<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000066">
<font face="Helvetica, Arial, sans-serif">This just started showing up
in a working app, anyone else seeing this?</font><br>
<br>
Paul Covell wrote:
<blockquote cite="mid:E36F974C-5CDE-496E-9A7C-4AF81ACD9C22@alum.mit.edu"
type="cite">Hi, this topic was originally posted here:
<br>
<a class="moz-txt-link-freetext" href="http://forums.pragprog.com/forums/59/topics/917">http://forums.pragprog.com/forums/59/topics/917</a>
<br>
<br>
Quick summary: forms created with method=GET fail with a signature
validation error:
<br>
Facebooker::Session::IncorrectSignature (Facebooker::Session::IncorrectSignature):
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:146:in `verify_signature'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:120:in `verified_facebook_params'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:35:in `facebook_params'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:63:in `valid_session_key_in_session?'
<br>
/vendor/plugins/facebooker/lib/facebooker/rails/controller.rb:41:in `session_already_secured?'
<br>
<br>
//////
<br>
This can be reproduced with a small test application:
<br>
rails test
<br>
cd test
<br>
script/plugin install git://github.com/mmangino/facebooker.git
<br>
ruby script/generate controller home index search
<br>
<br>
views/home/index.fbml.erb:
<br>
<br>
<br>
<h1>Home</h1>
<br>
<% form_tag(url_for(:action => :search), {:method=>:get}) do %>
<br>
<p><%= text_field_tag(:keyword, params[:keyword]) %></p>
<br>
<p><fb:submit>Go</fb:submit></p>
<br>
<% end %>
<br>
<br>
app/controller/application.rb—added immediately below helper :all
<br>
<br>
ensure_application_is_installed_by_facebook_user
<br>
ensure_authenticated_to_facebook
<br>
<br>
And then I set up my development server and tunnel as I do with normal
development. The error is the same. Also, if I remove the :method =>
:get, the error does not occur.
<br>
//////
<br>
<br>
I have done some additional digging tonight on the problem, and here is
what I've learned:
<br>
<br>
1. The verify_signature is working correctly (as expected) and
calculating on all values passed to it --- the calculation is actually
rendering a result inconsistent with the fb_sig passed to it.
<br>
2. The hidden parameters from the form that appear in the URL are
being faithfully transmitted through Facebook to Facebooker and showing
up properly in verify_signature
<br>
3. A copy + paste of the "raw string" generated by a working GET and a
failing GET are identical except for the timestamp and the session
expiration time (of course). You can test a working GET by removing
the parameters from the URL, letting facebook regenerate them. This way
everything else is identical.
<br>
<br>
==> I can only conclude that the fb_sig sent by facebook is being
calculated based on a different order of parameters or excluding some
parameters, but I don't know how to go about finding which ones (except
brute force yuck). I can't find any of the FB pages that offer any
useful advice on this.
<br>
<br>
Quick reference:
<br>
Forms and Hidden Inputs:
<a class="moz-txt-link-freetext" href="http://wiki.developers.facebook.com/index.php/UsageNotes/Forms">http://wiki.developers.facebook.com/index.php/UsageNotes/Forms</a>
<br>
How Facebook Authenticates:
<a class="moz-txt-link-freetext" href="http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application">http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application</a>
<br>
Verifying the Signature:
<a class="moz-txt-link-freetext" href="http://wiki.developers.facebook.com/index.php/Verifying_The_Signature">http://wiki.developers.facebook.com/index.php/Verifying_The_Signature</a>
<br>
<br>
-Paul
<br>
_______________________________________________
<br>
Facebooker-talk mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Facebooker-talk@rubyforge.org">Facebooker-talk@rubyforge.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://rubyforge.org/mailman/listinfo/facebooker-talk">http://rubyforge.org/mailman/listinfo/facebooker-talk</a>
<br>
<br>
</blockquote>
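As an added example (not Facebooker's own code, and not from Paul's post), here is the legacy fb_sig scheme that verify_signature checks, written in Ruby so the "raw string" can be inspected the way Paul describes. The app secret and request parameters are constructed for illustration; the fb_raw_string helper exposes exactly which parameters went into the hash.
<br>

```ruby
require 'digest/md5'

# Added example (not Facebooker's own code): the legacy Facebook platform
# signature. Only parameters prefixed "fb_sig_" are signed; anything else
# in the query string (such as the form's own "keyword" field) is ignored.
SIG_PREFIX = 'fb_sig_'

# Build the string Facebook signs: strip the prefix, sort by key,
# concatenate "key=value" with no separators, then append the app secret.
# Returning it separately lets you diff a working and a failing request.
def fb_raw_string(params, secret)
  signed = params.select { |k, _| k.to_s.start_with?(SIG_PREFIX) }
  signed.sort_by { |k, _| k.to_s }
        .map { |k, v| "#{k.to_s[SIG_PREFIX.size..-1]}=#{v}" }
        .join + secret
end

def fb_signature(params, secret)
  Digest::MD5.hexdigest(fb_raw_string(params, secret))
end

# Constant-time comparison so a mismatch does not leak where it differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the presented fb_sig matches the value computed from fb_sig_*.
def verify_signature?(params, secret)
  secure_equal?(fb_signature(params, secret), params['fb_sig'].to_s)
end

# Constructed sample request (not real Facebook data): the form field
# "keyword" rides alongside the fb_sig_* parameters on a GET.
SECRET = 'constructedsecret'
SAMPLE = {
  'fb_sig_user' => '12345', 'fb_sig_time' => '1234567890',
  'fb_sig_session_key' => 'abc', 'keyword' => 'ruby'
}
SAMPLE['fb_sig'] = fb_signature(SAMPLE, SECRET)

if __FILE__ == $0
  puts fb_raw_string(SAMPLE, SECRET)
  puts verify_signature?(SAMPLE, SECRET)
end
```

Changing the non-signed "keyword" field leaves the check passing, while altering any fb_sig_* value or using the wrong secret makes it fail.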
</body>
</html>