Facebooker talk - Mar 2009 - Stuck on IncorrectSignature

Hi, I''m stuck with signature verification errors for a super simple
Merb+Facebooker app.  I''m still unable to make the facebooker MD5 hash
match
what FB is sending.  As a sanity check, I implemented the verification
myself and confirmed that the value I''m generating is identical to the
Facebooker asserted value.  I''m at a loss of what the issue might be as
I''ve
been pulling my hair out over the last two days trying to get
:set_facebook_session filter to work.

To make matters worse, I can authenticate with FB Connect on the same site.
If anyone knows of ways to debug or simplify further, I''d really
appreciate
any suggestions.  This is with a clean merb app with a single
controller/view as well as a newly created FB app.  I''m happy to post
code
if that would help.

Thanks,

Kris
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090314/ece43c4e/attachment-0001.html>

This is a long shot but I had a signature verification error in an
OpenSocial app. During development, I setup a tunnel to my dev machine from
an external server (i.e., http://externalhost:3000). The OpenSocial
container calculated my signature based on the http://externalhost:3000 URL
(plus all the usual OpenSocial params) while my code calculated my sig based
on this URL - http://externalhost (sans port number).

For some strange reason, my request object dropped the port number and thus
calculated the signature differently.

Perhaps something similar is happening to you?

-- Bosco, SF Ruby Meetup organizer


On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at gmail.com>
wrote:
> Hi, I''m stuck with signature verification errors for a super
simple
> Merb+Facebooker app.  I''m still unable to make the facebooker MD5
hash match
> what FB is sending.  As a sanity check, I implemented the verification
> myself and confirmed that the value I''m generating is identical to
the
> Facebooker asserted value.  I''m at a loss of what the issue might
be as I''ve
> been pulling my hair out over the last two days trying to get
> :set_facebook_session filter to work.
>
> To make matters worse, I can authenticate with FB Connect on the same
> site.  If anyone knows of ways to debug or simplify further, I''d
really
> appreciate any suggestions.  This is with a clean merb app with a single
> controller/view as well as a newly created FB app.  I''m happy to
post code
> if that would help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090314/f030897a/attachment.html>

Hi Bosco, thanks for replying.  I do tunnel from my external server (port
8888) to my local merb instance running on port 4000.  However, does the
server URL factor in at all in terms of the signature verification?  From
what I understand, the algorithm only needs to collect all "fb_sig_"
prefixed POST/GET params, sort by key, then append the app''s secret key
into
the string before running through the MD5 hash algorithm.  From what I
understand, the host information should not factor in to this.  This one is
driving me nuts given I can''t get even the basics up and running.

Thanks again,

Kris

On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at boscoso.com>
wrote:
> This is a long shot but I had a signature verification error in an
> OpenSocial app. During development, I setup a tunnel to my dev machine from
> an external server (i.e., http://externalhost:3000). The OpenSocial
> container calculated my signature based on the http://externalhost:3000URL
(plus all the usual OpenSocial params) while my code calculated my sig
> based on this URL - http://externalhost (sans port number).
>
> For some strange reason, my request object dropped the port number and thus
> calculated the signature differently.
>
> Perhaps something similar is happening to you?
>
> -- Bosco, SF Ruby Meetup organizer
>
>
>
> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at
gmail.com> wrote:
>
>> Hi, I''m stuck with signature verification errors for a super
simple
>> Merb+Facebooker app.  I''m still unable to make the facebooker
MD5 hash match
>> what FB is sending.  As a sanity check, I implemented the verification
>> myself and confirmed that the value I''m generating is
identical to the
>> Facebooker asserted value.  I''m at a loss of what the issue
might be as I''ve
>> been pulling my hair out over the last two days trying to get
>> :set_facebook_session filter to work.
>>
>> To make matters worse, I can authenticate with FB Connect on the same
>> site.  If anyone knows of ways to debug or simplify further,
I''d really
>> appreciate any suggestions.  This is with a clean merb app with a
single
>> controller/view as well as a newly created FB app.  I''m happy
to post code
>> if that would help.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090314/f0d119eb/attachment.html>

Not sure if this could be an issue, however, I thought that FB would POST
all params to a canvas application.  In my case, when hitting
apps.facebook.com/myapp I see the request sent as a GET.  This also
contradicts the information in the in the Wiki here:
http://wiki.developers.facebook.com/index.php/Verifying_The_Signature

Have I setup something wrong in my routes perhaps?

On Sat, Mar 14, 2009 at 3:22 PM, Kristofer Goss <krsgoss at gmail.com>
wrote:
> Hi Bosco, thanks for replying.  I do tunnel from my external server (port
> 8888) to my local merb instance running on port 4000.  However, does the
> server URL factor in at all in terms of the signature verification?  From
> what I understand, the algorithm only needs to collect all
"fb_sig_"
> prefixed POST/GET params, sort by key, then append the app''s
secret key into
> the string before running through the MD5 hash algorithm.  From what I
> understand, the host information should not factor in to this.  This one is
> driving me nuts given I can''t get even the basics up and running.
>
> Thanks again,
>
> Kris
>
>   On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at
boscoso.com>wrote:
>
>> This is a long shot but I had a signature verification error in an
>> OpenSocial app. During development, I setup a tunnel to my dev machine
from
>> an external server (i.e., http://externalhost:3000). The OpenSocial
>> container calculated my signature based on the
http://externalhost:3000URL (plus all the usual OpenSocial params) while my code
calculated my sig
>> based on this URL - http://externalhost (sans port number).
>>
>> For some strange reason, my request object dropped the port number and
>> thus calculated the signature differently.
>>
>> Perhaps something similar is happening to you?
>>
>> -- Bosco, SF Ruby Meetup organizer
>>
>>
>>
>> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at
gmail.com>wrote:
>>
>>> Hi, I''m stuck with signature verification errors for a
super simple
>>> Merb+Facebooker app.  I''m still unable to make the
facebooker MD5 hash match
>>> what FB is sending.  As a sanity check, I implemented the
verification
>>> myself and confirmed that the value I''m generating is
identical to the
>>> Facebooker asserted value.  I''m at a loss of what the
issue might be as I''ve
>>> been pulling my hair out over the last two days trying to get
>>> :set_facebook_session filter to work.
>>>
>>> To make matters worse, I can authenticate with FB Connect on the
same
>>> site.  If anyone knows of ways to debug or simplify further,
I''d really
>>> appreciate any suggestions.  This is with a clean merb app with a
single
>>> controller/view as well as a newly created FB app.  I''m
happy to post code
>>> if that would help.
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090314/97991615/attachment.html>

What parameters are you getting? I wonder if a parameter is being  
silently eaten in your environment.

Have you tried the same thing with a simple Rails application?

Mike

On Mar 14, 2009, at 3:22 PM, Kristofer Goss wrote:
> Hi Bosco, thanks for replying.  I do tunnel from my external server  
> (port 8888) to my local merb instance running on port 4000.   
> However, does the server URL factor in at all in terms of the  
> signature verification?  From what I understand, the algorithm only  
> needs to collect all "fb_sig_" prefixed POST/GET params, sort by
> key, then append the app''s secret key into the string before
running
> through the MD5 hash algorithm.  From what I understand, the host  
> information should not factor in to this.  This one is driving me  
> nuts given I can''t get even the basics up and running.
>
> Thanks again,
>
> Kris
>
> On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at boscoso.com>
> wrote:
> This is a long shot but I had a signature verification error in an  
> OpenSocial app. During development, I setup a tunnel to my dev  
> machine from an external server (i.e., http://externalhost:3000).  
> The OpenSocial container calculated my signature based on the
http://externalhost:3000
>  URL (plus all the usual OpenSocial params) while my code calculated  
> my sig based on this URL - http://externalhost (sans port number).
>
> For some strange reason, my request object dropped the port number  
> and thus calculated the signature differently.
>
> Perhaps something similar is happening to you?
>
> -- Bosco, SF Ruby Meetup organizer
>
>
>
> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at
gmail.com>
> wrote:
> Hi, I''m stuck with signature verification errors for a super
simple
> Merb+Facebooker app.  I''m still unable to make the facebooker MD5
> hash match what FB is sending.  As a sanity check, I implemented the  
> verification myself and confirmed that the value I''m generating is
> identical to the Facebooker asserted value.  I''m at a loss of what
> the issue might be as I''ve been pulling my hair out over the last
> two days trying to get :set_facebook_session filter to work.
>
> To make matters worse, I can authenticate with FB Connect on the  
> same site.  If anyone knows of ways to debug or simplify further,  
> I''d really appreciate any suggestions.  This is with a clean merb
> app with a single controller/view as well as a newly created FB  
> app.  I''m happy to post code if that would help.
>
>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
--
Mike Mangino
http://www.elevatedrails.com



-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090315/a271a54c/attachment-0001.html>

Hi Zhao, the stack trace is below.  I''ve highlighted a couple parts
within:

- My own signature verification result of the request

- The facebooker signature verification result - I added a simple debug
statement into the verify_signature method for sanity checking

- I''ve removed my friend list from the request

- It''s a toy app, so here are the relevant settings, I''ve
removed a couple
pieces like email and my server host name only:
> *API Key**b5aa1d6f4bc5800270033c3d6dccef54**Application Secret**
> 9c12752f662186bd561f1255a9bcb4c7*Application ID56615211793Contact Email
> <email>Support Email<email>Canvas Callback
URLhttp://<url>:8888/facebookBase
> Domain Canvas URLhttp://apps.facebook.com/kg-demo/FBML/iframeFBMLDeveloper
> ModeOff

*merb : worker (port 4000) ~ Hash:
722061c69b3b5b35310f026a42a2d7*7a
> merb : worker (port 4000) ~
> ***** Debugger requested, but was not available: Start server with
> --debugger to enable *****
> *Facebooker: 722061c69b3b5b35310f026a42a2d77a*
> merb : worker (port 4000) ~ Facebooker::Session::IncorrectSignature -
> (Facebooker::Session::IncorrectSignature)
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:154:in
> `verify_signature''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:130:in
> `verified_facebook_params''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:42:in
> `facebook_params''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in
> `secure_with_facebook_params!''
>
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileutils.rb:243:in
> `all?''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in
> `each''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in
> `all?''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in
> `secure_with_facebook_params!''
>
/Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:30:in
> `set_facebook_session''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:346:in
> `send''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:346:in
> `_call_filters''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:338:in
> `each''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:338:in
> `_call_filters''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:283:in
> `_dispatch''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:281:in
> `catch''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:281:in
> `_dispatch''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/merb_controller.rb:252:in
> `_dispatch''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in
> `dispatch_action''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in
> `synchronize''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in
> `dispatch_action''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:74:in
> `handle''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:36:in
> `handle''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/application.rb:17:in
> `call''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/middleware/static.rb:28:in
> `call''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/handler/mongrel.rb:82:in
> `process''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:159:in
> `process_client''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:158:in
`each''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:158:in
> `process_client''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in
`run''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in
> `initialize''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in
`new''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in
`run''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in
> `initialize''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in
`new''
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in
`run''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/mongrel.rb:38:in
> `start_server''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/abstract.rb:295:in
> `start_at_port''
>
/Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/abstract.rb:128:in
> `start''
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/server.rb:174:in
> `bootup''
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/server.rb:42:in
> `start''
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core.rb:170:in
`start''
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/bin/merb:11
> /usr/bin/merb:19:in `load''
> /usr/bin/merb:19
> merb : worker (port 4000) ~ Params:
{"format"=>"fbml",
> "fb_sig_time"=>"1237044844.5038", *
> "fb_sig"=>"1cd09f74f68f5dff1729b2a1d8859406"*,
> "fb_sig_app_id"=>"56615211793",
"fb_sig_in_new_facebook"=>"1",
> "action"=>"index",
"fb_sig_locale"=>"en_US", "id"=>nil,
>
"fb_sig_session_key"=>"2.hT2Qz4cJt1tpmZXMI_lU0Q__.86400.1237132800-673124808",
> "fb_sig_position_fix"=>"1",
"fb_sig_in_canvas"=>"1",
> "controller"=>"facebook",
"fb_sig_request_method"=>"get",
> "fb_sig_expires"=>"1237132800",
"fb_sig_added"=>"1", *
> "fb_sig_friends"=>"1,2,3..."*,
>
"fb_sig_api_key"=>"b5aa1d6f4bc5800270033c3d6dccef54",
> "fb_sig_user"=>"673124808",
"fb_sig_profile_update_time"=>"1216646482"}
>
On Sat, Mar 14, 2009 at 4:36 PM, Zhao Lu <zhao.lu.us at gmail.com> wrote:
> Error stack and code please? If it''s a toy app, then revealing api
secret
> is safe too.
>
>
>
> On Mar 14, 2009, at 12:22 PM, Kristofer Goss <krsgoss at gmail.com>
wrote:
>
> Hi Bosco, thanks for replying.  I do tunnel from my external server (port
> 8888) to my local merb instance running on port 4000.  However, does the
> server URL factor in at all in terms of the signature verification?  From
> what I understand, the algorithm only needs to collect all
"fb_sig_"
> prefixed POST/GET params, sort by key, then append the app''s
secret key into
> the string before running through the MD5 hash algorithm.  From what I
> understand, the host information should not factor in to this.  This one is
> driving me nuts given I can''t get even the basics up and running.
>
> Thanks again,
>
> Kris
>
> On Sat, Mar 14, 2009 at 1:39 PM, Bosco So < <rubymeetup at
boscoso.com>
> rubymeetup at boscoso.com> wrote:
>
>> This is a long shot but I had a signature verification error in an
>> OpenSocial app. During development, I setup a tunnel to my dev machine
from
>> an external server (i.e., <http://externalhost:3000/>
>> http://externalhost:3000). The OpenSocial container calculated my
>> signature based on the <http://externalhost:3000/>
>> http://externalhost:3000 URL (plus all the usual OpenSocial params)
while
>> my code calculated my sig based on this URL -
<http://externalhost/>
>> http://externalhost (sans port number).
>>
>> For some strange reason, my request object dropped the port number and
>> thus calculated the signature differently.
>>
>> Perhaps something similar is happening to you?
>>
>> -- Bosco, SF Ruby Meetup organizer
>>
>>
>>
>> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss < <krsgoss at
gmail.com>
>> krsgoss at gmail.com> wrote:
>>
>>> Hi, I''m stuck with signature verification errors for a
super simple
>>> Merb+Facebooker app.  I''m still unable to make the
facebooker MD5 hash match
>>> what FB is sending.  As a sanity check, I implemented the
verification
>>> myself and confirmed that the value I''m generating is
identical to the
>>> Facebooker asserted value.  I''m at a loss of what the
issue might be as I''ve
>>> been pulling my hair out over the last two days trying to get
>>> :set_facebook_session filter to work.
>>>
>>> To make matters worse, I can authenticate with FB Connect on the
same
>>> site.  If anyone knows of ways to debug or simplify further,
I''d really
>>> appreciate any suggestions.  This is with a clean merb app with a
single
>>> controller/view as well as a newly created FB app.  I''m
happy to post code
>>> if that would help.
>>
>>
>>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090315/cd7f8f57/attachment-0001.html>

Hi Mike, I will try a small Rails POC next.  One thing that I did not is
that my application is receiving a GET request from FB.  In reading the
documentation, I was under the impression that FB would POST any/all
requests to your FBML application.  Perhaps this has something to do with
it?

If I configure my routes and only expose the default facebook controller
route via POST, the router fails to match the request sent from FB when
viewing my application at apps.facebook.com/kg-demo.  I''ll try a rails
demo
as well this afternoon.  Here is the list of keys being sent with the
request from FB ( I removed my friend ID''s for their sake!):

merb : worker (port 4000) ~ Params:
{"format"=>nil,
> "fb_sig_time"=>"1237044844.5038",
> "fb_sig"=>"1cd09f74f68f5dff1729b2a1d8859406",
> "fb_sig_app_id"=>"56615211793",
"fb_sig_in_new_facebook"=>"1",
> "action"=>"index",
"fb_sig_locale"=>"en_US", "id"=>nil,
>
"fb_sig_session_key"=>"2.hT2Qz4cJt1tpmZXMI_lU0Q__.86400.1237132800-673124808",
> "fb_sig_position_fix"=>"1",
"fb_sig_in_canvas"=>"1",
> "controller"=>"facebook",
"fb_sig_request_method"=>"get",
> "fb_sig_expires"=>"1237132800",
"fb_sig_added"=>"1",
> "fb_sig_friends"=>"1,2,3...",
>
"fb_sig_api_key"=>"b5aa1d6f4bc5800270033c3d6dccef54",
> "fb_sig_user"=>"673124808",
"fb_sig_profile_update_time"=>"1216646482"}
>
>
Using the app''s secret key of
"9c12752f662186bd561f1255a9bcb4c7" I end up
with a different hash value than the fb_sig sent from FB, causing the
signature check to fail.

Thanks again for everyone''s help,

Kris

On Sun, Mar 15, 2009 at 9:32 AM, Mike Mangino <mmangino at
elevatedrails.com>wrote:
> What parameters are you getting? I wonder if a parameter is being silently
> eaten in your environment.
> Have you tried the same thing with a simple Rails application?
>
> Mike
>
> On Mar 14, 2009, at 3:22 PM, Kristofer Goss wrote:
>
> Hi Bosco, thanks for replying.  I do tunnel from my external server (port
> 8888) to my local merb instance running on port 4000.  However, does the
> server URL factor in at all in terms of the signature verification?  From
> what I understand, the algorithm only needs to collect all
"fb_sig_"
> prefixed POST/GET params, sort by key, then append the app''s
secret key into
> the string before running through the MD5 hash algorithm.  From what I
> understand, the host information should not factor in to this.  This one is
> driving me nuts given I can''t get even the basics up and running.
>
> Thanks again,
>
> Kris
>
> On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at boscoso.com>
wrote:
>
>> This is a long shot but I had a signature verification error in an
>> OpenSocial app. During development, I setup a tunnel to my dev machine
from
>> an external server (i.e., http://externalhost:3000). The OpenSocial
>> container calculated my signature based on the
http://externalhost:3000URL (plus all the usual OpenSocial params) while my code
calculated my sig
>> based on this URL - http://externalhost (sans port number).
>>
>> For some strange reason, my request object dropped the port number and
>> thus calculated the signature differently.
>>
>> Perhaps something similar is happening to you?
>>
>> -- Bosco, SF Ruby Meetup organizer
>>
>>
>>
>> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at
gmail.com>wrote:
>>
>>> Hi, I''m stuck with signature verification errors for a
super simple
>>> Merb+Facebooker app.  I''m still unable to make the
facebooker MD5 hash match
>>> what FB is sending.  As a sanity check, I implemented the
verification
>>> myself and confirmed that the value I''m generating is
identical to the
>>> Facebooker asserted value.  I''m at a loss of what the
issue might be as I''ve
>>> been pulling my hair out over the last two days trying to get
>>> :set_facebook_session filter to work.
>>>
>>> To make matters worse, I can authenticate with FB Connect on the
same
>>> site.  If anyone knows of ways to debug or simplify further,
I''d really
>>> appreciate any suggestions.  This is with a clean merb app with a
single
>>> controller/view as well as a newly created FB app.  I''m
happy to post code
>>> if that would help.
>>
>>
>>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
>
>
> --
> Mike Mangino
> http://www.elevatedrails.com
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090315/ad72d058/attachment.html>

Okay, mystery solved.  The merb_facebooker plugin was adding a request
override based on the fb_sig_request_method parameter.  Merb would then
downcase this value since all the verbs are lowercase symbols internally.
This also explains why I was not seeing POST requests to my controller as
the original HTTP method was being changed.  Clearing the override fixed the
issue.  I figured I would post the final answer here for the sake of
completeness.

Thanks again!

On Mon, Mar 16, 2009 at 8:40 AM, Kristofer Goss <krsgoss at gmail.com>
wrote:
> Zhao, thank you!  Hashing with "GET" instead of "get"
produced the correct
> result.  Now I just need to figure out what is altering the parameter value
> or whether it''s being sent incorrectly from Facebook.  It seems
unlikely
> that Merb would just downcase a single parameter, though it seems more
> unlikely that FB broke their signature verification algorithm!
>
> Once again, thanks so much for your help.  This was driving me nuts!
>
> Bests,
>
> Kris
>
>
> On Sun, Mar 15, 2009 at 3:55 PM, Zhao Lu <zhao.lu.us at gmail.com>
wrote:
>
>> is fb_sig_request_method "get" or "GET"?  maybe try
verifying sig with
>> GET.
>>
>>
>> On Sun, Mar 15, 2009 at 7:44 AM, Kristofer Goss <krsgoss at
gmail.com>wrote:
>>
>>> Hi Mike, I will try a small Rails POC next.  One thing that I did
not is
>>> that my application is receiving a GET request from FB.  In reading
the
>>> documentation, I was under the impression that FB would POST
any/all
>>> requests to your FBML application.  Perhaps this has something to
do with
>>> it?
>>>
>>> If I configure my routes and only expose the default facebook
controller
>>> route via POST, the router fails to match the request sent from FB
when
>>> viewing my application at apps.facebook.com/kg-demo.  I''ll
try a rails
>>> demo as well this afternoon.  Here is the list of keys being sent
with the
>>> request from FB ( I removed my friend ID''s for their
sake!):
>>>
>>> merb : worker (port 4000) ~ Params: {"format"=>nil,
>>>> "fb_sig_time"=>"1237044844.5038",
>>>>
"fb_sig"=>"1cd09f74f68f5dff1729b2a1d8859406",
>>>> "fb_sig_app_id"=>"56615211793",
"fb_sig_in_new_facebook"=>"1",
>>>> "action"=>"index",
"fb_sig_locale"=>"en_US", "id"=>nil,
>>>>
"fb_sig_session_key"=>"2.hT2Qz4cJt1tpmZXMI_lU0Q__.86400.1237132800-673124808",
>>>> "fb_sig_position_fix"=>"1",
"fb_sig_in_canvas"=>"1",
>>>> "controller"=>"facebook",
"fb_sig_request_method"=>"get",
>>>> "fb_sig_expires"=>"1237132800",
"fb_sig_added"=>"1",
>>>> "fb_sig_friends"=>"1,2,3...",
>>>>
"fb_sig_api_key"=>"b5aa1d6f4bc5800270033c3d6dccef54",
>>>> "fb_sig_user"=>"673124808",
"fb_sig_profile_update_time"=>"1216646482"}
>>>>
>>>>
>>> Using the app''s secret key of
"9c12752f662186bd561f1255a9bcb4c7" I end up
>>> with a different hash value than the fb_sig sent from FB, causing
the
>>> signature check to fail.
>>>
>>> Thanks again for everyone''s help,
>>>
>>> Kris
>>>
>>> On Sun, Mar 15, 2009 at 9:32 AM, Mike Mangino <
>>> mmangino at elevatedrails.com> wrote:
>>>
>>>> What parameters are you getting? I wonder if a parameter is
being
>>>> silently eaten in your environment.
>>>> Have you tried the same thing with a simple Rails application?
>>>>
>>>> Mike
>>>>
>>>> On Mar 14, 2009, at 3:22 PM, Kristofer Goss wrote:
>>>>
>>>> Hi Bosco, thanks for replying.  I do tunnel from my external
server
>>>> (port 8888) to my local merb instance running on port 4000. 
However, does
>>>> the server URL factor in at all in terms of the signature
verification?
>>>> From what I understand, the algorithm only needs to collect all
"fb_sig_"
>>>> prefixed POST/GET params, sort by key, then append the
app''s secret key into
>>>> the string before running through the MD5 hash algorithm.  From
what I
>>>> understand, the host information should not factor in to this. 
This one is
>>>> driving me nuts given I can''t get even the basics up
and running.
>>>>
>>>> Thanks again,
>>>>
>>>> Kris
>>>>
>>>> On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at
boscoso.com>wrote:
>>>>
>>>>> This is a long shot but I had a signature verification
error in an
>>>>> OpenSocial app. During development, I setup a tunnel to my
dev machine from
>>>>> an external server (i.e., http://externalhost:3000). The
OpenSocial
>>>>> container calculated my signature based on the
>>>>> http://externalhost:3000 URL (plus all the usual OpenSocial
params)
>>>>> while my code calculated my sig based on this URL -
>>>>> http://externalhost (sans port number).
>>>>>
>>>>> For some strange reason, my request object dropped the port
number and
>>>>> thus calculated the signature differently.
>>>>>
>>>>> Perhaps something similar is happening to you?
>>>>>
>>>>> -- Bosco, SF Ruby Meetup organizer
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss
at gmail.com>wrote:
>>>>>
>>>>>> Hi, I''m stuck with signature verification
errors for a super simple
>>>>>> Merb+Facebooker app.  I''m still unable to make
the facebooker MD5 hash match
>>>>>> what FB is sending.  As a sanity check, I implemented
the verification
>>>>>> myself and confirmed that the value I''m
generating is identical to the
>>>>>> Facebooker asserted value.  I''m at a loss of
what the issue might be as I''ve
>>>>>> been pulling my hair out over the last two days trying
to get
>>>>>> :set_facebook_session filter to work.
>>>>>>
>>>>>> To make matters worse, I can authenticate with FB
Connect on the same
>>>>>> site.  If anyone knows of ways to debug or simplify
further, I''d really
>>>>>> appreciate any suggestions.  This is with a clean merb
app with a single
>>>>>> controller/view as well as a newly created FB app. 
I''m happy to post code
>>>>>> if that would help.
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Facebooker-talk mailing list
>>>> Facebooker-talk at rubyforge.org
>>>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>>>
>>>>
>>>>  --
>>>> Mike Mangino
>>>> http://www.elevatedrails.com
>>>>
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Facebooker-talk mailing list
>>> Facebooker-talk at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>>
>>>
>>
>>
>> --
>> Zhao
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://rubyforge.org/pipermail/facebooker-talk/attachments/20090316/24a3b89e/attachment.html>