Commit fa9d6bcb5e95dad83207a12e9c94c934582ae05b - ruby-omniauth-facebook

+1

-0

.gitignore less more

5	5	.powenv
6	6	tmp
7	7	bin
	8	example/app.log

+5

-0

.travis.yml less more

7	7	- 1.9.2
8	8	- 1.9.3
9	9	- 2.0.0
	10	- 2.1
10	11	- jruby
	12	- rbx
	13	matrix:
	14	allow_failures:
	15	- rvm: rbx

+6

-3

CHANGELOG.md less more

	0	## 2.0.0 (2014-08-07)
	1
	2	Bugfixes:
	3
	4	- bump omniauth-oauth2 dependency which addresses CVE-2012-6134 (#162, @linedotstar)
	5
0	6	## 1.6.0 (2014-01-13)
1	7
2	8	Features:

54	60	- have `raw_info` return an empty hash if the Facebook response returns false (#44, @brianjlandau)
55	61	- prevent oauth2 from interpreting Facebook's expires field as `expires_in`, when it's really `expires_at` (#39, @watsonbox)
56	62	- remove deprecated `offline_access` permission (@mkdynamic)
57
58		Changes:
59
60	63	- tidy up the `callback_url` option (@mkdynamic)
61	64
62	65	## 1.2.0 (2012-01-06)

+3

-1

Gemfile less more

1	1
2	2	gemspec
3	3
4		gem 'jruby-openssl', :platform => :jruby
	4	platforms :rbx do
	5	gem 'rubysl', '~> 2.0'
	6	end

+26

-44

README.md less more

0		**NOTE: If you're running < 1.5.1, please upgrade to address 2 security vulnerabilities.
1		More details [here](https://github.com/mkdynamic/omniauth-facebook/wiki/CSRF-vulnerability:-CVE-2013-4562) and [here](https://github.com/mkdynamic/omniauth-facebook/wiki/Access-token-vulnerability:-CVE-2013-4593).**
	0	**IMPORTANT: If you're running < 1.5.1, please upgrade to the latest version to address 3 security vulnerabilities.
	1	More details [here](https://github.com/mkdynamic/omniauth-facebook/wiki/CSRF-vulnerability:-CVE-2013-4562), [here](https://github.com/mkdynamic/omniauth-facebook/wiki/Access-token-vulnerability:-CVE-2013-4593) and [here](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6134).**
2	2
3	3	---
4	4
5	5	# OmniAuth Facebook  [![Build Status](https://secure.travis-ci.org/mkdynamic/omniauth-facebook.png?branch=master)](https://travis-ci.org/mkdynamic/omniauth-facebook)
	6
	7	These notes are based on master, please see tags for README pertaining to specific releases.
6	8
7	9	Facebook OAuth2 Strategy for OmniAuth.
8	10

36	38
37	39	You can configure several options, which you pass in to the `provider` method via a `Hash`:
38	40
39		* `scope`: A comma-separated list of permissions you want to request from the user. See the Facebook docs for a full list of available permissions: http://developers.facebook.com/docs/reference/api/permissions. Default: `email`
40		* `display`: The display context to show the authentication page. Options are: `page`, `popup` and `touch`. Read the Facebook docs for more details: https://developers.facebook.com/docs/reference/dialogs/oauth/. Default: `page`
41		* `auth_type`: Optionally specifies the requested authentication features as a comma-separated list, as per https://developers.facebook.com/docs/authentication/reauthentication/.
42		Valid values are `https` (checks for the presence of the secure cookie and asks for re-authentication if it is not present), and `reauthenticate` (asks the user to re-authenticate unconditionally). Default is `nil`.
43		* `secure_image_url`: Set to `true` to use https for the avatar image url returned in the auth hash. Default is `false`.
44		* `image_size`: Set the size for the returned image url in the auth hash. Valid options include `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Additionally, you can request a picture of a specific size by setting this option to a hash with `:width` and `:height` as keys. This will return an available profile picture closest to the requested size and requested aspect ratio. If only `:width` or `:height` is specified, we will return a picture whose width or height is closest to the requested size, respectively.
45		* `info_fields`: Specify exactly which fields should be returned when getting the user's info. Value should be a comma-separated string as per https://developers.facebook.com/docs/reference/api/user/ (only /me endpoint).
46		* `locale`: Specify locale which should be used when getting the user's info. Value should be locale string as per https://developers.facebook.com/docs/reference/api/locale/.
	41	Option name \| Default \| Explanation
	42	--- \| --- \| ---
	43	`scope` \| `email` \| A comma-separated list of permissions you want to request from the user. See the Facebook docs for a full list of available permissions: https://developers.facebook.com/docs/reference/login/
	44	`display` \| `page` \| The display context to show the authentication page. Options are: `page`, `popup` and `touch`. Read the Facebook docs for more details: https://developers.facebook.com/docs/reference/dialogs/oauth/
	45	`image_size` \| `square` \| Set the size for the returned image url in the auth hash. Valid options include `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Additionally, you can request a picture of a specific size by setting this option to a hash with `:width` and `:height` as keys. This will return an available profile picture closest to the requested size and requested aspect ratio. If only `:width` or `:height` is specified, we will return a picture whose width or height is closest to the requested size, respectively.
	46	`info_fields` \| \| Specify exactly which fields should be returned when getting the user's info. Value should be a comma-separated string as per https://developers.facebook.com/docs/graph-api/reference/user/ (only `/me` endpoint).
	47	`locale` \| \| Specify locale which should be used when getting the user's info. Value should be locale string as per https://developers.facebook.com/docs/reference/api/locale/.
	48	`auth_type` \| \| Optionally specifies the requested authentication features as a comma-separated list, as per https://developers.facebook.com/docs/facebook-login/reauthentication/. Valid values are `https` (checks for the presence of the secure cookie and asks for re-authentication if it is not present), and `reauthenticate` (asks the user to re-authenticate unconditionally). Default is `nil`.
	49	`secure_image_url` \| `false` \| Set to `true` to use https for the avatar image url returned in the auth hash.
	50	`callback_url` / `callback_path` \| \| Specify a custom callback URL used during the server-side flow. Note this must be allowed by your app configuration on Facebook (see 'Valid OAuth redirect URIs' under the 'Advanced' settings section in the configuration for your Facebook app for more details).
47	51
48	52	For example, to request `email`, `user_birthday` and `read_stream` permissions and display the authentication page in a popup window:
49	53

57	61	### Per-Request Options
58	62
59	63	If you want to set the `display` format, `auth_type`, or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`.
60
61		### Custom Callback URL/Path
62
63		You can set a custom `callback_url` or `callback_path` option to override the default value. See [OmniAuth::Strategy#callback_url](https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L411) for more details on the default.
64	64
65	65	## Auth Hash
66	66

108	108
109	109	The precise information available may depend on the permissions which you request.
110	110
111		## Client-side Flow
	111	## Client-side Flow with Facebook Javascript SDK
112	112
113	113	You can use the Facebook Javascript SDK with `FB.login`, and just hit the callback endpoint (`/auth/facebook/callback` by default) once the user has authenticated in the success callback.
114	114
115		Note that you must enable cookies in the `FB.init` config for this process to work.
	115	Note that you must enable cookies in the `FB.init` config for this process to work.
116	116
117		See the example Sinatra app under `example/` and read the [Facebook docs on Client-Side Authentication](https://developers.facebook.com/docs/authentication/client-side/) for more details.
	117	See the example Sinatra app under `example/` and read the [Facebook docs on Login for JavaScript](https://developers.facebook.com/docs/facebook-login/login-flow-for-web/) for more details.
118	118
119	119	### How it Works
120	120

126	126	2. extract the authorization code contained in it
127	127	3. and hit Facebook and obtain an access token which will get placed in the `request.env['omniauth.auth']['credentials']` hash.
128	128
129		Note that this access token will be the same token obtained and available in the client through the hash [as detailed in the Facebook docs](https://developers.facebook.com/docs/authentication/client-side/).
130
131		## Canvas Apps
132
133		Canvas apps will send a signed request with the initial POST, therefore you can (if it makes sense for your app) pass this to the authorize endpoint (`/auth/facebook` by default) in the querystring.
134
135		There are then 2 scenarios for what happens next:
136
137		1. A user has already granted access to your app, this will contain an access token. In this case, omniauth-facebook will skip asking the user for authentication and immediately redirect to the callback endpoint (`/auth/facebook/callback` by default) with the access token present in the `request.env['omniauth.auth']['credentials']` hash.
138
139		2. A user has not granted access to your app, and the signed request will not contain an access token. In this case omniauth-facebook will simply follow the standard auth flow.
140
141		Take a look at [the example Sinatra app for one option of how you can integrate with a canvas page](https://github.com/mkdynamic/omniauth-facebook/blob/master/example/config.ru).
142
143		Bear in mind you have several [options](https://developers.facebook.com/docs/opengraph/authentication). Read [the Facebook docs on canvas page authentication](https://developers.facebook.com/docs/authentication/canvas/) for more info.
144
145	129	## Token Expiry
146	130
147		Since Facebook deprecated the `offline_access` permission, this has become more complex. The expiration time of the access token you obtain will depend on which flow you are using. See below for more details.
	131	The expiration time of the access token you obtain will depend on which flow you are using.
148	132
149	133	### Client-Side Flow
150	134
151	135	If you use the client-side flow, Facebook will give you back a short lived access token (~ 2 hours).
152	136
153		You can exchange this short lived access token for a longer lived version. Read the [Facebook docs about the offline_access deprecation](https://developers.facebook.com/roadmap/offline-access-removal/) for more information.
	137	You can exchange this short lived access token for a longer lived version. Read the [Facebook docs](https://developers.facebook.com/docs/facebook-login/access-tokens/) for more information on exchanging a short lived token for a long lived token.
154	138
155	139	### Server-Side Flow
156	140
157	141	If you use the server-side flow, Facebook will give you back a longer lived access token (~ 60 days).
158	142
159		If you're having issue getting a long lived token with the server-side flow, make sure to enable the 'deprecate offline_access setting' in you Facebook app config. Read the [Facebook docs about the offline_access deprecation](https://developers.facebook.com/roadmap/offline-access-removal/) for more information.
160
161	143	## Supported Rubies
162	144
163	145	Actively tested with the following Ruby versions:
164	146
	147	- MRI 2.1.0
165	148	- MRI 2.0.0
166	149	- MRI 1.9.3
167	150	- MRI 1.9.2
168	151	- MRI 1.8.7
169		- JRuby 1.7.4
170
171		NB. For JRuby < 1.7, you'll need to install the `jruby-openssl` gem. There's no way to automatically specify this in a Rubygem gemspec, so you need to manually add it your project's own Gemfile:
172
173		```ruby
174		gem 'jruby-openssl', :platform => :jruby
175		```
	152	- JRuby 1.7.9
	153	- Rubinius (latest stable)
176	154
177	155	## License
178	156

183	161	The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
184	162
185	163	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
	164
	165
	166	[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/mkdynamic/omniauth-facebook/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
	167

checksums.yaml.gz less more

Binary diff not shown

+1

-0

example/Gemfile less more

0	0	source 'https://rubygems.org'
1	1
2	2	gem 'sinatra'
	3	gem 'sinatra-reloader'
3	4	gem 'omniauth-facebook', :path => '../'

+32

-17

example/Gemfile.lock less more

0	0	PATH
1	1	remote: ../
2	2	specs:
3		omniauth-facebook (1.6.0.rc1)
	3	omniauth-facebook (2.0.0.pre1)
4	4	omniauth-oauth2 (~> 1.1)
5	5
6	6	GEM
7	7	remote: https://rubygems.org/
8	8	specs:
9		faraday (0.8.8)
10		multipart-post (~> 1.2.0)
11		hashie (2.0.5)
12		httpauth (0.2.0)
13		jwt (0.1.8)
	9	backports (3.3.5)
	10	faraday (0.9.0)
	11	multipart-post (>= 1.2, < 3)
	12	hashie (2.1.1)
	13	jwt (0.1.13)
14	14	multi_json (>= 1.5)
15	15	multi_json (1.8.2)
16		multipart-post (1.2.0)
17		oauth2 (0.8.1)
18		faraday (~> 0.8)
19		httpauth (~> 0.1)
20		jwt (~> 0.1.4)
21		multi_json (~> 1.0)
	16	multi_xml (0.5.5)
	17	multipart-post (2.0.0)
	18	oauth2 (0.9.3)
	19	faraday (>= 0.8, < 0.10)
	20	jwt (~> 0.1.8)
	21	multi_json (~> 1.3)
	22	multi_xml (~> 0.5)
22	23	rack (~> 1.2)
23		omniauth (1.1.4)
	24	omniauth (1.2.1)
24	25	hashie (>= 1.2, < 3)
25		rack
26		omniauth-oauth2 (1.1.1)
27		oauth2 (~> 0.8.0)
28		omniauth (~> 1.0)
	26	rack (~> 1.0)
	27	omniauth-oauth2 (1.1.2)
	28	faraday (>= 0.8, < 0.10)
	29	multi_json (~> 1.3)
	30	oauth2 (~> 0.9.3)
	31	omniauth (~> 1.2)
29	32	rack (1.5.2)
30	33	rack-protection (1.5.1)
31	34	rack
	35	rack-test (0.6.2)
	36	rack (>= 1.0)
32	37	sinatra (1.4.4)
33	38	rack (~> 1.4)
34	39	rack-protection (~> 1.4)
35	40	tilt (~> 1.3, >= 1.3.4)
	41	sinatra-contrib (1.4.2)
	42	backports (>= 2.0)
	43	multi_json
	44	rack-protection
	45	rack-test
	46	sinatra (~> 1.4.0)
	47	tilt (~> 1.3)
	48	sinatra-reloader (1.0)
	49	sinatra-contrib
36	50	tilt (1.4.1)
37	51
38	52	PLATFORMS

41	55	DEPENDENCIES
42	56	omniauth-facebook!
43	57	sinatra
	58	sinatra-reloader

+93

-0

example/app.rb less more

	0	require 'sinatra'
	1	require "sinatra/reloader"
	2	require 'yaml'
	3
	4	# configure sinatra
	5	set :run, false
	6	set :raise_errors, true
	7
	8	# setup logging to file
	9	log = File.new("app.log", "a+")
	10	$stdout.reopen(log)
	11	$stderr.reopen(log)
	12	$stderr.sync = true
	13	$stdout.sync = true
	14
	15	# server-side flow
	16	get '/server-side' do
	17	# NOTE: You would just hit this endpoint directly from the browser in a real app. The redirect is just here to
	18	# explicit declare this server-side flow.
	19	redirect '/auth/facebook'
	20	end
	21
	22	# client-side flow
	23	get '/client-side' do
	24	content_type 'text/html'
	25	# NOTE: When you enable cookie below in the FB.init call the GET request in the FB.login callback will send a signed
	26	# request in a cookie back the OmniAuth callback which will parse out the authorization code and obtain an
	27	# access_token with it.
	28	<<-END
	29	<html>
	30	<head>
	31	<title>Client-side Flow Example</title>
	32	<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
	33	</head>
	34	<body>
	35	<div id="fb-root"></div>
	36
	37	<script type="text/javascript">
	38	window.fbAsyncInit = function() {
	39	FB.init({
	40	appId : '#{ENV['APP_ID']}',
	41	status : true, // check login status
	42	cookie : true, // enable cookies to allow the server to access the session
	43	xfbml : true // parse XFBML
	44	});
	45	};
	46
	47	(function(d) {
	48	var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
	49	js = d.createElement('script'); js.id = id; js.async = true;
	50	js.src = "//connect.facebook.net/en_US/all.js";
	51	d.getElementsByTagName('head')[0].appendChild(js);
	52	}(document));
	53
	54	$(function() {
	55	$('a').click(function(e) {
	56	e.preventDefault();
	57
	58	FB.login(function(response) {
	59	if (response.authResponse) {
	60	$('#connect').html('Connected! Hitting OmniAuth callback (GET /auth/facebook/callback)...');
	61
	62	// since we have cookies enabled, this request will allow omniauth to parse
	63	// out the auth code from the signed request in the fbsr_XXX cookie
	64	$.getJSON('/auth/facebook/callback', function(json) {
	65	$('#connect').html('Connected! Callback complete.');
	66	$('#results').html(JSON.stringify(json));
	67	});
	68	}
	69	}, { scope: 'email,read_stream', state: 'abc123' });
	70	});
	71	});
	72	</script>
	73
	74	<p id="connect">
	75	<a href="#">Connect to FB!</a>
	76	</p>
	77
	78	<p id="results" />
	79	</body>
	80	</html>
	81	END
	82	end
	83
	84	get '/auth/:provider/callback' do
	85	content_type 'application/json'
	86	MultiJson.encode(request.env)
	87	end
	88
	89	get '/auth/failure' do
	90	content_type 'application/json'
	91	MultiJson.encode(request.env)
	92	end

+5

-104

example/config.ru less more

0	0	require 'bundler/setup'
1		require 'sinatra/base'
2	1	require 'omniauth-facebook'
	2	require './app.rb'
3	3
4		SCOPE = 'email,read_stream'
	4	use Rack::Session::Cookie, :secret => 'abc123'
5	5
6		class App < Sinatra::Base
7		# turn off sinatra default X-Frame-Options for FB canvas
8		set :protection, :except => :frame_options
9
10		# server-side flow
11		get '/' do
12		# NOTE: you would just hit this endpoint directly from the browser
13		# in a real app. the redirect is just here to setup the root
14		# path in this example sinatra app.
15		redirect '/auth/facebook'
16		end
17
18		# client-side flow
19		get '/client-side' do
20		content_type 'text/html'
21		# NOTE: when you enable cookie below in the FB.init call
22		# the GET request in the FB.login callback will send
23		# a signed request in a cookie back the OmniAuth callback
24		# which will parse out the authorization code and obtain
25		# the access_token. This will be the exact same access_token
26		# returned to the client in response.authResponse.accessToken.
27		<<-END
28		<html>
29		<head>
30		<title>Client-side Flow Example</title>
31		<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
32		</head>
33		<body>
34		<div id="fb-root"></div>
35
36		<script type="text/javascript">
37		window.fbAsyncInit = function() {
38		FB.init({
39		appId : '#{ENV['APP_ID']}',
40		status : true, // check login status
41		cookie : true, // enable cookies to allow the server to access the session
42		xfbml : true // parse XFBML
43		});
44		};
45
46		(function(d) {
47		var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
48		js = d.createElement('script'); js.id = id; js.async = true;
49		js.src = "//connect.facebook.net/en_US/all.js";
50		d.getElementsByTagName('head')[0].appendChild(js);
51		}(document));
52
53		$(function() {
54		$('a').click(function(e) {
55		e.preventDefault();
56
57		FB.login(function(response) {
58		if (response.authResponse) {
59		$('#connect').html('Connected! Hitting OmniAuth callback (GET /auth/facebook/callback)...');
60
61		// since we have cookies enabled, this request will allow omniauth to parse
62		// out the auth code from the signed request in the fbsr_XXX cookie
63		$.getJSON('/auth/facebook/callback', function(json) {
64		$('#connect').html('Connected! Callback complete.');
65		$('#results').html(JSON.stringify(json));
66		});
67		}
68		}, { scope: '#{SCOPE}' });
69		});
70		});
71		</script>
72
73		<p id="connect">
74		<a href="#">Connect to FB</a>
75		</p>
76
77		<p id="results" />
78		</body>
79		</html>
80		END
81		end
82
83		# auth via FB canvas and signed request param
84		post '/canvas/' do
85		# we just redirect to /auth/facebook here which will parse the
86		# signed_request FB sends us, asking for auth if the user has
87		# not already granted access, or simply moving straight to the
88		# callback where they have already granted access.
89		redirect "/auth/facebook?signed_request=#{request.params['signed_request']}"
90		end
91
92		get '/auth/:provider/callback' do
93		content_type 'application/json'
94		MultiJson.encode(request.env)
95		end
96
97		get '/auth/failure' do
98		content_type 'application/json'
99		MultiJson.encode(request.env)
100		end
	6	use OmniAuth::Builder do
	7	provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => 'email,read_stream'
101	8	end
102	9
103		use Rack::Session::Cookie
104
105		use OmniAuth::Builder do
106		provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => SCOPE
107		end
108
109		run App.new
	10	run Sinatra::Application

+1

-1

lib/omniauth/facebook/version.rb less more

0	0	module OmniAuth
1	1	module Facebook
2		VERSION = "1.6.0"
	2	VERSION = "2.0.0"
3	3	end
4	4	end

+24

-55

lib/omniauth/strategies/facebook.rb less more

67	67	end
68	68
69	69	def callback_phase
70		super
	70	with_authorization_code! do
	71	super
	72	end
71	73	rescue NoAuthorizationCodeError => e
72	74	fail!(:no_authorization_code, e)
73	75	rescue UnknownSignatureAlgorithmError => e
74	76	fail!(:unknown_signature_algoruthm, e)
75	77	end
76	78
77		def request_phase
78		if signed_request_contains_access_token?
79		# If we already have an access token, we can just hit the callback URL directly and pass the signed request.
80		params = { :signed_request => raw_signed_request }
81		query = Rack::Utils.build_query(params)
82
83		url = callback_url
84		url << "?" unless url.match(/\?/)
85		url << "&" unless url.match(/[\&\?]$/)
86		url << query
87
88		redirect url
89		else
90		super
91		end
92		end
93
94	79	# NOTE If we're using code from the signed request then FB sets the redirect_uri to '' during the authorize
95	80	# phase and it must match during the access_token phase:
96		# https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
	81	# https://github.com/facebook/facebook-php-sdk/blob/master/src/base_facebook.php#L477
97	82	def callback_url
98		if @authorization_code_from_signed_request
	83	if @authorization_code_from_signed_request_in_cookie
99	84	''
100	85	else
101	86	options[:callback_url] \|\| super

109	94	# You can pass +display+, +scope+, or +auth_type+ params to the auth request, if you need to set them dynamically.
110	95	# You can also set these options in the OmniAuth config :authorize_params option.
111	96	#
112		# /auth/facebook?display=popup
	97	# For example: /auth/facebook?display=popup
113	98	def authorize_params
114	99	super.tap do \|params\|
115	100	%w[display scope auth_type].each do \|v\|

122	107	end
123	108	end
124	109
125		# Parse signed request in order, from:
126		#
127		# 1. The request 'signed_request' param (server-side flow from canvas pages) or
128		# 2. A cookie (client-side flow via JS SDK)
129		def signed_request
130		@signed_request \|\|= raw_signed_request && parse_signed_request(raw_signed_request)
131		end
132
133	110	protected
134	111
135	112	def build_access_token
136		if signed_request_contains_access_token?
137		hash = signed_request.clone
138		::OAuth2::AccessToken.new(
139		client,
140		hash.delete('oauth_token'),
141		hash.merge!(access_token_options.merge(:expires_at => hash.delete('expires')))
142		)
143		else
144		with_authorization_code! { super }.tap do \|token\|
145		token.options.merge!(access_token_options)
146		end
	113	super.tap do \|token\|
	114	token.options.merge!(access_token_options)
147	115	end
148	116	end
149	117
150	118	private
151	119
152		def raw_signed_request
153		request.params['signed_request'] \|\| request.cookies["fbsr_#{client.id}"]
154		end
155
156		# If the signed_request comes from a FB canvas page and the user has already authorized your application, the JSON
157		# object will be contain the access token.
158		#
159		# https://developers.facebook.com/docs/authentication/canvas/
160		def signed_request_contains_access_token?
161		signed_request && signed_request['oauth_token']
	120	def signed_request_from_cookie
	121	@signed_request_from_cookie \|\|= raw_signed_request_from_cookie && parse_signed_request(raw_signed_request_from_cookie)
	122	end
	123
	124	def raw_signed_request_from_cookie
	125	request.cookies["fbsr_#{client.id}"]
162	126	end
163	127
164	128	# Picks the authorization code in order, from:
165	129	#
166	130	# 1. The request 'code' param (manual callback from standard server-side flow)
167		# 2. A signed request (see #signed_request for more)
	131	# 2. A signed request from cookie (passed from the client during the client-side flow)
168	132	def with_authorization_code!
169	133	if request.params.key?('code')
170	134	yield
171		elsif code_from_signed_request = signed_request && signed_request['code']
	135	elsif code_from_signed_request = signed_request_from_cookie && signed_request_from_cookie['code']
172	136	request.params['code'] = code_from_signed_request
173		@authorization_code_from_signed_request = true
	137	@authorization_code_from_signed_request_in_cookie = true
	138	# NOTE The code from the signed fbsr_XXX cookie is set by the FB JS SDK will confirm that the identity of the
	139	# user contained in the signed request matches the user loading the app.
	140	original_provider_ignores_state = options.provider_ignores_state
	141	options.provider_ignores_state = true
174	142	begin
175	143	yield
176	144	ensure
177	145	request.params.delete('code')
178		@authorization_code_from_signed_request = false
	146	@authorization_code_from_signed_request_in_cookie = false
	147	options.provider_ignores_state = original_provider_ignores_state
179	148	end
180	149	else
181		raise NoAuthorizationCodeError, 'must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)'
	150	raise NoAuthorizationCodeError, 'must pass either a `code` (via URL or by an `fbsr_XXX` signed request cookie)'
182	151	end
183	152	end
184	153

+6

-5

metadata.yml less more

0	0	--- !ruby/object:Gem::Specification
1	1	name: omniauth-facebook
2	2	version: !ruby/object:Gem::Version
3		version: 1.6.0
	3	version: 2.0.0
4	4	platform: ruby
5	5	authors:
6	6	- Mark Dodwell

8	8	autorequire:
9	9	bindir: bin
10	10	cert_chain: []
11		date: 2014-01-11 00:00:00.000000000 Z
	11	date: 2014-08-07 00:00:00.000000000 Z
12	12	dependencies:
13	13	- !ruby/object:Gem::Dependency
14	14	name: omniauth-oauth2

16	16	requirements:
17	17	- - ~>
18	18	- !ruby/object:Gem::Version
19		version: '1.1'
	19	version: '1.2'
20	20	type: :runtime
21	21	prerelease: false
22	22	version_requirements: !ruby/object:Gem::Requirement
23	23	requirements:
24	24	- - ~>
25	25	- !ruby/object:Gem::Version
26		version: '1.1'
	26	version: '1.2'
27	27	- !ruby/object:Gem::Dependency
28	28	name: minitest
29	29	requirement: !ruby/object:Gem::Requirement

82	82	- Rakefile
83	83	- example/Gemfile
84	84	- example/Gemfile.lock
	85	- example/app.rb
85	86	- example/config.ru
86	87	- lib/omniauth-facebook.rb
87	88	- lib/omniauth/facebook.rb

111	112	version: '0'
112	113	requirements: []
113	114	rubyforge_project:
114		rubygems_version: 2.0.2
	115	rubygems_version: 2.2.2
115	116	signing_key:
116	117	specification_version: 4
117	118	summary: Facebook OAuth2 Strategy for OmniAuth

+1

-1

omniauth-facebook.gemspec less more

15	15	s.executables = `git ls-files -- bin/*`.split("\n").map { \|f\| File.basename(f) }
16	16	s.require_paths = ['lib']
17	17
18		s.add_runtime_dependency 'omniauth-oauth2', '~> 1.1'
	18	s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
19	19
20	20	s.add_development_dependency 'minitest'
21	21	s.add_development_dependency 'mocha'

+1

-0

test/helper.rb less more

35	35	@request.stubs(:params).returns({})
36	36	@request.stubs(:cookies).returns({})
37	37	@request.stubs(:env).returns({})
	38	@request.stubs(:scheme).returns({})
38	39	@request.stubs(:ssl?).returns(false)
39	40
40	41	@client_id = '123'

+44

-120

test/test.rb less more

114	114	@options = { :image_size => { :width => 123, :height => 987 } }
115	115	raw_info = { 'name' => 'Fred Smith', 'id' => '321' }
116	116	strategy.stubs(:raw_info).returns(raw_info)
117		image_url = strategy.info['image']
118		path, query = image_url.split("?")
119		query_params = Hash[*query.split("&").map {\|pair\| pair.split("=") }.flatten]
120
121		assert_equal 'http://graph.facebook.com/321/picture', path
122		assert_equal '123', query_params['width']
123		assert_equal '987', query_params['height']
	117	assert_match 'width=123', strategy.info['image']
	118	assert_match 'height=987', strategy.info['image']
	119	assert_match 'http://graph.facebook.com/321/picture?', strategy.info['image']
124	120	end
125	121	end
126	122

397	393
398	394	class CookieAndParamNotPresentTest < TestCase
399	395	test 'is nil' do
400		assert_nil strategy.send(:signed_request)
	396	assert_nil strategy.send(:signed_request_from_cookie)
401	397	end
402	398
403	399	test 'throws an error on calling build_access_token' do
404		assert_equal 'must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)',
405		assert_raises(OmniAuth::Strategies::Facebook::NoAuthorizationCodeError) { strategy.send(:build_access_token) }.message
	400	assert_raises(OmniAuth::Strategies::Facebook::NoAuthorizationCodeError) { strategy.send(:with_authorization_code!) {} }
406	401	end
407	402	end
408	403

420	415	end
421	416
422	417	test 'parses the access code out from the cookie' do
423		assert_equal @payload, strategy.send(:signed_request)
	418	assert_equal @payload, strategy.send(:signed_request_from_cookie)
424	419	end
425	420
426	421	test 'throws an error if the algorithm is unknown' do
427	422	setup('UNKNOWN-ALGO')
428		assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(OmniAuth::Strategies::Facebook::UnknownSignatureAlgorithmError) { strategy.send(:signed_request) }.message
429		end
430		end
431
432		class ParamPresentTest < TestCase
	423	assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(OmniAuth::Strategies::Facebook::UnknownSignatureAlgorithmError) { strategy.send(:signed_request_from_cookie) }.message
	424	end
	425	end
	426
	427	class EmptySignedRequestTest < TestCase
	428	def setup
	429	super
	430	@request.stubs(:params).returns({'signed_request' => ''})
	431	end
	432
	433	test 'empty param' do
	434	assert_equal nil, strategy.send(:signed_request_from_cookie)
	435	end
	436	end
	437
	438	class MissingCodeInParamsRequestTest < TestCase
	439	def setup
	440	super
	441	@request.stubs(:params).returns({})
	442	end
	443
	444	test 'calls fail! when a code is not included in the params' do
	445	strategy.expects(:fail!).times(1).with(:no_authorization_code, kind_of(Exception))
	446	strategy.callback_phase
	447	end
	448	end
	449
	450	class MissingCodeInCookieRequestTest < TestCase
433	451	def setup(algo = nil)
434	452	super()
435	453	@payload = {
436	454	'algorithm' => algo \|\| 'HMAC-SHA256',
437		'oauth_token' => 'XXX',
	455	'code' => nil,
438	456	'issued_at' => Time.now.to_i,
439	457	'user_id' => '123456'
440	458	}
441	459
442		@request.stubs(:params).returns({'signed_request' => signed_request(@payload, @client_secret)})
443		end
444
445		test 'parses the access code out from the param' do
446		assert_equal @payload, strategy.send(:signed_request)
447		end
448
449		test 'throws an error if the algorithm is unknown' do
450		setup('UNKNOWN-ALGO')
451		assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(OmniAuth::Strategies::Facebook::UnknownSignatureAlgorithmError) { strategy.send(:signed_request) }.message
452		end
453		end
454
455		class CookieAndParamPresentTest < TestCase
456		def setup
457		super
458		@payload_from_cookie = {
459		'algorithm' => 'HMAC-SHA256',
460		'from' => 'cookie'
461		}
462
463		@request.stubs(:cookies).returns({"fbsr_#{@client_id}" => signed_request(@payload_from_cookie, @client_secret)})
464
465		@payload_from_param = {
466		'algorithm' => 'HMAC-SHA256',
467		'from' => 'param'
468		}
469
470		@request.stubs(:params).returns({'signed_request' => signed_request(@payload_from_param, @client_secret)})
471		end
472
473		test 'picks param over cookie' do
474		assert_equal @payload_from_param, strategy.send(:signed_request)
475		end
476		end
477
478		class EmptySignedRequestTest < TestCase
479		def setup
480		super
481		@request.stubs(:params).returns({'signed_request' => ''})
482		end
483
484		test 'empty param' do
485		assert_equal nil, strategy.send(:signed_request)
486		end
487		end
488
489		end
490
491		class RequestPhaseWithSignedRequestTest < StrategyTestCase
492		include SignedRequestHelpers
493
494		def setup
495		super
496
497		payload = {
498		'algorithm' => 'HMAC-SHA256',
499		'oauth_token' => 'm4c0d3z'
500		}
501		@raw_signed_request = signed_request(payload, @client_secret)
502		@request.stubs(:params).returns("signed_request" => @raw_signed_request)
503
504		strategy.stubs(:callback_url).returns('/')
505		end
506
507		test 'redirects to callback passing along signed request' do
508		strategy.expects(:redirect).with("/?signed_request=#{Rack::Utils.escape(@raw_signed_request)}").once
509		strategy.request_phase
510		end
511		end
512
513		module BuildAccessTokenTests
514		class TestCase < StrategyTestCase
515		include SignedRequestHelpers
516		end
517
518		class ParamsContainSignedRequestWithAccessTokenTest < TestCase
519		def setup
520		super
521
522		@payload = {
523		'algorithm' => 'HMAC-SHA256',
524		'oauth_token' => 'm4c0d3z',
525		'expires' => Time.now.to_i
526		}
527		@raw_signed_request = signed_request(@payload, @client_secret)
528		@request.stubs(:params).returns({"signed_request" => @raw_signed_request})
529
530		strategy.stubs(:callback_url).returns('/')
531		end
532
533		test 'returns a new access token from the signed request' do
534		result = strategy.send(:build_access_token)
535		assert_kind_of ::OAuth2::AccessToken, result
536		assert_equal @payload['oauth_token'], result.token
537		end
538
539		test 'returns an access token with the correct expiry time' do
540		result = strategy.send(:build_access_token)
541		assert_equal @payload['expires'], result.expires_at
542		end
543		end
544		end
	460	@request.stubs(:cookies).returns({"fbsr_#{@client_id}" => signed_request(@payload, @client_secret)})
	461	end
	462
	463	test 'calls fail! when a code is not included in the cookie' do
	464	strategy.expects(:fail!).times(1).with(:no_authorization_code, kind_of(Exception))
	465	strategy.callback_phase
	466	end
	467	end
	468	end