Jon
2008-Jun-28 04:19 UTC
[Facebooker-talk] How to handle facebook rails app uninstalls securely
I just figured out how to handle facebook rails app uninstalls securely and I wanted to share how I did it in case it's useful to anyone else.
I have an uninstall action in my users controller, which also means I had to set up a route like so:
# facebook posts to users/uninstall, but I also want to get there via get for testing
map.resources :users, :collection => {:uninstall => :any}
For my particular app, I don't erase the user record when I get an uninstall ping. I get the user record and save a date in the date_uninstalled field because I figure a user might uninstall accidentally or want to reinstall later. Anyway, that's not really the point of this post - you'll do what you want on the uninstall action. My big hurdle was discovering how to check the facebook signature so I could secure the uninstall action against malicious users.
So yesterday I emailed Mike Mangino and asked him:
Is there a Facebooker method that can return a calculated signature that my
uninstall action can use to compare with the passed signature? Or even
simpler, is there maybe a method that just tells you directly whether they
match?
Mike emailed back saying "Session#signature_for will calculate a signature" and "Controller#verify_signature will verify one". Here's what I found after following his leads:
The signature_for Facebooker method is useless for verifying a signature because it doesn't strip out the fb_sig param (note: fb_sig needs to be stripped because it's not used to make the signature - it's the value you compare your calculated signature against).
Facebooker's verify_signature method is useful, but it needs a hash of params that doesn't include fb_sig (you can't just pass it params, in other words). What I needed then was a method to properly prepare the params hash for the verify_signature method (by stripping fb_sig and giving me the rest). The first five lines of Facebooker's verified_facebook_params method were exactly what I needed. Note: the rest of the verified_facebook_params method makes it unsuitable for getting the special hash of params that we need.
It's too bad there isn't already a method in Facebooker that does just what those first five lines do and nothing else. Anyway, working with the Facebooker methods available, I created a protected method in application.rb called verify_uninstall_signature.
This is what it looks like: http://pastie.org/223872 (the snippet also shows that I call the method as a before filter in the users controller -- also note the protect_from_forgery line).
I hope that helps anyone else trying to figure out an efficient way to verify signatures on an uninstall request.
Thanks for your help Mike!
-Jon
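[Editor's note] The check Jon describes, written out as a stand-alone Ruby example. This is added here by the editor; it is not Jon's pastie and not Facebooker's own verify_signature or verified_facebook_params. It implements the legacy Facebook Platform request signature (strip the fb_sig_ prefix from every fb_sig_* parameter, sort the pairs by key, concatenate them as key=value with no separator, append the app secret, MD5 the result, and compare against the fb_sig parameter, which is itself excluded from the signed data). The module name, the APP_SECRET value, the sample request hash and the optional fb_sig_time freshness check are all the editor's assumptions.

```ruby
require "digest/md5"

# Added example (editor's own code, not Facebooker's): verify the legacy
# Facebook Platform signature that Facebook sends with an uninstall ping.
#
# Signed data = every fb_sig_* param with the "fb_sig_" prefix removed,
# sorted by key, joined as "key=value" with no separator, plus the app
# secret, MD5'd. The "fb_sig" param holds the signature to compare against
# and is NOT part of the signed data, so it must be stripped out first.
module FbSigVerifier
  PREFIX = "fb_sig_"

  # Build the hash that goes into the signature: only fb_sig_* keys, prefix
  # removed. Unrelated Rails params (controller, action, ...) and fb_sig
  # itself are left out, so the caller can pass the raw request params.
  def self.signed_params(params)
    params.each_with_object({}) do |(key, value), out|
      key = key.to_s
      next unless key.start_with?(PREFIX)
      out[key[PREFIX.length..-1]] = value.to_s
    end
  end

  # Compute the signature for an already-stripped param hash.
  def self.signature_for(stripped, secret)
    payload = stripped.sort.map { |k, v| "#{k}=#{v}" }.join
    Digest::MD5.hexdigest(payload + secret)
  end

  # Constant-time comparison so the check does not leak how many leading
  # characters of a forged signature were right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True only if fb_sig is present and matches the recomputed signature and,
  # when max_age is given and fb_sig_time is present, the request is no older
  # than max_age seconds. The freshness check is an editor's addition (replay
  # protection); the original post does not mention it.
  def self.valid?(params, secret, max_age: nil, now: Time.now.to_f)
    given = params["fb_sig"] || params[:fb_sig]
    return false if given.nil?
    stripped = signed_params(params)
    return false unless secure_compare(signature_for(stripped, secret), given.to_s)
    if max_age && stripped["time"]
      return false if now - stripped["time"].to_f > max_age
    end
    true
  end
end

# Constructed sample request, shaped like what Rails hands the uninstall
# action. Secret, user id and api key are hypothetical values.
APP_SECRET = "0123456789abcdef0123456789abcdef"
SAMPLE = {
  "controller"       => "users",
  "action"           => "uninstall",
  "fb_sig_uninstall" => "1",
  "fb_sig_user"      => "1234567",
  "fb_sig_time"      => "1214626757.1234",
  "fb_sig_api_key"   => "apikey-hypothetical",
}
# Sign the constructed request the way Facebook would.
SAMPLE["fb_sig"] = FbSigVerifier.signature_for(FbSigVerifier.signed_params(SAMPLE), APP_SECRET)

if __FILE__ == $0
  puts FbSigVerifier.valid?(SAMPLE, APP_SECRET)                     # true
  forged = SAMPLE.merge("fb_sig_user" => "7654321")
  puts FbSigVerifier.valid?(forged, APP_SECRET)                     # false
  puts FbSigVerifier.valid?(SAMPLE.reject { |k, _| k == "fb_sig" }, APP_SECRET) # false
end
```

In a Rails app the equivalent of Jon's before filter would call FbSigVerifier.valid?(params, secret) and render 403 on false; because signed_params ignores everything without the fb_sig_ prefix, the controller/action keys Rails adds do not disturb the signature, and a request that omits fb_sig entirely is rejected rather than treated as unsigned.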