[Facebooker-talk] Form method=get signature failure

Agile Dev agiledevcool at gmail.com
Thu Nov 13 16:31:15 EST 2008


From the Developers Forum:

> We've flipped the sitevar back for now while we investigate this issue.
>
> Platform Developer Operations & Support


My apps are working now.

On Thu, Nov 13, 2008 at 1:26 PM, Chad Remesch <chad at remesch.com> wrote:

> I'm seeing it on both of my production apps.  The only quick fix I found is
> to comment out a couple lines in verify_signature
> (vendor/plugins/facebooker/lib/facebooker/rails/controller.rb).  I'm trying
> to find out what's going on.
>
> On Nov 13, 2008, at 1:19 PM, Mike Summers wrote:
>
>  This just started showing up in a working app, anyone else seeing this?
>
> Paul Covell wrote:
>
> Hi, this topic was originally posted here:
>   http://forums.pragprog.com/forums/59/topics/917
>
> Quick summary: forms created with method=GET fail with a signature validation
> error:
> Facebooker::Session::IncorrectSignature
> (Facebooker::Session::IncorrectSignature):
>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in
> `verify_signature'
>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in
> `verified_facebook_params'
>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in
> `facebook_params'
>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in
> `valid_session_key_in_session?'
>     /vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in
> `session_already_secured?'
>
> //////
> This can be reproduced with a small test application:
> rails test
> cd test
> script/plugin install git://github.com/mmangino/facebooker.git
> ruby script/generate controller home index search
>
> views/home/index.fbml.erb:
>
>
> <h1>Home</h1>
> <% form_tag(url_for(:action => :search), {:method=>:get}) do %>
> <p><%= text_field_tag(:keyword, params[:keyword]) %></p>
> <p><fb:submit>Go</fb:submit></p>
> <% end %>
>
> app/controller/application.rb—added immediately below helper :all
>
>   ensure_application_is_installed_by_facebook_user
>   ensure_authenticated_to_facebook
>
> And then I set up my development server and tunnel as I do with normal
> development. The error is the same. Also, if I remove the :method => :get,
> the error does not occur.
> //////
>
> I have done some additional digging tonight on the problem, and here is
> what I've learned:
>
> 1.  The verify_signature is working correctly (as expected) and calculating
> on all values passed to it --- the calculation is actually rendering a
> result inconsistent with the fb_sig passed to it.
> 2.  The hidden parameters from the form that appear in the URL are being
> faithfully transmitted through Facebook to Facebooker and showing up
> properly in verify_signature
> 3.  A copy + paste of the "raw string" generated by a working GET and a
> failing GET are identical except the timestamp and the session expiration
> time (of course).  You can test a working GET by removing the parameters
> from the URL letting facebook regenerate them.  This way everything else is
> identical.
>
> ==> I can only conclude that the fb_sig sent by facebook is being
> calculated based on a different order of parameters or excluding some
> parameters, but I don't know how to go about finding which ones (except
> brute force yuck).  I can't find any of the FB pages that offer any useful
> advice on this.
>
> Quick reference:
> Forms and Hidden Inputs:
> http://wiki.developers.facebook.com/index.php/UsageNotes/Forms
> How Facebook Authenticates:
> http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
> Verifying the Signature:
> http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
>
> -Paul
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
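Added example, not part of the original thread and not Facebooker's own code: a Ruby diagnostic that leaves signature verification in place and searches for which fb_sig_* parameters the sender left out of its calculation, the hypothesis Paul raises in his summary. The signature scheme shown (sorted key=value pairs plus the secret, MD5) is an assumption about the legacy fb_sig format, and all method names and sample values are constructed for illustration.

```ruby
require 'digest/md5'

# Assumed legacy scheme: sort the "key=value" pairs of the fb_sig_* parameters
# (prefix stripped), join with no separator, append the secret, MD5 the result.
def fb_signature(signed, secret)
  Digest::MD5.hexdigest(signed.map { |k, v| "#{k}=#{v}" }.sort.join + secret)
end

# The fb_sig_* parameters with the prefix stripped; fb_sig itself is excluded.
def signed_params(params)
  params.select { |k, _| k.start_with?('fb_sig_') }
        .map { |k, v| [k.sub('fb_sig_', ''), v] }.to_h
end

# Constant-time comparison of two hex digests.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [] when the signature verifies, the smallest set of keys the sender
# must have left out when it does not, or nil when no subset explains it.
# Exhaustive search: 2**n digests, fine for a dozen or so parameters.
def omitted_keys(params, secret)
  signed = signed_params(params)
  expected = params['fb_sig'].to_s
  (0..signed.size).each do |r|
    signed.keys.combination(r) do |drop|
      kept = signed.reject { |k, _| drop.include?(k) }
      return drop if secure_equal?(fb_signature(kept, secret), expected)
    end
  end
  nil
end

# Constructed sample request: the sender signed everything except "expires".
SECRET = 'constructed-secret'
SAMPLE = {
  'fb_sig_time' => '1226611875.0', 'fb_sig_user' => '1001',
  'fb_sig_expires' => '1226700000', 'fb_sig_api_key' => 'constructed-key',
  'keyword' => 'ruby'
}
SAMPLE['fb_sig'] = fb_signature(signed_params(SAMPLE).reject { |k, _| k == 'expires' }, SECRET)

p omitted_keys(SAMPLE, SECRET) # => ["expires"]
```

A nil result means no omission of signed parameters accounts for the mismatch, so the difference lies elsewhere (a changed value, the secret, or the scheme itself).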