rack-facebook 0.0.2

data/README.markdown

@@ -0,0 +1,29 @@
+This Rack middleware checks the signature of Facebook params, and
+converts them to Ruby objects when appropiate. Also, it converts
+the request method from the Facebook POST to the original HTTP
+method used by the client.
+
+If the signature is wrong, it returns a "400 Invalid Facebook Signature".
+
+Optionally, it can take a block that receives the Rack environment
+and returns a value that evaluates to true when we want the middleware to
+be executed for the specific request.
+
+# Usage
+
+In your config.ru:
+
+    require 'rack/facebook'
+    use Rack::Facebook, "my_facebook_secret_key"
+
+Using a block condition:
+
+    use Rack::Facebook, "my_facebook_secret_key" do |env|
+      env['REQUEST_URI'] =~ /^\/facebook_only/
+    end
+
+# Credits
+
+Carlos Paramio
+
+[http://evolve.st/](http://evolve.st/)

data/lib/rack/facebook.rb

@@ -0,0 +1,154 @@
+require 'digest'
+require 'rack/request'
+
+module Rack
+  # This Rack middleware checks the signature of Facebook params and
+  # converts them to Ruby objects when appropiate. Also, it converts
+  # the request method from the Facebook POST to the original HTTP
+  # method used by the client.
+  #
+  # If the signature is wrong, it returns a "400 Invalid Facebook Signature".
+  # 
+  # Optionally, it can take a block that receives the Rack environment
+  # and returns a value that evaluates to true when we want the middleware to
+  # be executed for the specific request.
+  #
+  # == Usage
+  #
+  # In your rack builder:
+  #
+  #   use Rack::Facebook, :application_secret => "SECRET", :api_key => "APIKEY"
+  #
+  # Using a block condition:
+  #
+  #   use Rack::Facebook, options do |env|
+  #     env['REQUEST_URI'] =~ /^\/facebook_only/
+  #   end
+  #
+  # == References
+  # * http://wiki.developers.facebook.com/index.php/Authorizing_Applications
+  # * http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
+  #
+  class Facebook    
+    def initialize(app, options, &condition)
+      @app = app
+      @options = options
+      @condition = condition
+    end
+    
+    def app_name
+      @options[:application_name]
+    end
+    
+    def secret
+      @options[:application_secret]
+    end
+    
+    def api_key
+      @options[:api_key]
+    end
+    
+    def call(env)
+      request = Request.new(env)
+      request.api_key = api_key      
+      
+      if passes_condition?(request) and request.facebook?
+        valid = true
+        
+        if request.params_signature
+          fb_params = request.extract_facebook_params(:post)
+        
+          if valid = valid_signature?(fb_params, request.params_signature)
+            env["facebook.original_method"] = env["REQUEST_METHOD"]
+            env["REQUEST_METHOD"] = fb_params.delete("request_method")
+            save_facebook_params(fb_params, env)
+          end
+        elsif request.cookies_signature
+          cookie_params = request.extract_facebook_params(:cookies)
+          valid = valid_signature?(cookie_params, request.cookies_signature)
+        end
+        
+        unless valid
+          return [400, {"Content-Type" => "text/html"}, ["Invalid Facebook signature"]]
+        end
+      end
+      return @app.call(env)
+    end
+    
+    private
+    
+    def passes_condition?(request)
+      @condition.nil? or @condition.call(request.env)
+    end
+    
+    def valid_signature?(fb_params, actual_sig)
+      actual_sig == calculate_signature(fb_params)
+    end
+    
+    def calculate_signature(hash)
+      raw_string = hash.map{ |*pair| pair.join('=') }.sort.join
+      Digest::MD5.hexdigest([raw_string, secret].join)
+    end
+    
+    def save_facebook_params(params, env)
+      params.each do |key, value|
+        ruby_value = case key
+        when 'added', 'page_added', 'in_canvas', 'in_profile_tab', 'in_new_facebook', 'position_fix', 'logged_out_facebook'
+          value == '1'
+        when 'expires', 'profile_update_time', 'time'
+          Time.at(value.to_f) rescue TypeError
+        when 'friends'
+          value.split(',')
+        else
+          value
+        end
+            
+        env["facebook.#{key}"] = ruby_value
+      end
+      
+      env["facebook.app_name"] = app_name
+      env["facebook.api_key"] = api_key
+      env["facebook.secret"] = secret
+    end
+    
+    class Request < ::Rack::Request
+      FB_PREFIX = "fb_sig".freeze
+      attr_accessor :api_key
+      
+      def facebook?
+        params_signature or cookies_signature
+      end
+      
+      def params_signature
+        return @params_signature if @params_signature or @params_signature == false
+        @params_signature = self.POST.delete(FB_PREFIX) || false
+      end
+
+      def cookies_signature
+        cookies[@api_key]
+      end
+      
+      def extract_facebook_params(where)
+        
+        case where
+        when :post
+          source = self.POST
+          prefix = FB_PREFIX
+        when :cookies
+          source = cookies
+          prefix = @api_key
+        end
+        
+        prefix = "#{prefix}_"
+        
+        source.inject({}) do |extracted, (key, value)|
+          if key.index(prefix) == 0
+            extracted[key.sub(prefix, '')] = value
+            source.delete(key) if :post == where
+          end
+          extracted
+        end
+      end
+    end
+  end
+end

data/rack-facebook.gemspec

@@ -0,0 +1,20 @@
+Gem::Specification.new do |s|
+  s.name     = "rack-facebook"
+  s.version  = "0.0.2"
+  s.date     = "2009-01-09"
+  s.summary  = "Rack middleware to verify and parse Facebook parameters"
+  s.email    = "carlos@evolve.st"
+  s.homepage = "http://www.evolve.st/notebook/2009/1/9/rack-facebook-a-new-rack-middleware-to-parse-facebook-parameters"
+  s.description = "rack-facebook is a Rack middleware that checks the signature of Facebook params, and converts them to Ruby objects when appropiate. Also, it converts the request method from the Facebook POST to the original HTTP method used by the client."
+  s.has_rdoc = true
+  s.authors  = ["Carlos Paramio"]
+  s.files    = [
+		"README.markdown", 
+		"Rakefile", 
+		"rack-facebook.gemspec", 
+		"lib/rack/facebook.rb"]
+  s.test_files = ["spec/facebook_spec.rb"]
+  s.rdoc_options = ["--main", "Rack::Facebook"]
+  #s.extra_rdoc_files = ["History.txt", "Manifest.txt", "README.txt"]
+  s.add_dependency("rack", [">= 0.4.0"])
+end

data/spec/facebook_spec.rb

@@ -0,0 +1,167 @@
+require 'rack/request'
+require 'rack/mock'
+require 'rack/facebook'
+
+describe Rack::Facebook do
+  APP_NAME = 'my_app'
+  SECRET = "123456789"
+  API_KEY = "616313"
+  
+  def calculate_signature(hash)
+    raw_string = hash.map{ |*pair| pair.join('=') }.sort.join
+    Digest::MD5.hexdigest([raw_string, SECRET].join)
+  end
+  
+  def sign_hash(hash, prefix)
+    fb_hash = hash.inject({}) do |all, (key, value)|
+      all[key.sub("#{prefix}_", "")] = value if key.index("#{prefix}_") == 0
+      all
+    end
+    hash.merge(prefix => calculate_signature(fb_hash))
+  end
+  
+  def sign_params(hash)
+    sign_hash(hash, "fb_sig")
+  end
+  
+  def sign_cookies(hash)
+    sign_hash(hash, API_KEY)
+  end
+  
+  def mock_post(app, env)
+    facebook = described_class.new(app, :application_name => APP_NAME, :application_secret => SECRET, :api_key => API_KEY)
+    request = Rack::MockRequest.new(facebook)
+    @response = request.post("/", env)
+  end
+  
+  def post_env(params)
+    # set up form variables like rack::request had parsed them
+    env = {"rack.request.form_hash" => params}
+    env["rack.request.form_input"] = env["rack.input"] = "fb"
+    env
+  end
+  
+  def post_request(app, params)
+    mock_post app, post_env(params)
+  end
+  
+  def cookie_env(cookies)
+    # set up the cookie hash like rack::request would
+    env = {"rack.request.cookie_hash" => cookies}
+    env["rack.request.cookie_string"] = env["HTTP_COOKIE"] = "fb"
+    env
+  end
+  
+  def cookie_request(app, cookies)
+    mock_post app, cookie_env(cookies)
+  end
+  
+  def request
+    @request
+  end
+  
+  def response
+    @response
+  end
+  
+  def response_env(status = 200)
+    [status, {"Content-type" => "test/plain", "Content-length" => "5"}, ["hello"]]
+  end
+  
+  def app
+    @app ||= lambda do |env|
+      @request = Rack::Request.new(env)
+      response_env
+    end
+  end
+  
+  describe "without a block" do
+    describe "when the signature is not valid" do
+      it "should fail with 400 Invalid Facebook signature" do
+        post_request mock('rack app'), "fb_sig" => "INVALID"
+        response.status.should == 400
+      end
+    end
+    
+    describe "when the fb_sig is valid" do
+      def post(params)
+        post_request(app, sign_params(params))
+      end
+      
+      it "should convert the facebook parameters to ruby objects" do
+        post "fb_sig_in_canvas" => "1", "fb_sig_time" => "1", "fb_sig_user" => "234433"
+        
+        request.env['facebook.time'].should == Time.at(1)
+        request.env['facebook.in_canvas'].should be_true
+        request.env['facebook.user'].should == "234433"
+      end
+      
+      it "should add app name, api_key and secret to the environment" do
+        post "fb_sig_in_canvas" => "1", "fb_sig_time" => "1", "fb_sig_user" => "234433"
+        
+        request.env['facebook.app_name'].should == APP_NAME
+        request.env['facebook.api_key'].should == API_KEY
+        request.env['facebook.secret'].should == SECRET
+      end
+      
+      it "should strip facebook parameters from params hash" do
+        post "fb_sig_in_canvas" => "1", "fb_sig_user" => "234433"
+
+        request['fb_sig'].should be_nil
+        request['fb_sig_user'].should be_nil
+        request['fb_sig_in_canvas'].should be_nil
+      end
+      
+      it "should not touch parameters not prefixed with \"fb_sig\"" do
+        post "fb_sig_user" => "234433", "foo" => "bar"
+        
+        request['foo'].should == 'bar'
+      end
+      
+      it "should split friend IDs into an array" do
+        post "fb_sig_friends" => "2,3,5"
+        
+        request.env["facebook.friends"].should == ["2", "3", "5"]
+      end
+      
+      it "should convert the request method from POST to the original client method" do
+        post "fb_sig_request_method" => "PUT"
+        
+        request.request_method.should == 'PUT'
+        request.env['facebook.original_method'].should == 'POST'
+      end
+
+      it "should call app" do
+        @app = mock('rack app')
+        @app.should_receive(:call).with(instance_of(Hash)).and_return(response_env)
+        
+        post "fb_sig_foo" => "bar"
+        response.status.should == 200
+      end
+    end
+    
+    context "cookie authentication" do
+      it "should run app if cookie signature is valid" do
+        app = mock('rack app')
+        app.should_receive(:call).with(instance_of(Hash)).and_return(response_env)
+        
+        cookie_request app, sign_cookies("#{API_KEY}_user" => "22", "#{API_KEY}_ss" => "SEKRIT")
+        response.status.should == 200
+      end
+      
+      it "should not run app if cookie signature turns out invalid" do
+        cookie_request mock('rack app'), API_KEY => "INVALID", "#{API_KEY}_ss" => "SEKRIT"
+        response.status.should == 400
+      end
+    end
+  end
+
+  describe 'with a block' do
+    describe 'when the block returns a value that evaluates to true' do
+      it 'should execute the middleware'
+    end
+    describe 'when the block returns a value that evaluates to true' do
+      it 'should skip the middleware'
+    end
+  end
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: rack-facebook
+version: !ruby/object:Gem::Version 
+  version: 0.0.2
+platform: ruby
+authors: 
+- Carlos Paramio
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-01-09 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rack
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.4.0
+    version: 
+description: rack-facebook is a Rack middleware that checks the signature of Facebook params, and converts them to Ruby objects when appropiate. Also, it converts the request method from the Facebook POST to the original HTTP method used by the client.
+email: carlos@evolve.st
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.markdown
+- Rakefile
+- rack-facebook.gemspec
+- lib/rack/facebook.rb
+has_rdoc: true
+homepage: http://www.evolve.st/notebook/2009/1/9/rack-facebook-a-new-rack-middleware-to-parse-facebook-parameters
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --main
+- Rack::Facebook
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Rack middleware to verify and parse Facebook parameters
+test_files: 
+- spec/facebook_spec.rb