Hi,

I'm stuck with signature verification errors for a super simple Merb+Facebooker app. I'm still unable to make the facebooker MD5 hash match what FB is sending. As a sanity check, I implemented the verification myself and confirmed that the value I'm generating is identical to the Facebooker asserted value. I'm at a loss of what the issue might be as I've been pulling my hair out over the last two days trying to get :set_facebook_session filter to work.

To make matters worse, I can authenticate with FB Connect on the same site. If anyone knows of ways to debug or simplify further, I'd really appreciate any suggestions. This is with a clean merb app with a single controller/view as well as a newly created FB app. I'm happy to post code if that would help.

Thanks,

Kris

This is a long shot but I had a signature verification error in an OpenSocial app. During development, I set up a tunnel to my dev machine from an external server (i.e., http://externalhost:3000). The OpenSocial container calculated my signature based on the http://externalhost:3000 URL (plus all the usual OpenSocial params) while my code calculated my sig based on this URL - http://externalhost (sans port number).

For some strange reason, my request object dropped the port number and thus calculated the signature differently.

Perhaps something similar is happening to you?

-- Bosco, SF Ruby Meetup organizer

On Sat, Mar 14, 2009 at 8:45 AM, Kristofer Goss <krsgoss at gmail.com> wrote:
> Hi, I'm stuck with signature verification errors for a super simple
> Merb+Facebooker app. I'm still unable to make the facebooker MD5 hash match
> what FB is sending. As a sanity check, I implemented the verification
> myself and confirmed that the value I'm generating is identical to the
> Facebooker asserted value. I'm at a loss of what the issue might be as I've
> been pulling my hair out over the last two days trying to get
> :set_facebook_session filter to work.
>
> To make matters worse, I can authenticate with FB Connect on the same
> site. If anyone knows of ways to debug or simplify further, I'd really
> appreciate any suggestions. This is with a clean merb app with a single
> controller/view as well as a newly created FB app. I'm happy to post code
> if that would help.

Hi Bosco, thanks for replying. I do tunnel from my external server (port 8888) to my local merb instance running on port 4000. However, does the server URL factor in at all in terms of the signature verification? From what I understand, the algorithm only needs to collect all "fb_sig_" prefixed POST/GET params, sort by key, then append the app's secret key into the string before running through the MD5 hash algorithm. From what I understand, the host information should not factor in to this. This one is driving me nuts given I can't get even the basics up and running.

Thanks again,

Kris

On Sat, Mar 14, 2009 at 1:39 PM, Bosco So <rubymeetup at boscoso.com> wrote:
> This is a long shot but I had a signature verification error in an
> OpenSocial app. During development, I set up a tunnel to my dev machine from
> an external server (i.e., http://externalhost:3000). The OpenSocial
> container calculated my signature based on the http://externalhost:3000
> URL (plus all the usual OpenSocial params) while my code calculated my sig
> based on this URL - http://externalhost (sans port number).
>
> For some strange reason, my request object dropped the port number and thus
> calculated the signature differently.
>
> Perhaps something similar is happening to you?
>
> -- Bosco, SF Ruby Meetup organizer

Not sure if this could be an issue, however, I thought that FB would POST all params to a canvas application. In my case, when hitting apps.facebook.com/myapp I see the request sent as a GET. This also contradicts the information in the Wiki here: http://wiki.developers.facebook.com/index.php/Verifying_The_Signature

Have I set up something wrong in my routes perhaps?

On Sat, Mar 14, 2009 at 3:22 PM, Kristofer Goss <krsgoss at gmail.com> wrote:
> Hi Bosco, thanks for replying. I do tunnel from my external server (port
> 8888) to my local merb instance running on port 4000. However, does the
> server URL factor in at all in terms of the signature verification? From
> what I understand, the algorithm only needs to collect all "fb_sig_"
> prefixed POST/GET params, sort by key, then append the app's secret key into
> the string before running through the MD5 hash algorithm. From what I
> understand, the host information should not factor in to this. This one is
> driving me nuts given I can't get even the basics up and running.
>
> Thanks again,
>
> Kris

What parameters are you getting? I wonder if a parameter is being silently eaten in your environment.

Have you tried the same thing with a simple Rails application?

Mike

On Mar 14, 2009, at 3:22 PM, Kristofer Goss wrote:
> Hi Bosco, thanks for replying. I do tunnel from my external server
> (port 8888) to my local merb instance running on port 4000.
> However, does the server URL factor in at all in terms of the
> signature verification? From what I understand, the algorithm only
> needs to collect all "fb_sig_" prefixed POST/GET params, sort by
> key, then append the app's secret key into the string before running
> through the MD5 hash algorithm. From what I understand, the host
> information should not factor in to this. This one is driving me
> nuts given I can't get even the basics up and running.
>
> Thanks again,
>
> Kris

--
Mike Mangino
http://www.elevatedrails.com

Hi Zhao, the stack trace is below. I've highlighted a couple parts within:

- My own signature verification result of the request
- The facebooker signature verification result
- I added a simple debug statement into the verify_signature method for sanity checking
- I've removed my friend list from the request
- It's a toy app, so here are the relevant settings, I've removed a couple pieces like email and my server host name only:

> API Key: b5aa1d6f4bc5800270033c3d6dccef54
> Application Secret: 9c12752f662186bd561f1255a9bcb4c7
> Application ID: 56615211793
> Contact Email: <email>
> Support Email: <email>
> Canvas Callback URL: http://<url>:8888/facebook
> Base Domain:
> Canvas URL: http://apps.facebook.com/kg-demo/
> FBML/iframe: FBML
> Developer Mode: Off

> *merb : worker (port 4000) ~ Hash: 722061c69b3b5b35310f026a42a2d77a*
> merb : worker (port 4000) ~
> ***** Debugger requested, but was not available: Start server with --debugger to enable *****
> *Facebooker: 722061c69b3b5b35310f026a42a2d77a*
> merb : worker (port 4000) ~ Facebooker::Session::IncorrectSignature - (Facebooker::Session::IncorrectSignature)
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:154:in `verify_signature'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:130:in `verified_facebook_params'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:42:in `facebook_params'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in `secure_with_facebook_params!'
> /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileutils.rb:243:in `all?'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in `each'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in `all?'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:74:in `secure_with_facebook_params!'
> /Users/Kris/Code/spikes/merb-fb/gems/gems/merb_facebooker-0.0.2.1/lib/merb_facebooker/controller.rb:30:in `set_facebook_session'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:346:in `send'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:346:in `_call_filters'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:338:in `each'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:338:in `_call_filters'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:283:in `_dispatch'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:281:in `catch'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/abstract_controller.rb:281:in `_dispatch'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/controller/merb_controller.rb:252:in `_dispatch'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in `dispatch_action'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in `synchronize'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:100:in `dispatch_action'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:74:in `handle'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/dispatch/dispatcher.rb:36:in `handle'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/application.rb:17:in `call'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/middleware/static.rb:28:in `call'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/handler/mongrel.rb:82:in `process'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:159:in `process_client'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:158:in `each'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:158:in `process_client'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in `run'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in `initialize'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in `new'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:285:in `run'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in `initialize'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in `new'
> /Library/Ruby/Gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:268:in `run'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/mongrel.rb:38:in `start_server'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/abstract.rb:295:in `start_at_port'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/rack/adapter/abstract.rb:128:in `start'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/server.rb:174:in `bootup'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core/server.rb:42:in `start'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/lib/merb-core.rb:170:in `start'
> /Library/Ruby/Gems/1.8/gems/merb-core-1.0.9/bin/merb:11
> /usr/bin/merb:19:in `load'
> /usr/bin/merb:19
> merb : worker (port 4000) ~ Params: {"format"=>"fbml",
> "fb_sig_time"=>"1237044844.5038",
> *"fb_sig"=>"1cd09f74f68f5dff1729b2a1d8859406"*,
> "fb_sig_app_id"=>"56615211793", "fb_sig_in_new_facebook"=>"1",
> "action"=>"index", "fb_sig_locale"=>"en_US", "id"=>nil,
> "fb_sig_session_key"=>"2.hT2Qz4cJt1tpmZXMI_lU0Q__.86400.1237132800-673124808",
> "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1",
> "controller"=>"facebook", "fb_sig_request_method"=>"get",
> "fb_sig_expires"=>"1237132800", "fb_sig_added"=>"1",
> *"fb_sig_friends"=>"1,2,3..."*,
> "fb_sig_api_key"=>"b5aa1d6f4bc5800270033c3d6dccef54",
> "fb_sig_user"=>"673124808", "fb_sig_profile_update_time"=>"1216646482"}

On Sat, Mar 14, 2009 at 4:36 PM, Zhao Lu <zhao.lu.us at gmail.com> wrote:
> Error stack and code please? If it's a toy app, then revealing api secret
> is safe too.

Hi Mike, I will try a small Rails POC next. One thing that I did note is that my application is receiving a GET request from FB. In reading the documentation, I was under the impression that FB would POST any/all requests to your FBML application. Perhaps this has something to do with it?

If I configure my routes and only expose the default facebook controller route via POST, the router fails to match the request sent from FB when viewing my application at apps.facebook.com/kg-demo. I'll try a rails demo as well this afternoon. Here is the list of keys being sent with the request from FB (I removed my friend ID's for their sake!):

> merb : worker (port 4000) ~ Params: {"format"=>nil,
> "fb_sig_time"=>"1237044844.5038",
> "fb_sig"=>"1cd09f74f68f5dff1729b2a1d8859406",
> "fb_sig_app_id"=>"56615211793", "fb_sig_in_new_facebook"=>"1",
> "action"=>"index", "fb_sig_locale"=>"en_US", "id"=>nil,
> "fb_sig_session_key"=>"2.hT2Qz4cJt1tpmZXMI_lU0Q__.86400.1237132800-673124808",
> "fb_sig_position_fix"=>"1", "fb_sig_in_canvas"=>"1",
> "controller"=>"facebook", "fb_sig_request_method"=>"get",
> "fb_sig_expires"=>"1237132800", "fb_sig_added"=>"1",
> "fb_sig_friends"=>"1,2,3...",
> "fb_sig_api_key"=>"b5aa1d6f4bc5800270033c3d6dccef54",
> "fb_sig_user"=>"673124808", "fb_sig_profile_update_time"=>"1216646482"}

Using the app's secret key of "9c12752f662186bd561f1255a9bcb4c7" I end up with a different hash value than the fb_sig sent from FB, causing the signature check to fail.

Thanks again for everyone's help,

Kris

On Sun, Mar 15, 2009 at 9:32 AM, Mike Mangino <mmangino at elevatedrails.com> wrote:
> What parameters are you getting? I wonder if a parameter is being silently
> eaten in your environment.
> Have you tried the same thing with a simple Rails application?
>
> Mike

Okay, mystery solved. The merb_facebooker plugin was adding a request override based on the fb_sig_request_method parameter. Merb would then downcase this value since all the verbs are lowercase symbols internally. This also explains why I was not seeing POST requests to my controller as the original HTTP method was being changed. Clearing the override fixed the issue.

I figured I would post the final answer here for the sake of completeness. Thanks again!

On Mon, Mar 16, 2009 at 8:40 AM, Kristofer Goss <krsgoss at gmail.com> wrote:
> Zhao, thank you! Hashing with "GET" instead of "get" produced the correct
> result. Now I just need to figure out what is altering the parameter value
> or whether it's being sent incorrectly from Facebook. It seems unlikely
> that Merb would just downcase a single parameter, though it seems more
> unlikely that FB broke their signature verification algorithm!
>
> Once again, thanks so much for your help. This was driving me nuts!
>
> Bests,
>
> Kris
>
> On Sun, Mar 15, 2009 at 3:55 PM, Zhao Lu <zhao.lu.us at gmail.com> wrote:
>
>> is fb_sig_request_method "get" or "GET"? maybe try verifying sig with
>> GET.
>>
>> On Sun, Mar 15, 2009 at 7:44 AM, Kristofer Goss <krsgoss at gmail.com> wrote:
>>
>> --
>> Zhao

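Added example (not part of the original thread, and not Facebooker's or merb_facebooker's own code): the fb_sig check as described in the thread, plus a helper that finds a single signed parameter whose value was altered before verification, as happened with fb_sig_request_method arriving as "get". It assumes the hashed string is the key-sorted key=value pairs with the fb_sig_ prefix stripped, followed by the secret; the secret, parameter values and helper names are constructed for the example.

```ruby
require 'digest/md5'

SIG_PREFIX = 'fb_sig_'

# Constructed sample values (not the ones posted in the thread).
SAMPLE_SECRET = 'constructed-secret-for-example'
SAMPLE_SIGNED = {
  'fb_sig_time'           => '1237000000.0000',
  'fb_sig_in_canvas'      => '1',
  'fb_sig_request_method' => 'GET',
  'fb_sig_user'           => '1000',
  'fb_sig_added'          => '1'
}.freeze

# String that gets hashed: only fb_sig_* params, prefix stripped (assumed),
# sorted by key, joined as key=value with no separator.
def signature_base(params)
  params.select { |k, _| k.start_with?(SIG_PREFIX) }
        .map { |k, v| [k.delete_prefix(SIG_PREFIX), v.to_s] }
        .sort_by(&:first)
        .map { |k, v| "#{k}=#{v}" }
        .join
end

def compute_sig(params, secret)
  Digest::MD5.hexdigest(signature_base(params) + secret)
end

# Compare digests without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_sig?(params, secret)
  secure_equal?(compute_sig(params, secret), params['fb_sig'].to_s)
end

# Value changes a framework or plugin might apply before the filter runs.
CANDIDATE_FIXES = {
  upcase:   ->(v) { v.upcase },
  downcase: ->(v) { v.downcase },
  strip:    ->(v) { v.strip }
}.freeze

# When verification fails, undo one candidate change on one signed parameter
# at a time and report the first combination that makes the signature match.
def find_mutated_param(params, secret)
  return nil if valid_sig?(params, secret)
  params.each do |key, value|
    next unless key.start_with?(SIG_PREFIX)
    CANDIDATE_FIXES.each do |name, fix|
      repaired = fix.call(value.to_s)
      next if repaired == value.to_s
      trial = params.merge(key => repaired)
      return { param: key, fix: name, signed_value: repaired } if valid_sig?(trial, secret)
    end
  end
  nil
end

def demo
  sent = SAMPLE_SIGNED.merge('fb_sig' => compute_sig(SAMPLE_SIGNED, SAMPLE_SECRET))
  # Routing params are not signed, so adding them must not affect the check.
  routed = sent.merge('controller' => 'facebook', 'action' => 'index')
  # Same request after the method value has been downcased on the way in.
  received = routed.merge('fb_sig_request_method' => 'get')
  {
    intact:         valid_sig?(sent, SAMPLE_SECRET),
    routing_ignored: valid_sig?(routed, SAMPLE_SECRET),
    mutated:        valid_sig?(received, SAMPLE_SECRET),
    diagnosis:      find_mutated_param(received, SAMPLE_SECRET)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The diagnosis only covers a single altered value; a parameter that was dropped entirely, which Mike asks about above, cannot be recovered this way and has to be found by comparing against the raw query string or POST body.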