rest-graph 2.0.0 → 2.0.1

data/CHANGES.md

@@ -1,5 +1,28 @@
 # CHANGES
 
+## rest-graph 2.0.1 -- 2011-11-25
+
+### Bugs fixes back ported from [rest-more][]
+
+* [RestGraph] Now we're using POST in `authorize!` to exchange the
+  access_token with the code instead of GET. If we're using GET,
+  we would run into a risk where a user might use the code to
+  get other people's access_token via the cache. Using POST would
+  prevent this because POSTs are not cached.
+
+* [RestGraph::RailsUtil] Fixed a serious bug. The bug would jump up if
+  you're using :write_session or :write_cookies or :write_handler along
+  with :auto_authorize, for example:
+  `rest_graph_setup(:auto_authorize => true, :write_session => true)`
+  The problem is that RestGraph::RailsUtil is not removing the invalid
+  access_token stored in session or cookie, and yet it is considered
+  authorized, making redirecting to Facebook and redirecting back doesn't
+  update the access_token. `rest_graph_cleanup` is introduced to remove
+  all invalid access_tokens, which would get called once the user is
+  redirected to Facebook, fixing this bug.
+
+[rest-more]: https://github.com/cardinalblue/rest-more
+
 ## rest-graph 2.0.0 -- 2011-10-08
 
 We have moved the development from rest-graph to [rest-core][].

data/README.md

@@ -13,7 +13,7 @@ an experienced Ruby programmer, you might also want to look at
 ## LINKS:
 
 * [github](https://ithub.com/cardinalblue/rest-graph)
-* [rubygems](http://rubygems.org/gems/rest-graph)
+* [rubygems](https://rubygems.org/gems/rest-graph)
 * [rdoc](http://rdoc.info/projects/cardinalblue/rest-graph)
 * [mailing list](http://groups.google.com/group/rest-graph/topics)
 

data/example/rails2/app/controllers/application_controller.rb

@@ -118,10 +118,10 @@ class ApplicationController < ActionController::Base
   end
 
   def filter_session
-    rest_graph_setup(:write_session => true)
+    rest_graph_setup(:write_session => true, :auto_authorize => true)
   end
 
   def filter_cookies
-    rest_graph_setup(:write_cookies => true)
+    rest_graph_setup(:write_cookies => true, :auto_authorize => true)
   end
 end

data/example/rails2/config/environment.rb

@@ -3,6 +3,16 @@
 # Specifies gem version of Rails to use when vendor/rails is not present
 RAILS_GEM_VERSION = '2.3.14' unless defined? RAILS_GEM_VERSION
 
+# monkey patch from https://github.com/rails/rails/pull/3473
+class MissingSourceFile < LoadError #:nodoc:
+  REGEXPS = [
+    [/^no such file to load -- (.+)$/i, 1],
+    [/^Missing \w+ (file\s*)?([^\s]+.rb)$/i, 2],
+    [/^Missing API definition file in (.+)$/i, 1],
+    [/^cannot load such file -- (.+)$/i, 1]
+  ]
+end
+
 # Bootstrap the Rails environment, frameworks, and default configuration
 require File.join(File.dirname(__FILE__), 'boot')
 

data/example/rails2/test/functional/application_controller_test.rb

@@ -166,6 +166,32 @@ class ApplicationControllerTest < ActionController::TestCase
     assert_equal '["yeti"]', @response.body
   end
 
+  def test_wrong_session
+    WebMock.reset!
+    stub_request(:get, 'https://graph.facebook.com/me').
+      to_return(:body => '{"error":{"type":"OAuthException"}}')
+
+    session = @request.session
+    key     = RestGraph::RailsUtil.rest_graph_storage_key
+    session[key] = 'bad'
+
+    get(:session_)
+    assert_equal nil, session[key]
+  end
+
+  def test_wrong_cookies
+    WebMock.reset!
+    stub_request(:get, 'https://graph.facebook.com/me').
+      to_return(:body => '{"error":{"type":"OAuthException"}}')
+
+    cookies = @request.cookies
+    key     = RestGraph::RailsUtil.rest_graph_storage_key
+    session[key] = 'bad'
+
+    get(:cookies_)
+    assert_equal nil, cookies[key]
+  end
+
   def test_error
     get(:error)
   rescue => e

data/example/rails3/app/controllers/application_controller.rb

@@ -118,10 +118,10 @@ class ApplicationController < ActionController::Base
   end
 
   def filter_session
-    rest_graph_setup(:write_session => true)
+    rest_graph_setup(:write_session => true, :auto_authorize => true)
   end
 
   def filter_cookies
-    rest_graph_setup(:write_cookies => true)
+    rest_graph_setup(:write_cookies => true, :auto_authorize => true)
   end
 end

data/example/rails3/test/functional/application_controller_test.rb

@@ -166,6 +166,32 @@ class ApplicationControllerTest < ActionController::TestCase
     assert_equal '["yeti"]', @response.body
   end
 
+  def test_wrong_session
+    WebMock.reset!
+    stub_request(:get, 'https://graph.facebook.com/me').
+      to_return(:body => '{"error":{"type":"OAuthException"}}')
+
+    session = @request.session
+    key     = RestGraph::RailsUtil.rest_graph_storage_key
+    session[key] = 'bad'
+
+    get(:session_)
+    assert_equal nil, session[key]
+  end
+
+  def test_wrong_cookies
+    WebMock.reset!
+    stub_request(:get, 'https://graph.facebook.com/me').
+      to_return(:body => '{"error":{"type":"OAuthException"}}')
+
+    cookies = @request.cookies
+    key     = RestGraph::RailsUtil.rest_graph_storage_key
+    session[key] = 'bad'
+
+    get(:cookies_)
+    assert_equal nil, cookies[key]
+  end
+
   def test_error
     get(:error)
   rescue => e

data/lib/rest-graph/core.rb

@@ -408,10 +408,10 @@ class RestGraph < RestGraphStruct
   end
 
   def authorize! opts={}
-    query = {:client_id => app_id, :client_secret => secret}.merge(opts)
+    payload = {:client_id => app_id, :client_secret => secret}.merge(opts)
     self.data = Rack::Utils.parse_query(
                   request({:auto_decode => false}.merge(opts),
-                          [:get, url('oauth/access_token', query)]))
+                          [:post, url('oauth/access_token'), payload]))
   end
 
 

data/lib/rest-graph/rails_util.rb

@@ -122,7 +122,7 @@ module RestGraph::RailsUtil
 
       logger.debug("DEBUG: RestGraph: redirect to #{@rest_graph_authorize_url}")
 
-      cookies.delete("fbs_#{rest_graph.app_id}")
+      rest_graph_cleanup
       rest_graph_authorize_redirect
     end
   end
@@ -318,6 +318,13 @@ module RestGraph::RailsUtil
 
 
   # ==================== begin misc ================================
+  def rest_graph_cleanup
+    cookies.delete("fbs_#{rest_graph.app_id}")
+    cookies.delete("fbsr_#{rest_graph.app_id}")
+    cookies.delete(rest_graph_storage_key)
+    session.delete(rest_graph_storage_key)
+  end
+
   def rest_graph_normalized_request_uri
     uri = if rest_graph_in_canvas?
             # rails 3 uses newer rack which has fullpath

data/lib/rest-graph/version.rb

@@ -1,4 +1,4 @@
 
 require 'rest-graph/core'
 
-RestGraph::VERSION = '2.0.0'
+RestGraph::VERSION = '2.0.1'

data/rest-graph.gemspec

@@ -2,13 +2,13 @@
 
 Gem::Specification.new do |s|
   s.name = "rest-graph"
-  s.version = "2.0.0"
+  s.version = "2.0.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = [
   "Cardinal Blue",
   "Lin Jen-Shin (godfat)"]
-  s.date = "2011-10-08"
+  s.date = "2011-11-25"
   s.description = "A lightweight Facebook Graph API client\n\nWe have moved the development from rest-graph to [rest-core][].\nBy now on, we would only fix bugs in rest-graph rather than adding\nfeatures, and we would only backport important changes from rest-core\nonce in a period. If you want the latest goodies, please see [rest-core][]\nOtherwise, you can stay with rest-graph with bugs fixes.\n\n[rest-core]: https://github.com/cardinalblue/rest-core"
   s.email = ["dev (XD) cardinalblue.com"]
   s.files = [

data/test/test_oauth.rb

@@ -22,9 +22,11 @@ describe RestGraph do
   end
 
   should 'do authorizing and parse result and save it in data' do
-    stub_request(:get, 'https://graph.facebook.com/oauth/access_token?' \
-                       'client_id=29&client_secret=18&code=zzz&'        \
-                       'redirect_uri=http%3A%2F%2Fzzz.tw').
+    stub_request(:post, 'https://graph.facebook.com/oauth/access_token'). \
+      with(:body => {'client_id'     => '29' ,
+                     'client_secret' => '18' ,
+                     'redirect_uri'  => 'http://zzz.tw',
+                     'code'          => 'zzz'}).
       to_return(:body => 'access_token=baken&expires=2918')
 
     result = {'access_token' => 'baken', 'expires' => '2918'}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rest-graph
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-10-08 00:00:00.000000000Z
+date: 2011-11-25 00:00:00.000000000 Z
 dependencies: []
 description: ! 'A lightweight Facebook Graph API client