[Facebooker-talk] Form method=get signature failure
Paul Covell
pac at alum.mit.edu
Fri Sep 26 07:54:15 EDT 2008
Hi, this topic was originally posted here:
http://forums.pragprog.com/forums/59/topics/917
Quick summary: forms created with method=GET fail with a signature
validation error:
Facebooker::Session::IncorrectSignature (Facebooker::Session::IncorrectSignature):
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in `verify_signature'
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in `verified_facebook_params'
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in `facebook_params'
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in `valid_session_key_in_session?'
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in `session_already_secured?'
//////
This can be reproduced with a small test application:
rails test
cd test
script/plugin install git://github.com/mmangino/facebooker.git
ruby script/generate controller home index search
views/home/index.fbml.erb:
<h1>Home</h1>
<% form_tag(url_for(:action => :search), {:method=>:get}) do %>
<p><%= text_field_tag(:keyword, params[:keyword]) %></p>
<p><fb:submit>Go</fb:submit></p>
<% end %>
app/controller/application.rb—added immediately below helper :all
ensure_application_is_installed_by_facebook_user
ensure_authenticated_to_facebook
And then I set up my development server and tunnel as I do with normal
development. The error is the same. Also, if I remove the :method
=> :get, the error does not occur.
//////
I have done some additional digging tonight on the problem, and here
is what I've learned:
1. The verify_signature is working correctly (as expected) and
calculating on all values passed to it --- the calculation is actually
rendering a result inconsistent with the fb_sig passed to it.
2. The hidden parameters from the form that appear in the URL are
being faithfully transmitted through Facebook to Facebooker and
showing up properly in verify_signature.
3. A copy + paste of the "raw string" generated by a working GET and
a failing GET are identical except the timestamp and the session
expiration time (of course). You can test a working GET by removing
the parameters from the URL and letting Facebook regenerate them. This
way everything else is identical.
==> I can only conclude that the fb_sig sent by Facebook is being
calculated based on a different order of parameters or excluding some
parameters, but I don't know how to go about finding which ones
(except brute force, yuck). I can't find any of the FB pages that
offer any useful advice on this.
Quick reference:
Forms and Hidden Inputs: http://wiki.developers.facebook.com/index.php/UsageNotes/Forms
How Facebook Authenticates: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
Verifying the Signature: http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
-Paul
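To make the "raw string" comparison above concrete, here is an added example (not Facebooker's verify_signature, nor code from this thread) of the signature scheme the linked "Verifying the Signature" page describes: only fb_sig_* parameters, prefix stripped and sorted by key, are concatenated as key=value and hashed with the app secret. The secret, parameter values and the keyword form field below are constructed; it also shows how the signature changes if an unsigned form field is folded into the signed set.

```ruby
require 'digest/md5'

# Constructed app secret (a real one comes from the app's Facebook settings).
APP_SECRET = 'constructed-app-secret-not-real'

# Build the "raw string" Facebook signs: every fb_sig_* parameter with the
# prefix stripped, sorted by key, joined as key=value, then the app secret.
# Anything else in the query string (form fields, fb_sig itself) is ignored.
def fb_raw_string(params, secret)
  signed = params.select { |k, _| k.to_s.start_with?('fb_sig_') }
  pairs  = signed.map { |k, v| [k.to_s.sub(/\Afb_sig_/, ''), v.to_s] }
  pairs.sort_by { |k, _| k }.map { |k, v| "#{k}=#{v}" }.join + secret
end

def fb_signature(params, secret)
  Digest::MD5.hexdigest(fb_raw_string(params, secret))
end

# True when the fb_sig carried by the request matches our own calculation.
def valid_fb_signature?(params, secret)
  params['fb_sig'].to_s == fb_signature(params, secret)
end

# Signature the same request would need if an unsigned form field were
# (wrongly) treated as part of the signed set under the fb_sig_ prefix.
def signature_with_extra(params, secret, key, value)
  fb_signature(params.merge("fb_sig_#{key}" => value), secret)
end

# Constructed request: the parameters Facebook appends, plus the form's own
# GET field (keyword), which Facebook does not sign.
FACEBOOK_PARAMS = {
  'fb_sig_user'        => '1234567',
  'fb_sig_session_key' => 'constructed-session-key',
  'fb_sig_time'        => '1222415655.1234',
  'fb_sig_expires'     => '1222502055',
  'fb_sig_added'       => '1',
  'fb_sig_api_key'     => 'constructed-api-key'
}
FACEBOOK_PARAMS['fb_sig'] = fb_signature(FACEBOOK_PARAMS, APP_SECRET)
REQUEST_PARAMS = FACEBOOK_PARAMS.merge('keyword' => 'rails')

if __FILE__ == $0
  puts "raw string: #{fb_raw_string(REQUEST_PARAMS, APP_SECRET)}"
  puts "valid: #{valid_fb_signature?(REQUEST_PARAMS, APP_SECRET)}"
end
```

Comparing fb_raw_string output for a working and a failing request, as done in point 3, isolates whether the inputs differ or the expected signing set does.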