default) once the user has authenticated in the success callback.
+
+Note that you must enable cookies in the `FB.init` config for this process to work.
+
+See the example Sinatra app under `example/` and read the [Facebook docs on Client-Side Authentication](https://developers.facebook.com/docs/authentication/client-side/) for more details.
+
+### How it Works
+
+The client-side flow is supported by parsing the authorization code from the signed request which Facebook places in a cookie.
+
+When you call `/auth/facebook/callback` in the success callback of `FB.login` that will pass the cookie back to the server. omniauth-facebook will see this cookie and:
+
+1. parse it,
+2. extract the authorization code contained in it
+3. and hit Facebook and obtain an access token which will get placed in the `request.env['omniauth.auth']['credentials']` hash.
+
+Note that this access token will be the same token obtained and available in the client through the hash [as (detailed in the Facebook docs](https://developers.facebook.com/docs/authentication/client-side/)).
+
+## Canvas Apps
+
+Canvas apps will send a signed request with the initial POST, therefore you *can* (if it makes sense for your app) pass this to the authorize endpoint (`/auth/facebook` by default) in the querystring.
+
+There are then 2 scenarios for what happens next:
+
+1. A user has already granted access to your app, this will contain an access token. In this case, omniauth-facebook will skip asking the user for authentication and immediately redirect to the callback endpoint (`/auth/facebook/callback` by default) with the access token present in the `request.env['omniauth.auth']['credentials']` hash.
+
+2. A user has not granted access to your app, and the signed request *will not* contain an access token. In this case omniauth-facebook will simply follow the standard auth flow.
+
+Take a look at [the example Sinatra app for one option of how you can integrate with a canvas page](https://github.com/mkdynamic/omniauth-facebook/blob/master/example/config.ru).
+
+Bear in mind you have several options (including [authenticated referrals](https://developers.facebook.com/docs/opengraph/authentication/#referrals)). Read [the Facebook docs on canvas page  authentication](https://developers.facebook.com/docs/authentication/canvas/) for more info.
+
+## Token Expiry
+
+Since Facebook deprecated the `offline_access` permission, this has become more complex. The expiration time of the access token you obtain will depend on which flow you are using. See below for more details.
+
+### Client-Side Flow
+
+If you use the client-side flow, Facebook will give you back a short lived access token (~ 2 hours).
+
+You can exchange this short lived access token for a longer lived version. Read the [Facebook docs about the offline_access  deprecation](https://developers.facebook.com/roadmap/offline-access-removal/) for more information.
+
+### Server-Side Flow
+
+If you use the server-side flow, Facebook will give you back a longer loved access token (~ 60 days).
 
-See the example Sinatra app under `example/` for more details.
+If you're having issue getting a long lived token with the server-side flow, make sure to enable the 'deprecate offline_access setting' in you Facebook app config. Read the [Facebook docs about the offline_access  deprecation](https://developers.facebook.com/roadmap/offline-access-removal/) for more information.
 
 ## Supported Rubies
 
@@ -113,7 +169,7 @@ gem 'jruby-openssl', :platform => :jruby
 
 ## License
 
-Copyright (c) 2011 by Mark Dodwell
+Copyright (c) 2012 by Mark Dodwell
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

data/example/Gemfile

@@ -1,7 +1,4 @@
 source :rubygems
 
-# https://github.com/mkdynamic/omniauth-facebook/issues/20
-gem 'rack', '~> 1.3.6'
-
 gem 'sinatra'
 gem 'omniauth-facebook', :path => '../'

data/example/Gemfile.lock

@@ -1,30 +1,29 @@
 PATH
   remote: ../
   specs:
-    omniauth-facebook (1.1.0)
-      omniauth-oauth2 (~> 1.0.0)
+    omniauth-facebook (1.2.0)
+      omniauth-oauth2 (~> 1.0.2)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    addressable (2.2.6)
-    faraday (0.7.5)
-      addressable (~> 2.2.6)
-      multipart-post (~> 1.1.3)
-      rack (>= 1.1.0, < 2)
+    faraday (0.8.0)
+      multipart-post (~> 1.1)
     hashie (1.2.0)
-    multi_json (1.0.4)
-    multipart-post (1.1.4)
-    oauth2 (0.5.2)
+    httpauth (0.1)
+    multi_json (1.3.4)
+    multipart-post (1.1.5)
+    oauth2 (0.6.1)
       faraday (~> 0.7)
-      multi_json (~> 1.0)
-    omniauth (1.0.1)
+      httpauth (~> 0.1)
+      multi_json (~> 1.3)
+    omniauth (1.1.0)
       hashie (~> 1.2)
       rack
-    omniauth-oauth2 (1.0.0)
-      oauth2 (~> 0.5.0)
+    omniauth-oauth2 (1.0.2)
+      oauth2 (~> 0.6.0)
       omniauth (~> 1.0)
-    rack (1.3.6)
+    rack (1.4.1)
     rack-protection (1.2.0)
       rack
     sinatra (1.3.2)
@@ -38,5 +37,4 @@ PLATFORMS
 
 DEPENDENCIES
   omniauth-facebook!
-  rack (~> 1.3.6)
   sinatra

data/example/config.ru

@@ -5,14 +5,17 @@ require 'omniauth-facebook'
 SCOPE = 'email,read_stream'
 
 class App < Sinatra::Base
+  # turn off sinatra default X-Frame-Options for FB canvas
+  set :protection, :except => :frame_options
+
   # server-side flow
   get '/' do
     # NOTE: you would just hit this endpoint directly from the browser
-    #       in a real app. the redirect is just here to setup the root 
+    #       in a real app. the redirect is just here to setup the root
     #       path in this example sinatra app.
     redirect '/auth/facebook'
   end
-  
+
   # client-side flow
   get '/client-side' do
     content_type 'text/html'
@@ -37,7 +40,6 @@ class App < Sinatra::Base
               appId  : '#{ENV['APP_ID']}',
               status : true, // check login status
               cookie : true, // enable cookies to allow the server to access the session
-              oauth  : true, // enable OAuth 2.0
               xfbml  : true  // parse XFBML
             });
           };
@@ -48,33 +50,56 @@ class App < Sinatra::Base
             js.src = "//connect.facebook.net/en_US/all.js";
             d.getElementsByTagName('head')[0].appendChild(js);
           }(document));
-          
+
           $(function() {
             $('a').click(function(e) {
               e.preventDefault();
-              
+
               FB.login(function(response) {
                 if (response.authResponse) {
-                  $.get('/auth/facebook/callback');
+                  $('#connect').html('Connected! Hitting OmniAuth callback (GET /auth/facebook/callback)...');
+
+                  // since we have cookies enabled, this request will allow omniauth to parse
+                  // out the auth code from the signed request in the fbsr_XXX cookie
+                  $.getJSON('/auth/facebook/callback', function(json) {
+                    $('#connect').html('Connected! Callback complete.');
+                    $('#results').html(JSON.stringify(json));
+                  });
                 }
               }, { scope: '#{SCOPE}' });
             });
           });
         </script>
-        
-        <p>
+
+        <p id="connect">
           <a href="#">Connect to FB</a>
         </p>
+
+        <p id="results" />
       </body>
       </html>
     END
   end
 
+  # auth via FB canvas and signed request param
+  post '/canvas/' do
+    # we just redirect to /auth/facebook here which will parse the
+    # signed_request FB sends us, asking for auth if the user has
+    # not already granted access, or simply moving straight to the
+    # callback where they have already granted access.
+    #
+    # we pass the state parameter which we can detect in our callback
+    # to do custom rendering/redirection for the canvas app page
+    redirect "/auth/facebook?signed_request=#{request.params['signed_request']}&state=canvas"
+  end
+
   get '/auth/:provider/callback' do
+    # we can do something special here is +state+ param is canvas
+    # (see notes above in /canvas/ method for more details)
     content_type 'application/json'
     MultiJson.encode(request.env)
   end
-  
+
   get '/auth/failure' do
     content_type 'application/json'
     MultiJson.encode(request.env)

data/lib/omniauth/facebook/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Facebook
-    VERSION = "1.2.0"
+    VERSION = "1.3.0"
   end
 end

data/lib/omniauth/strategies/facebook.rb

@@ -1,12 +1,15 @@
 require 'omniauth/strategies/oauth2'
 require 'base64'
 require 'openssl'
+require 'rack/utils'
 
 module OmniAuth
   module Strategies
     class Facebook < OmniAuth::Strategies::OAuth2
-      DEFAULT_SCOPE = 'email,offline_access'
-      
+      class NoAuthorizationCodeError < StandardError; end
+
+      DEFAULT_SCOPE = 'email'
+
       option :client_options, {
         :site => 'https://graph.facebook.com',
         :token_url => '/oauth/access_token'
@@ -20,11 +23,11 @@ module OmniAuth
         :header_format => 'OAuth %s',
         :param_name => 'access_token'
       }
-      
+
       option :authorize_options, [:scope, :display]
-      
+
       uid { raw_info['id'] }
-      
+
       info do
         prune!({
           'nickname' => raw_info['username'],
@@ -32,105 +35,162 @@ module OmniAuth
           'name' => raw_info['name'],
           'first_name' => raw_info['first_name'],
           'last_name' => raw_info['last_name'],
-          'image' => "http://graph.facebook.com/#{uid}/picture?type=square",
+          'image' => "#{options[:secure_image_url] ? 'https' : 'http'}://graph.facebook.com/#{uid}/picture?type=#{options[:image_size] || 'square'}",
           'description' => raw_info['bio'],
           'urls' => {
             'Facebook' => raw_info['link'],
             'Website' => raw_info['website']
           },
-          'location' => (raw_info['location'] || {})['name']
+          'location' => (raw_info['location'] || {})['name'],
+          'verified' => raw_info['verified']
         })
       end
-      
+
       credentials do
         prune!({
           'expires' => access_token.expires?,
           'expires_at' => access_token.expires_at
         })
       end
-      
+
       extra do
         prune!({
           'raw_info' => raw_info
         })
       end
-      
+
       def raw_info
-        @raw_info ||= access_token.get('/me').parsed
+        @raw_info ||= access_token.get('/me').parsed || {}
       end
 
       def build_access_token
-        with_authorization_code { super }.tap do |token|
-          token.options.merge!(access_token_options)
+        if signed_request_contains_access_token?
+          hash = signed_request.clone
+          ::OAuth2::AccessToken.new(
+            client,
+            hash.delete('oauth_token'),
+            hash.merge!(access_token_options.merge(:expires_at => hash.delete('expires')))
+          )
+        else
+          with_authorization_code! { super }.tap do |token|
+            token.options.merge!(access_token_options)
+          end
         end
       end
-      
-      # NOTE if we're using code from the signed request cookie
+
+      def request_phase
+        if signed_request_contains_access_token?
+          # if we already have an access token, we can just hit the
+          # callback URL directly and pass the signed request along
+          params = { :signed_request => raw_signed_request }
+          params[:state] = request.params['state'] if request.params['state']
+          query = Rack::Utils.build_query(params)
+
+          url = callback_url
+          url << "?" unless url.match(/\?/)
+          url << "&" unless url.match(/[\&\?]$/)
+          url << query
+
+          redirect url
+        else
+          super
+        end
+      end
+
+      # NOTE if we're using code from the signed request
       # then FB sets the redirect_uri to '' during the authorize
       # phase + it must match during the access_token phase:
       # https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
       def callback_url
-        if @authorization_code_from_cookie
+        if @authorization_code_from_signed_request
           ''
         else
-          if options.authorize_options.respond_to?(:callback_url)
-            options.authorize_options.callback_url
-          else
-            super
-          end
+          options[:callback_url] || super
         end
       end
 
       def access_token_options
         options.access_token_options.inject({}) { |h,(k,v)| h[k.to_sym] = v; h }
       end
-      
+
+      ##
+      # You can pass +display+, +state+ or +scope+ params to the auth request, if
+      # you need to set them dynamically. You can also set these options
+      # in the OmniAuth config :authorize_params option.
+      #
+      # /auth/facebook?display=popup&state=ABC
+      #
       def authorize_params
         super.tap do |params|
-          params.merge!(:display => request.params['display']) if request.params['display']
-          params.merge!(:state => request.params['state']) if request.params['state']
+          %w[display state scope].each { |v| params[v.to_sym] = request.params[v] if request.params[v] }
           params[:scope] ||= DEFAULT_SCOPE
         end
       end
 
+      ##
+      # Parse signed request in order, from:
+      #
+      # 1. the request 'signed_request' param (server-side flow from canvas pages) or
+      # 2. a cookie (client-side flow via JS SDK)
+      #
       def signed_request
-        @signed_request ||= begin
-          cookie = request.cookies["fbsr_#{client.id}"] and
-          parse_signed_request(cookie)
-        end
+        @signed_request ||= raw_signed_request &&
+          parse_signed_request(raw_signed_request)
       end
-      
+
       private
-      
-      # picks the authorization code in order, from:
-      # 1. the request param
-      # 2. a signed cookie
-      def with_authorization_code
+
+      def raw_signed_request
+        request.params['signed_request'] ||
+        request.cookies["fbsr_#{client.id}"]
+      end
+
+      ##
+      # If the signed_request comes from a FB canvas page and the user
+      # has already authorized your application, the JSON object will be
+      # contain the access token.
+      #
+      # https://developers.facebook.com/docs/authentication/canvas/
+      #
+      def signed_request_contains_access_token?
+        signed_request &&
+        signed_request['oauth_token']
+      end
+
+      ##
+      # Picks the authorization code in order, from:
+      #
+      # 1. the request 'code' param (manual callback from standard server-side flow)
+      # 2. a signed request (see #signed_request for more)
+      #
+      def with_authorization_code!
         if request.params.key?('code')
           yield
-        else code_from_cookie = signed_request && signed_request['code']
-          request.params['code'] = code_from_cookie
-          @authorization_code_from_cookie = true
+        elsif code_from_signed_request = signed_request && signed_request['code']
+          request.params['code'] = code_from_signed_request
+          @authorization_code_from_signed_request = true
           begin
             yield
           ensure
             request.params.delete('code')
-            @authorization_code_from_cookie = false
+            @authorization_code_from_signed_request = false
           end
+        else
+          raise NoAuthorizationCodeError, 'must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)'
         end
       end
-      
+
       def prune!(hash)
-        hash.delete_if do |_, value| 
+        hash.delete_if do |_, value|
           prune!(value) if value.is_a?(Hash)
           value.nil? || (value.respond_to?(:empty?) && value.empty?)
         end
       end
-      
+
       def parse_signed_request(value)
         signature, encoded_payload = value.split('.')
 
-        decoded_hex_signature = base64_decode_url(signature)#.unpack('H*')
+        decoded_hex_signature = base64_decode_url(signature)
         decoded_payload = MultiJson.decode(base64_decode_url(encoded_payload))
 
         unless decoded_payload['algorithm'] == 'HMAC-SHA256'

data/omniauth-facebook.gemspec

@@ -15,8 +15,8 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.0.0'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.0.2'
 
-  s.add_development_dependency 'rspec', '~> 2.7.0'
+  s.add_development_dependency 'rspec', '~> 2'
   s.add_development_dependency 'rake'
 end

data/spec/omniauth/strategies/facebook_spec.rb

@@ -8,11 +8,12 @@ describe OmniAuth::Strategies::Facebook do
     @request = double('Request')
     @request.stub(:params) { {} }
     @request.stub(:cookies) { {} }
-    
+    @request.stub(:env) { {} }
+
     @client_id = '123'
     @client_secret = '53cr3tz'
   end
-  
+
   subject do
     args = [@client_id, @client_secret, @options].compact
     OmniAuth::Strategies::Facebook.new(nil, *args).tap do |strategy|
@@ -37,26 +38,34 @@ describe OmniAuth::Strategies::Facebook do
   end
 
   describe '#callback_url' do
-    it "returns value from #authorize_options" do
-      url = 'http://auth.myapp.com/auth/fb/callback'
-      @options = { :authorize_options => { :callback_url => url } }
-      subject.callback_url.should eq(url)
+    it "returns the default callback url" do
+      url_base = 'http://auth.request.com'
+      @request.stub(:url) { "#{url_base}/some/page" }
+      subject.stub(:script_name) { '' } # as not to depend on Rack env
+      subject.callback_url.should eq("#{url_base}/auth/facebook/callback")
     end
 
-    it "callback_url from request" do
+    it "returns path from callback_path option" do
+      @options = { :callback_path => "/auth/FB/done"}
       url_base = 'http://auth.request.com'
       @request.stub(:url) { "#{url_base}/page/path" }
-      subject.stub(:script_name) { "" } # to not depend from Rack env
-      subject.callback_url.should eq("#{url_base}/auth/facebook/callback")
+      subject.stub(:script_name) { '' } # as not to depend on Rack env
+      subject.callback_url.should eq("#{url_base}/auth/FB/done")
+    end
+
+    it "returns url from callback_url option" do
+      url = 'https://auth.myapp.com/auth/fb/callback'
+      @options = { :callback_url => url }
+      subject.callback_url.should eq(url)
     end
   end
 
   describe '#authorize_params' do
-    it 'includes default scope for email and offline access' do
+    it 'includes default scope for email' do
       subject.authorize_params.should be_a(Hash)
-      subject.authorize_params[:scope].should eq('email,offline_access')
+      subject.authorize_params[:scope].should eq('email')
     end
-  
+
     it 'includes display parameter from request when present' do
       @request.stub(:params) { { 'display' => 'touch' } }
       subject.authorize_params.should be_a(Hash)
@@ -68,6 +77,12 @@ describe OmniAuth::Strategies::Facebook do
       subject.authorize_params.should be_a(Hash)
       subject.authorize_params[:state].should eq('some_state')
     end
+
+    it 'overrides default scope with parameter passed from request' do
+      @request.stub(:params) { { 'scope' => 'email' } }
+      subject.authorize_params.should be_a(Hash)
+      subject.authorize_params[:scope].should eq('email')
+    end
   end
 
   describe '#token_params' do
@@ -85,24 +100,24 @@ describe OmniAuth::Strategies::Facebook do
       subject.access_token_options[:header_format].should eq('OAuth %s')
     end
   end
-  
+
   describe '#uid' do
     before :each do
       subject.stub(:raw_info) { { 'id' => '123' } }
     end
-    
+
     it 'returns the id from raw_info' do
       subject.uid.should eq('123')
     end
   end
-  
+
   describe '#info' do
-    before :each do
-      @raw_info ||= { 'name' => 'Fred Smith' }
-      subject.stub(:raw_info) { @raw_info }
-    end
-    
     context 'when optional data is not present in raw info' do
+      before :each do
+        @raw_info ||= { 'name' => 'Fred Smith' }
+        subject.stub(:raw_info) { @raw_info }
+      end
+
       it 'has no email key' do
         subject.info.should_not have_key('email')
       end
@@ -110,33 +125,42 @@ describe OmniAuth::Strategies::Facebook do
       it 'has no nickname key' do
         subject.info.should_not have_key('nickname')
       end
-    
+
       it 'has no first name key' do
         subject.info.should_not have_key('first_name')
       end
-    
+
       it 'has no last name key' do
         subject.info.should_not have_key('last_name')
       end
-    
+
       it 'has no location key' do
         subject.info.should_not have_key('location')
       end
-    
+
       it 'has no description key' do
         subject.info.should_not have_key('description')
       end
-    
+
       it 'has no urls' do
         subject.info.should_not have_key('urls')
       end
+
+      it 'has no verified key' do
+        subject.info.should_not have_key('verified')
+      end
     end
-    
-    context 'when data is present in raw info' do
+
+    context 'when optional data is present in raw info' do
+      before :each do
+        @raw_info ||= { 'name' => 'Fred Smith' }
+        subject.stub(:raw_info) { @raw_info }
+      end
+
       it 'returns the name' do
         subject.info['name'].should eq('Fred Smith')
       end
-    
+
       it 'returns the email' do
         @raw_info['email'] = 'fred@smith.com'
         subject.info['email'].should eq('fred@smith.com')
@@ -146,44 +170,44 @@ describe OmniAuth::Strategies::Facebook do
         @raw_info['username'] = 'fredsmith'
         subject.info['nickname'].should eq('fredsmith')
       end
-    
+
       it 'returns the first name' do
         @raw_info['first_name'] = 'Fred'
         subject.info['first_name'].should eq('Fred')
       end
-    
+
       it 'returns the last name' do
         @raw_info['last_name'] = 'Smith'
         subject.info['last_name'].should eq('Smith')
       end
-    
+
       it 'returns the location name as location' do
         @raw_info['location'] = { 'id' => '104022926303756', 'name' => 'Palo Alto, California' }
         subject.info['location'].should eq('Palo Alto, California')
       end
-    
+
       it 'returns bio as description' do
         @raw_info['bio'] = 'I am great'
         subject.info['description'].should eq('I am great')
       end
-    
+
       it 'returns the square format facebook avatar url' do
         @raw_info['id'] = '321'
         subject.info['image'].should eq('http://graph.facebook.com/321/picture?type=square')
       end
-    
+
       it 'returns the Facebook link as the Facebook url' do
         @raw_info['link'] = 'http://www.facebook.com/fredsmith'
         subject.info['urls'].should be_a(Hash)
         subject.info['urls']['Facebook'].should eq('http://www.facebook.com/fredsmith')
       end
-    
+
       it 'returns website url' do
         @raw_info['website'] = 'https://my-wonderful-site.com'
         subject.info['urls'].should be_a(Hash)
         subject.info['urls']['Website'].should eq('https://my-wonderful-site.com')
       end
-    
+
       it 'return both Facebook link and website urls' do
         @raw_info['link'] = 'http://www.facebook.com/fredsmith'
         @raw_info['website'] = 'https://my-wonderful-site.com'
@@ -191,21 +215,45 @@ describe OmniAuth::Strategies::Facebook do
         subject.info['urls']['Facebook'].should eq('http://www.facebook.com/fredsmith')
         subject.info['urls']['Website'].should eq('https://my-wonderful-site.com')
       end
+
+      it 'returns the positive verified status' do
+        @raw_info['verified'] = true
+        subject.info['verified'].should be_true
+      end
+
+      it 'returns the negative verified status' do
+        @raw_info['verified'] = false
+        subject.info['verified'].should be_false
+      end
+    end
+
+    it 'returns the secure facebook avatar url when `secure_image_url` option is specified' do
+      @options = { :secure_image_url => true }
+      raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
+      subject.stub(:raw_info) { raw_info }
+      subject.info['image'].should eq('https://graph.facebook.com/321/picture?type=square')
+    end
+
+    it 'returns the image size specified in the `image_size` option' do
+      @options = { :image_size => 'normal' }
+      raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
+      subject.stub(:raw_info) { raw_info }
+      subject.info['image'].should eq('http://graph.facebook.com/321/picture?type=normal')
     end
   end
-  
+
   describe '#raw_info' do
     before :each do
       @access_token = double('OAuth2::AccessToken')
       subject.stub(:access_token) { @access_token }
     end
-    
+
     it 'performs a GET to https://graph.facebook.com/me' do
       @access_token.stub(:get) { double('OAuth2::Response').as_null_object }
       @access_token.should_receive(:get).with('/me')
       subject.raw_info
     end
-    
+
     it 'returns a Hash' do
       @access_token.stub(:get).with('/me') do
         raw_response = double('Faraday::Response')
@@ -217,6 +265,15 @@ describe OmniAuth::Strategies::Facebook do
       subject.raw_info.should be_a(Hash)
       subject.raw_info['ohai'].should eq('thar')
     end
+
+    it 'returns an empty hash when the response is false' do
+      @access_token.stub(:get).with('/me') do
+        response = double('OAuth2::Response')
+        response.stub(:parsed => false)
+        response
+      end
+      subject.raw_info.should be_a(Hash)
+    end
   end
 
   describe '#credentials' do
@@ -228,24 +285,24 @@ describe OmniAuth::Strategies::Facebook do
       @access_token.stub(:refresh_token)
       subject.stub(:access_token) { @access_token }
     end
-    
+
     it 'returns a Hash' do
       subject.credentials.should be_a(Hash)
     end
-    
+
     it 'returns the token' do
       @access_token.stub(:token) { '123' }
       subject.credentials['token'].should eq('123')
     end
-    
+
     it 'returns the expiry status' do
       @access_token.stub(:expires?) { true }
       subject.credentials['expires'].should eq(true)
-      
+
       @access_token.stub(:expires?) { false }
       subject.credentials['expires'].should eq(false)
     end
-    
+
     it 'returns the refresh token and expiry time when expiring' do
       ten_mins_from_now = (Time.now + 600).to_i
       @access_token.stub(:expires?) { true }
@@ -254,14 +311,14 @@ describe OmniAuth::Strategies::Facebook do
       subject.credentials['refresh_token'].should eq('321')
       subject.credentials['expires_at'].should eq(ten_mins_from_now)
     end
-    
+
     it 'does not return the refresh token when it is nil and expiring' do
       @access_token.stub(:expires?) { true }
       @access_token.stub(:refresh_token) { nil }
       subject.credentials['refresh_token'].should be_nil
       subject.credentials.should_not have_key('refresh_token')
     end
-    
+
     it 'does not return the refresh token when not expiring' do
       @access_token.stub(:expires?) { false }
       @access_token.stub(:refresh_token) { 'XXX' }
@@ -269,29 +326,29 @@ describe OmniAuth::Strategies::Facebook do
       subject.credentials.should_not have_key('refresh_token')
     end
   end
-  
+
   describe '#extra' do
     before :each do
       @raw_info = { 'name' => 'Fred Smith' }
       subject.stub(:raw_info) { @raw_info }
     end
-    
+
     it 'returns a Hash' do
       subject.extra.should be_a(Hash)
     end
-    
+
     it 'contains raw info' do
       subject.extra.should eq({ 'raw_info' => @raw_info })
     end
   end
 
   describe '#signed_request' do
-    context 'cookie not present' do
+    context 'cookie/param not present' do
       it 'is nil' do
         subject.send(:signed_request).should be_nil
       end
     end
-    
+
     context 'cookie present' do
       before :each do
         @payload = {
@@ -310,6 +367,102 @@ describe OmniAuth::Strategies::Facebook do
         subject.send(:signed_request).should eq(@payload)
       end
     end
+
+    context 'param present' do
+      before :each do
+        @payload = {
+          'algorithm' => 'HMAC-SHA256',
+          'oauth_token' => 'XXX',
+          'issued_at' => Time.now.to_i,
+          'user_id' => '123456'
+        }
+
+        @request.stub(:params) do
+          { 'signed_request' => signed_request(@payload, @client_secret) }
+        end
+      end
+
+      it 'parses the access code out from the param' do
+        subject.send(:signed_request).should eq(@payload)
+      end
+    end
+
+    context 'cookie + param present' do
+      before :each do
+        @payload_from_cookie = {
+          'algorithm' => 'HMAC-SHA256',
+          'from' => 'cookie'
+        }
+
+        @request.stub(:cookies) do
+          { "fbsr_#{@client_id}" => signed_request(@payload_from_cookie, @client_secret) }
+        end
+
+        @payload_from_param = {
+          'algorithm' => 'HMAC-SHA256',
+          'from' => 'param'
+        }
+
+        @request.stub(:params) do
+          { 'signed_request' => signed_request(@payload_from_param, @client_secret) }
+        end
+      end
+
+      it 'picks param over cookie' do
+        subject.send(:signed_request).should eq(@payload_from_param)
+      end
+    end
+  end
+
+  describe '#request_phase' do
+    describe 'params contain a signed request with an access token' do
+      before do
+        payload = {
+          'algorithm' => 'HMAC-SHA256',
+          'oauth_token' => 'm4c0d3z'
+        }
+        @raw_signed_request = signed_request(payload, @client_secret)
+        @request.stub(:params) do
+          { "signed_request" => @raw_signed_request }
+        end
+
+        subject.stub(:callback_url) { '/' }
+      end
+
+      it 'redirects to callback passing along signed request' do
+        subject.should_receive(:redirect).with("/?signed_request=#{Rack::Utils.escape(@raw_signed_request)}").once
+        subject.request_phase
+      end
+    end
+  end
+
+  describe '#build_access_token' do
+    describe 'params contain a signed request with an access token' do
+      before do
+        @payload = {
+          'algorithm' => 'HMAC-SHA256',
+          'oauth_token' => 'm4c0d3z',
+          'expires' => Time.now.to_i
+        }
+        @raw_signed_request = signed_request(@payload, @client_secret)
+        @request.stub(:params) do
+          { "signed_request" => @raw_signed_request }
+        end
+
+        subject.stub(:callback_url) { '/' }
+      end
+
+      it 'returns a new access token from the signed request' do
+        result = subject.build_access_token
+        result.should be_an_instance_of(::OAuth2::AccessToken)
+        result.token.should eq(@payload['oauth_token'])
+      end
+
+      it 'returns an access token with the correct expiry time' do
+        result = subject.build_access_token
+        result.expires_at.should eq(@payload['expires'])
+      end
+    end
   end
 
 private
@@ -324,7 +477,7 @@ private
     Base64.encode64(value).tr('+/', '-_').gsub(/\n/, '')
   end
 
-  def signature(payload, secret, algorithm = OpenSSL::Digest::SHA256.new)	
+  def signature(payload, secret, algorithm = OpenSSL::Digest::SHA256.new)
     OpenSSL::HMAC.digest(algorithm, secret, payload)
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-facebook
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,33 +9,43 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-01-06 00:00:00.000000000Z
+date: 2012-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
-  requirement: &70265885281820 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.0.2
   type: :runtime
   prerelease: false
-  version_requirements: *70265885281820
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.2
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70265885281320 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.7.0
+        version: '2'
   type: :development
   prerelease: false
-  version_requirements: *70265885281320
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70265885280920 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,7 +53,12 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70265885280920
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - mark@mkdynamic.co.uk
@@ -79,21 +94,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 896289232930300063
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 896289232930300063
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.22
 signing_key: 
 specification_version: 3
 summary: Facebook strategy for OmniAuth
@@ -101,3 +110,4 @@ test_files:
 - spec/omniauth/strategies/facebook_spec.rb
 - spec/spec_helper.rb
 - spec/support/shared_examples.rb
+has_rdoc: