# Facebooker Post Authorize / Post DeAuthorize Callbacks
# from the FanGamb team - http://www.fangamb.com
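class CallbacksController < ApplicationController
  # Facebook calls these endpoints when a user adds (post-authorize) or
  # removes (post-remove) the application. Both arrive as unauthenticated
  # POSTs from Facebook's servers, so the fb_sig_* parameters are verified
  # against the app secret before anything is changed.

  # Prefix Facebook puts on every signed request parameter.
  FB_SIG_PREFIX = 'fb_sig_'

  skip_before_filter :ensure_app_installed, :except => :post_authorize
  # Facebook cannot supply a Rails CSRF token; the fb_sig signature check
  # below is what authenticates these requests instead.
  skip_before_filter :verify_authenticity_token

  # Called by Facebook after a user adds the application.
  # Always renders an empty response, whether or not the request verified.
  def post_authorize
    if request.post? && verify_uninstall_signature
      # TODO: set user's has_app indicator to 1 to indicate active
    end
    render :nothing => true
  end

  # Called by Facebook after a user removes the application.
  # Always renders an empty response, whether or not the request verified.
  def post_deauthorize
    if request.post? && verify_uninstall_signature
      # TODO: set user's has_app indicator to 0 to indicate inactive
    end
    render :nothing => true
  end

  private

  # Verifies the fb_sig signature Facebook attaches to callback requests.
  # Based on http://wiki.developers.facebook.com/index.php/Post-Remove_URL:
  # fb_sig = md5(concatenation of "name=value" for every fb_sig_* parameter,
  # sorted by name with the "fb_sig_" prefix stripped, followed by the
  # app secret key).
  #
  # Returns true when the signature matches, false otherwise. A mismatch is
  # logged for investigation; the secret key is never written to the log.
  def verify_uninstall_signature
    payload = signed_payload
    if payload.nil?
      logger.warn "\nWARNING :: fb_sig_* parameter with a non-string value; request rejected"
      log_request_origin
      return false
    end

    calculated_sig = Digest::MD5.hexdigest(payload + FACEBOOK_YAML['secret_key'])
    provided_sig = params[:fb_sig].to_s

    return true if secure_compare(calculated_sig, provided_sig)

    logger.warn "\nWARNING :: potential spoofing :: expected signatures did not match"
    logger.info "\nSignature (fb_sig param from facebook) :: #{provided_sig}"
    # Only the parameter portion of the pre-hash string is logged: the full
    # string ends with the secret key, which must not reach the log.
    logger.info "\nSignature String (pre-hash, secret omitted) :: #{payload}"
    logger.info "\nMD5 Hashed Sig :: #{calculated_sig}"
    log_request_origin
    false
  end

  # Builds the "name=value..." string from the sorted fb_sig_* parameters
  # (prefix stripped; the bare fb_sig parameter is not prefixed, so it is
  # excluded). Returns nil if any such parameter is not a plain String,
  # because the signature is then undefined and the request cannot verify.
  def signed_payload
    payload = ''
    params.keys.sort.each do |key|
      next unless key.start_with?(FB_SIG_PREFIX)
      value = params[key]
      return nil unless value.is_a?(String)
      payload << key[FB_SIG_PREFIX.length..-1] << '=' << value
    end
    payload
  end

  # Constant-time comparison of two strings so that response timing does
  # not reveal how many leading bytes of the expected signature matched.
  # (Newer Rails versions provide ActiveSupport::SecurityUtils.secure_compare
  # for the same purpose.) Length is not secret here: MD5 hex is always 32.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    mismatch = 0
    a.unpack('C*').zip(b.unpack('C*')) { |x, y| mismatch |= x ^ y }
    mismatch.zero?
  end

  # Logs where a rejected request came from. request.remote_ip is the
  # framework's view of the client address (presumably proxy-aware); the raw
  # forwarded headers are logged as well but are client-supplied and must
  # not be trusted on their own.
  def log_request_origin
    logger.info "\nRemote IP :: #{request.remote_ip}"
    forwarded = request.env['HTTP_X_FORWARDED_FOR'] || request.env['HTTP_X_REAL_IP']
    logger.info "\nForwarded header (unverified) :: #{forwarded}" if forwarded
  end
end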