Mike Papper
2008-Oct-15 09:39 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
Hi,
I am having a problem with verifying the facebook request when it
comes from the FB server after the user removes the application...
Consider 3 functions for ensure_*
1) Verify a request really comes from FB server
2) Verify that the user passed to me is who they say they are (really
logged into FB) - not necc. have added my app
3) Tell me if the user has the application installed (or not).
I assumed that ensure_authenticated_to_facebook is to do #1 and #2
above. But the code shows that if there is no current session, the
request MUST be for the canvas page otherwise we get a redirect to
"add this application" dialog.
What I see in the log is this:
-----------
Processing FbController#removed (for IP>IP>IP>IP at 2008-10-15
02:14:21) [POST]
Session ID: 04a1dde838ab7995b6c183d24a482dc7
Parameters: {"fb_sig_time"=>"1224062193.5147",
"fb_sig"=>"3c8fa09dc068fb76191fe1c39dcb3957",
"fb_sig_in_new_facebook"=>"1",
"fb_sig_locale"=>"en_US",
"action"=>"removed",
"controller"=>"fb",
"fb_sig_added"=>"0",
"fb_sig_api_key"=>"2401897b464320e9142685f65bd57bb0",
"fb_sig_user"=>"1558955543",
"fb_sig_uninstall"=>"1"}
Redirected to http://www.facebook.com/login.php?
api_key=XXXXXX4320e9142685f65bd57bb0&v=1.0
Filter chain halted as
[#<ActionController::Filters::ClassMethods::SymbolFilter:0x35d656c
@filter=:ensure_authenticated_to_facebook>] rendered_or_redirected.
Completed in 0.00036 (2763 reqs/sec) | DB: 0.00000 (0%) | 302 Found
[http://<server>/fb/removed]
----------------
Note: no fb_sig_session parameter
Note: Is fb_sig_user
My action method is never called - a problem!
My problem is that if I don't call ensure_auth... I cannot make sure
the request came from anybody on the Internet. If I call it, my
action method never gets called.
Related Question:
--------------------------
What is the difference between a user granting "access" for my app
and "adding" my app?
Similar Issue Too:
-----------------------
When I get a callback for the "authorized" post-url request from FB
(which is sent to <server>/fb/post-authorize (NOT a FB page request
like apps.facebook.com/my_app...) I get this error:
Facebooker::Session::IncorrectSignature
Presumably the current session SIG doesn't match this one since the
request is different...any ideas here?
Mike
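[Added example, not part of the original post and not Facebooker's own code.] Function #1 in the list above (verify that a request really comes from the FB server) can be checked from the fb_sig parameters alone, with no session and no redirect, which is what a post-remove callback like the logged one needs. The Ruby below assumes the legacy signature scheme (MD5 over the sorted fb_sig_* pairs followed by the app secret); the function names, the secret, the sample values and the 48-hour freshness window are hypothetical.

```ruby
require 'digest/md5'

# Constant-time comparison, so the check does not reveal how many leading
# characters of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Assumed legacy scheme: take every fb_sig_* parameter, strip the prefix,
# sort by key, join "key=value" with no separator, append the app secret
# and take the MD5 hex digest. Parameters such as "action" are not signed.
def fb_signature(params, secret)
  signed = params.select { |k, _| k.start_with?('fb_sig_') }
  raw = signed.map { |k, v| [k.delete_prefix('fb_sig_'), v] }
              .sort_by(&:first)
              .map { |k, v| "#{k}=#{v}" }
              .join
  Digest::MD5.hexdigest(raw + secret)
end

# Returns :ok, :missing, :bad_signature or :stale. It needs no session and
# never redirects, so it can guard server-to-server callbacks.
# max_age (seconds) is a hypothetical replay window.
def verify_fb_callback(params, secret, now: Time.now, max_age: 48 * 3600)
  sig = params['fb_sig']
  return :missing if sig.nil? || sig.empty?
  return :bad_signature unless secure_equal?(fb_signature(params, secret), sig)
  sent = params['fb_sig_time'].to_f
  return :stale if (now.to_f - sent).abs > max_age
  :ok
end

# Constructed sample: key names follow the log in the post above; the
# values and the secret are made up for this example.
SAMPLE_SECRET = 'constructed-app-secret'
SAMPLE_REMOVE = {
  'fb_sig_time' => '1224062193.5147',
  'fb_sig_in_new_facebook' => '1',
  'fb_sig_locale' => 'en_US',
  'fb_sig_added' => '0',
  'fb_sig_api_key' => 'constructed_api_key',
  'fb_sig_user' => '1000001',
  'fb_sig_uninstall' => '1',
  'action' => 'removed',
  'controller' => 'fb'
}
SAMPLE_REMOVE['fb_sig'] = fb_signature(SAMPLE_REMOVE, SAMPLE_SECRET)
SAMPLE_NOW = Time.at(1224062200)

puts verify_fb_callback(SAMPLE_REMOVE, SAMPLE_SECRET, now: SAMPLE_NOW)
```

Only a result of :ok says the fb_sig_* values, including fb_sig_user and fb_sig_uninstall, were signed with the app secret; any other result should end the request before the action touches user data.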
Mike Summers
2008-Nov-05 21:09 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
Is there any resolution to this? I'm having a similar problem with my
post authorize controller method.

If I don't use ensure_* there's no facebook_session, if I use ensure_*
I get redirected away :-(

--Mike
Mike Mangino
2008-Nov-05 21:36 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
On Nov 5, 2008, at 4:09 PM, Mike Summers wrote:
> Is there any resolution to this? I'm having a similar problem with
> my post authorize controller method.
>
> If I don't use ensure_* there's no facebook_session, if I use
> ensure_* I get redirected away :-(

There is a set_facebook_session filter that will try to set the session
without a redirect. Does that work for you?

Mike

--
Mike Mangino
http://www.elevatedrails.com
Mike Summers
2008-Nov-05 21:50 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
I'll give it a try and report back.

Thanks!
Mike Summers
2008-Nov-05 22:37 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
Didn't work, most likely pilot error on my part. This is the code:

    class PostController < ApplicationController
      include Facebooker::Rails::Controller
      protect_from_forgery(:only => [:create, :update, :destroy])

      def add
        STDERR.puts("post.add")
        STDERR.flush
        redirect_to("#{AppRoot}")
      end

      def remove
        STDERR.puts("post.remove")
        STDERR.flush
        #redirect_to("#{AppRoot}")
      end

      def authorize
        result = set_facebook_session
        STDERR.puts("post.authorize: set_facebook_session- #{result.inspect}")
        STDERR.flush
        EventPublisher.deliver_authorize_event(session[:facebook_session].user)
        redirect_to("#{AppRoot}")
      end
    end

set_facebook_session is returning nil. The controller shows the full
complement of fb_sig_* parameters, their values look good.

Am I including the Controller's code correctly?

Thanks for the help.
Mike Mangino
2008-Nov-06 02:49 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
On Nov 5, 2008, at 5:37 PM, Mike Summers wrote:
> set_facebook_session is returning nil. The controller shows the full
> complement of fb_sig_* parameters, their values look good.

Sorry, try looking at the value of facebook_session after calling
set_facebook_session. It is a filter that should make the
facebook_session variables available.

Mike

--
Mike Mangino
http://www.elevatedrails.com
Mike Summers
2008-Nov-06 15:49 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
facebook_session is null after calling set_facebook_session.

It looks like set_facebook_session is running into this:

    def secure_with_token!
      if params['auth_token']
        @facebook_session = new_facebook_session
        @facebook_session.auth_token = params['auth_token']
        @facebook_session.secure!
        session[:facebook_session] = @facebook_session
      end
    end

There is no 'auth_token' in params, would this be due to our coming
here from FB's 'Allow Access?' page?
Mike Mangino
2008-Nov-06 19:06 UTC
[Facebooker-talk] FB Notify URLs and ensure_authenticated_to_facebook
What do the parameters look like?

Mike

--
Mike Mangino
http://www.elevatedrails.com