omniauth-facebook 1.5.1 → 1.6.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6df31b397c5361d54234d354ee57e9b04ee60d47
-  data.tar.gz: a7ab41bed0a9fa303660f05e8982e71bca05f31e
+  metadata.gz: f7b030284d8a9bc6fbcf3906a96421b08624cf21
+  data.tar.gz: 4884decdc889f23340364cf73b94d827246c8df7
 SHA512:
-  metadata.gz: 964b27002810318b96b5bc82d44ed4ee8fcff75783711e32ddabd939521474c5bed352932a8ae10d5e5382e7c66a45dd04bf0125a3bba710f6e6292b7cd26375
-  data.tar.gz: cd32aa970b991a00984d1fd8b2ec730b56682872d64550bb2f6da7c9c4e44b0d8683b3eb60282bb52d34cf1bc7b71ee36b15fb1892ad72aaa4d8d6115856c7fe
+  metadata.gz: ece06ac88f1c8122aa22e54a81740611446af348ce4fb9ce91dcc586311a5d45086ad7ccf5f4b724641dcc3ce7bee171ffdfc1bc0c428a98647308da0077422b
+  data.tar.gz: 113c6ba0645ee31730f662cadd48f30f8292b12d3b72921f419bb0e5e4ecf63e54fa982323e16b4d3b9620054ac05112f8a15390c2da639c48f33e883f554cb2

data/.travis.yml

@@ -2,4 +2,5 @@ rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
+  - 2.0.0
   - jruby

data/CHANGELOG.md

@@ -0,0 +1,99 @@
+## 1.6.0.rc1 (Unreleased)
+
+Features:
+
+  - ability to specify `auth_type` per-request (#78, @sebastian-stylesaint)
+  - image dimension can be set using `image_size` option (#91, @weilu)
+  - update Facebook authorize URL to fix broken authorization (#103, @dlackty)
+  - adds `info_fields` option (#109, @bloudermilk)
+  - adds `locale` parameter (#133, @donbobka, @simi)
+  - add automatically `appsecret_proof` (#140, @nlsrchtr, @simi)
+
+Changes:
+
+  - `NoAuthorizationCodeError` and `UnknownSignatureAlgorithmError` will now `fail!` (#117, @nchelluri)
+  -  don't try to parse the signature if it's nil (#127, @oriolgual)
+
+## 1.5.1 (2013-11-18)
+
+Changes:
+
+  - don't use `access_token` in URL [CVE-2013-4593](https://github.com/mkdynamic/omniauth-facebook/wiki/Access-token-vulnerability:-CVE-2013-4593) (@homakov, @mkdynamic, @simi)
+
+## 1.5.0 (2013-11-13)
+
+Changes:
+
+  - remove `state` param to fix CSRF vulnerabilty [CVE-2013-4562](https://github.com/mkdynamic/omniauth-facebook/wiki/CSRF-vulnerability:-CVE-2013-4562) (@homakov, @mkdynamic, @simi)
+
+## 1.4.1 (2012-07-07)
+
+Changes:
+
+  - update to omniauth-oauth2 1.1.0 for csrf protection (@mkdynamic)
+
+## 1.4.0 (2012-06-24)
+
+Features:
+
+  - obey `skip_info?` config (@mkdynamic)
+  - add support of the `:auth_type` option to `:authorize_options` (#58, @JHeidinga, @mkdynamic)
+  - support `access_token` parameter as part of the callback request (#62, @steverandy)
+
+## 1.3.0 (2012-05-05)
+
+Features:
+
+  - dynamic permissions in the auth params (#30, @famoseagle)
+  - add support for facebook canvas (@mkdynamic)
+  - add verified key to the info hash (#34, @ryansobol)
+  - add option to use secure url for image in auth hash (@mkdynamic)
+  - add option to specify image size (@mkdynamic)
+
+Changes:
+
+  - have `raw_info` return an empty hash if the Facebook response returns false (#44, @brianjlandau)
+  - prevent oauth2 from interpreting Facebook's expires field as `expires_in`, when it's really `expires_at` (#39, @watsonbox)
+  - remove deprecated `offline_access` permission (@mkdynamic)
+
+Changes:
+
+  - tidy up the `callback_url` option (@mkdynamic)
+
+## 1.2.0 (2012-01-06)
+
+Features:
+
+  - add `state` to authorization params (#19, @GermanDZ)
+
+Changes:
+
+  - lock to `rack ~> 1.3.6` (@mkdynamic)
+
+## 1.1.0 (2011-12-10)
+
+Features:
+
+  - add `callback_url` option (#13, @gumayunov)
+  - support for parsing code from signed request cookie (client-side flow) (@mkdynamic)
+
+## 1.0.0 (2011-11-19)
+
+Features:
+
+  - allow passing of display via option (@mkdynamic)
+
+Bugfixes:
+
+  - fix `ten_mins_from_now` calculation (#7, @olegkovalenko)
+
+## 1.0.0.rc2 (2011-11-11)
+
+Features:
+
+  - allow passing `display` parameter (@mkdynamic)
+  - included default scope (@mkdynamic)
+
+## 1.0.0.rc1 (2011-10-29)
+
+  - first public gem release (@mkdynamic)

data/Gemfile

@@ -1,4 +1,4 @@
-source :rubygems
+source 'https://rubygems.org'
 
 gemspec
 

data/README.md

@@ -1,6 +1,11 @@
-# OmniAuth Facebook  [![Build Status](http://travis-ci.org/mkdynamic/omniauth-facebook.png?branch=master)](http://travis-ci.org/mkdynamic/omniauth-facebook)
+**NOTE: If you're running < 1.5.1, please upgrade to address 2 security vulnerabilities.
+More details [here](https://github.com/mkdynamic/omniauth-facebook/wiki/CSRF-vulnerability:-CVE-2013-4562) and [here](https://github.com/mkdynamic/omniauth-facebook/wiki/Access-token-vulnerability:-CVE-2013-4593).**
 
-Facebook OAuth2 Strategy for OmniAuth 1.0.
+---
+
+# OmniAuth Facebook &nbsp;[![Build Status](https://secure.travis-ci.org/mkdynamic/omniauth-facebook.png?branch=master)](https://travis-ci.org/mkdynamic/omniauth-facebook)
+
+Facebook OAuth2 Strategy for OmniAuth.
 
 Supports the OAuth 2.0 server-side and client-side flows. Read the Facebook docs for more details: http://developers.facebook.com/docs/authentication
 
@@ -16,7 +21,7 @@ Then `bundle install`.
 
 ## Usage
 
-`OmniAuth::Strategies::Facebook` is simply a Rack middleware. Read the OmniAuth 1.0 docs for detailed instructions: https://github.com/intridea/omniauth.
+`OmniAuth::Strategies::Facebook` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
 
 Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
 
@@ -37,7 +42,9 @@ You can configure several options, which you pass in to the `provider` method vi
 * `auth_type`: Optionally specifies the requested authentication features as a comma-separated list, as per https://developers.facebook.com/docs/authentication/reauthentication/.
 Valid values are `https` (checks for the presence of the secure cookie and asks for re-authentication if it is not present), and `reauthenticate` (asks the user to re-authenticate unconditionally). Default is `nil`.
 * `secure_image_url`: Set to `true` to use https for the avatar image url returned in the auth hash. Default is `false`.
-* `image_size`: Set the size for the returned image url in the auth hash. Valid options are `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Default is `square` (50x50).
+* `image_size`: Set the size for the returned image url in the auth hash. Valid options include `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Additionally, you can request a picture of a specific size by setting this option to a hash with `:width` and `:height` as keys. This will return an available profile picture closest to the requested size and requested aspect ratio. If only `:width` or `:height` is specified, we will return a picture whose width or height is closest to the requested size, respectively.
+* `info_fields`: Specify exactly which fields should be returned when getting the user's info. Value should be a comma-separated string as per https://developers.facebook.com/docs/reference/api/user/ (only /me endpoint).
+* `locale`: Specify locale which should be used when getting the user's info. Value should be locale string as per https://developers.facebook.com/docs/reference/api/locale/.
 
 For example, to request `email`, `user_birthday` and `read_stream` permissions and display the authentication page in a popup window:
 
@@ -50,7 +57,7 @@ end
 
 ### Per-Request Options
 
-If you want to set the `display` format or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`.
+If you want to set the `display` format, `auth_type`, or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`.
 
 ### Custom Callback URL/Path
 
@@ -134,7 +141,7 @@ There are then 2 scenarios for what happens next:
 
 Take a look at [the example Sinatra app for one option of how you can integrate with a canvas page](https://github.com/mkdynamic/omniauth-facebook/blob/master/example/config.ru).
 
-Bear in mind you have several options (including [authenticated referrals](https://developers.facebook.com/docs/opengraph/authentication/#referrals)). Read [the Facebook docs on canvas page  authentication](https://developers.facebook.com/docs/authentication/canvas/) for more info.
+Bear in mind you have several [options](https://developers.facebook.com/docs/opengraph/authentication). Read [the Facebook docs on canvas page  authentication](https://developers.facebook.com/docs/authentication/canvas/) for more info.
 
 ## Token Expiry
 
@@ -148,7 +155,7 @@ You can exchange this short lived access token for a longer lived version. Read
 
 ### Server-Side Flow
 
-If you use the server-side flow, Facebook will give you back a longer loved access token (~ 60 days).
+If you use the server-side flow, Facebook will give you back a longer lived access token (~ 60 days).
 
 If you're having issue getting a long lived token with the server-side flow, make sure to enable the 'deprecate offline_access setting' in you Facebook app config. Read the [Facebook docs about the offline_access  deprecation](https://developers.facebook.com/roadmap/offline-access-removal/) for more information.
 
@@ -156,12 +163,13 @@ If you're having issue getting a long lived token with the server-side flow, mak
 
 Actively tested with the following Ruby versions:
 
+- MRI 2.0.0
 - MRI 1.9.3
 - MRI 1.9.2
 - MRI 1.8.7
-- JRuby 1.6.5
+- JRuby 1.7.4
 
-*NB.* For JRuby, you'll need to install the `jruby-openssl` gem. There's no way to automatically specify this in a Rubygem gemspec, so you need to manually add it your project's own Gemfile:
+*NB.* For JRuby < 1.7, you'll need to install the `jruby-openssl` gem. There's no way to automatically specify this in a Rubygem gemspec, so you need to manually add it your project's own Gemfile:
 
 ```ruby
 gem 'jruby-openssl', :platform => :jruby

data/example/Gemfile

@@ -1,4 +1,4 @@
-source :rubygems
+source 'https://rubygems.org'
 
 gem 'sinatra'
 gem 'omniauth-facebook', :path => '../'

data/example/Gemfile.lock

@@ -1,41 +1,40 @@
 PATH
   remote: ../
   specs:
-    omniauth-facebook (1.4.0)
-      omniauth-oauth2 (~> 1.1.0)
+    omniauth-facebook (1.6.0.rc1)
+      omniauth-oauth2 (~> 1.1)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    faraday (0.8.1)
-      multipart-post (~> 1.1)
-    hashie (1.2.0)
-    httpauth (0.1)
-    json (1.7.3)
-    jwt (0.1.4)
-      json (>= 1.2.4)
-    multi_json (1.3.6)
-    multipart-post (1.1.5)
-    oauth2 (0.8.0)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
+    hashie (2.0.5)
+    httpauth (0.2.0)
+    jwt (0.1.8)
+      multi_json (>= 1.5)
+    multi_json (1.8.2)
+    multipart-post (1.2.0)
+    oauth2 (0.8.1)
       faraday (~> 0.8)
       httpauth (~> 0.1)
       jwt (~> 0.1.4)
       multi_json (~> 1.0)
       rack (~> 1.2)
-    omniauth (1.1.0)
-      hashie (~> 1.2)
+    omniauth (1.1.4)
+      hashie (>= 1.2, < 3)
       rack
-    omniauth-oauth2 (1.1.0)
+    omniauth-oauth2 (1.1.1)
       oauth2 (~> 0.8.0)
       omniauth (~> 1.0)
-    rack (1.4.1)
-    rack-protection (1.2.0)
+    rack (1.5.2)
+    rack-protection (1.5.1)
       rack
-    sinatra (1.3.2)
-      rack (~> 1.3, >= 1.3.6)
-      rack-protection (~> 1.2)
-      tilt (~> 1.3, >= 1.3.3)
-    tilt (1.3.3)
+    sinatra (1.4.4)
+      rack (~> 1.4)
+      rack-protection (~> 1.4)
+      tilt (~> 1.3, >= 1.3.4)
+    tilt (1.4.1)
 
 PLATFORMS
   ruby

data/lib/omniauth/facebook/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Facebook
-    VERSION = "1.5.1"
+    VERSION = "1.6.0.rc1"
   end
 end

data/lib/omniauth/strategies/facebook.rb

@@ -2,16 +2,19 @@ require 'omniauth/strategies/oauth2'
 require 'base64'
 require 'openssl'
 require 'rack/utils'
+require 'uri'
 
 module OmniAuth
   module Strategies
     class Facebook < OmniAuth::Strategies::OAuth2
       class NoAuthorizationCodeError < StandardError; end
+      class UnknownSignatureAlgorithmError < NotImplementedError; end
 
       DEFAULT_SCOPE = 'email'
 
       option :client_options, {
         :site => 'https://graph.facebook.com',
+        :authorize_url => "https://www.facebook.com/dialog/oauth",
         :token_url => '/oauth/access_token'
       }
 
@@ -35,7 +38,7 @@ module OmniAuth
           'name' => raw_info['name'],
           'first_name' => raw_info['first_name'],
           'last_name' => raw_info['last_name'],
-          'image' => "#{options[:secure_image_url] ? 'https' : 'http'}://graph.facebook.com/#{uid}/picture?type=#{options[:image_size] || 'square'}",
+          'image' => image_url(uid, options),
           'description' => raw_info['bio'],
           'urls' => {
             'Facebook' => raw_info['link'],
@@ -53,28 +56,28 @@ module OmniAuth
       end
 
       def raw_info
-        @raw_info ||= access_token.get('/me').parsed || {}
+        @raw_info ||= access_token.get('/me', info_options).parsed || {}
       end
 
-      def build_access_token
-        if signed_request_contains_access_token?
-          hash = signed_request.clone
-          ::OAuth2::AccessToken.new(
-            client,
-            hash.delete('oauth_token'),
-            hash.merge!(access_token_options.merge(:expires_at => hash.delete('expires')))
-          )
-        else
-          with_authorization_code! { super }.tap do |token|
-            token.options.merge!(access_token_options)
-          end
-        end
+      def info_options
+        params = {:appsecret_proof => appsecret_proof}
+        params.merge!({:fields => options[:info_fields]}) if options[:info_fields]
+        params.merge!({:locale => options[:locale]}) if options[:locale]
+
+        { :params => params }
+      end
+
+      def callback_phase
+        super
+      rescue NoAuthorizationCodeError => e
+        fail!(:no_authorization_code, e)
+      rescue UnknownSignatureAlgorithmError => e
+        fail!(:unknown_signature_algoruthm, e)
       end
 
       def request_phase
         if signed_request_contains_access_token?
-          # if we already have an access token, we can just hit the
-          # callback URL directly and pass the signed request along
+          # If we already have an access token, we can just hit the callback URL directly and pass the signed request.
           params = { :signed_request => raw_signed_request }
           query = Rack::Utils.build_query(params)
 
@@ -89,10 +92,9 @@ module OmniAuth
         end
       end
 
-      # NOTE if we're using code from the signed request
-      # then FB sets the redirect_uri to '' during the authorize
-      # phase + it must match during the access_token phase:
-      # https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
+      # NOTE If we're using code from the signed request then FB sets the redirect_uri to '' during the authorize
+      #      phase and it must match during the access_token phase:
+      #      https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
       def callback_url
         if @authorization_code_from_signed_request
           ''
@@ -105,16 +107,13 @@ module OmniAuth
         options.access_token_options.inject({}) { |h,(k,v)| h[k.to_sym] = v; h }
       end
 
-      ##
-      # You can pass +display+ or +scope+ params to the auth request, if
-      # you need to set them dynamically. You can also set these options
-      # in the OmniAuth config :authorize_params option.
+      # You can pass +display+, +scope+, or +auth_type+ params to the auth request, if you need to set them dynamically.
+      # You can also set these options in the OmniAuth config :authorize_params option.
       #
       # /auth/facebook?display=popup
-      #
       def authorize_params
         super.tap do |params|
-          %w[display scope].each do |v|
+          %w[display scope auth_type].each do |v|
             if request.params[v]
               params[v.to_sym] = request.params[v]
             end
@@ -124,42 +123,49 @@ module OmniAuth
         end
       end
 
-      ##
       # Parse signed request in order, from:
       #
-      # 1. the request 'signed_request' param (server-side flow from canvas pages) or
-      # 2. a cookie (client-side flow via JS SDK)
-      #
+      # 1. The request 'signed_request' param (server-side flow from canvas pages) or
+      # 2. A cookie (client-side flow via JS SDK)
       def signed_request
-        @signed_request ||= raw_signed_request &&
-          parse_signed_request(raw_signed_request)
+        @signed_request ||= raw_signed_request && parse_signed_request(raw_signed_request)
+      end
+
+      protected
+
+      def build_access_token
+        if signed_request_contains_access_token?
+          hash = signed_request.clone
+          ::OAuth2::AccessToken.new(
+            client,
+            hash.delete('oauth_token'),
+            hash.merge!(access_token_options.merge(:expires_at => hash.delete('expires')))
+          )
+        else
+          with_authorization_code! { super }.tap do |token|
+            token.options.merge!(access_token_options)
+          end
+        end
       end
 
       private
 
       def raw_signed_request
-        request.params['signed_request'] ||
-        request.cookies["fbsr_#{client.id}"]
+        request.params['signed_request'] || request.cookies["fbsr_#{client.id}"]
       end
 
-      ##
-      # If the signed_request comes from a FB canvas page and the user
-      # has already authorized your application, the JSON object will be
-      # contain the access token.
+      # If the signed_request comes from a FB canvas page and the user has already authorized your application, the JSON
+      # object will be contain the access token.
       #
       # https://developers.facebook.com/docs/authentication/canvas/
-      #
       def signed_request_contains_access_token?
-        signed_request &&
-        signed_request['oauth_token']
+        signed_request && signed_request['oauth_token']
       end
 
-      ##
       # Picks the authorization code in order, from:
       #
-      # 1. the request 'code' param (manual callback from standard server-side flow)
-      # 2. a signed request (see #signed_request for more)
-      #
+      # 1. The request 'code' param (manual callback from standard server-side flow)
+      # 2. A signed request (see #signed_request for more)
       def with_authorization_code!
         if request.params.key?('code')
           yield
@@ -186,12 +192,13 @@ module OmniAuth
 
       def parse_signed_request(value)
         signature, encoded_payload = value.split('.')
+        return if signature.nil?
 
         decoded_hex_signature = base64_decode_url(signature)
         decoded_payload = MultiJson.decode(base64_decode_url(encoded_payload))
 
         unless decoded_payload['algorithm'] == 'HMAC-SHA256'
-          raise NotImplementedError, "unkown algorithm: #{decoded_payload['algorithm']}"
+          raise UnknownSignatureAlgorithmError, "unknown algorithm: #{decoded_payload['algorithm']}"
         end
 
         if valid_signature?(client.secret, decoded_hex_signature, encoded_payload)
@@ -207,6 +214,24 @@ module OmniAuth
         value += '=' * (4 - value.size.modulo(4))
         Base64.decode64(value.tr('-_', '+/'))
       end
+
+      def image_url(uid, options)
+        uri_class = options[:secure_image_url] ? URI::HTTPS : URI::HTTP
+        url = uri_class.build({:host => 'graph.facebook.com', :path => "/#{uid}/picture"})
+
+        query = if options[:image_size].is_a?(String)
+          { :type => options[:image_size] }
+        elsif options[:image_size].is_a?(Hash)
+          options[:image_size]
+        end
+        url.query = Rack::Utils.build_query(query) if query
+
+        url.to_s
+      end
+
+      def appsecret_proof
+        @appsecret_proof ||= OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, client.secret, access_token.token)
+      end
     end
   end
 end

data/omniauth-facebook.gemspec

@@ -5,17 +5,18 @@ require 'omniauth/facebook/version'
 Gem::Specification.new do |s|
   s.name     = 'omniauth-facebook'
   s.version  = OmniAuth::Facebook::VERSION
-  s.authors  = ['Mark Dodwell']
-  s.email    = ['mark@mkdynamic.co.uk']
-  s.summary  = 'Facebook strategy for OmniAuth'
+  s.authors  = ['Mark Dodwell', 'Josef Šimánek']
+  s.email    = ['mark@madeofcode.com', 'retro@ballgag.cz']
+  s.summary  = 'Facebook OAuth2 Strategy for OmniAuth'
   s.homepage = 'https://github.com/mkdynamic/omniauth-facebook'
+  s.license  = 'MIT'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.1.0'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.1'
 
   s.add_development_dependency 'minitest'
   s.add_development_dependency 'mocha'

data/test/helper.rb

@@ -1,6 +1,6 @@
 require 'bundler/setup'
 require 'minitest/autorun'
-require 'mocha'
+require 'mocha/setup'
 require 'omniauth/strategies/facebook'
 
 OmniAuth.config.test_mode = true
@@ -25,7 +25,7 @@ module CustomAssertions
   end
 end
 
-class TestCase < MiniTest::Unit::TestCase
+class TestCase < Minitest::Test
   extend BlockTestHelper
   include CustomAssertions
 end
@@ -36,6 +36,7 @@ class StrategyTestCase < TestCase
     @request.stubs(:params).returns({})
     @request.stubs(:cookies).returns({})
     @request.stubs(:env).returns({})
+    @request.stubs(:ssl?).returns(false)
 
     @client_id = '123'
     @client_secret = '53cr3tz'

data/test/test.rb

@@ -13,7 +13,7 @@ class ClientTest < StrategyTestCase
   end
 
   test 'has correct authorize url' do
-    assert_equal '/oauth/authorize', strategy.client.options[:authorize_url]
+    assert_equal 'https://www.facebook.com/dialog/oauth', strategy.client.options[:authorize_url]
   end
 
   test 'has correct token url' do
@@ -56,6 +56,12 @@ class AuthorizeParamsTest < StrategyTestCase
     assert_equal 'touch', strategy.authorize_params[:display]
   end
 
+  test 'includes auth_type parameter from request when present' do
+    @request.stubs(:params).returns({ 'auth_type' => 'reauthenticate' })
+    assert strategy.authorize_params.is_a?(Hash)
+    assert_equal 'reauthenticate', strategy.authorize_params[:auth_type]
+  end
+
   test 'overrides default scope with parameter passed from request' do
     @request.stubs(:params).returns({ 'scope' => 'email' })
     assert strategy.authorize_params.is_a?(Hash)
@@ -95,15 +101,28 @@ class InfoTest < StrategyTestCase
     @options = { :secure_image_url => true }
     raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
     strategy.stubs(:raw_info).returns(raw_info)
-    assert_equal 'https://graph.facebook.com/321/picture?type=square', strategy.info['image']
+    assert_equal 'https://graph.facebook.com/321/picture', strategy.info['image']
   end
 
-  test 'returns the image size specified in the `image_size` option' do
+  test 'returns the image with size specified in the `image_size` option' do
     @options = { :image_size => 'normal' }
     raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
     strategy.stubs(:raw_info).returns(raw_info)
     assert_equal 'http://graph.facebook.com/321/picture?type=normal', strategy.info['image']
   end
+
+  test 'returns the image with width and height specified in the `image_size` option' do
+    @options = { :image_size => { :width => 123, :height => 987 } }
+    raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
+    strategy.stubs(:raw_info).returns(raw_info)
+    image_url = strategy.info['image']
+    path, query = image_url.split("?")
+    query_params = Hash[*query.split("&").map {|pair| pair.split("=") }.flatten]
+
+    assert_equal 'http://graph.facebook.com/321/picture', path
+    assert_equal '123', query_params['width']
+    assert_equal '987', query_params['height']
+  end
 end
 
 class InfoTestOptionalDataPresent < StrategyTestCase
@@ -147,9 +166,9 @@ class InfoTestOptionalDataPresent < StrategyTestCase
     assert_equal 'I am great', strategy.info['description']
   end
 
-  test 'returns the square format facebook avatar url' do
+  test 'returns the facebook avatar url' do
     @raw_info['id'] = '321'
-    assert_equal 'http://graph.facebook.com/321/picture?type=square', strategy.info['image']
+    assert_equal 'http://graph.facebook.com/321/picture', strategy.info['image']
   end
 
   test 'returns the Facebook link as the Facebook url' do
@@ -227,31 +246,58 @@ class RawInfoTest < StrategyTestCase
   def setup
     super
     @access_token = stub('OAuth2::AccessToken')
+    @appsecret_proof = 'appsecret_proof'
+    @options = {:appsecret_proof => @appsecret_proof}
   end
 
   test 'performs a GET to https://graph.facebook.com/me' do
+    strategy.stubs(:appsecret_proof).returns(@appsecret_proof)
+    strategy.stubs(:access_token).returns(@access_token)
+    params = {:params => @options}
+    @access_token.expects(:get).with('/me', params).returns(stub_everything('OAuth2::Response'))
+    strategy.raw_info
+  end
+
+  test 'performs a GET to https://graph.facebook.com/me with locale' do
+    @options.merge!({ :locale => 'cs_CZ' })
     strategy.stubs(:access_token).returns(@access_token)
-    @access_token.expects(:get).with('/me').returns(stub_everything('OAuth2::Response'))
+    strategy.stubs(:appsecret_proof).returns(@appsecret_proof)
+    params = {:params => @options}
+    @access_token.expects(:get).with('/me', params).returns(stub_everything('OAuth2::Response'))
+    strategy.raw_info
+  end
+
+  test 'performs a GET to https://graph.facebook.com/me with info_fields' do
+    @options.merge!({:info_fields => 'about'})
+    strategy.stubs(:access_token).returns(@access_token)
+    strategy.stubs(:appsecret_proof).returns(@appsecret_proof)
+    params = {:params => {:appsecret_proof => @appsecret_proof, :fields => 'about'}}
+    @access_token.expects(:get).with('/me', params).returns(stub_everything('OAuth2::Response'))
     strategy.raw_info
   end
 
   test 'returns a Hash' do
     strategy.stubs(:access_token).returns(@access_token)
+    strategy.stubs(:appsecret_proof).returns(@appsecret_proof)
     raw_response = stub('Faraday::Response')
     raw_response.stubs(:body).returns('{ "ohai": "thar" }')
     raw_response.stubs(:status).returns(200)
     raw_response.stubs(:headers).returns({'Content-Type' => 'application/json' })
     oauth2_response = OAuth2::Response.new(raw_response)
-    @access_token.stubs(:get).with('/me').returns(oauth2_response)
+    params = {:params => @options}
+    @access_token.stubs(:get).with('/me', params).returns(oauth2_response)
     assert_kind_of Hash, strategy.raw_info
     assert_equal 'thar', strategy.raw_info['ohai']
   end
 
   test 'returns an empty hash when the response is false' do
     strategy.stubs(:access_token).returns(@access_token)
+    strategy.stubs(:appsecret_proof).returns(@appsecret_proof)
     oauth2_response = stub('OAuth2::Response', :parsed => false)
-    @access_token.stubs(:get).with('/me').returns(oauth2_response)
+    params = {:params => @options}
+    @access_token.stubs(:get).with('/me', params).returns(oauth2_response)
     assert_kind_of Hash, strategy.raw_info
+    assert_equal({}, strategy.raw_info)
   end
 
   test 'should not include raw_info in extras hash when skip_info is specified' do
@@ -354,13 +400,18 @@ module SignedRequestTests
     test 'is nil' do
       assert_nil strategy.send(:signed_request)
     end
+
+    test 'throws an error on calling build_access_token' do
+      assert_equal 'must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)',
+                   assert_raises(OmniAuth::Strategies::Facebook::NoAuthorizationCodeError) { strategy.send(:build_access_token) }.message
+    end
   end
 
   class CookiePresentTest < TestCase
-    def setup
-      super
+    def setup(algo = nil)
+      super()
       @payload = {
-        'algorithm' => 'HMAC-SHA256',
+        'algorithm' => algo || 'HMAC-SHA256',
         'code' => 'm4c0d3z',
         'issued_at' => Time.now.to_i,
         'user_id' => '123456'
@@ -372,13 +423,18 @@ module SignedRequestTests
     test 'parses the access code out from the cookie' do
       assert_equal @payload, strategy.send(:signed_request)
     end
+
+    test 'throws an error if the algorithm is unknown' do
+      setup('UNKNOWN-ALGO')
+      assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(OmniAuth::Strategies::Facebook::UnknownSignatureAlgorithmError) { strategy.send(:signed_request) }.message
+    end
   end
 
   class ParamPresentTest < TestCase
-    def setup
-      super
+    def setup(algo = nil)
+      super()
       @payload = {
-        'algorithm' => 'HMAC-SHA256',
+        'algorithm' => algo || 'HMAC-SHA256',
         'oauth_token' => 'XXX',
         'issued_at' => Time.now.to_i,
         'user_id' => '123456'
@@ -390,6 +446,11 @@ module SignedRequestTests
     test 'parses the access code out from the param' do
       assert_equal @payload, strategy.send(:signed_request)
     end
+
+    test 'throws an error if the algorithm is unknown' do
+      setup('UNKNOWN-ALGO')
+      assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(OmniAuth::Strategies::Facebook::UnknownSignatureAlgorithmError) { strategy.send(:signed_request) }.message
+    end
   end
 
   class CookieAndParamPresentTest < TestCase
@@ -414,6 +475,18 @@ module SignedRequestTests
       assert_equal @payload_from_param, strategy.send(:signed_request)
     end
   end
+
+  class EmptySignedRequestTest < TestCase
+    def setup
+      super
+      @request.stubs(:params).returns({'signed_request' => ''})
+    end
+
+    test 'empty param' do
+      assert_equal nil, strategy.send(:signed_request)
+    end
+  end
+
 end
 
 class RequestPhaseWithSignedRequestTest < StrategyTestCase
@@ -459,13 +532,13 @@ module BuildAccessTokenTests
     end
 
     test 'returns a new access token from the signed request' do
-      result = strategy.build_access_token
+      result = strategy.send(:build_access_token)
       assert_kind_of ::OAuth2::AccessToken, result
       assert_equal @payload['oauth_token'], result.token
     end
 
     test 'returns an access token with the correct expiry time' do
-      result = strategy.build_access_token
+      result = strategy.send(:build_access_token)
       assert_equal @payload['expires'], result.expires_at
     end
   end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-facebook
 version: !ruby/object:Gem::Version
-  version: 1.5.1
+  version: 1.6.0.rc1
 platform: ruby
 authors:
 - Mark Dodwell
+- Josef Šimánek
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-18 00:00:00.000000000 Z
+date: 2013-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -16,14 +17,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -68,13 +69,15 @@ dependencies:
         version: '0'
 description: 
 email:
-- mark@mkdynamic.co.uk
+- mark@madeofcode.com
+- retro@ballgag.cz
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
 - .travis.yml
+- CHANGELOG.md
 - Gemfile
 - README.md
 - Rakefile
@@ -90,7 +93,8 @@ files:
 - test/support/shared_examples.rb
 - test/test.rb
 homepage: https://github.com/mkdynamic/omniauth-facebook
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -103,15 +107,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
-summary: Facebook strategy for OmniAuth
+summary: Facebook OAuth2 Strategy for OmniAuth
 test_files:
 - test/helper.rb
 - test/support/shared_examples.rb