[Facebooker-talk] Form method=get signature failure
Chad Remesch
chad at remesch.com
Thu Nov 13 16:26:19 EST 2008
I'm seeing it on both of my production apps. The only quick fix I
found is to comment out a couple lines in
verify_signature (vendor/plugins/facebooker/lib/facebooker/rails/
controller.rb). I'm trying to find out what's going on.
On Nov 13, 2008, at 1:19 PM, Mike Summers wrote:
> This just started showing up in a working app, anyone else seeing
> this?
>
> Paul Covell wrote:
>>
>> Hi, this topic was originally posted here:
>> http://forums.pragprog.com/forums/59/topics/917
>>
>> Quick summary: forms created method=GET fail with a signature
>> validation error:
>> Facebooker::Session::IncorrectSignature
>> (Facebooker::Session::IncorrectSignature):
>> /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:
>> 146:in `verify_signature'
>> /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:
>> 120:in `verified_facebook_params'
>> /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:
>> 35:in `facebook_params'
>> /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:
>> 63:in `valid_session_key_in_session?'
>> /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:
>> 41:in `session_already_secured?'
>>
>> //////
>> This can be reproduced with a small test application:
>> rails test
>> cd test
>> script/plugin install git://github.com/mmangino/facebooker.git
>> ruby script/generate controller home index search
>>
>> views/home/index.fbml.erb:
>>
>>
>> <h1>Home</h1>
>> <% form_tag(url_for(:action => :search), {:method=>:get}) do %>
>> <p><%= text_field_tag(:keyword, params[:keyword]) %></p>
>> <p><fb:submit>Go</fb:submit></p>
>> <% end %>
>>
>> app/controller/application.rb—added immediately below helper :all
>>
>> ensure_application_is_installed_by_facebook_user
>> ensure_authenticated_to_facebook
>>
>> And then I set up my development server and tunnel as I do with
>> normal development. The error is the same. Also, if I remove
>> the :method => :get, the error does not occur.
>> //////
>>
>> I have done some additional digging tonight on the problem, and
>> here is what I've learned:
>>
>> 1. The verify_signature is working correctly (as expected) and
>> calculating on all values passed to it --- the calculation is
>> actually rendering a result inconsistent with the fb_sig passed to
>> it.
>> 2. The hidden parameters from the form that appear in the URL are
>> being faithfully transmitted through Facebook to Facebooker and
>> showing up properly in verify_signature
>> 3. A copy + paste of the "raw string" generated by a working GET
>> and a failing GET are identical except the timestamp and the
>> session expiration time (of course). You can test a working GET by
>> removing the parameters from the URL letting facebook regenerate
>> them. This way everything else is identical.
>>
>> ==> I can only conclude that the fb_sig sent by facebook is being
>> calculated based on a different order of parameters or excluding
>> some parameters, but I don't know how to go about finding which
>> ones (except brute force yuck). I can't find any of the FB pages
>> that offer any useful advice on this.
>>
>> Quick reference:
>> Forms and Hidden Inputs: http://wiki.developers.facebook.com/index.php/UsageNotes/Forms
>> How Facebook Authenticates: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
>> Verifying the Signature: http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
>>
>> -Paul
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>
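The signature check this thread is debugging, as an added reference implementation (not Facebooker's code and not from any of the posts above): it rebuilds the raw string from the fb_sig_-prefixed parameters only, with the prefix stripped and the pairs sorted by key, appends the application secret and MD5-hashes the result, which is the procedure the "Verifying the Signature" page linked above documents. The application secret, the session values and the form fields are constructed sample values. fb_raw_string returns the string before hashing so that two requests can be diffed the way point 3 does; the checks at the bottom show that a GET form's own fields such as keyword sit outside the signed set, and that altering any signed field, or letting fb_sig_expires lapse, makes verification fail.

```ruby
require 'digest/md5'

# Constructed application secret for this example only.
APP_SECRET = "example-app-secret-not-real"
PREFIX = "fb_sig_"

# Canonical string the platform signs: every parameter whose key starts
# with "fb_sig_", prefix removed, sorted by key, joined as key=value with
# no separator, followed by the application secret.  The "fb_sig" value
# itself does not carry the prefix and is therefore never part of it.
def fb_raw_string(params, secret)
  signed = params.select { |k, _| k.start_with?(PREFIX) }
  pairs = signed.map { |k, v| [k[PREFIX.length..-1], v.to_s] }
  pairs.sort_by { |k, _| k }.map { |k, v| "#{k}=#{v}" }.join + secret
end

def fb_expected_signature(params, secret)
  Digest::MD5.hexdigest(fb_raw_string(params, secret))
end

# Constant-time comparison so a mismatch leaks no position information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# True only if fb_sig matches the recomputed digest and the signature has
# not expired (fb_sig_expires == 0 means "does not expire").
def verify_fb_signature(params, secret, now = Time.now.to_i)
  sig = params["fb_sig"]
  return false if sig.nil?
  expires = params["fb_sig_expires"].to_i
  return false if expires != 0 && expires < now
  secure_equal?(fb_expected_signature(params, secret), sig)
end

# Helper that plays the platform's role: attach a valid fb_sig.
def sign_params(params, secret)
  params.merge("fb_sig" => fb_expected_signature(params, secret))
end

# Constructed request as the platform would forward it to the app.
SAMPLE_PARAMS = sign_params({
  "fb_sig_user"        => "12345",
  "fb_sig_time"        => "1226605579.8",
  "fb_sig_expires"     => "0",
  "fb_sig_session_key" => "example-session-key",
  "fb_sig_added"       => "1",
}, APP_SECRET)

# A GET form appends its own fields to the URL; they are not signed.
FORM_PARAMS = SAMPLE_PARAMS.merge("keyword" => "rails", "action" => "search")

if __FILE__ == $0
  puts verify_fb_signature(SAMPLE_PARAMS, APP_SECRET)
  puts verify_fb_signature(FORM_PARAMS, APP_SECRET)
  puts verify_fb_signature(SAMPLE_PARAMS.merge("fb_sig_user" => "999"), APP_SECRET)
  puts fb_raw_string(FORM_PARAMS, APP_SECRET) == fb_raw_string(SAMPLE_PARAMS, APP_SECRET)
end
```

Sorting is done on the stripped key rather than on the joined "key=value" string, because the two orders differ when one key is a prefix of another; when comparing raw strings from two requests, that ordering choice is the first thing worth confirming.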