rest-graph 1.4.1 → 1.4.2

data/CHANGES

@@ -1,5 +1,18 @@
 = rest-graph changes history
 
+== rest-graph 1.4.2 -- 2010-08-05
+
+* [RestGraph] Added RestGraph#fbs to generate fbs with correct sig,
+              to be used for future parse_fbs! See the bug in RailsUtil.
+
+* [RailsUtil] Added iframe and write_cookies option.
+* [RailsUtil] Fixed a bug that write_session didn't parse because parse_fbs!
+              reject the fbs due to missing sig.
+* [RailsUtil] Fixed a bug that in Rails 3, must call safe_html to prevent
+              unintended HTML escaping.
+
+* Thanks a lot, Andrew.
+
 == rest-graph 1.4.1 -- 2010-08-04
 
 * [RestGraph] Call error_handler when response contains error_code as well,

data/README

@@ -1,4 +1,4 @@
-= rest-graph 1.4.1
+= rest-graph 1.4.2
 by Cardinal Blue ( http://cardinalblue.com )
 
 == LINKS:

data/README.rdoc

@@ -1,4 +1,4 @@
-= rest-graph 1.4.1
+= rest-graph 1.4.2
 by Cardinal Blue ( http://cardinalblue.com )
 
 == LINKS:

data/example/rails/README

@@ -1,6 +1,4 @@
 
-Please fill config/rest-graph.yaml with your app_id, secret, and canvas to
-see if this example is working or not. This is supposed to be used in an
-iframe canvas page.
-
-The default setup is designed for standalone site with Facebook JavaScript SDK.
+Please fill config/rest-graph.yaml with your app_id, secret, etc., to
+see if this example is working or not. The default setup is designed for
+standalone site with Facebook JavaScript SDK.

data/example/rails/app/controllers/application_controller.rb

@@ -10,20 +10,22 @@ class ApplicationController < ActionController::Base
 
   include RestGraph::RailsUtil
 
-  before_filter :filter_common,      :only => [:index]
-  before_filter :filter_canvas,      :only => [:canvas]
-  before_filter :filter_options,     :only => [:options]
-  before_filter :filter_no_auto,     :only => [:no_auto]
-  before_filter :filter_diff_app_id, :only => [:diff_app_id]
-  before_filter :filter_diff_canvas, :only => [:diff_canvas]
-  before_filter :filter_cache,       :only => [:cache]
+  before_filter :filter_common       , :only => [:index]
+  before_filter :filter_canvas       , :only => [:canvas]
+  before_filter :filter_options      , :only => [:options]
+  before_filter :filter_no_auto      , :only => [:no_auto]
+  before_filter :filter_diff_app_id  , :only => [:diff_app_id]
+  before_filter :filter_diff_canvas  , :only => [:diff_canvas]
+  before_filter :filter_iframe_canvas, :only => [:iframe_canvas]
+  before_filter :filter_cache        , :only => [:cache]
 
   def index
     render :text => rest_graph.get('me').to_json
   end
-  alias_method :canvas     , :index
-  alias_method :options    , :index
-  alias_method :diff_canvas, :index
+  alias_method :canvas       , :index
+  alias_method :options      , :index
+  alias_method :diff_canvas  , :index
+  alias_method :iframe_canvas, :index
 
   def no_auto
     rest_graph.get('me')
@@ -57,6 +59,12 @@ class ApplicationController < ActionController::Base
                      :auto_authorize_scope => 'email')
   end
 
+  def filter_iframe_canvas
+    rest_graph_setup(:canvas               => 'zzz',
+                     :iframe               => true,
+                     :auto_authorize       => true)
+  end
+
   def filter_no_auto
     rest_graph_setup(:auto_authorize => false)
   end

data/example/rails/test/functional/application_controller_test.rb

@@ -29,24 +29,35 @@ class ApplicationControllerTest < ActionController::TestCase
 
   def test_canvas
     get(:canvas)
-    assert_response :success
+    assert_response :redirect
     assert_equal(
       normalize_url(
         'https://graph.facebook.com/oauth/authorize?client_id=123&' \
         'scope=publish_stream&'                                     \
         'redirect_uri=http%3A%2F%2Fapps.facebook.com%2Fcan%2Fcanvas'),
-      normalize_url((assigns(:rest_graph_authorize_url))))
+      normalize_url(assigns(:rest_graph_authorize_url)))
   end
 
   def test_diff_canvas
     get(:diff_canvas)
-    assert_response :success
+    assert_response :redirect
     assert_equal(
       normalize_url(
         'https://graph.facebook.com/oauth/authorize?client_id=123&' \
         'scope=email&'                                              \
         'redirect_uri=http%3A%2F%2Fapps.facebook.com%2FToT%2Fdiff_canvas'),
-      normalize_url((assigns(:rest_graph_authorize_url))))
+      normalize_url(assigns(:rest_graph_authorize_url)))
+  end
+
+  def test_iframe_canvas
+    get(:iframe_canvas)
+    assert_response :success
+    assert_equal(
+      normalize_url(
+        'https://graph.facebook.com/oauth/authorize?client_id=123&' \
+        'scope=&'                                                   \
+        'redirect_uri=http%3A%2F%2Fapps.facebook.com%2Fzzz%2Fiframe_canvas'),
+      normalize_url(assigns(:rest_graph_authorize_url)))
   end
 
   def test_options

data/lib/rest-graph/rails_util.rb

@@ -4,10 +4,12 @@ require 'rest-graph'
 class RestGraph
   module DefaultAttributes
     def default_canvas                ; ''   ; end
+    def default_iframe                ; false; end
     def default_auto_authorize        ; false; end
     def default_auto_authorize_options; {}   ; end
     def default_auto_authorize_scope  ; ''   ; end
     def default_write_session         ; false; end
+    def default_write_cookies         ; false; end
   end
 
   module RailsCache
@@ -36,10 +38,10 @@ module RestGraph::RailsUtil
     rest_graph_options_ctl.merge!(rest_graph_extract_options(options, :reject))
     rest_graph_options_new.merge!(rest_graph_extract_options(options, :select))
 
-    rest_graph_check_cookie
-    rest_graph_check_params_signed_request
-    rest_graph_check_params_session
-    rest_graph_check_code
+    rest_graph_check_cookie                # for javascript sdk (canvas or not)
+    rest_graph_check_params_signed_request # canvas
+    rest_graph_check_params_session        # i think it would be deprecated
+    rest_graph_check_code                  # oauth api
 
     # there are above 4 ways to check the user identity!
     # if nor of them passed, then we can suppose the user
@@ -47,7 +49,8 @@ module RestGraph::RailsUtil
     # before, in that case, the fbs would be inside session,
     # as we just saved it there
 
-    rest_graph_check_rails_session
+    rest_graph_check_rails_session # prefered way to store fbs
+    rest_graph_check_rails_cookies # in canvas, session might not work..
   end
 
   # override this if you need different app_id and secret
@@ -74,16 +77,23 @@ module RestGraph::RailsUtil
 
   # override this if you want the simple redirect_to
   def rest_graph_authorize_redirect
-    if !rest_graph_in_canvas?
+    if !rest_graph_oget(:iframe)
       redirect_to @rest_graph_authorize_url
     else
+      # for rails 3
+      @rest_graph_safe_url = if ''.respond_to?(:html_safe)
+                               @rest_graph_authorize_url.html_safe
+                             else
+                               @rest_graph_authorize_url
+                             end
+
       render :inline => <<-HTML
       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       <html>
         <head>
         <script type="text/javascript">
-          window.top.location.href = '<%= @rest_graph_authorize_url %>'
+          window.top.location.href = '<%= @rest_graph_safe_url %>'
         </script>
         <noscript>
           <meta http-equiv="refresh" content="0;url=<%= h @rest_graph_authorize_url %>" />
@@ -142,6 +152,7 @@ module RestGraph::RailsUtil
 
     if rest_graph.authorized?
       rest_graph_write_session
+      rest_graph_write_cookies
     else
       logger.warn(
         "WARN: RestGraph: bad signed_request: #{params[:signed_request]}")
@@ -161,6 +172,7 @@ module RestGraph::RailsUtil
 
     if rest_graph.authorized?
       rest_graph_write_session
+      rest_graph_write_cookies
     else
       logger.warn("WARN: RestGraph: bad session: #{params[:session]}")
     end
@@ -177,27 +189,42 @@ module RestGraph::RailsUtil
       "#{rest_graph_normalized_request_uri}, " \
       "parsed: #{rest_graph.data.inspect}")
 
-    rest_graph_write_session if rest_graph.authorized?
+    if rest_graph.authorized?
+      rest_graph_write_session
+      rest_graph_write_cookies
+    end
   end
 
   def rest_graph_check_rails_session
-    return if rest_graph.authorized? || !session['fbs']
-
-    rest_graph.parse_fbs!(session['fbs'])
+    return if rest_graph.authorized? || !session['rest_graph_session']
+    rest_graph.parse_fbs!(session['rest_graph_session'])
     logger.debug("DEBUG: RestGraph: detected session, parsed:" \
                  " #{rest_graph.data.inspect}")
   end
 
+  def rest_graph_check_rails_cookies
+    return if rest_graph.authorized? || !cookies['rest_graph_cookies']
+    rest_graph.parse_fbs!(cookies['rest_graph_cookies'])
+    logger.debug("DEBUG: RestGraph: detected cookies, parsed:" \
+                 " #{rest_graph.data.inspect}")
+  end
+
   # ==================== others ================================
 
   def rest_graph_write_session
     return if !rest_graph_oget(:write_session)
-
-    fbs = rest_graph.data.to_a.map{ |k_v| k_v.join('=') }.join('&')
-    session['fbs'] = fbs
+    fbs = rest_graph.fbs
+    session['rest_graph_session'] = fbs
     logger.debug("DEBUG: RestGraph: wrote session: fbs => #{fbs}")
   end
 
+  def rest_graph_write_cookies
+    return if !rest_graph_oget(:write_cookies)
+    fbs = rest_graph.fbs
+    cookies['rest_graph_cookies'] = fbs
+    logger.debug("DEBUG: RestGraph: wrote cookies: fbs => #{fbs}")
+  end
+
   def rest_graph_log event
     message = "DEBUG: RestGraph: spent #{sprintf('%f', event.duration)} "
     case event

data/lib/rest-graph/version.rb

@@ -1,4 +1,4 @@
 
 require 'rest-graph'
 
-RestGraph::VERSION = '1.4.1'
+RestGraph::VERSION = '1.4.2'

data/lib/rest-graph.rb

@@ -130,6 +130,10 @@ class RestGraph < RestGraphStruct
   rescue JSON::ParserError
   end
 
+  def fbs
+    "#{fbs_without_sig(data)}&sig=#{calculate_sig(data)}"
+  end
+
   # facebook's new signed_request...
 
   def parse_signed_request! request
@@ -235,10 +239,12 @@ class RestGraph < RestGraphStruct
   end
 
   def calculate_sig cookies
-    args = cookies.reject{ |(k, v)| k == 'sig' }.sort.
-      map{ |a| a.join('=') }.join
+    Digest::MD5.hexdigest(fbs_without_sig(cookies) + secret)
+  end
 
-    Digest::MD5.hexdigest(args + secret)
+  def fbs_without_sig cookies
+    cookies.reject{ |(k, v)| k == 'sig' }.sort.
+      map{ |a| a.join('=') }.join
   end
 
   def cache_key uri

data/test/test_parse.rb

@@ -87,4 +87,15 @@ describe RestGraph do
     rg.parse_signed_request!(signed_request).should == nil
   end
 
+  it 'would generate correct fbs with correct sig' do
+    RestGraph.new(:access_token => 'fake', :secret => 's').fbs.should ==
+      "access_token=fake&sig=#{Digest::MD5.hexdigest('access_token=fakes')}"
+  end
+
+  it 'could parse fbs from facebook response which lacks sig...' do
+    rg = RestGraph.new(:access_token => 'a', :secret => 'z')
+    rg.parse_fbs!(rg.fbs)                           .should.kind_of?(Hash)
+    rg.parse_fbs!(rg.fbs.sub(/sig\=\w+/, 'sig=abc')).should == nil
+  end
+
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rest-graph
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 3
   prerelease: false
   segments: 
   - 1
   - 4
-  - 1
-  version: 1.4.1
+  - 2
+  version: 1.4.2
 platform: ruby
 authors: 
 - Cardinal Blue
@@ -16,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-04 00:00:00 +08:00
+date: 2010-08-05 00:00:00 +08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -91,12 +91,12 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 31
+        hash: 29
         segments: 
         - 1
         - 3
-        - 2
-        version: 1.3.2
+        - 3
+        version: 1.3.3
   type: :development
   version_requirements: *id005
 - !ruby/object:Gem::Dependency